[RFC][PATCH ima-evm-utils 1/7] Download UML kernel and signing key

[Roberto Sassu <roberto.sassu@huawei.com>]

Testing kernel functionality is more difficult than testing user space
software, as it requires support from the testing platform to create a
more specific environment (e.g. a virtual machine). User space software
instead could be simply run in a container.

Fortunately, a kernel architecture named UML (User Mode Linux) allows the
kernel to be executed as a user space process, which would be suitable also
for testing platforms such as Github Actions and Travis.

This patch simply downloads (errors are ignored) the UML kernel binary and
its signing key as artifacts from a URL in the format:

$LINUX_URL/<ima-evm-utils branch>-test/<asset>

The LINUX_URL environment variable must be set in the configuration of the
testing platform (for Github Actions, the variable must be created in an
environment named 'test').

LINUX_URL could be for example:

https://github.com/robertosassu/linux/releases/download/

If Github Releases is used, a workflow should build the kernel, tagged as
'<ima-evm-utils>-test', and publish the artifacts.

The UML kernel binary should be named 'linux-<container name>[.<arch>]' and
the signing key 'signing_key.pem-<container name>', where the '.<arch>'
suffix appears only if the current arch is not x86_64 and separator
characters in the container name are replaced with '.'.

Finally, the patch also adds curl and ca-certificates as software
dependencies when necesssary.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
---
 .github/workflows/ci.yml | 16 ++++++++++++++++
 .travis.yml              | 12 ++++++++++++
 ci/alpine.sh             |  3 ++-
 ci/alt.sh                |  1 +
 ci/debian.sh             |  2 ++
 ci/fedora.sh             |  3 ++-
 ci/tumbleweed.sh         |  3 ++-
 7 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 088c04188682..51f7dbe0aaa6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -101,6 +101,9 @@ jobs:
       image: ${{ matrix.container }}
       env: ${{ matrix.env }}
 
+    environment:
+      name: test
+
     steps:
     - name: Show OS
       run: cat /etc/os-release
@@ -125,6 +128,19 @@ jobs:
             fi
         fi
 
+    - name: Download UML kernel and signing key
+      run: |
+        asset_name_suffix=${{ matrix.container }}
+        asset_name_suffix="$(echo $asset_name_suffix | sed 's/[:\/]/./')"
+        if [ -n "$ARCH" ]; then
+          asset_name_suffix="$asset_name_suffix.$ARCH"
+        fi
+        curl -L ${{ secrets.LINUX_URL }}/${GITHUB_REF##*/}-test/linux-$asset_name_suffix -s -f --output linux || echo
+        curl -L ${{ secrets.LINUX_URL }}/${GITHUB_REF##*/}-test/signing_key.pem-$asset_name_suffix -s -f --output signing_key.pem || echo
+        if [ -f linux ]; then
+                chmod +x linux
+        fi
+
     - name: Compiler version
       run: $CC --version
 
diff --git a/.travis.yml b/.travis.yml
index 7a7627323724..23c220e857b6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -87,11 +87,23 @@ before_install:
             sudo curl -L https://github.com/opencontainers/runc/releases/download/v1.0.0-rc93/runc.amd64 -o /usr/bin/runc
             sudo chmod +x /usr/bin/runc
         fi
+    - asset_name_suffix=$DISTRO
+    - asset_name_suffix="$(echo $asset_name_suffix | sed 's/[:\/]/./')"
+    - >
+        if [ -n "$ARCH" ]; then
+          asset_name_suffix="$asset_name_suffix.$ARCH"
+        fi
     - $CONTAINER info
 
     - DIR="/usr/src/ima-evm-utils"
     - printf "FROM $DISTRO\nRUN mkdir -p $DIR\nWORKDIR $DIR\nCOPY . $DIR\n" > Dockerfile
     - cat Dockerfile
+    - curl -L $LINUX_URL/$TRAVIS_BRANCH-test/linux-$asset_name_suffix -s -f --output linux || echo
+    - curl -L $LINUX_URL/$TRAVIS_BRANCH-test/signing_key.pem-$asset_name_suffix -s -f --output signing_key.pem || echo
+    - >
+        if [ -f "linux" ]; then
+                chmod +x linux
+        fi
     - $CONTAINER build $CONTAINER_ARGS -t ima-evm-utils .
 
 script:
diff --git a/ci/alpine.sh b/ci/alpine.sh
index 63d79546c0dd..588f450bdb5f 100755
--- a/ci/alpine.sh
+++ b/ci/alpine.sh
@@ -42,7 +42,8 @@ apk add \
 	sudo \
 	wget \
 	which \
-	xxd
+	xxd \
+	curl
 
 if [ ! "$TSS" ]; then
 	apk add git
diff --git a/ci/alt.sh b/ci/alt.sh
index 884c9951ca98..6b2aa08bd228 100755
--- a/ci/alt.sh
+++ b/ci/alt.sh
@@ -21,4 +21,5 @@ apt-get install -y \
 		wget \
 		xsltproc \
 		xxd \
+		curl \
 	&& control openssl-gost enabled
diff --git a/ci/debian.sh b/ci/debian.sh
index ad7d2c026735..07ef28c3a2f0 100755
--- a/ci/debian.sh
+++ b/ci/debian.sh
@@ -49,6 +49,8 @@ $apt \
 	sudo \
 	wget \
 	xsltproc \
+	curl \
+	ca-certificates
 
 $apt xxd || $apt vim-common
 $apt libengine-gost-openssl1.1$ARCH || true
diff --git a/ci/fedora.sh b/ci/fedora.sh
index 2d80915ecd77..f07c678130ae 100755
--- a/ci/fedora.sh
+++ b/ci/fedora.sh
@@ -38,7 +38,8 @@ yum -y install \
 	sudo \
 	vim-common \
 	wget \
-	which
+	which \
+	curl
 
 yum -y install docbook5-style-xsl || true
 yum -y install swtpm || true
diff --git a/ci/tumbleweed.sh b/ci/tumbleweed.sh
index dfc478bed5dd..b6a42df7bfca 100755
--- a/ci/tumbleweed.sh
+++ b/ci/tumbleweed.sh
@@ -40,7 +40,8 @@ zypper --non-interactive install --force-resolution --no-recommends \
 	vim \
 	wget \
 	which \
-	xsltproc
+	xsltproc \
+	curl
 
 if [ -f /usr/lib/ibmtss/tpm_server -a ! -e /usr/local/bin/tpm_server ]; then
 	ln -s /usr/lib/ibmtss/tpm_server /usr/local/bin
-- 
2.25.1