Fix runtime issues with sign_hash API usage when engine support is missing #189

Workflow file for this run

	# Copyright (c) 2021 Petr Vorel <[email protected]>
	name: "distros"
	on: [push, pull_request]

	jobs:
	build:
	runs-on: ubuntu-latest
	outputs:
	LINUX_SHA: ${{ steps.last-commit.outputs.LINUX_SHA }}
	name: build
	timeout-minutes: 100
	strategy:
	fail-fast: false

	steps:
	- uses: actions/checkout@v4

	- name: Determine last kernel commit
	id: last-commit
	shell: bash
	run: \|
	mkdir linux-integrity
	pushd linux-integrity
	git init
	LINUX_URL=${{ vars.LINUX_URL }}
	if [ -z "$LINUX_URL" ]; then
	LINUX_URL=https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
	fi
	LINUX_BRANCH=${{ vars.LINUX_BRANCH }}
	if [ -z "$LINUX_BRANCH" ]; then
	LINUX_BRANCH=next-integrity
	fi
	echo "url : $LINUX_URL"
	echo "branch: $LINUX_BRANCH"
	git remote add origin $LINUX_URL
	LINUX_SHA=$(git ls-remote origin $GITHUB_REF_NAME \| awk '{print $1}')
	[ -z "$LINUX_SHA" ] && LINUX_SHA=$(git ls-remote origin $LINUX_BRANCH \| awk '{print $1}')
	echo "LINUX_SHA=$LINUX_SHA" >> $GITHUB_OUTPUT
	popd

	- name: Cache UML kernel
	id: cache-linux
	uses: actions/cache@v4
	with:
	path: linux
	key: linux-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('*/kernel-configs/') }}

	- name: Cache signing key
	id: cache-key
	uses: actions/cache@v4
	with:
	path: signing_key.pem
	key: signing_key.pem-${{ steps.last-commit.outputs.LINUX_SHA }}-${{ hashFiles('*/kernel-configs/') }}

	- name: Compile UML kernel
	if: steps.cache-linux.outputs.cache-hit != 'true' \|\| steps.cache-key.outputs.cache-hit != 'true'
	shell: bash
	run: \|
	if [ "$DEVTOOLSET" = "yes" ]; then
	source /opt/rh/devtoolset-10/enable
	fi
	if [ "$ARCH" = "i386" ]; then
	CROSS_COMPILE_OPT="CROSS_COMPILE=i686-linux-gnu-"
	fi
	pushd linux-integrity
	git pull --depth 1 origin ${{ steps.last-commit.outputs.LINUX_SHA }}
	make ARCH=um defconfig
	./scripts/kconfig/merge_config.sh -m .config $(ls ../kernel-configs/*)
	# Update manually, to specify ARCH=um
	make ARCH=um olddefconfig
	# Make everything built-in
	make ARCH=um localyesconfig
	make ARCH=um $CROSS_COMPILE_OPT -j$(nproc)
	chmod +x linux
	cp linux ..
	cp certs/signing_key.pem ..
	popd

	job:
	needs: build
	runs-on: ubuntu-latest

	strategy:
	fail-fast: false
	matrix:
	include:
	# 32bit build
	- container: "debian:stable"
	env:
	CC: gcc
	ARCH: i386
	TSS: tpm2-tss
	VARIANT: i386
	COMPILE_SSL: openssl-3.0.5

	# cross compilation builds
	- container: "debian:stable"
	env:
	ARCH: ppc64el
	CC: powerpc64le-linux-gnu-gcc
	TSS: ibmtss
	VARIANT: cross-compile

	- container: "debian:stable"
	env:
	ARCH: arm64
	CC: aarch64-linux-gnu-gcc
	TSS: tpm2-tss
	VARIANT: cross-compile

	- container: "debian:stable"
	env:
	ARCH: s390x
	CC: s390x-linux-gnu-gcc
	TSS: ibmtss
	VARIANT: cross-compile

	# musl (native)
	- container: "alpine:latest"
	env:
	CC: gcc
	TSS: tpm2-tss

	# glibc (gcc/clang)
	- container: "opensuse/tumbleweed"
	env:
	CC: clang
	TSS: ibmtss

	- container: "opensuse/leap"
	env:
	CC: gcc
	TSS: tpm2-tss

	- container: "ubuntu:noble"
	env:
	CC: gcc
	TSS: ibmtss

	- container: "ubuntu:jammy"
	env:
	CC: gcc
	TSS: ibmtss

	- container: "ubuntu:xenial"
	env:
	CC: clang
	TSS: tpm2-tss

	- container: "fedora:latest"
	env:
	CC: clang
	TSS: ibmtss

	- container: "fedora:latest"
	env:
	CC: clang
	TSS: ibmtss
	TST_ENV: um
	TST_KERNEL: ../linux
	TST_EVM_CHANGE_MODE: 1

	- container: "quay.io/centos/centos:stream9"
	env:
	CC: clang
	TSS: tpm2-tss

	- container: "debian:testing"
	env:
	CC: clang
	TSS: tpm2-tss

	- container: "debian:stable"
	env:
	CC: clang
	TSS: ibmtss

	- container: "alt:sisyphus"
	env:
	CC: gcc
	TSS: libtpm2-tss-devel

	container:
	image: ${{ matrix.container }}
	env: ${{ matrix.env }}
	options: --privileged --device /dev/loop-control -v /dev/shm:/dev/shm

	steps:
	- name: Show OS
	run: cat /etc/os-release

	- name: Git checkout
	uses: actions/checkout@v1

	- name: Install additional packages
	run: \|
	INSTALL=${{ matrix.container }}
	INSTALL="${INSTALL%%:*}"
	INSTALL="${INSTALL%%/*}"
	if [ "$VARIANT" ]; then ARCH="$ARCH" ./ci/$INSTALL.$VARIANT.sh; fi
	ARCH="$ARCH" CC="$CC" TSS="$TSS" ./ci/$INSTALL.sh

	- name: Build openSSL
	run: \|
	if [ "$COMPILE_SSL" ]; then
	COMPILE_SSL="$COMPILE_SSL" VARIANT="$VARIANT" ./tests/install-openssl3.sh; \
	fi

	- name: Build swtpm
	run: \|
	if [ ! "$VARIANT" ]; then
	which tpm_server \|\| which swtpm \|\| \
	if which tssstartup; then
	./tests/install-swtpm.sh;
	fi
	fi

	- name: Retrieve UML kernel
	if: ${{ matrix.env.TST_ENV }}
	uses: actions/cache@v4
	continue-on-error: false
	with:
	path: linux
	key: linux-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('*/kernel-configs/') }}

	- name: Retrieve signing key
	if: ${{ matrix.env.TST_ENV }}
	continue-on-error: false
	uses: actions/cache@v4
	with:
	path: signing_key.pem
	key: signing_key.pem-${{ needs.build.outputs.LINUX_SHA }}-${{ hashFiles('*/kernel-configs/') }}

	- name: Compiler version
	run: $CC --version

	- name: Compile
	run: CC="$CC" VARIANT="$VARIANT" COMPILE_SSL="$COMPILE_SSL" TST_ENV="$TST_ENV" TST_KERNEL="$TST_KERNEL" ./build.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix runtime issues with sign_hash API usage when engine support is missing #189

Workflow file

Fix runtime issues with sign_hash API usage when engine support is missing #189

Jobs

Run details

Workflow file for this run