Re: [PATCH ima-evm-utils] Experimental fsverity.test related GA CI improvements

[Mimi Zohar <zohar@linux.ibm.com>]

Hi Vitaly,

On Mon, 2022-12-05 at 17:44 +0300, Vitaly Chikunov wrote:
> On Mon, Dec 05, 2022 at 08:39:32AM -0500, Mimi Zohar wrote:
> > 
> > On Thu, 2022-12-01 at 03:26 +0300, Vitaly Chikunov wrote:
> > > From: Mimi Zohar <zohar@linux.ibm.com>
> > > 
> > > This does not make fsverity.test working on GA CI, though.
> > > 
> > > - `--device /dev/loop-control' is required for losetup(8) to work.
> > > - `--privileged' is required foo mount(8) to work, and this makes
> > >   `--security-opt seccomp=unconfined' redundant.
> > > - GA container does not have `/sys/kernel/security' mounted which is
> > >   needed for `/sys/kernel/security/integrity/ima/policy'.
> > > - Enable `set -x` in CI as the logs is everything we have to analyze on
> > >   failures.
> > > 
> > 
> > Agreed, even with these changes the fsverity test will not be executed,
> > but skipped.
> > 
> > However, the reason for them being skipped is totally different than
> > prior to this patch.   Once the distros have enabled both fsverity
> > support and are running a recent enough kernel with IMA support for
> > fsverity, the fsverity test should succeed.
> > 
> > So the problem isn't the GitHub actions architecture or the fsverity
> > test itself, but the lack of IMA kernel support for it.  In addition to
> > the ima-evm-utils distro tests, there needs to be a way for testing new
> > kernel integrity features.  Roberto's proposed ima-evm-utils UML patch
> > set downloads and uses a UML kernel for this purpose.
> > 
> > Unless someone can recommend a better alternative, a single UML
> > "distro" test could be defined and would be executed if a UML kernel is
> > supplied.   Additional UML tests could be specified.
> 
> Just as an idea. I did some CI testing for LKRG on GA,
>   https://github.com/lkrg-org/lkrg/blob/main/.github/workflows/docker-boot.yml
>   https://github.com/lkrg-org/lkrg/blob/main/.github/workflows/docker-boot.sh
> 
> It's possible to boot in QEMU system created in Docker (alas without
> KVM as GA does not support it). But this will install distribution's kernel.
> So it would need to find distribution with the appropriate kernel.
> 
> Also, GA have cache functionality, so there could be dependent job
> to build the kernel with required options and then save it into a cache
> (to save time, bandwidth, and CPU resources).
> 
> And another possibility is, instead of using Docker it's possible to use
> cloud images that many distributions have, and then same as with docker
> (install or build kernel, save into cache and use in next CI runs).
> Never tried this method myself. AFAIK this will require to use cloud-init
> to set up system on first boot.

Roberto's v3 "Support testing in new enviroments" patch adds the UML
support, but leaves open the option for using other environments like
virtual machines.

With the support for building a UML kernel with the appropriate Kconfig
options, the fsverity.test is now working properly.  I just posted "ci:
cleanup build.sh test log output".   With these changes, I'd appreciate
your updating this patch accordingly.

-- 
thanks,

Mimi