diff --git a/Library/test-helpers/Dockerfile.agent b/Library/test-helpers/Dockerfile.agent
index 6b44aa69..e4c89d7e 100644
--- a/Library/test-helpers/Dockerfile.agent
+++ b/Library/test-helpers/Dockerfile.agent
@@ -1,9 +1,8 @@
 FROM quay.io/centos/centos:stream9
-COPY id_*.pub /root/
-COPY lime_con_start.sh /usr/local/bin/lime_con_start
-RUN dnf install -y keylime-agent-rust util-linux-core openssh openssh-server which && \
- dnf clean all && \
- ssh-keygen -A && mkdir -p /root/.ssh && \
- cat /root/id_*.pub > /root/.ssh/authorized_keys && \
- chmod 700 /root/.ssh/authorized_keys && \
- chmod a+x /usr/local/bin/lime_con_start
+RUN dnf install -y keylime-agent-rust util-linux-core which && \
+ dnf clean all
+
+EXPOSE 9002
+EXPOSE 8892
+
+CMD ["keylime_agent"]
diff --git a/Library/test-helpers/Dockerfile.registrar b/Library/test-helpers/Dockerfile.registrar
index 1031086c..db2d8781 100644
--- a/Library/test-helpers/Dockerfile.registrar
+++ b/Library/test-helpers/Dockerfile.registrar
@@ -1,9 +1,8 @@
 FROM quay.io/centos/centos:stream9
-COPY id_*.pub /root/
-COPY lime_con_start.sh /usr/local/bin/lime_con_start
-RUN dnf install -y keylime-registrar openssh openssh-server which && \
- dnf clean all && \
- ssh-keygen -A && mkdir -p /root/.ssh && \
- cat /root/id_*.pub > /root/.ssh/authorized_keys && \
- chmod 700 /root/.ssh/authorized_keys && \
- chmod a+x /usr/local/bin/lime_con_start
+RUN dnf install -y keylime-registrar which && \
+ dnf clean all
+
+EXPOSE 8890
+EXPOSE 8891
+
+CMD ["keylime_registrar"]
diff --git a/Library/test-helpers/Dockerfile.upstream.c9s b/Library/test-helpers/Dockerfile.upstream.c9s
index 260b036b..b7bbc8df 100644
--- a/Library/test-helpers/Dockerfile.upstream.c9s
+++ b/Library/test-helpers/Dockerfile.upstream.c9s
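Review bot: The agent image's `EXPOSE 8892` does not agree with the revocation-port mapping limeconRunAgent builds in lib.sh (`ADD_REV_PORT="-p $REV_PORT:8992"`), and the registrar image's `EXPOSE 8891` does not agree with `ADD_TLS_PORT="-p $TLS_PORT:8991"` in limeconRunRegistrar. Because the helpers also pass `-P`, which publishes exactly the EXPOSEd ports, a mismatch leaves the `-p` mapping pointing at a container port nothing listens on. For the registrar the tests wait on `limeWaitForRegistrar 8891`, so the lib.sh value looks like the typo; for the agent, 8992 is the revocation notification port I recall rust-keylime defaulting to, which would make this Dockerfile the one to fix, but that should be confirmed against the agent config rather than taken from this page.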
@@ -1,11 +1,6 @@
 FROM quay.io/centos/centos:stream9
-COPY lime_con_start.sh /usr/local/bin/lime_con_start
 COPY lime_con_install_upstream.sh /usr/local/bin/lime_con_install_upstream
-COPY id_*.pub /root/
 RUN chmod a+x /usr/local/bin/lime_con_* && \
 mkdir -p /mnt/keylime_sources && \
 cp -r /mnt/keylime_sources /var/tmp/keylime_sources && \
- /usr/local/bin/lime_con_install_upstream && \
- ssh-keygen -A && mkdir -p /root/.ssh && \
- cat /root/id_*.pub > /root/.ssh/authorized_keys && \
- chmod 700 /root/.ssh/authorized_keys
+ /usr/local/bin/lime_con_install_upstream
diff --git a/Library/test-helpers/Dockerfile.verifier b/Library/test-helpers/Dockerfile.verifier
index fd51cdd4..6f3c195e 100644
--- a/Library/test-helpers/Dockerfile.verifier
+++ b/Library/test-helpers/Dockerfile.verifier
@@ -1,9 +1,7 @@
 FROM quay.io/centos/centos:stream9
-COPY id_*.pub /root/
-COPY lime_con_start.sh /usr/local/bin/lime_con_start
-RUN dnf install -y keylime-verifier openssh openssh-server which && \
- dnf clean all && \
- ssh-keygen -A && mkdir -p /root/.ssh && \
- cat /root/id_*.pub > /root/.ssh/authorized_keys && \
- chmod 700 /root/.ssh/authorized_keys && \
- chmod a+x /usr/local/bin/lime_con_start
+RUN dnf install -y keylime-verifier which && \
+ dnf clean all
+
+EXPOSE 8881
+
+CMD ["keylime_verifier"]
diff --git a/Library/test-helpers/lib.sh b/Library/test-helpers/lib.sh
index e719b253..96e2be53 100644
--- a/Library/test-helpers/lib.sh
+++ b/Library/test-helpers/lib.sh
@@ -1968,7 +1968,6 @@ true <<'=cut'
 Prepare podman image. Specify docker file and name tag for building images. If /var/tmp/keylime_sources is present, it is copied to the container.
-Also the ssh access is set up for the container.
 limeconPrepareImage DOCKER_FILE TAG
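Review bot: Dockerfile.upstream.c9s ends up with neither `EXPOSE` nor `CMD` lines, while the role-specific images in this commit gain both and the lib.sh helpers rely on `-P` (`PUBLISH_PORTS`) to publish the EXPOSEd ports. Since every test on this page defaults `*_DOCKERFILE` to this file, `-P` is a no-op for the images actually built in CI and only the explicit `-p` mappings take effect; either add the EXPOSE lines for the agent, registrar and verifier ports here, or drop `-P` from the helpers so the two image flavours behave the same. A comment such as `# no CMD: the limeconRun* helpers pass the program to run as COMMAND` at the end of the file would make the missing entrypoint look deliberate rather than forgotten.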
@@ -2006,12 +2005,7 @@ limeconPrepareImage() {
 ARGS="--volume /var/tmp/keylime_sources:/mnt/keylime_sources:z"
 fi
- #set up for ssh access
- ls /root/.ssh/id_*.pub &>/dev/null || ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa
- cp /root/.ssh/id_*.pub .
- cp ${limeLibraryDir}/lime_con_* .
-
- CMDLINE="podman build $ARGS -t=$TAG --file $DOCKER_FILE ."
+ CMDLINE="podman build $ARGS -t=$TAG --file=$DOCKER_FILE"
 echo -e "\nRunning podman:\n$CMDLINE"
 $CMDLINE
 }
@@ -2023,7 +2017,7 @@ true <<'=cut'
 Container run via podman with specified parameters.
- limeconRun NAME TAG IP NETWORK COMMAND EXTRA_PODMAN_ARGS
+ limeconRun NAME TAG IP NETWORK EXTRA_PODMAN_ARGS [COMMAND]
 If cv_ca directory is present in the current directory, it will be copied to /var/lib/keylime/cv_ca of the running container.
@@ -2044,14 +2038,14 @@ IP address of container.
 Name of used podman network.
-=item COMMAND
-
-Specify running command at start of container.
-
 =item EXTRA_PODMAN_ARGS
 Specify setup of starting container.
+=item COMMAND
+
+Specify command to run on the container.
+
 =back
 Returns 0.
@@ -2064,14 +2058,10 @@ limeconRun() {
 local TAG=$2
 local IP=$3
 local NETWORK=$4
- local COMMAND=$5
- local EXTRA_PODMAN_ARGS=$6
+ local EXTRA_PODMAN_ARGS=$5
+ local COMMAND=$6
 local CMDLINE
- if [ -d cv_ca ]; then
- EXTRA_PODMAN_ARGS="--volume $PWD/cv_ca:/mnt/cv_ca:z $EXTRA_PODMAN_ARGS"
- fi
-
 CMDLINE="podman run -d --name $NAME --net $NETWORK --ip $IP --cap-add CAP_AUDIT_WRITE --cap-add CAP_SYS_CHROOT $EXTRA_PODMAN_ARGS localhost/$TAG $COMMAND"
 echo -e "\nRunning podman:\n$CMDLINE"
 $CMDLINE
@@ -2084,7 +2074,7 @@ true <<'=cut'
 Container run via podman with specified parameters.
- limeconRunAgent NAME TAG IP NETWORK AGENT_FILE TESTDIR
+ limeconRunAgent NAME TAG IP NETWORK TESTDIR COMMAND [CONFDIR] [CERTDIR] [PORT] [REV_PORT]
 =item NAME
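Review bot: The limeconRun POD still states `If cv_ca directory is present in the current directory, it will be copied to /var/lib/keylime/cv_ca of the running container.`, but the `if [ -d cv_ca ]` block that implemented it is removed in the limeconRun hunk of this same file, so the sentence now documents behaviour that no longer exists; replace it with `The CA directory is no longer mounted here; pass it as CERTDIR to the limeconRunAgent/Registrar/Verifier wrappers.` or drop it. In limeconPrepareImage, removing the trailing `.` means the build context is no longer the current directory but, as far as I can tell from podman's behaviour and from the callers now wrapping the path in `realpath`, the directory of DOCKER_FILE, which the function's doc should say: `DOCKER_FILE must be an absolute path; its directory becomes the build context.` The `$CMDLINE` expansion is unquoted as before, so a DOCKER_FILE path containing spaces still breaks, which is worth a one-line caveat in the same doc block.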
@@ -2102,13 +2092,31 @@ IP address of container.
 Name of used podman network.
-=item AGENT_FILE
+=item TESTDIR
-Mounted dir with configuration file.
+Local directory to be mounted inside the container.
-=item TESTDIR
+=item COMMAND
+
+Command to run inside the container.
+
+=item CONFDIR
+
+Local directory containing the agent configuration file.
-Mounted test dir.
+=item CERTDIR
+
+Local directory containing the trusted ca certificate files.
+
+=item PORT
+
+The host port to map to the port the agent will listen for requests.
+If not provided, no mapping will occur
+
+=item REV_PORT
+
+The host port to map to the port the agent will listen for revocation notifications.
+If not provided, no mapping will occur
 =back
@@ -2122,10 +2130,37 @@ limeconRunAgent() {
 local TAG=$2
 local IP=$3
 local NETWORK=$4
- local AGENT_FILE=$5
- local TESTDIR=$6
+ local TESTDIR=$5
+ local COMMAND=$6
+ local CONFDIR=$7
+ local CERTDIR=$8
+ local PORT=$9
+ local REV_PORT=${10}
+
+ if [ -n "$PORT" ]; then
+ ADD_PORT="-p $PORT:9002"
+ PUBLISH_PORTS="-P"
+ fi
+
+ if [ -n "$REV_PORT" ]; then
+ ADD_REV_PORT="-p $REV_PORT:8992"
+ PUBLISH_PORTS="-P"
+ fi
- limeconRun $NAME $TAG $IP $NETWORK "/usr/local/bin/lime_con_start keylime_agent" "--privileged --volume=${AGENT_FILE}:/etc/keylime/ --volume=/sys/kernel/security/:/sys/kernel/security/:ro --volume=${TESTDIR}:${TESTDIR}:rw --device=/dev/tpmrm0"
+ local EXTRA_ARGS="--privileged $ADD_PORT $ADD_REV_PORT $PUBLISH_PORTS --volume=/sys/kernel/security/:/sys/kernel/security/:ro --tmpfs /var/lib/keylime/secure --volume=$TESTDIR:$TESTDIR --device=/dev/tpm0 --device=/dev/tpmrm0 -e RUST_LOG=keylime_agent=trace"
+
+ if [ -n "$CONFDIR" ]; then
+ EXTRA_ARGS="--volume=${CONFDIR}:/etc/keylime/:z $EXTRA_ARGS"
+ fi
+
+ if [ -n "$CERTDIR" ]; then
+ EXTRA_ARGS="--volume ${CERTDIR}:/var/lib/keylime/cv_ca/:z $EXTRA_ARGS"
+ # Find out better way to handle this: keylime inside the container needs access to the CA certificate
+ # On rootless container, this could be done with 'podman unshare'
+ podman run --rm --attach stdout $EXTRA_ARGS localhost/agent_image chown -R keylime:keylime /var/lib/keylime/cv_ca
+ fi
+
+ limeconRun $NAME $TAG $IP $NETWORK "$EXTRA_ARGS" $COMMAND
 }
 true <<'=cut'
@@ -2135,7 +2170,7 @@ true <<'=cut'
 Container run via podman with specified parameters.
- limeconRunRegistrar NAME TAG IP NETWORK
+ limeconRunRegistrar NAME TAG IP NETWORK COMMAND [CONFDIR] [CERTDIR] [PORT] [TLS_PORT]
 =item NAME
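Review bot: `ADD_PORT`, `ADD_REV_PORT` and `PUBLISH_PORTS` are assigned without `local`, so they leak into the calling shell and a later call that omits PORT or REV_PORT silently reuses the previous mapping (the basic-attestation test starts two agents from one shell, so the second `-p` would then collide on the same host port); limeconRunRegistrar and limeconRunVerifier in this file have the same pattern. In the CERTDIR branch `localhost/agent_image` is hard-coded where `localhost/$TAG` is meant, `--device=/dev/tpm0 --device=/dev/tpmrm0` are both unconditional although the tests' header only requires one of the two nodes to exist (podman refuses to start when a `--device` path is missing), and the final `limeconRun ... $COMMAND` passes COMMAND unquoted, so a multi-word command is cut to its first word by limeconRun's `local COMMAND=$6`. The rewrite below declares the flag variables local and empty, uses `$TAG`, passes only the TPM nodes present on the host, and quotes `"$COMMAND"`.
```shell
    # … unchanged: positional parameters $1..${10} …
    # declared local and empty so a previous call cannot leave a stale -p/-P behind
    local ADD_PORT="" ADD_REV_PORT="" PUBLISH_PORTS="" TPM_DEVICES=""
    # … unchanged: PORT / REV_PORT handling …
    # only hand over the TPM nodes that exist; --device on a missing path fails the run
    if [ -e /dev/tpm0 ]; then
        TPM_DEVICES="--device=/dev/tpm0"
    fi
    if [ -e /dev/tpmrm0 ]; then
        TPM_DEVICES="$TPM_DEVICES --device=/dev/tpmrm0"
    fi
    local EXTRA_ARGS="--privileged $ADD_PORT $ADD_REV_PORT $PUBLISH_PORTS --volume=/sys/kernel/security/:/sys/kernel/security/:ro --tmpfs /var/lib/keylime/secure --volume=$TESTDIR:$TESTDIR $TPM_DEVICES -e RUST_LOG=keylime_agent=trace"
    # … unchanged: CONFDIR handling …
    if [ -n "$CERTDIR" ]; then
        EXTRA_ARGS="--volume ${CERTDIR}:/var/lib/keylime/cv_ca/:z $EXTRA_ARGS"
        # fix ownership with the image that will actually run, not a fixed tag
        podman run --rm --attach stdout $EXTRA_ARGS localhost/$TAG chown -R keylime:keylime /var/lib/keylime/cv_ca
    fi
    # quoted so a COMMAND with arguments reaches limeconRun as one parameter
    limeconRun $NAME $TAG $IP $NETWORK "$EXTRA_ARGS" "$COMMAND"
```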
@@ -2153,6 +2188,24 @@ IP address of container.
 Name of used podman network.
+=item COMMAND
+
+Command to run inside the container.
+
+=item CONFDIR
+
+Directory containing the registrar configuration.
+
+=item PORT
+
+The host port to map to the port the registrar will listen for agent registration requests.
+If not provided, no mapping will occur
+
+=item TLS_PORT
+
+The host port to map to the port the registrar will listen for requests.
+If not provided, no mapping will occur
+
 =back
 Returns 0.
@@ -2165,8 +2218,33 @@ limeconRunRegistrar() {
 local TAG=$2
 local IP=$3
 local NETWORK=$4
+ local COMMAND=$5
+ local CONFDIR=$6
+ local CERTDIR=$7
+ local PORT=$8
+ local TLS_PORT=$9
+
+ if [ -n "$PORT" ]; then
+ ADD_PORT="-p $PORT:8890"
+ PUBLISH_PORTS="-P"
+ fi
- limeconRun $NAME $TAG $IP $NETWORK "/usr/local/bin/lime_con_start keylime_registrar" "--volume=/etc/keylime/:/etc/keylime/"
+ if [ -n "$TLS_PORT" ]; then
+ ADD_TLS_PORT="-p $TLS_PORT:8991"
+ PUBLISH_PORTS="-P"
+ fi
+
+ local EXTRA_ARGS="${ADD_PORT} ${ADD_TLS_PORT} ${PUBLISH_PORTS}"
+
+ if [ -n "$CONFDIR" ]; then
+ EXTRA_ARGS="--volume $CONFDIR:/etc/keylime/:z $EXTRA_ARGS"
+ fi
+
+ if [ -n "$CERTDIR" ]; then
+ EXTRA_ARGS="--volume $CERTDIR:/var/lib/keylime/cv_ca:z $EXTRA_ARGS"
+ fi
+
+ limeconRun $NAME $TAG $IP $NETWORK "$EXTRA_ARGS" $COMMAND
 }
 true <<'=cut'
@@ -2223,7 +2301,7 @@ true <<'=cut'
 Container run via podman with specified parameters.
- limeconRunVerifier NAME TAG IP NETWORK
+ limeconRunVerifier NAME TAG IP NETWORK COMMAND [CONFDIR] [CERTDIR] [PORT]
 =item NAME
@@ -2241,6 +2319,23 @@ IP address of container.
 Name of used podman network.
+=item COMMAND
+
+Command to run inside the container.
+
+=item CONFDIR
+
+Directory containing the verifier configuration files.
+
+=item CERTDIR
+
+Local directory containing the certificate files.
+
+=item PORT
+
+The host port to map to the port the verifier will listen for requests.
+If not provided, no mapping will occur
+
 =back
 Returns 0.
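Review bot: The limeconRunRegistrar usage line gains `[CERTDIR]` and the code reads `local CERTDIR=$7`, but the parameter list in this POD block documents only COMMAND, CONFDIR, PORT and TLS_PORT, so a reader counting positions from the doc lands PORT on `$7`. Add an item between CONFDIR and PORT, e.g. `=item CERTDIR` followed by `Local directory containing the trusted CA certificate files, mounted at /var/lib/keylime/cv_ca.`, matching the wording the agent and verifier blocks already use. The registrar's `ADD_TLS_PORT` value and its `local`-less flag variables are covered in the notes on the Dockerfile.registrar and limeconRunAgent hunks.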
@@ -2253,8 +2348,27 @@ limeconRunVerifier() {
 local TAG=$2
 local IP=$3
 local NETWORK=$4
+ local COMMAND=$5
+ local CONFDIR=$6
+ local CERTDIR=$7
+ local PORT=$8
+
+ if [ -n "$PORT" ]; then
+ ADD_PORT="-p $PORT:8881"
+ PUBLISH_PORTS="-P"
+ fi
+
+ local EXTRA_ARGS="${ADD_PORT} ${PUBLISH_PORTS}"
+
+ if [ -n "$CONFDIR" ]; then
+ EXTRA_ARGS="--volume=${CONFDIR}:/etc/keylime/:z"
+ fi
+
+ if [ -n "$CERTDIR" ]; then
+ EXTRA_ARGS="--volume ${CERTDIR}:/var/lib/keylime/cv_ca:z $EXTRA_ARGS"
+ fi
- limeconRun $NAME $TAG $IP $NETWORK "/usr/local/bin/lime_con_start keylime_verifier" "--volume=/etc/keylime/:/etc/keylime/"
+ limeconRun $NAME $TAG $IP $NETWORK "$EXTRA_ARGS" $COMMAND
 }
 true <<'=cut'
diff --git a/Library/test-helpers/lime_con_install_upstream.sh b/Library/test-helpers/lime_con_install_upstream.sh
index 5eebb081..15819165 100644
--- a/Library/test-helpers/lime_con_install_upstream.sh
+++ b/Library/test-helpers/lime_con_install_upstream.sh
@@ -69,11 +69,6 @@ yum -y install keylime-agent-rust
 curl -o /etc/keylime/keylime-agent.conf https://raw.githubusercontent.com/keylime/rust-keylime/master/keylime-agent.conf
 mkdir -p /etc/systemd/system/keylime_agent.service.d
 mkdir -p /etc/keylime/agent.conf.d
-# configure agent to use sha256 in TPM
-cat > /etc/keylime/agent.conf.d/tpm_hash_alg.conf <<_EOF
-[agent]
-tpm_hash_alg = "sha256"
-_EOF
 # fix conf file ownership
 useradd keylime
diff --git a/Library/test-helpers/lime_con_start.sh b/Library/test-helpers/lime_con_start.sh
deleted file mode 100644
index cc22dd2f..00000000
--- a/Library/test-helpers/lime_con_start.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-# runs sshd on a background and then runs program passed as an argument
-/usr/sbin/sshd &> /var/log/sshd &
-# copy cv_ca if mounted
-mkdir -p /mnt/cv_ca
-cp -r /mnt/cv_ca /var/lib/keylime/
-chown -R keylime:keylime /var/lib/keylime/cv_ca
-# run requested program
-RUST_LOG=keylime_agent=trace $( which $1 )
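Review bot: In the CONFDIR branch, `EXTRA_ARGS="--volume=${CONFDIR}:/etc/keylime/:z"` overwrites the `${ADD_PORT} ${PUBLISH_PORTS}` assembled just above instead of prepending to it the way limeconRunRegistrar does, so PORT is silently ignored whenever CONFDIR is given, which is every caller on this page; it should read `EXTRA_ARGS="--volume=${CONFDIR}:/etc/keylime/:z $EXTRA_ARGS"`. Separately, the callers in keylime_ipv6_multihost/test.sh and keylime_verifier_registrar_container-basic-attestation/test.sh pass the host's own `/etc/keylime` as CONFDIR (to limeconRunRegistrar too), and the `:z` suffix relabels that real host directory for shared container access, an SELinux change that outlives the test, while mounting it read-write so the container can alter the host's configuration. Mounting it `:ro`, or staging the needed files into a per-test directory as limeconPrepareAgentConfdir does for the agent, would keep the test from touching host state; at minimum the POD for CONFDIR should warn `the directory is relabelled (:z) and mounted read-write; do not pass a host system directory.`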
diff --git a/container/functional/keylime_agent_container-basic-attestation/test.sh b/container/functional/keylime_agent_container-basic-attestation/test.sh
index 2c91d9ca..0f9dd4da 100755
--- a/container/functional/keylime_agent_container-basic-attestation/test.sh
+++ b/container/functional/keylime_agent_container-basic-attestation/test.sh
@@ -6,7 +6,7 @@
 #tmt -c distro=rhel-9.1 -c agent=rust run plan --default discover -h fmf -t /setup/configure_kernel_ima_module/ima_policy_simple -t /functional/keylime_agent_container-basic-attestation -vv provision --how=connect --guest=testvm --user root prepare execute --how tmt --interactive login finish
 #Machine should have /dev/tpm0 or /dev/tpmrm0 device
-[ -n "$DOCKERFILE_AGENT" ] || DOCKERFILE_AGENT=Dockerfile.upstream.c9s
+[ -n "$AGENT_DOCKERFILE" ] || AGENT_DOCKERFILE=Dockerfile.upstream.c9s
 rlJournalStart
@@ -46,21 +46,20 @@ rlJournalStart
 rlRun "limeWaitForVerifier"
 rlRun "limeStartRegistrar"
 rlRun "limeWaitForRegistrar"
-
+
 CONT_NETWORK_NAME="agent_network"
- rlRun "limeconCreateNetwork ${CONT_NETWORK_NAME} 172.18.0.0/16"
+ rlRun "limeconCreateNetwork ${CONT_NETWORK_NAME} 172.18.0.0/16"
 rlRun "limeUpdateConf agent registrar_ip '\"$SERVER_IP\"'"
 #container image build and preparation
 rlRun "cp -r /var/lib/keylime/cv_ca ."
+ rlAssertExists ./cv_ca/cacert.crt
 IMAGE="agent_image"
- rlRun "limeconPrepareImage ${limeLibraryDir}/$DOCKERFILE_AGENT ${IMAGE}"
+ rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"$AGENT_DOCKERFILE") ${IMAGE}"
 TESTDIR_FIRST=$(limeCreateTestDir)
 TESTDIR_SECOND=$(limeCreateTestDir)
 rlRun "echo -e '#!/bin/bash\necho ok' > $TESTDIR_FIRST/good-script.sh && chmod a+x $TESTDIR_FIRST/good-script.sh"
 rlRun "echo -e '#!/bin/bash\necho ok' > $TESTDIR_SECOND/good-script.sh && chmod a+x $TESTDIR_SECOND/good-script.sh"
- #mandatory for access agent containers to tpm
- rlRun "chmod o+rw /dev/tpmrm0"
 #setup of first agent
 #possible could be automated setup as function together with building
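Review bot: `$(realpath "${limeLibraryDir}"/"$AGENT_DOCKERFILE")` is expanded by the test shell before rlRun sees the string, so when the Dockerfile is missing realpath prints an error and the substitution is empty, and limeconPrepareImage is then invoked with `${IMAGE}` as its DOCKER_FILE and no TAG, which fails later with a misleading podman message; an `rlAssertExists "${limeLibraryDir}/${AGENT_DOCKERFILE}"` before the build, mirroring the new `rlAssertExists ./cv_ca/cacert.crt`, would make the failure explicit. The same expansion appears in the two other test.sh files changed in this commit. Dropping `chmod o+rw /dev/tpmrm0` here and in the other tests removes a world-writable TPM device node, so that part is an improvement worth keeping.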
@@ -70,7 +69,7 @@ rlJournalStart
 rlRun "limeconPrepareAgentConfdir $AGENT_ID_FIRST $IP_AGENT_FIRST confdir_$CONT_AGENT_FIRST"
 #run of first agent
- rlRun "limeconRunAgent $CONT_AGENT_FIRST $IMAGE $IP_AGENT_FIRST $CONT_NETWORK_NAME $PWD/confdir_$CONT_AGENT_FIRST $TESTDIR_FIRST"
+ rlRun "limeconRunAgent $CONT_AGENT_FIRST $IMAGE $IP_AGENT_FIRST $CONT_NETWORK_NAME $TESTDIR_FIRST keylime_agent $PWD/confdir_$CONT_AGENT_FIRST $PWD/cv_ca"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID_FIRST}"
 #setup of second agent
@@ -80,7 +79,7 @@ rlJournalStart
 rlRun "limeconPrepareAgentConfdir $AGENT_ID_SECOND $IP_AGENT_SECOND confdir_$CONT_AGENT_SECOND"
 #run of second agent
- rlRun "limeconRunAgent $CONT_AGENT_SECOND $IMAGE $IP_AGENT_SECOND $CONT_NETWORK_NAME $PWD/confdir_$CONT_AGENT_SECOND $TESTDIR_SECOND"
+ rlRun "limeconRunAgent $CONT_AGENT_SECOND $IMAGE $IP_AGENT_SECOND $CONT_NETWORK_NAME $TESTDIR_SECOND keylime_agent $PWD/confdir_$CONT_AGENT_SECOND $PWD/cv_ca"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID_SECOND}"
 # create allowlist and excludelist for each agent
diff --git a/container/functional/keylime_ipv6_multihost/test.sh b/container/functional/keylime_ipv6_multihost/test.sh
index d7f8b8de..dc95a274 100755
--- a/container/functional/keylime_ipv6_multihost/test.sh
+++ b/container/functional/keylime_ipv6_multihost/test.sh
@@ -7,6 +7,10 @@ HTTP_SERVER_PORT=8080
 # set REVOCATION_NOTIFIER=zeromq to use the zeromq notifier
 [ -n "$REVOCATION_NOTIFIER" ] || REVOCATION_NOTIFIER=agent
+[ -n "$VERIFIER_DOCKERFILE" ] || VERIFIER_DOCKERFILE=Dockerfile.upstream.c9s
+[ -n "$REGISTRAR_DOCKERFILE" ] || REGISTRAR_DOCKERFILE=Dockerfile.upstream.c9s
+[ -n "$AGENT_DOCKERFILE" ] || AGENT_DOCKERFILE=Dockerfile.upstream.c9s
+
 rlJournalStart
 rlPhaseStartSetup "Do the keylime setup"
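Review bot: Both limeconRunAgent calls pass `$PWD/cv_ca` as CERTDIR, which is the full copy of `/var/lib/keylime/cv_ca` made earlier in this test (presumably holding the CA's private material next to `cacert.crt`, though that is not visible here), and limeconRunAgent bind-mounts it into a `--privileged` container and runs `chown -R keylime:keylime` over it, so the agent container can read everything in it and the ownership of the host copy is changed as a side effect. If the agent only needs the CA certificate, as the new `rlAssertExists ./cv_ca/cacert.crt` check and the `cp cv_ca/cacert.crt .` in keylime_ipv6_multihost/test.sh suggest, staging just `cacert.crt` into a dedicated directory and passing that as CERTDIR would limit what the agent container is given; the same call shape appears in the limeconRunAgent lines of keylime_ipv6_multihost/test.sh and keylime_verifier_registrar_container-basic-attestation/test.sh. Note also that the second call reuses whatever `ADD_PORT`/`PUBLISH_PORTS` the first left behind, since those variables are not local in limeconRunAgent.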
@@ -36,11 +40,11 @@ rlJournalStart
 #build verifier container
 TAG_VERIFIER="verifier_image"
- rlRun "limeconPrepareImage ${limeLibraryDir}/${DOCKERFILE_VERIFIER} ${TAG_VERIFIER}"
+ rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"${VERIFIER_DOCKERFILE}") ${TAG_VERIFIER}"
 #build registrar container
 TAG_REGISTRAR="registrar_image"
- rlRun "limeconPrepareImage ${limeLibraryDir}/${DOCKERFILE_REGISTRAR} ${TAG_REGISTRAR}"
+ rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"${REGISTRAR_DOCKERFILE}") ${TAG_REGISTRAR}"
 # if TPM emulator is present
 if limeTPMEmulated; then
@@ -53,12 +57,9 @@ rlJournalStart
 rlRun "limeStartIMAEmulator"
 fi
- #mandatory for access agent containers to tpm
- rlRun "chmod o+rw /dev/tpmrm0"
-
 #run verifier container
 CONT_VERIFIER="verifier_container"
- rlRun "limeconRunVerifier $CONT_VERIFIER $TAG_VERIFIER $IP_VERIFIER $CONT_NETWORK_NAME"
+ rlRun "limeconRunVerifier $CONT_VERIFIER $TAG_VERIFIER $IP_VERIFIER $CONT_NETWORK_NAME keylime_verifier /etc/keylime"
 rlRun "limeWaitForVerifier 8881 $IP_VERIFIER"
 #wait for generating of certs
 sleep 5
@@ -69,7 +70,7 @@ rlJournalStart
 #run registrar container
 CONT_REGISTRAR="registrar_container"
- rlRun "limeconRunRegistrar $CONT_REGISTRAR $TAG_REGISTRAR $IP_REGISTRAR $CONT_NETWORK_NAME"
+ rlRun "limeconRunRegistrar $CONT_REGISTRAR $TAG_REGISTRAR $IP_REGISTRAR $CONT_NETWORK_NAME keylime_registrar /etc/keylime $(realpath ./cv_ca)"
 rlRun "limeWaitForRegistrar 8891 $IP_REGISTRAR"
 # tenant
@@ -81,7 +82,7 @@ rlJournalStart
 TAG_AGENT="agent_image"
 CONT_AGENT="agent_container"
 rlRun "cp cv_ca/cacert.crt ."
- rlRun "limeconPrepareImage ${limeLibraryDir}/${DOCKERFILE_AGENT} ${TAG_AGENT}"
+ rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"${AGENT_DOCKERFILE}") ${TAG_AGENT}"
 rlRun "limeUpdateConf agent registrar_ip '\"[$IP_REGISTRAR]\"'"
 rlRun "limeconPrepareAgentConfdir $AGENT_ID $IP_AGENT confdir_$CONT_AGENT"
@@ -92,7 +93,7 @@ rlJournalStart
 # create allowlist and excludelist
 rlRun "limeCreateTestPolicy ${TESTDIR}/*"
- rlRun "limeconRunAgent $CONT_AGENT $TAG_AGENT '2001:db8:8000::' $CONT_NETWORK_NAME $PWD/confdir_$CONT_AGENT $TESTDIR"
+ rlRun "limeconRunAgent $CONT_AGENT $TAG_AGENT '2001:db8:8000::' $CONT_NETWORK_NAME $TESTDIR keylime_agent $PWD/confdir_$CONT_AGENT $(realpath ./cv_ca)"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
 rlRun "podman exec -t $CONT_AGENT chmod a+r /etc/keylime/agent.conf"
 rlRun "podman exec -t $CONT_AGENT dnf install -y python3-toml"
diff --git a/container/functional/keylime_verifier_registrar_container-basic-attestation/main.fmf b/container/functional/keylime_verifier_registrar_container-basic-attestation/main.fmf
index b9bc43be..b3d816ad 100644
--- a/container/functional/keylime_verifier_registrar_container-basic-attestation/main.fmf
+++ b/container/functional/keylime_verifier_registrar_container-basic-attestation/main.fmf
@@ -26,4 +26,4 @@ recommend:
 duration: 10m
 enabled: true
 extra-nitrate: TC#0614624
-id: d36f0263-0c8a-4615-bdf4-7b80bf870fe3
\ No newline at end of file
+id: d36f0263-0c8a-4615-bdf4-7b80bf870fe3
diff --git a/container/functional/keylime_verifier_registrar_container-basic-attestation/test.sh b/container/functional/keylime_verifier_registrar_container-basic-attestation/test.sh
index c468ba1b..7d84993f 100755
--- a/container/functional/keylime_verifier_registrar_container-basic-attestation/test.sh
+++ b/container/functional/keylime_verifier_registrar_container-basic-attestation/test.sh
@@ -7,9 +7,9 @@
 #Machine should have /dev/tpm0 or /dev/tpmrm0 device
 AGENT_ID="d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
-[ -n "$DOCKERFILE_VERIFIER" ] || DOCKERFILE_VERIFIER=Dockerfile.upstream.c9s
-[ -n "$DOCKERFILE_REGISTRAR" ] || DOCKERFILE_REGISTRAR=Dockerfile.upstream.c9s
-[ -n "$DOCKERFILE_AGENT" ] || DOCKERFILE_AGENT=Dockerfile.upstream.c9s
+[ -n "$VERIFIER_DOCKERFILE" ] || VERIFIER_DOCKERFILE=Dockerfile.upstream.c9s
+[ -n "$REGISTRAR_DOCKERFILE" ] || REGISTRAR_DOCKERFILE=Dockerfile.upstream.c9s
+[ -n "$AGENT_DOCKERFILE" ] || AGENT_DOCKERFILE=Dockerfile.upstream.c9s
 rlJournalStart
@@ -36,11 +36,11 @@ rlJournalStart
 #build verifier container
 TAG_VERIFIER="verifier_image"
- rlRun "limeconPrepareImage ${limeLibraryDir}/${DOCKERFILE_VERIFIER} ${TAG_VERIFIER}"
+ rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"${VERIFIER_DOCKERFILE}") ${TAG_VERIFIER}"
 #build registrar container
 TAG_REGISTRAR="registrar_image"
- rlRun "limeconPrepareImage ${limeLibraryDir}/${DOCKERFILE_REGISTRAR} ${TAG_REGISTRAR}"
+ rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"${REGISTRAR_DOCKERFILE}") ${TAG_REGISTRAR}"
 # if TPM emulator is present
 if limeTPMEmulated; then
@@ -54,12 +54,9 @@ rlJournalStart
 fi
 sleep 5
- #mandatory for access agent containers to tpm
- rlRun "chmod o+rw /dev/tpmrm0"
-
 #run verifier container
 CONT_VERIFIER="verifier_container"
- rlRun "limeconRunVerifier $CONT_VERIFIER $TAG_VERIFIER $IP_VERIFIER $CONT_NETWORK_NAME"
+ rlRun "limeconRunVerifier $CONT_VERIFIER $TAG_VERIFIER $IP_VERIFIER $CONT_NETWORK_NAME keylime_verifier /etc/keylime"
 rlRun "limeWaitForVerifier 8881 $IP_VERIFIER"
 #wait for generating of certs
 sleep 5
@@ -70,7 +67,7 @@ rlJournalStart
 #run registrar container
 CONT_REGISTRAR="registrar_container"
- rlRun "limeconRunRegistrar $CONT_REGISTRAR $TAG_REGISTRAR $IP_REGISTRAR $CONT_NETWORK_NAME"
+ rlRun "limeconRunRegistrar $CONT_REGISTRAR $TAG_REGISTRAR $IP_REGISTRAR $CONT_NETWORK_NAME keylime_registrar /etc/keylime $(realpath ./cv_ca)"
 rlRun "limeWaitForRegistrar 8891 $IP_REGISTRAR"
 # tenant
@@ -81,7 +78,7 @@ rlJournalStart
 #setup of agent
 TAG_AGENT="agent_image"
 CONT_AGENT="agent_container"
- rlRun "limeconPrepareImage ${limeLibraryDir}/${DOCKERFILE_AGENT} ${TAG_AGENT}"
+ rlRun "limeconPrepareImage $(realpath "${limeLibraryDir}"/"${AGENT_DOCKERFILE}") ${TAG_AGENT}"
 rlRun "limeUpdateConf agent registrar_ip '\"$IP_REGISTRAR\"'"
 rlRun "limeconPrepareAgentConfdir $AGENT_ID $IP_AGENT confdir_$CONT_AGENT"
@@ -92,7 +89,7 @@ rlJournalStart
 # create allowlist and excludelist
 rlRun "limeCreateTestPolicy ${TESTDIR}/*"
- rlRun "limeconRunAgent $CONT_AGENT $TAG_AGENT $IP_AGENT $CONT_NETWORK_NAME $PWD/confdir_$CONT_AGENT $TESTDIR"
+ rlRun "limeconRunAgent $CONT_AGENT $TAG_AGENT $IP_AGENT $CONT_NETWORK_NAME $TESTDIR keylime_agent $PWD/confdir_$CONT_AGENT $(realpath ./cv_ca)"
 rlRun "limeWaitForAgentRegistration ${AGENT_ID}"
 rlPhaseEnd
diff --git a/plans/upstream-keylime-swtpm-dev.fmf b/plans/upstream-keylime-swtpm-dev.fmf
index 7a416b48..7bf6e88d 100644
--- a/plans/upstream-keylime-swtpm-dev.fmf
+++ b/plans/upstream-keylime-swtpm-dev.fmf
@@ -4,9 +4,9 @@ summary:
 environment+:
 TPM_BINARY_MEASUREMENTS: /var/tmp/binary_bios_measurements
 KEYLIME_RUST_CODE_COVERAGE: 1
- DOCKERFILE_AGENT: Dockerfile.upstream.c9s
- DOCKERFILE_VERIFIER: Dockerfile.upstream.c9s
- DOCKERFILE_REGISTRAR: Dockerfile.upstream.c9s
+ AGENT_DOCKERFILE: Dockerfile.upstream.c9s
+ VERIFIER_DOCKERFILE: Dockerfile.upstream.c9s
+ REGISTRAR_DOCKERFILE: Dockerfile.upstream.c9s
 discover:
 how: fmf