Working on CI

2025-02-03 09:41:07 +00:00 · 2024-07-10 13:15:40 -04:00 · 2024-07-10 13:15:40 -04:00 · 5b5a8121c4
commit 5b5a8121c4
parent ac12e75403
8 changed files with 216 additions and 113 deletions
--- a/.ci/docker/docker-compose-system-test.yml
+++ b/.ci/docker/docker-compose-system-test.yml
@ -7,6 +7,7 @@ services:
      command: ["bash", "-c", "tail -f /dev/null;"]
      ports:
         - "${HIRS_ACA_PORTAL_PORT}:${HIRS_ACA_PORTAL_CONTAINER_PORT}"
+         - 9123:9123
      hostname: ${HIRS_ACA_HOSTNAME}
      networks:
         hirs_aca_system_tests:
@ -21,7 +22,7 @@ services:
         - aca
      volumes:
         - ../../:/HIRS
-      command: ["bash", "-c", "/ibmswtpm2/src/tpm_server && tail -f /dev/null"]
+      command: ["bash", "-c", "tail -f /dev/null"]
      networks:
         hirs_aca_system_tests:
            ipv4_address: ${HIRS_ACA_PROVISIONER_TPM2_IP}
@ -32,4 +33,4 @@ networks:
      ipam:
         driver: default
         config:
-            - subnet: ${HIRS_SUBNET}
+            - subnet: ${HIRS_SUBNET}
--- a/.ci/setup/container/setup_tpm2provisioner_dotnet.sh
+++ b/.ci/setup/container/setup_tpm2provisioner_dotnet.sh
@ -4,7 +4,8 @@
 #########################################################################################

 # Setting configurations
-. ./.ci/docker/.env
+. /HIRS/.ci/docker/.env
+source /HIRS/.ci/setup/container/tpm2_common.sh

 set -a

@ -12,112 +13,17 @@ set -e
 echo "*** Setting up TPM emulator for the TPM2 Provisioner *** "

 # Wait for ACA to boot
-echo "*** Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
-  until [ "`curl --silent -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep 'HTTP/1.1 200'`" != "" ]; do
-    sleep 1;
-  done
-  echo "*** ACA is up!"
+waitForAca

 ## Un-package Provisioner.NET RPM
 yes | dnf install HIRS_Provisioner.NET/hirs/bin/Release/net6.0/linux-x64/HIRS_Provisioner.NET.2.2.0.linux-x64.rpm -y > /dev/null

 # Initiate startup for IBMTSS Tools
-pushd /ibmtss/utils
-tpm2_startup -T mssim -c &
-sleep 5
-tpm2_nvdefine -T mssim -C o -a 0x2000A -s $(cat /hirs/.ci/setup/certs/ek_cert.der | wc -c) 0x1c00002
-tpm2_nvwrite -T mssim -C o -i /hirs/.ci/setup/certs/ek_cert.der 0x1c00002
-popd
+startFreshTpmServer -f
+startupTpm
+installEkCert

-# Writing to Provisioner.Net configurations file for modified aca port and efi prefix
-cat <<APPSETTINGS_FILE > /usr/share/hirs/appsettings.json
-{
-  "auto_detect_tpm":  "TRUE",
-  "aca_address_port": "https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}",
-  "efi_prefix": "/ci_test/boot/efi",
-  "paccor_output_file": "",
-  "event_log_file":  "",
-  "hardware_manifest_collectors": "paccor_scripts",
-
-  "Serilog": {
-    "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
-    "Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
-    "MinimumLevel": {
-      "Default": "Debug",
-      "Override": {
-        "Microsoft": "Warning",
-        "System": "Warning"
-      }
-    },
-    "WriteTo": [
-      {
-        "Name": "Console",
-        "Args": {
-          "outputTemplate": "{Message}{NewLine}",
-          "theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
-          "restrictedToMinimumLevel": "Information"
-        }
-      },
-      {
-        "Name": "File",
-        "Args": {
-          "path": "hirs.log",
-          "rollingInterval": "Day",
-          "retainedFileCountLimit": 5
-        }
-      }
-    ]
-  }
-}
-APPSETTINGS_FILE
-cp /usr/share/hirs/appsettings.json /usr/share/hirs/appsettings_default.json
-cat <<APPSETTINGS_FILE_HW > /usr/share/hirs/appsettings_hw.json
-{
-  "auto_detect_tpm":  "TRUE",
-  "aca_address_port": "https://172.19.0.2:8443",
-  "efi_prefix": "/ci_test/boot/efi",
-  "paccor_output_file": "/ci_test/hw.json",
-  "event_log_file":  "/ci_test/binary_bios_measurements",
-  "hardware_manifest_collectors": "",
-  "linux_bios_vendor_file": "/ci_test/dmi/id/bios_vendor",
-  "linux_bios_version_file": "/ci_test/dmi/id/bios_version",
-  "linux_bios_date_file": "/ci_test/dmi/id/bios_date",
-  "linux_sys_vendor_file": "/ci_test/dmi/id/sys_vendor",
-  "linux_product_name_file": "/ci_test/dmi/id/product_name",
-  "linux_product_version_file": "/ci_test/dmi/id/product_version",
-  "linux_product_serial_file": "/ci_test/dmi/id/product_serial",
-
-  "Serilog": {
-    "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
-    "Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
-    "MinimumLevel": {
-      "Default": "Debug",
-      "Override": {
-        "Microsoft": "Warning",
-        "System": "Warning"
-      }
-    },
-    "WriteTo": [
-      {
-        "Name": "Console",
-        "Args": {
-          "outputTemplate": "{Message}{NewLine}",
-          "theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
-          "restrictedToMinimumLevel": "Information"
-        }
-      },
-      {
-        "Name": "File",
-        "Args": {
-          "path": "hirs.log",
-          "rollingInterval": "Day",
-          "retainedFileCountLimit": 5
-        }
-      }
-    ]
-  }
-}
-APPSETTINGS_FILE_HW
+setCiHirsAppsettingsFile

 # Triggering a single provision for test
 echo "==========="
--- a/.ci/setup/container/tpm2_common.sh
+++ b/.ci/setup/container/tpm2_common.sh
@ -149,12 +149,198 @@ DEFAULT_SITE_CONFIG_FILE
   cat /etc/hirs/hirs-site.config
 }

+# Function to update the hirs-site.config file
+function setCiHirsAppsettingsFile {
+  # Setting configurations
+  . /HIRS/.ci/docker/.env
+
+  HIRS_APPSETTINGS_FILE="/usr/share/hirs/appsettings.json"
+  ACA_ADDRESS="https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}"
+  EFI_PREFIX_PATH="/ci_test/boot/efi"
+  PACCOR_OUTPUT_FILE=""
+  EVENT_LOG_FILE=""
+  HARDWARE_MANIFEST_COLLECTORS="paccor_scripts"
+
+  # Process parameters Argument handling 
+  POSITIONAL_ARGS=()
+  ORIGINAL_ARGS=("$@")
+  while [[ $# -gt 0 ]]; do
+    case $1 in
+      --aca-address)
+        shift # past argument
+        ACA_ADDRESS=$1
+        shift # past parameter
+        ;;
+      --efi-prefix)
+        shift # past argument
+        EFI_PREFIX_PATH=$1
+	shift # past parameter
+        ;;
+      --paccor-output-file)
+        shift # past argument
+	PACCOR_OUTPUT_FILE=$1
+	HARDWARE_MANIFEST_COLLECTORS=""
+        shift # past parameter
+        ;;
+      --event-log-file)
+        shift # past argument
+        EVENT_LOG_FILE=$1
+        shift # past argument
+        ;;
+      --linux-dmi)
+	USE_LINUX_DMI=YES
+	shift # past argument
+	;;
+    -*|--*)
+        echo "setCiHirsAppsettingsFile: Unknown option $1"
+        shift # past argument
+        ;;
+      *)
+       POSITIONAL_ARGS+=("$1") # save positional arg
+       # shift # past argument
+       break
+        ;;
+    esac
+  done
+  echo ""
+  echo "===========Updating ${HIRS_APPSETTINGS_FILE}, using values from /HIRS/.ci/docker/.env file...==========="
+
+  cat <<DEFAULT_APPSETTINGS_FILE > $HIRS_APPSETTINGS_FILE
+{
+  "auto_detect_tpm":  "TRUE",
+  "aca_address_port": "$ACA_ADDRESS",
+  "efi_prefix": "$EFI_PREFIX_PATH",
+  "paccor_output_file": "$PACCOR_OUTPUT_FILE",
+  "event_log_file": "$EVENT_LOG_FILE",
+  "hardware_manifest_collectors": "$HARDWARE_MANIFEST_COLLECTORS",
+DEFAULT_APPSETTINGS_FILE
+  if [ "$USE_LINUX_DMI" = YES ]; then
+    cat <<DEFAULT_APPSETTINGS_FILE >> $HIRS_APPSETTINGS_FILE
+  "linux_bios_vendor_file": "/ci_test/dmi/id/bios_vendor",
+  "linux_bios_version_file": "/ci_test/dmi/id/bios_version",
+  "linux_bios_date_file": "/ci_test/dmi/id/bios_date",
+  "linux_sys_vendor_file": "/ci_test/dmi/id/sys_vendor",
+  "linux_product_name_file": "/ci_test/dmi/id/product_name",
+  "linux_product_version_file": "/ci_test/dmi/id/product_version",
+  "linux_product_serial_file": "/ci_test/dmi/id/product_serial",
+DEFAULT_APPSETTINGS_FILE
+  fi
+  cat <<DEFAULT_APPSETTINGS_FILE >> $HIRS_APPSETTINGS_FILE
+  "Serilog": {
+    "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
+    "Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
+    "MinimumLevel": {
+      "Default": "Debug",
+      "Override": {
+        "Microsoft": "Warning",
+        "System": "Warning"
+      }
+    },
+    "WriteTo": [
+      {
+        "Name": "Console",
+        "Args": {
+          "outputTemplate": "{Message}{NewLine}",
+          "theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
+          "restrictedToMinimumLevel": "Information"
+        }
+      },
+      {
+        "Name": "File",
+        "Args": {
+          "path": "hirs.log",
+          "rollingInterval": "Day",
+          "retainedFileCountLimit": 5
+        }
+      }
+    ]
+  }
+}
+DEFAULT_APPSETTINGS_FILE
+}
+
+# These functions work on the tpm2provisioner_dotnet image 
+# They assume the IBM sw tpm server repo is cloned to /ibmswtpm2
+# They assume the IBM tss repo is cloned to /ibmtss
+# They assume tpm2-tools are installed.
+# They assume the HIRS repo is cloned to /hirs.
+function startFreshTpmServer {
+  # Process parameters Argument handling 
+  POSITIONAL_ARGS=()
+  ORIGINAL_ARGS=("$@")
+  while [[ $# -gt 0 ]]; do
+    case $1 in
+      -f|--force|--restart)
+	echo "Forcing a restart of the TPM server."
+	stopTpmServer
+	sleep 5
+	shift # past argument
+	;;
+    -*|--*)
+        echo "setCiHirsAppsettingsFile: Unknown option $1"
+        shift # past argument
+        ;;
+      *)
+       POSITIONAL_ARGS+=("$1") # save positional arg
+       # shift # past argument
+       break
+        ;;
+    esac
+  done
+
+  if isTpmServerRunning ; then
+    echo "TPM server already running."
+  else
+    echo -n "Starting TPM server..."
+    /ibmswtpm2/src/tpm_server -rm &> /dev/null &
+    sleep 5
+    pid=$(findTpmServerPid)
+    echo "...running with pid: $pid"
+  fi
+}
+
+function startupTpm {
+  echo "Running tpm2_startup"
+  tpm2_startup -T mssim -c
+  sleep 5
+}
+
+function installEkCert {
+  echo "Installing EK Cert /hirs/.ci/setup/certs/ek_cert.der into TPM NVRAM at index 0x1c00002"
+  tpm2_nvdefine -T mssim -C o -a 0x2000A -s $(cat /hirs/.ci/setup/certs/ek_cert.der | wc -c) 0x1c00002
+  tpm2_nvwrite -T mssim -C o -i /hirs/.ci/setup/certs/ek_cert.der 0x1c00002
+  echo "Finished installing EK cert."
+}
+
+function findTpmServerPid {
+  pid=$(pgrep -f /ibmswtpm2/src/tpm_server 2> /dev/null)
+  echo -n "$pid"
+}
+
+# ex usage: isTpmServerRunning && echo "up" || echo "down"
+function isTpmServerRunning {
+  tpmUp=$(findTpmServerPid)
+  if [ -n "$tpmUp" ]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+function stopTpmServer {
+  tpmUp=$(findTpmServerPid)
+  if [ -n "$tpmUp" ]; then
+    echo "Stopping TPM server with pid: $tpmUp"
+    kill -9 $tpmUp
+  fi
+}
+
 # Wait for ACA to boot
 function waitForAca {
  echo "Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${HIRS_ACA_PORTAL_PORT} ..."
-  until [ "`curl --silent --connect-timeout 1 -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep '302 Found'`" != "" ]; do
+  until [ "`curl --silent -I -k https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal | grep 'HTTP/1.1 200'`" != "" ]; do
    sleep 1;
-  #echo "Checking on the ACA..."
  done
  echo "ACA is up!"
 }
+
--- a/.ci/system-tests/container/rim_setup.sh
+++ b/.ci/system-tests/container/rim_setup.sh
--- a/.ci/system-tests/setup_system_tests.sh
+++ b/.ci/system-tests/setup_system_tests.sh
@ -18,16 +18,18 @@ docker exec $aca_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
                                  && echo 'ACA Container Current Branch: ' && git branch \
                                  && /hirs/package/linux/aca/aca_setup.sh --unattended 1> /dev/null \
                                  && /tmp/hirs_add_aca_tls_path_to_os.sh 1> /dev/null \
-                                  && /hirs/package/linux/aca/aca_bootRun.sh 1> /dev/null" &
+                                  && /hirs/package/linux/aca/aca_bootRun.sh -d 1> /dev/null" &

 # Switching to current/desired branch in Provisioner Container
 docker exec $tpm2_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
                                   && echo 'Provisioner Container Current Branch: ' && git branch"
-
+			  
+echo "Copying temporary changes to files in $tpm2_container"
+docker cp ./.ci/setup/container/setup_tpm2provisioner_dotnet.sh $tpm2_container:/hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh
 # Install HIRS Provisioner.Net and setup tpm2 simulator.
 # In doing so, tests a single provision between Provisioner.Net and ACA.
 echo "Launching provisioner setup"
 docker exec $tpm2_container sh /hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh

 # Initiating System Tests
-echo "******** Setup Complete. Beginning HIRS System Tests. ******** "
+echo "******** Setup Complete. Beginning HIRS System Tests. ******** "
--- a/.ci/system-tests/sys_test_common.sh
+++ b/.ci/system-tests/sys_test_common.sh
@ -106,6 +106,10 @@ provisionTpm2() {
  fi
 }

+resetTpmForNewTest() {
+  docker exec $tpm2_container -it bash -c "source /hirs/.ci/setup/container/tpm2_common.sh; startFreshTpmServer -f; startupTpm; installEkCert"
+}
+
 # Places platform cert(s) held in the test folder(s) in the provisioners tcg folder
 # setPlatCert <profile> <test>
 setPlatformCerts() {
@ -120,8 +124,9 @@ docker exec $tpm2_container sh /hirs/.ci/system-tests/container/rim_setup.sh $1
 #docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer"
 }

-setPlatformOutput() {
-    docker exec $tpm2_container cp /usr/share/hirs/appsettings_hw.json /usr/share/hirs/appsettings.json
+setAppsettings() {
+  OPTIONS=$@
+  docker exec $tpm2_container -it bash -c "source /hirs/.ci/setup/container/tpm2_common.sh; setCiHirsAppsettingsFile $OPTIONS"
 }

 # Writes to the Action ouput, ACA log, and Provisioner Log
--- a/.ci/system-tests/tests/aca_policy_tests.sh
+++ b/.ci/system-tests/tests/aca_policy_tests.sh
@ -24,6 +24,7 @@ esac

 if [ "$test" = "1" ] || [ "$test" = "all" ]; then
    writeToLogs "### ACA POLICY TEST 1: Test ACA default policy  ###"
+    writeToLogs "Now using default appsettings"
    setPlatformCerts "laptop" "empty"
    provisionTpm2 "pass"
 fi
@ -57,11 +58,12 @@ if [ "$test" = "6" ] || [ "$test" = "all" ]; then
 fi
 if [ "$test" = "7" ] || [ "$test" = "all" ]; then
    writeToLogs "### ACA POLICY TEST 7: Test PC Validation Policy with valid PC with Attribute Check ###"
+    writeToLog "Now using appsettings with hardware information"
    clearAcaDb
    setPolicyEkPc
    uploadTrustedCerts
    setPlatformCerts "laptop" "default"
-    setPlatformOutput
+    setAppsettings --paccor-output-file /ci_test/hw.json --event-log-file /ci_test/binary_bios_measurements --linux-dmi
    provisionTpm2 "pass"
 fi
 if [ "$test" = "8" ] || [ "$test" = "all" ]; then
@ -80,4 +82,4 @@ if [[ $failedTests != 0 ]]; then
    echo "****  $failedTests out of $totalTests ACA Policy Tests Failed! ****"
  else
    echo "****  $totalTests ACA Policy Tests Passed! ****"
-fi
+fi
--- a/.ci/system-tests/tests/rim_system_tests.sh
+++ b/.ci/system-tests/tests/rim_system_tests.sh
@ -21,6 +21,7 @@ esac
 if [ "$test" = "1" ] || [ "$test" = "all" ]; then
    writeToLogs "### ACA RIM TEST 1: Test a RIM from an OEM and a Supplemental RIM from a VAR ###"
    clearAcaDb
+    resetTpmForNewTest
    uploadTrustedCerts
    setPolicyEkPcFw
    setPlatformCerts "laptop" "varOsInstall"
@ -52,4 +53,4 @@ if [[ $failedTests != 0 ]]; then
    echo "****  $failedTests out of $totalTests ACA RIM Tests Failed! ****"
  else
    echo "****  $totalTests ACA RIM Tests Passed! ****"
-fi
+fi