diff --git a/.ci/docker/Dockerfile.tpm2provisioner-dotnet-ci b/.ci/docker/Dockerfile.tpm2provisioner-dotnet-ci index ebd81ef5..88119e23 100644 --- a/.ci/docker/Dockerfile.tpm2provisioner-dotnet-ci +++ b/.ci/docker/Dockerfile.tpm2provisioner-dotnet-ci @@ -5,13 +5,10 @@ LABEL org.opencontainers.image.description Tools for testing the build and deplo # Purpose: This image is designed for HIRS Provisioner.Net testing on Rocky 9. It is meant to be used in # the .ci, and does not automatically start the Provisioner upon running the container. -# Date Modified: 4/15/24 +# Date Modified: 5/31/24 # Notes: The image to be built should be named "tpm2provisioner-dotnet-ci:latest". # For local image build, use this command from the /HIRS/ directory to build the image: # $ docker build -f ./.ci/docker/Dockerfile.tpm2provisioner_dotnet -t tpm2provisioner-dotnet-ci:latest . -# For manually running the Provisioner.Net using the TPM Simulator, first ensure that an ACA -# is running on port 8443. Then, run the setup script within this container using this command: -# $ ./.ci/setup/container/setup_tpm2provisioner_dotnet.sh # REF can be specified as a docker run environment variable to select the HIRS branch to work with ENV REF=main @@ -97,8 +94,4 @@ RUN echo "#!/bin/bash" > /tmp/auto_clone_branch && \ chmod 755 /tmp/auto_clone_branch # Reset working directory -WORKDIR /hirs - -# Copy script for running TPM Simulator -COPY ./.ci/setup/container/setup_tpm2provisioner_dotnet.sh /.ci/setup/container/ -RUN chmod 755 /.ci/setup/container/setup_tpm2provisioner_dotnet.sh \ No newline at end of file +WORKDIR /hirs \ No newline at end of file diff --git a/.ci/docker/docker-compose-system-test.yml b/.ci/docker/docker-compose-system-test.yml index 3413e91a..fa6a5af1 100644 --- a/.ci/docker/docker-compose-system-test.yml +++ b/.ci/docker/docker-compose-system-test.yml 
@@ -21,7 +21,7 @@ services: - aca volumes: - ../../:/HIRS - command: ["bash", "-c", "tail -f /dev/null;"] + command: ["bash", "-c", "/ibmswtpm2/src/tpm_server && tail -f /dev/null"] networks: hirs_aca_system_tests: ipv4_address: ${HIRS_ACA_PROVISIONER_TPM2_IP} diff --git a/.ci/setup/container/setup_tpm2provisioner_dotnet.sh b/.ci/setup/container/setup_tpm2provisioner_dotnet.sh old mode 100644 new mode 100755 index eb399124..6ccb9055 --- a/.ci/setup/container/setup_tpm2provisioner_dotnet.sh +++ b/.ci/setup/container/setup_tpm2provisioner_dotnet.sh 
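Review bot: In the new `command`, `tail -f /dev/null` can only run after `/ibmswtpm2/src/tpm_server` exits with status 0, so it no longer keeps the container alive the way the old line did; the container now lives exactly as long as the simulator. If that is intended, drop `&& tail -f /dev/null`. If the container should outlive a simulator crash so its logs can still be collected, start the server in the background instead, e.g. `"/ibmswtpm2/src/tpm_server & tail -f /dev/null"`. The service definition starts outside this hunk.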
@@ -18,27 +18,23 @@ echo "*** Waiting for ACA to spin up at address ${HIRS_ACA_PORTAL_IP} on port ${ done echo "*** ACA is up!" -# Un-package Provisioner.NET RPM -cd / -yes | dnf install /hirs/HIRS_Provisioner.NET/hirs/bin/Release/net6.0/linux-x64/HIRS_Provisioner.NET.2.2.0.linux-x64.rpm 1> /dev/null +## Un-package Provisioner.NET RPM +yes | dnf install HIRS_Provisioner.NET/hirs/bin/Release/net6.0/linux-x64/HIRS_Provisioner.NET.2.2.0.linux-x64.rpm -y > /dev/null -# Start TPM simulator server -./ibmswtpm2/src/tpm_server 1> /dev/null & -echo "*** TPM Simulator Server has started" - -# Create EK Certificate -cd /ibmtss/utils || exit -./startup 1> /dev/null -./createekcert -rsa 2048 -cakey cakey.pem -capwd rrrr -v 1> /dev/null -cd / || exit -echo "*** EK certificate has been created using IBMTSS CA Key" +# Initiate startup for IBMTSS Tools +pushd /ibmtss/utils +tpm2_startup -T mssim -c & +sleep 5 +tpm2_nvdefine -T mssim -C o -a 0x2000A -s $(cat /hirs/.ci/setup/certs/ek_cert.der | wc -c) 0x1c00002 +tpm2_nvwrite -T mssim -C o -i /hirs/.ci/setup/certs/ek_cert.der 0x1c00002 +popd # Writing to Provisioner.Net configurations file for modified aca port and efi prefix cat < /usr/share/hirs/appsettings.json { "auto_detect_tpm": "TRUE", "aca_address_port": "https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}", - "efi_prefix": "/boot/efi", + "efi_prefix": "/ci_test/boot/efi", "paccor_output_file": "", "event_log_file": "", "hardware_manifest_collectors": "paccor_scripts", 
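Review bot: The TPM preparation block runs `tpm2_startup -T mssim -c &` in the background and then relies on `sleep 5`, and none of the three tpm2 commands has its exit status checked, so a slow or failed startup leaves NV index 0x1c00002 without the EK certificate while the script carries on. Policy tests that expect provisioning to fail could then be satisfied by a broken setup rather than by the ACA's decision. Run the startup in the foreground and stop on error, for example `tpm2_startup -T mssim -c || exit 1`, and guard `tpm2_nvdefine` and `tpm2_nvwrite` the same way. The `yes |` in front of `dnf install ... -y` is redundant now that `-y` is passed. The script starts and ends outside this hunk.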
@@ -74,10 +70,57 @@ cat < /usr/share/hirs/appsettings.json } } APPSETTINGS_FILE +cp /usr/share/hirs/appsettings.json /usr/share/hirs/appsettings_default.json +cat < /usr/share/hirs/appsettings_hw.json +{ + "auto_detect_tpm": "TRUE", + "aca_address_port": "https://172.19.0.2:8443", + "efi_prefix": "/ci_test/boot/efi", + "paccor_output_file": "/ci_test/hw.json", + "event_log_file": "/ci_test/binary_bios_measurements", + "hardware_manifest_collectors": "", + "linux_bios_vendor_file": "/ci_test/dmi/id/bios_vendor", + "linux_bios_version_file": "/ci_test/dmi/id/bios_version", + "linux_bios_date_file": "/ci_test/dmi/id/bios_date", + "linux_sys_vendor_file": "/ci_test/dmi/id/sys_vendor", + "linux_product_name_file": "/ci_test/dmi/id/product_name", + "linux_product_version_file": "/ci_test/dmi/id/product_version", + "linux_product_serial_file": "/ci_test/dmi/id/product_serial", -# Uploading CA Certificate to HIRS ACA Portal -curl -k -s -F "file=@/ibmtss/utils/certificates/cacert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload -echo "*** CA Certificate has been uploaded to HIRS ACA Portal" + "Serilog": { + "Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ], + "Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ], + "MinimumLevel": { + "Default": "Debug", + "Override": { + "Microsoft": "Warning", + "System": "Warning" + } + }, + "WriteTo": [ + { + "Name": "Console", + "Args": { + "outputTemplate": "{Message}{NewLine}", + "theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console", + "restrictedToMinimumLevel": "Information" + } + }, + { + "Name": "File", + "Args": { + "path": "hirs.log", + "rollingInterval": "Day", + "retainedFileCountLimit": 5 + } + } + ] + } +} +APPSETTINGS_FILE_HW -# Starting Provisioning -./usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim \ No newline at end of file +# Triggering a 
single provision for test +echo "===========" +echo "*** INITIAL TEST: Single Provision with Default Policy:" +echo "===========" +/usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim diff --git a/.ci/system-tests/container/pc_setup.sh b/.ci/system-tests/container/pc_setup.sh old mode 100644 new mode 100755 index 660c69f1..d6efca28 --- a/.ci/system-tests/container/pc_setup.sh +++ b/.ci/system-tests/container/pc_setup.sh 
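Review bot: `appsettings_hw.json` pins `"aca_address_port": "https://172.19.0.2:8443"`, whereas the default file written just above it uses `https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}`. If the address in `.env` changes, the test that switches to the hardware settings will contact a different endpoint than every other test. Use the same variables here, `"aca_address_port": "https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}",`, provided this heredoc is expanded like the first one (its opening delimiter is not legible in the hunk as shown).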
@@ -7,40 +7,35 @@ profile=$1 test=$2 -tcgDir="/boot/tcg" -compscript="$profile"_"$test"_allcomponents.sh -hwlist="$profile"_"$test"_hw.json -testDir="/HIRS/.ci/system-tests/profiles/$profile/$test" -pcDir=$testDir/platformcerts -profileDir="/HIRS/.ci/system-tests/profiles/$profile" +ciTestDir="/ci_test" +tcgDir="$ciTestDir/boot/efi/EFI/tcg/cert/platform/" -# Current TCG folder for platform certs, likely to change with release of the next FIM specification -tcgDir=/boot/tcg/cert/platform/ +# Profile selections +profileDir="/hirs/.ci/system-tests/profiles/$profile" +testDir="$profileDir/$test" +pcDir="$testDir/platformcerts" +dmiZip="$profileDir/$profile"_dmi.zip +hwJsonFileName="$profile"_"$test"_hw.json +hwJsonFile="$testDir/$hwJsonFileName" +ciTestHwJsonFile="$ciTestDir/hw.json" + +# Current TCG folder for platform certs mkdir -p $tcgDir; # Create the platform cert folder if its not there rm -f $tcgDir*; # Clear out any previous data echo "Test is using platform cert(s) from $profile : $test" - -# Step 1: Copy allcomponents script to the paccor/scripts folder if there is one. -# Use the default if test does not have a test specific file. - -allCompScript=/HIRS/.ci/system-tests/profiles/$profile/$test/$compscript -if [ ! -f "$allCompScript" ]; then - allCompScript=/HIRS/.ci/system-tests/profiles/"$profile"/default/"$profile"_default_allcomponents.sh +# Step 1: Copy hw json file, if it exists. +if [ -f "$hwJsonFile" ]; then + cp "$hwJsonFile" "$ciTestHwJsonFile" fi -cp -f $allCompScript /opt/paccor/scripts/allcomponents.sh; -# Step 2: Copy allcomponents json file to the paccor/scripts folder if there is one -# Use the default if test does not have a test specific file. +# Can remove this once unzip is added to the image +dnf install -y unzip &> /dev/null -allCompJson=/HIRS/.ci/system-tests/profiles/$profile/$test/$hwlist; -if [ ! 
-f "$allCompJson" ]; then - allCompJson=/HIRS/.ci/system-tests/profiles/"$profile"/default/"$profile"_default_hw.json -fi -cp -f $allCompJson /opt/paccor/scripts/$hwlist ; +# Step 2: Unpack the dmi files. +unzip -o "$dmiZip" -d "$ciTestDir" -# Step 3: Copy the platform cert to tcg folder on boot drive -# a: See if test specific swidtag folder exists, if not use the defualt folder +# Step 3: Copy the platform cert to tcg folder if [[ ! -d $pcDir ]]; then pcDir=$profileDir/default/platformcerts; fi @@ -53,6 +48,3 @@ if [[ ! -f ".gitignore" ]]; then fi popd > /dev/null - -# Step 4: Make some data available for debugging -bash /opt/paccor/scripts/allcomponents.sh > /var/log/hirs/provisioner/allcomponents.output.log \ No newline at end of file diff --git a/.ci/system-tests/container/rim_setup.sh b/.ci/system-tests/container/rim_setup.sh index 7a93114a..3901a354 100644 --- a/.ci/system-tests/container/rim_setup.sh +++ b/.ci/system-tests/container/rim_setup.sh @@ -7,9 +7,10 @@ profile=$1 test=$2 -options=$3 -tcgDir="/boot/tcg" -propFile="/etc/hirs/tcg_boot.properties"; +ciTestDir="/ci_test" +tcgDir="$ciTestDir/boot/efi/EFI/tcg" + +# Profile selections profileDir="/HIRS/.ci/system-tests/profiles/$profile" defaultDir="$profileDir/default" testDir="/HIRS/.ci/system-tests/profiles/$profile/$test" @@ -17,8 +18,7 @@ eventLog="$testDir"/"$profile"_"$test"_binary_bios_measurements swidDir="$testDir/swidtags" rimDir="$testDir/rims" pcrScript="$testDir/"$profile"_"$test"_setpcrs.sh" - -source /HIRS/.ci/setup/container/tpm2_common.sh +ciTestEventLog="$ciTestDir/binary_bios_measurements" echo "Test is using RIM files from $profile : $test" 
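Review bot: `dnf install -y unzip &> /dev/null` pulls a package from the network on every test run and hides the result, so when the install fails the following `unzip -o "$dmiZip" -d "$ciTestDir"` fails too and the test continues with no DMI files under `/ci_test`. The in-line comment already says unzip belongs in the image; until then, check for it and fail loudly: `command -v unzip > /dev/null || dnf install -y unzip || exit 1`. `&>` is a bash redirection while sys_test_common.sh starts this script with `sh`, so `> /dev/null 2>&1` is the portable spelling. `$dmiZip` is also not tested for existence the way `$hwJsonFile` is.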
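Review bot: rim_setup.sh still builds `profileDir` and `testDir` from `/HIRS/.ci/system-tests/profiles`, while this commit moves pc_setup.sh and both `docker exec` callers in sys_test_common.sh to `/hirs`. The compose file bind-mounts the workspace at `/HIRS`; `/hirs` appears to be the checkout made by `auto_clone_branch`, so the two setup scripts may read profiles from different trees. Use one root in both, e.g. `profileDir="/hirs/.ci/system-tests/profiles/$profile"` and `testDir="$profileDir/$test"`.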
@@ -29,15 +29,9 @@ rm -f $tcgDir/manifest/rim/*; # clear out any previous data mkdir -p $tcgDir/manifest/swidtag/; # Create the platform cert folder if its not there rm -f $tcgDir/manifest/swidtag/*; # clear out any previous data -# Step 1: Update the tcg_boot.properties to use test specific binary_bios_measurement file -# a: if file does not exist in the test folder then use the default measurement file -# b: change the property file to point to the the test file - -if [[ ! -f "$eventLog" ]]; then - eventLog="$defaultDir"/"$profile"_default_binary_bios_measurements -fi -sed -i "s:tcg.event.file=.*:tcg.event.file=$eventLog:g" "$propFile" -#echo "eventLog used was $eventLog" +# Step 1: Copy binary_bios_measurement file +echo "eventLog used was $eventLog" +cp "$eventLog" "$ciTestEventLog" # Step 2: Copy Base RIM files to the TCG folder # a: See if test specific swidtag folder exists, if not use the defualt folder @@ -64,16 +58,10 @@ pushd $rimDir > /dev/null fi popd > /dev/null -# echo "Contents of tcg swidtag folder $tcgDir/manifest/swidtag/ : $(ls $tcgDir/manifest/swidtag/)" -# echo "Contents of tcg rim folder tcgDir/manifest/rim/: $(ls $tcgDir/manifest/rim/)" - #Step 4, run the setpcr script to make the TPM emulator hold values that correspond the binary_bios_measurement file # a: Clear the TPM PCR registers vi a call to the tss clear # b: Check if a test specific setpcr.sh file exists. If not use the profiles default script -if [[ $options == "clear" ]]; then - resetTpm2Emulator -fi if [[ ! -f $pcrScript ]]; then pcrScript="$profileDir/default/"$profile"_default_setpcrs.sh" @@ -82,4 +70,4 @@ sh $pcrScript; #echo "PCR script was $pcrScript" #tpm2_pcrlist -g sha256 -# Done with rim_setup \ No newline at end of file +# Done with rim_setup diff --git a/.ci/system-tests/profiles/laptop/default/laptop_default_setpcrs.sh b/.ci/system-tests/profiles/laptop/default/laptop_default_setpcrs.sh index 7ee85905..e8b0213b 100644 
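Review bot: `cp "$eventLog" "$ciTestEventLog"` now runs with no existence check, and the fallback to `"$defaultDir"/"$profile"_default_binary_bios_measurements` was removed although `defaultDir` is still defined. When a test has no event log of its own the copy fails, its status is ignored, and `/ci_test/binary_bios_measurements` keeps whatever an earlier test left there, so firmware validation is exercised against stale evidence. Keep the fallback (`[ -f "$eventLog" ] || eventLog="$defaultDir/${profile}_default_binary_bios_measurements"`) and make the copy fatal with `cp "$eventLog" "$ciTestEventLog" || exit 1`.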
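Review bot: With `resetTpm2Emulator` and the `source` of tpm2_common.sh gone, nothing in this script clears the simulator's PCRs before `sh $pcrScript` extends them, yet the Step 4 comment still lists "a: Clear the TPM PCR registers". PCR extends accumulate, so a second `setRims` against the same simulator instance would leave values that no longer match the event log. Either restore a reset step or correct the comment, e.g. `# a: PCRs are NOT cleared here; the simulator must be freshly started`. `setRims` in sys_test_common.sh still forwards a third argument that this script no longer reads.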
--- a/.ci/system-tests/profiles/laptop/default/laptop_default_setpcrs.sh
+++ b/.ci/system-tests/profiles/laptop/default/laptop_default_setpcrs.sh
@@ -2,44 +2,44 @@ # This file will set the tpm emulators PCR values to match the dell8850 event log. -tpm2_pcrextend 0:sha256=38dc62a7c4ba6f19930538c1704b5a97f20f19e802951aab7e78ced610a3df5f -Q -tpm2_pcrextend 0:sha256=d4720b4009438213b803568017f903093f6bea8ab47d283db32b6eabedbbf155 -Q -tpm2_pcrextend 0:sha256=2649fffc46f2044e2d683712fb59ce10ccfcbeb91d541cbe117d9c2d459da273 -Q -tpm2_pcrextend 0:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q +tpm2_pcrextend 0:sha256=38dc62a7c4ba6f19930538c1704b5a97f20f19e802951aab7e78ced610a3df5f -T mssim +tpm2_pcrextend 0:sha256=d4720b4009438213b803568017f903093f6bea8ab47d283db32b6eabedbbf155 -T mssim +tpm2_pcrextend 0:sha256=2649fffc46f2044e2d683712fb59ce10ccfcbeb91d541cbe117d9c2d459da273 -T mssim +tpm2_pcrextend 0:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim -tpm2_pcrextend 1:sha256=cbb15df37b131921890da0973ed097d567123b08e3fa6449e33a6acd15385be0 -Q -tpm2_pcrextend 1:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q -tpm2_pcrextend 1:sha256=4e93b6abf5532ff7a4da93769c41874f62cef02a9abc60b6baa62227762e5964 -Q -tpm2_pcrextend 1:sha256=9ad0d8e4e4b6b80386f43e747d0e8f4a55a860bae1fbbf54c588fd474b30a1da -Q -tpm2_pcrextend 1:sha256=fd662842e607c5800389f2d3073cb26100ce4b5f93d9e62e6b139813141a4173 -Q +tpm2_pcrextend 1:sha256=cbb15df37b131921890da0973ed097d567123b08e3fa6449e33a6acd15385be0 -T mssim +tpm2_pcrextend 1:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim +tpm2_pcrextend 1:sha256=4e93b6abf5532ff7a4da93769c41874f62cef02a9abc60b6baa62227762e5964 -T mssim +tpm2_pcrextend 1:sha256=9ad0d8e4e4b6b80386f43e747d0e8f4a55a860bae1fbbf54c588fd474b30a1da -T mssim +tpm2_pcrextend 1:sha256=fd662842e607c5800389f2d3073cb26100ce4b5f93d9e62e6b139813141a4173 -T mssim -tpm2_pcrextend 2:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q +tpm2_pcrextend 
2:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim -tpm2_pcrextend 3:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q +tpm2_pcrextend 3:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim -tpm2_pcrextend 4:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q -tpm2_pcrextend 4:sha256=dda0121dcf167db1e2622d10f454701837ac6af304a03ec06b3027904988c56b -Q -tpm2_pcrextend 4:sha256=afb8038e914c99969dd828b58289ff2f820fb785025f21a92cc48651ebc13005 -Q -tpm2_pcrextend 4:sha256=f80bdf3a58ec348742486e439f3c75a962043931f7cacd1e9bb8e6bf0cb2df9a -Q +tpm2_pcrextend 4:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim +tpm2_pcrextend 4:sha256=dda0121dcf167db1e2622d10f454701837ac6af304a03ec06b3027904988c56b -T mssim +tpm2_pcrextend 4:sha256=afb8038e914c99969dd828b58289ff2f820fb785025f21a92cc48651ebc13005 -T mssim +tpm2_pcrextend 4:sha256=f80bdf3a58ec348742486e439f3c75a962043931f7cacd1e9bb8e6bf0cb2df9a -T mssim -tpm2_pcrextend 5:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q -tpm2_pcrextend 5:sha256=ef4c76c6a2226cb891be17a65f5a3035889979b5a1b1a246224ee7120dda3efa -Q +tpm2_pcrextend 5:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim +tpm2_pcrextend 5:sha256=ef4c76c6a2226cb891be17a65f5a3035889979b5a1b1a246224ee7120dda3efa -T mssim -tpm2_pcrextend 6:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q +tpm2_pcrextend 6:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim -tpm2_pcrextend 7:sha256=ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e -Q -tpm2_pcrextend 7:sha256=2abfe9865a654102acb12f0fefe52dc4d01bce40901410eb3dadaf212700a2b7 -Q -tpm2_pcrextend 7:sha256=63a525134bfbc242058c0e6b42794f8b1d142d13029a9aa38a3272c5ca2390c5 -Q -tpm2_pcrextend 7:sha256=ad1850a4885628d86273bad743779c9e665db060236270b5d24dd98f3a22fe86 -Q 
-tpm2_pcrextend 7:sha256=f0bf49c6a2d3e170077f1f66875d6cb9b2aa382060cac5c0b645660bb95bc058 -Q -tpm2_pcrextend 7:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -Q -tpm2_pcrextend 7:sha256=4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9 -Q -tpm2_pcrextend 7:sha256=87ee47938723178072c0b0ed3ff7575e82ca37f0634a1a67d15d4d5ce53e8dab -Q -tpm2_pcrextend 7:sha256=194c8cf6648963b6574271d6c86d250a381ea0346749a355576fa95f5b6e1dae -Q +tpm2_pcrextend 7:sha256=ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e -T mssim +tpm2_pcrextend 7:sha256=2abfe9865a654102acb12f0fefe52dc4d01bce40901410eb3dadaf212700a2b7 -T mssim +tpm2_pcrextend 7:sha256=63a525134bfbc242058c0e6b42794f8b1d142d13029a9aa38a3272c5ca2390c5 -T mssim +tpm2_pcrextend 7:sha256=ad1850a4885628d86273bad743779c9e665db060236270b5d24dd98f3a22fe86 -T mssim +tpm2_pcrextend 7:sha256=f0bf49c6a2d3e170077f1f66875d6cb9b2aa382060cac5c0b645660bb95bc058 -T mssim +tpm2_pcrextend 7:sha256=df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119 -T mssim +tpm2_pcrextend 7:sha256=4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9 -T mssim +tpm2_pcrextend 7:sha256=87ee47938723178072c0b0ed3ff7575e82ca37f0634a1a67d15d4d5ce53e8dab -T mssim +tpm2_pcrextend 7:sha256=194c8cf6648963b6574271d6c86d250a381ea0346749a355576fa95f5b6e1dae -T mssim -tpm2_pcrextend 14:sha256=9fa163e06ff76a9f0d0262151328aa38f903495bc81ebcbd5bc40fcdbebb4a63 -Q -tpm2_pcrextend 14:sha256=8d8a3aae50d5d25838c95c034aadce7b548c9a952eb7925e366eda537c59c3b0 -Q +tpm2_pcrextend 14:sha256=9fa163e06ff76a9f0d0262151328aa38f903495bc81ebcbd5bc40fcdbebb4a63 -T mssim +tpm2_pcrextend 14:sha256=8d8a3aae50d5d25838c95c034aadce7b548c9a952eb7925e366eda537c59c3b0 -T mssim diff --git a/.ci/system-tests/run_system_tests.sh b/.ci/system-tests/run_system_tests.sh old mode 100644 new mode 100755 index 45afec09..1b028739 --- a/.ci/system-tests/run_system_tests.sh +++ b/.ci/system-tests/run_system_tests.sh 
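Review bot: Every `tpm2_pcrextend` line now repeats `-T mssim`, and with `-Q` dropped each call prints to the test log while its exit status is still ignored. tpm2-tools reads the TCTI from the `TPM2TOOLS_TCTI` environment variable, so a single `export TPM2TOOLS_TCTI=mssim` at the top of the script keeps the digest lines free of transport details. A failed extend leaves the PCRs out of step with the event log, so also add `set -e` near the top so the script stops at the first error instead of finishing with partial state.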
@@ -1,11 +1,12 @@ #!/bin/bash ######################################################################################### -# Script to run the System Tests for HIRS TPM 2.0 Provisoner -# Notes for running manually/locally (not from GitHub Actions) +# Script to Locally run the System Tests for HIRS TPM 2.0 Provisoner +# *** INTENDED FOR LOCAL SYSTEM TESTING, NOT FOR WORKFLOW RUNS *** +# Notes for running manually/locally # 1. Uncomment the "cd ../.." line below to make working directory = /HIRS/ # 2. Run with the desired HIRS branch as an argument (i.e. $./run_system_tests.sh main) ######################################################################################### -# cd ../.. +#cd ../.. # Setting variables aca_container=hirs-aca1 
@@ -16,28 +17,33 @@ echo "******** Setting up for HIRS System Tests for TPM 2.0 ******** " docker compose -f ./.ci/docker/docker-compose-system-test.yml up -d # Setting up and Starting ACA + Switching to current/desired branch in ACA Container -docker exec $aca_container sh -c "cd / && ./tmp/auto_clone_branch $1 > /dev/null 2>&1 \ - && cd hirs && echo 'ACA Container Current Branch: ' && git branch \ - && cd / && ./hirs/package/linux/aca/aca_setup.sh --unattended 1> /dev/null \ - && ./tmp/hirs_add_aca_tls_path_to_os.sh 1> /dev/null \ - && cd hirs && ./package/linux/aca/aca_bootRun.sh 1> /dev/null" & +docker exec $aca_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \ + && echo 'ACA Container Current Branch: ' && git branch \ + && /hirs/package/linux/aca/aca_setup.sh --unattended 1> /dev/null \ + && /tmp/hirs_add_aca_tls_path_to_os.sh 1> /dev/null \ + && /hirs/package/linux/aca/aca_bootRun.sh 1> /dev/null" & # Switching to current/desired branch in Provisioner Container -docker exec $tpm2_container sh -c "cd / && ./tmp/auto_clone_branch $1 > /dev/null 2>&1 \ - && cd hirs && echo 'Provisioner Container Current Branch: ' && git branch" +docker exec $tpm2_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \ + && echo 'Provisioner Container Current Branch: ' && git branch" # Install HIRS Provisioner.Net and setup tpm2 simulator. # In doing so, tests a single provision between Provisioner.Net and ACA. -docker exec $tpm2_container /.ci/setup/container/setup_tpm2provisioner_dotnet.sh +echo "Launching provisioner setup" +docker exec $tpm2_container sh /hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh + +# Initiating System Tests +echo "******** Setup Complete. Beginning HIRS System Tests. 
******** " +./.ci/system-tests/tests/aca_policy_tests.sh +#./.ci/system-tests/tests/platform_cert_tests.sh +#./.ci/system-tests/tests/rim_system_tests.sh -# HERE is where other system tests will be called, including: -# aca_policy_tests.sh, platform_cert_tests.sh, rim_system_tests.sh echo "******** HIRS System Tests Complete ******** " # Collecting ACA and Provisioner.Net logs for workflow artifact echo "*** Extracting ACA and Provisioner.Net logs ..." -docker exec $aca_container sh -c "cd .. && mkdir -p /HIRS/logs/aca/ && cp -arp /var/log/hirs/* /HIRS/logs/aca/" -docker exec $tpm2_container sh -c "cd .. && mkdir -p /HIRS/logs/provisioner/ && cp -ap hirs*.log /HIRS/logs/provisioner/ && chmod -R 777 /HIRS/logs" +docker exec $aca_container sh -c "mkdir -p /HIRS/logs/aca/ && cp -arp /var/log/hirs/* /HIRS/logs/aca/" +docker exec $tpm2_container sh -c "mkdir -p /HIRS/logs/provisioner/ && cp -ap hirs*.log /HIRS/logs/provisioner/ && chmod -R 777 /HIRS/logs" # Clean up services and network echo "*** Exiting and removing Docker containers and network ..." @@ -52,4 +58,4 @@ if [[ ${TEST_STATUS} == "0" ]]; then echo "******** FAILURE: System Tests for TPM 2.0 failed ********" echo "TEST_STATUS=1" >> $GITHUB_ENV exit 1 -fi \ No newline at end of file +fi diff --git a/.ci/system-tests/setup_system_tests.sh b/.ci/system-tests/setup_system_tests.sh new file mode 100755 index 00000000..b363f7ea --- /dev/null +++ b/.ci/system-tests/setup_system_tests.sh 
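Review bot: `$1` is expanded by the outer shell straight into the `sh -c "..."` strings passed to both `docker exec` calls, so a branch name containing spaces, quotes or `;` is parsed as shell syntax inside the container instead of reaching `auto_clone_branch` as one argument. If the ref comes from a pull request, its author controls that string; the same lines appear in the new setup_system_tests.sh, which is the script meant for workflow runs. Pass the ref as a positional parameter instead: `docker exec "$tpm2_container" sh -c '/tmp/auto_clone_branch "$1" > /dev/null 2>&1 && git branch' sh "$1"`. The changed log-collection line also keeps `chmod -R 777 /HIRS/logs` on the bind-mounted workspace; `chmod -R a+rX` would be enough for artifact upload.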
@@ -0,0 +1,33 @@
+#!/bin/bash
+#########################################################################################
+# Script to run the System Tests for HIRS TPM 2.0 Provisoner from GitHub Workflow
+# *** INTENDED FOR WORKFLOW RUNS, NOT FOR LOCAL SYSTEM TESTING ***
+# For local system testing, use run_system_tests.sh instead
+#########################################################################################
+
+# Setting variables
+aca_container=hirs-aca1
+tpm2_container=hirs-provisioner1-tpm2
+
+# Start System Testing Docker Environment
+echo "******** Setting up for HIRS System Tests for TPM 2.0 ******** "
+docker compose -f ./.ci/docker/docker-compose-system-test.yml up -d
+
+# Setting up and Starting ACA + Switching to current/desired branch in ACA Container
+docker exec $aca_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
+ && echo 'ACA Container Current Branch: ' && git branch \
+ && /hirs/package/linux/aca/aca_setup.sh --unattended 1> /dev/null \
+ && /tmp/hirs_add_aca_tls_path_to_os.sh 1> /dev/null \
+ && /hirs/package/linux/aca/aca_bootRun.sh 1> /dev/null" &
+
+# Switching to current/desired branch in Provisioner Container
+docker exec $tpm2_container sh -c "/tmp/auto_clone_branch $1 > /dev/null 2>&1 \
+ && echo 'Provisioner Container Current Branch: ' && git branch"
+
+# Install HIRS Provisioner.Net and setup tpm2 simulator.
+# In doing so, tests a single provision between Provisioner.Net and ACA.
+echo "Launching provisioner setup"
+docker exec $tpm2_container sh /hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh
+
+# Initiating System Tests
+echo "******** Setup Complete. Beginning HIRS System Tests. ******** "
\ No newline at end of file
diff --git a/.ci/system-tests/sys_test_common.sh b/.ci/system-tests/sys_test_common.sh
index 2db556c3..eb3a160a 100644
--- a/.ci/system-tests/sys_test_common.sh
+++ b/.ci/system-tests/sys_test_common.sh
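Review bot: The script prints "Setup Complete" unconditionally: there is no `set -e`, the ACA setup chain runs in the background with its output discarded, and the exit status of the provisioner setup `docker exec` is not checked. A workflow step running this file will therefore succeed even when the containers never came up or the initial provision failed, and the problem only surfaces later as confusing test results. Check at least the foreground steps, e.g. `docker compose -f ./.ci/docker/docker-compose-system-test.yml up -d || exit 1` and `docker exec $tpm2_container sh /hirs/.ci/setup/container/setup_tpm2provisioner_dotnet.sh || exit 1`.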
@@ -3,6 +3,11 @@ # Common functions used for HIRS system tests # ######################################################################################### +. ./.ci/docker/.env && set -a + +# Setting variables +aca_container=hirs-aca1 +tpm2_container=hirs-provisioner1-tpm2 # Check container status and abort if container is not running checkContainerStatus() { 
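Review bot: `. ./.ci/docker/.env && set -a` turns on allexport only after the file has been read, so the values from `.env` are not exported, while every variable assigned later in the sourcing script (`aca_container`, `totalTests`, ...) is. If the intent is to export the `.env` values to child processes, the order needs to be `set -a; . ./.ci/docker/.env; set +a`. The path is relative, so the file only loads when the caller's working directory is the repository root, and a failed source currently goes unnoticed.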
@@ -21,53 +26,57 @@ fi # clear all policy settings setPolicyNone() { -docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0, - enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;" +docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=0, pcAttributeValidationEnabled=0, pcValidationEnabled=0, + utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;" } # Policy Settings for tests ... setPolicyEkOnly() { -docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0, - enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;" +docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=0, + utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;" } setPolicyEkPc_noAttCheck() { -docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1, - enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;" +docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=0, pcValidationEnabled=1, + utcValidationEnabled=0, firmwareValidationEnabled=0, 
expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;" } setPolicyEkPc() { -docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1, - enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;" +docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1, + utcValidationEnabled=0, firmwareValidationEnabled=0, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=0, ignoretBootEnabled=0;" } setPolicyEkPcFw() { -docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1, - enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=1, enableIgnoretBoot=0;" +docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update PolicySettings set ecValidationEnabled=1, pcAttributeValidationEnabled=1, pcValidationEnabled=1, + utcValidationEnabled=0, firmwareValidationEnabled=1, expiredCertificateValidationEnabled=0, ignoreGptEnabled=0, ignoreImaEnabled=1, ignoretBootEnabled=0;" } -# Clear all ACA DB items including policy +# Clear all ACA DB items excluding policy clearAcaDb() { -docker exec $aca_container mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate - AppraisalResult;truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate - ComponentInfo;truncate Device;truncate DeviceInfoReport;truncate IMADeviceState;truncate IMAMeasurementRecord;truncate - ImaBlacklistRecord;truncate ImaIgnoreSetRecord;truncate IntegrityReport;truncate 
IntegrityReports_Reports_Join;truncate - RepoPackage_IMABaselineRecord;truncate Report;truncate ReportMapper;truncate ReportRequestState;truncate ReportSummary;truncate - State;truncate SupplyChainValidation;truncate SupplyChainValidationSummary;truncate ReferenceManifest;truncate - ReferenceDigestRecord; truncate ReferenceDigestValue; truncate - SupplyChainValidationSummary_SupplyChainValidation;truncate TPM2ProvisionerState;truncate TPMBaselineRecords;truncate - TPMDeviceState;truncate TPMReport;truncate TPMReport_pcrValueList; set foreign_key_checks=1;" +docker exec hirs-aca1 mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Appraiser; + truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate ComponentAttributeResult; + truncate ComponentInfo;truncate ComponentResult;truncate Device;truncate DeviceInfoReport;truncate PortalInfo; + truncate ReferenceDigestValue;truncate ReferenceManifest;truncate Report;truncate SupplyChainValidation; + truncate SupplyChainValidationSummary;truncate SupplyChainValidationSummary_SupplyChainValidation; + truncate TPM2ProvisionerState;set foreign_key_checks=1;" } # Upload Certs to the ACA DB uploadTrustedCerts() { -pushd ../setup/certs > /dev/null - - curl -k -s -F "file=@ca.crt" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload - curl -k -s -F "file=@RIMCaCert.pem" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload - curl -k -s -F "file=@RimSignCert.pem" https://${HIRS_ACA_PORTAL_IP}:8443/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload - -popd > /dev/null + # Create EK Cert from IBMTSS Tools +# docker exec $tpm2_container sh -c "pushd /ibmtss/utils > /dev/null \ +# && ./createekcert -rsa 2048 -cakey cakey.pem -capwd rrrr -v 1> /dev/null \ +# && popd > /dev/null" + # Upload CA Cert from IBMTSS Tools + docker exec $tpm2_container sh -c 
"pushd /ibmtss/utils/certificates > /dev/null \ + && curl -k -s -F 'file=@cacert.pem' https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload \ + && popd > /dev/null" + # Upload Trusted Certs from HIRS + pushd .ci/setup/certs > /dev/null + curl -k -s -F "file=@ca.crt" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload + curl -k -s -F "file=@RIMCaCert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload + curl -k -s -F "file=@RimSignCert.pem" https://${HIRS_ACA_PORTAL_IP}:${HIRS_ACA_PORTAL_PORT}/HIRS_AttestationCAPortal/portal/certificate-request/trust-chain/upload + popd > /dev/null } # provision_tpm2 takes one parameter which is the expected result of the provion: "pass" or "fail" @@ -76,23 +85,23 @@ popd > /dev/null provisionTpm2() { expected_result=$1 ((totalTests++)) - provisionOutput=$(docker exec $tpm2_container tpm_aca_provision); + provisionOutput=$(docker exec $tpm2_container sh -c "/usr/share/hirs/tpm_aca_provision --tcp --ip 127.0.0.1:2321 --sim"); echo "===========" echo "$provisionOutput"; echo "==========="; if [[ $provisionOutput == *"failed"* ]]; then if [[ $expected_result == "pass" ]]; then ((failedTests++)) - echo "!!! Provisiong failed, but was expected to pass" + echo "!!! Provisioning failed, but was expected to pass" else - echo "Provisiong failed as expected." + echo "Provisioning failed as expected." fi else # provisioning succeeded if [[ $expected_result == "fail" ]]; then ((failedTests++)) - echo "!!! Provisiong passed, but was expected to fail" + echo "!!! Provisioning passed, but was expected to fail" else - echo "Provisiong passed as expected." + echo "Provisioning passed as expected." fi fi } 
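Review bot: `clearAcaDb` now calls `docker exec hirs-aca1` literally while every other helper in this hunk uses `$aca_container`, which this commit defines at the top of the file; use `docker exec $aca_container mysql ...` so that a renamed container does not leave the database uncleared between tests. In `uploadTrustedCerts` the `curl -k -s` uploads discard the HTTP result, so a rejected certificate upload is invisible; adding `-f` and checking the status would make a missing trust anchor fail at the upload rather than in a later provision. The commented-out `createekcert` lines are dead code that still carries the CA key password; delete them rather than keeping them as comments.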
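Review bot: `provisionTpm2` decides the outcome only by searching the output for the word `failed`, and the exit status of the new `docker exec $tpm2_container sh -c "/usr/share/hirs/tpm_aca_provision ..."` call is thrown away. Output from a missing binary, a stopped container or an unreachable simulator need not contain that word, so such a run is counted as a successful provision; conversely, any infrastructure error that does print it satisfies a test expecting `fail`. Capture the status as well, `provisionOutput=$(docker exec ...); rc=$?`, and report a non-zero status without an ACA verdict in the output as a test error rather than as pass or fail. Whether `tpm_aca_provision` itself returns non-zero on a rejected provision is not visible here.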
@@ -100,23 +109,27 @@ provisionTpm2() { # Places platform cert(s) held in the test folder(s) in the provisioners tcg folder # setPlatCert setPlatformCerts() { - docker exec $tpm2_container sh /HIRS/.ci/system-tests/container/pc_setup.sh $1 $2 + docker exec $tpm2_container sh /hirs/.ci/system-tests/container/pc_setup.sh $1 $2 #docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer" } # Places RIM files held in the test folder in the provisioners tcg folder # setRims setRims() { -docker exec $tpm2_container sh /HIRS/.ci/system-tests/container/rim_setup.sh $1 $2 $3 +docker exec $tpm2_container sh /hirs/.ci/system-tests/container/rim_setup.sh $1 $2 $3 #docker exec $tpm2_container bash -c "find / -name oem_platform_v1_Base.cer" } +setPlatformOutput() { + docker exec $tpm2_container cp /usr/share/hirs/appsettings_hw.json /usr/share/hirs/appsettings.json +} + # Writes to the Action ouput, ACA log, and Provisioner Log # Used for marking the start of system tests and noting the result # write_to_logs writeToLogs() { line=$1 echo $line; - docker exec $aca_container sh -c "echo '$line' >> /var/log/tomcat/HIRS_AttestationCA.log" + docker exec $aca_container sh -c "cd .. && echo '$line' >> /var/log/hirs/HIRS_AttestationCA_Portal.log" # docker exec $tpm2_container sh -c "echo '$line' >> /var/log/hirs/provisioner/HIRS_provisionerTPM2.log" } diff --git a/.ci/system-tests/tests/aca_policy_tests.sh b/.ci/system-tests/tests/aca_policy_tests.sh old mode 100644 new mode 100755 index fdd70ce3..ad752979 --- a/.ci/system-tests/tests/aca_policy_tests.sh +++ b/.ci/system-tests/tests/aca_policy_tests.sh 
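Review bot: `setPlatformOutput` overwrites `/usr/share/hirs/appsettings.json` with the hardware-manifest variant, but no helper copies `appsettings_default.json` back, so every provision after the first call runs with the `/ci_test` settings whether or not the test asked for them. Add the counterpart next to it, e.g. `setPlatformDefault() { docker exec $tpm2_container cp /usr/share/hirs/appsettings_default.json /usr/share/hirs/appsettings.json; }`, and call it from tests that expect the default configuration. In `writeToLogs`, the added `cd ..` has no effect on the absolute log path and can be dropped.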
@@ -3,44 +3,76 @@ # HIRS ACA Policy System Tests # ######################################################################################### +source ./.ci/system-tests/sys_test_common.sh testResult=false totalTests=0; failedTests=0; +test="all" +case $1 in + 1) test="1" ;; + 2) test="2" ;; + 3) test="3" ;; + 4) test="4" ;; + 5) test="5" ;; + 6) test="6" ;; + 7) test="7" ;; + 8) test="8" ;; +esac # Start ACA Policy Tests # provisionTpm2 takes 1 parameter (the expected result): "pass" or "fail" -writeToLogs "### ACA POLICY TEST 1: Test ACA default policy ###" -setPlatformCerts "laptop" "empty" -provisionTpm2 "pass" - -writeToLogs "### ACA POLICY TEST 2: Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store ###" -setPolicyEkOnly -provisionTpm2 "fail" - -writeToLogs "### ACA POLICY TEST 3: Test EK Only Validation Policy ###" -uploadTrustedCerts -provisionTpm2 "pass" - -writeToLogs "### ACA POLICY TEST 4: Test PC Validation Policy with no PC ###" -setPolicyEkPc_noAttCheck -provisionTpm2 "fail" - -writeToLogs "### ACA POLICY TEST 5: Test FW and PC Validation Policy with no PC ###" -setPolicyEkPcFw -provisionTpm2 "fail" - -writeToLogs "### ACA POLICY TEST 6: Test PC Validation Policy with valid PC ###" -clearAcaDb -setPolicyEkPc -uploadTrustedCerts -setPlatformCerts "laptop" "default" -provisionTpm2 "pass" - -writeToLogs "### ACA POLICY TEST 7: Test PC with RIM Validation Policy with valid PC and RIM ###" -setPolicyEkPcFw -setRims "laptop" "default" "none" -provisionTpm2 "pass" +if [ "$test" = "1" ] || [ "$test" = "all" ]; then + writeToLogs "### ACA POLICY TEST 1: Test ACA default policy ###" + setPlatformCerts "laptop" "empty" + provisionTpm2 "pass" +fi +if [ "$test" = "2" ] || [ "$test" = "all" ]; then + writeToLogs "### ACA POLICY TEST 2: Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store ###" + setPolicyEkOnly + provisionTpm2 "fail" +fi +if [ "$test" = "3" ] || [ "$test" = "all" ]; then + writeToLogs "### ACA 
POLICY TEST 3: Test EK Only Validation Policy ###" + uploadTrustedCerts + provisionTpm2 "pass" +fi +if [ "$test" = "4" ] || [ "$test" = "all" ]; then + writeToLogs "### ACA POLICY TEST 4: Test PC Validation Policy with no PC ###" + setPolicyEkPc_noAttCheck + provisionTpm2 "fail" +fi +if [ "$test" = "5" ] || [ "$test" = "all" ]; then + writeToLogs "### ACA POLICY TEST 5: Test FW and PC Validation Policy with no PC ###" + setPolicyEkPcFw + provisionTpm2 "fail" +fi +if [ "$test" = "6" ] || [ "$test" = "all" ]; then + writeToLogs "### ACA POLICY TEST 6: Test PC Validation Policy with valid PC with no Attribute Check ###" + clearAcaDb + setPolicyEkPc_noAttCheck + uploadTrustedCerts + setPlatformCerts "laptop" "default" + provisionTpm2 "pass" +fi +if [ "$test" = "7" ] || [ "$test" = "all" ]; then + writeToLogs "### ACA POLICY TEST 7: Test PC Validation Policy with valid PC with Attribute Check ###" + clearAcaDb + setPolicyEkPc + uploadTrustedCerts + setPlatformCerts "laptop" "default" + setPlatformOutput + provisionTpm2 "pass" +fi +if [ "$test" = "8" ] || [ "$test" = "all" ]; then + writeToLogs "### ACA POLICY TEST 8: Test PC with RIM Validation Policy with valid PC and RIM ###" + clearAcaDb + setPolicyEkPcFw + uploadTrustedCerts + setPlatformCerts "laptop" "default" + setRims "laptop" "default" + provisionTpm2 "pass" +fi # Process Test Results, any single failure will send back a failed result. if [[ $failedTests != 0 ]]; then diff --git a/.github/workflows/system_test.yml b/.github/workflows/system_test.yml index 1002fff0..b45e20fc 100644 --- a/.github/workflows/system_test.yml +++ b/.github/workflows/system_test.yml @@ -1,5 +1,5 @@ # This workflow will build HIRS, run system tests, and create artifacts consisting of ACA and Provisioner logs. -# Updated: 04/18/2024 +# Updated: 06/05/2024 # name: HIRS System Tests on: 
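Review bot: Tests 2 through 5 can now be selected on their own, but unlike 6–8 they do not call clearAcaDb or set up their own trust store, so their outcome depends on what earlier tests left in the ACA. Test 3, for example, never calls setPolicyEkOnly, and test 2 fails for the intended reason only while no EK issuer certificate has been uploaded; an expected "fail" reached for a different reason still counts as a pass. Either have each block set its own policy and certificates, or add a comment such as `# Tests 2-5 rely on ACA state from the preceding test; run them in order on a fresh ACA`. The `case $1` also has no default arm, so an unrecognised argument silently runs everything; adding `"") ;;` and `*) echo "unknown test: $1" >&2; exit 2 ;;` would catch that. The result-processing part of the script continues outside the hunk.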
@@ -21,14 +21,81 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 - - name: ACA TPM2 Tests + - name: ACA TPM2 System Tests Setup continue-on-error: true shell: bash run: | # If on a forked repo, ensure that it has a new secret for the PAT # and replace secrets.GITHUB_TOKEN with the secret in the fork echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin - bash .ci/system-tests/run_system_tests.sh ${GITHUB_REF#refs/heads/} + .ci/system-tests/setup_system_tests.sh ${GITHUB_REF#refs/heads/} + - name: ACA POLICY TEST 1 - Test ACA default policy + continue-on-error: true + shell: bash + run: | + .ci/system-tests/tests/aca_policy_tests.sh 1 + - name: ACA POLICY TEST 2 - Test EK cert Only Validation Policy without a EK Issuer Cert in the trust store + continue-on-error: true + shell: bash + run: | + .ci/system-tests/tests/aca_policy_tests.sh 2 + - name: ACA POLICY TEST 3 - Test EK Only Validation Policy + continue-on-error: true + shell: bash + run: | + .ci/system-tests/tests/aca_policy_tests.sh 3 + - name: ACA POLICY TEST 4 - Test PC Validation Policy with no PC + continue-on-error: true + shell: bash + run: | + .ci/system-tests/tests/aca_policy_tests.sh 4 + - name: ACA POLICY TEST 5 - Test FW and PC Validation Policy with no PC + continue-on-error: true + shell: bash + run: | + .ci/system-tests/tests/aca_policy_tests.sh 5 + - name: ACA POLICY TEST 6 - Test PC Validation Policy with valid PC with no Attribute Check + continue-on-error: true + shell: bash + run: | + .ci/system-tests/tests/aca_policy_tests.sh 6 + - name: ACA POLICY TEST 7 - Test PC Validation Policy with valid PC with Attribute Check + continue-on-error: true + shell: bash + run: | + .ci/system-tests/tests/aca_policy_tests.sh 7 + - name: ACA POLICY TEST 8 - Test PC with RIM Validation Policy with valid PC and RIM + continue-on-error: true + shell: bash + run: | + .ci/system-tests/tests/aca_policy_tests.sh 8 + # - name: All ACA Policy Tests 1-8 
+ # continue-on-error: true + # shell: bash + # run: | + # .ci/system-tests/tests/aca_policy_tests.sh + - name: Copy System Test Log files + continue-on-error: true + shell: bash + run: | + echo "*** Extracting ACA and Provisioner.Net logs ..." + docker exec hirs-aca1 bash -c "mkdir -p /HIRS/logs/aca/ && cp -arp /var/log/hirs/* /HIRS/logs/aca/" + docker exec hirs-provisioner1-tpm2 bash -c "mkdir -p /HIRS/logs/provisioner/ && cp -ap hirs*.log /HIRS/logs/provisioner/ && chmod -R 777 /HIRS/logs" + - name: Docker Compose Down + continue-on-error: true + shell: bash + run: | + echo "*** Exiting and removing Docker containers and network ..." + docker compose -f .ci/docker/docker-compose-system-test.yml down -v + if [[ ${TEST_STATUS} == "0" ]]; then + echo "******** SUCCESS: System Tests for TPM 2.0 passed ********" + echo "TEST_STATUS=0" >> $GITHUB_ENV + exit 0; + else + echo "******** FAILURE: System Tests for TPM 2.0 failed ********" + echo "TEST_STATUS=1" >> $GITHUB_ENV + exit 1 + fi - name: Archive System Test Log files uses: actions/upload-artifact@v4 with:
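Review bot: Every new test step sets `continue-on-error: true`, and nothing in this hunk writes `TEST_STATUS` before the "Docker Compose Down" step reads it. Unless aca_policy_tests.sh exports it to `$GITHUB_ENV` (its tail is not shown), that check compares an unset value and the job result does not reflect individual test failures. Recording the status in each step would make this explicit, e.g. `.ci/system-tests/tests/aca_policy_tests.sh 1 || echo "TEST_STATUS=1" >> "$GITHUB_ENV"`, with the final check reading `"${TEST_STATUS:-0}"`. In the log-copy step, `chmod -R 777 /HIRS/logs` is broader than reading the artifacts needs; `chmod -R a+rX /HIRS/logs` is enough. The step list continues outside the hunk.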