diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
new file mode 100644
index 0000000..bf299d8
--- /dev/null
+++ b/.github/workflows/check.yml
@@ -0,0 +1,21 @@
+name: Check
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ "*" ]
+
+jobs:
+
+ flake-check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
+ with:
+ nix_path: nixpkgs=channel:nixos-23.11
+ github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+ - uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7
+
+ - run: nix flake check
diff --git a/flake.nix b/flake.nix
index 14f38b0..c1da1e6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -202,6 +202,36 @@
 checks = {
 # make sure we can build the eif-cli
 inherit (packages) eif-cli;
+
+ # build a simple (non-bootable) EIF image for ARM64 as part of checks
+ test-make-eif = lib.mkEif {
+ arch = "x86_64";
+ name = "test";
+ ramdisks = [
+ (lib.mkSysRamdisk { init = self.lib.x86_64-linux.blobs.init; nsmKo = self.lib.x86_64-linux.blobs.nsmKo; })
+ (lib.mkUserRamdisk { entrypoint = "none"; env = ""; rootfs = pkgs.writeTextDir "etc/file" "hello world!"; })
+ ];
+ kernel = self.lib.x86_64-linux.blobs.kernel;
+ kernelConfig = self.lib.x86_64-linux.blobs.kernelConfig;
+ };
+
+ # check the PCR for this simple EIF is reproduced
+ test-eif-PCRs-match = pkgs.stdenvNoCC.mkDerivation {
+ buildInputs = [ pkgs.jq ];
+ name = "test-eif-PCRs-match";
+ src = checks.test-make-eif;
+ dontBuild = true;
+ doCheck = true;
+ checkPhase = ''
+ PCR0=$(jq -r < ./pcr.json ' .PCR0 ')
+ if echo "$PCR0" | grep -qv 'f585cae40c5d5d640a60d3c7f8c5dcf7276364c49f7d7fa8d08800b35c45825099688c2acc02bb2373ebfbd8a5ba10b4'
+ then
+ echo "PCR0 did not match, got instead:" $PCR0
+ exit -1
+ fi
+ '';
+ installPhase = "mkdir $out";
+ };
 };
 }
 ))
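Review bot: The push trigger `branches: [ "*" ]` only matches branch names without a `/`, because `*` in GitHub's filter syntax does not cross path separators, so a push to a branch like release/x would not run the check; `branches: [ "**" ]` matches every branch. `actions/checkout@v2` is a mutable major tag (and an outdated major) while the two Nix actions on the following lines are pinned to commit SHAs; pinning checkout to a SHA of a current release keeps the supply-chain posture consistent across the job. The workflow also declares no `permissions:` block, so the job token gets the repository's default permissions; a top-level `permissions: contents: read` appears sufficient for checkout and `nix flake check` and is worth adding.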
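Review bot: The comment above `test-make-eif` says the image is built for ARM64, but `arch = "x86_64"` and every blob comes from `self.lib.x86_64-linux`; it should read `# build a simple (non-bootable) EIF image for x86_64 as part of checks`. In `checkPhase`, `grep -qv` is a substring test, so a value that merely contains the expected digest still passes, and `exit -1` is a non-portable way of returning 255; an exact comparison is clearer and stricter: `if [ "$PCR0" != 'f585cae40c5d5d640a60d3c7f8c5dcf7276364c49f7d7fa8d08800b35c45825099688c2acc02bb2373ebfbd8a5ba10b4' ]` with `exit 1`. `jq` is only run at build time, so it belongs in `nativeBuildInputs` rather than `buildInputs`. `src = checks.test-make-eif` relies on `checks` being bound in an enclosing scope, since the set shown as `checks = {` is not `rec`; that enclosing expression starts outside the hunk, so this is only worth confirming.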