From ce2bb2420654f5c4039c9360032bf13a5a6685ef Mon Sep 17 00:00:00 2001 From: Cottand Date: Wed, 21 Feb 2024 11:48:02 +0000 Subject: [PATCH 1/9] add gha CI check --- .github/workflows/check.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/check.yml diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml new file mode 100644 index 0000000..e6c7de9 --- /dev/null +++ b/.github/workflows/check.yml @@ -0,0 +1,21 @@ +name: Test Nix Flake build + +on: + workflow_dispatch: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + + flake-check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - uses: cachix/install-nix-action@v22 + with: + nix_path: nixpkgs=channel:nixos-23.11 + github_access_token: ${{ secrets.GITHUB_TOKEN }} + + - run: nix flake check \ No newline at end of file From fdae3b1b2f9b017b1f97efa9908ed9580e0325a3 Mon Sep 17 00:00:00 2001 From: Cottand Date: Wed, 21 Feb 2024 12:38:12 +0000 Subject: [PATCH 2/9] add cache step --- .github/workflows/check.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index e6c7de9..1fa0765 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -17,5 +17,7 @@ jobs: with: nix_path: nixpkgs=channel:nixos-23.11 github_access_token: ${{ secrets.GITHUB_TOKEN }} + + - uses: DeterminateSystems/magic-nix-cache-action@main - - run: nix flake check \ No newline at end of file + - run: nix flake check From 402cadddfebc741233f0270b19c1134329c73661 Mon Sep 17 00:00:00 2001 From: Cottand Date: Fri, 23 Feb 2024 08:48:46 +0000 Subject: [PATCH 3/9] pin actions' versions --- .github/workflows/check.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 1fa0765..5f3edb1 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml 
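Review bot: The new check.yml declares no `permissions:` block, so the `flake-check` job runs with the repository's default GITHUB_TOKEN scope, and that same token is forwarded to install-nix-action through `github_access_token`. Nothing visible in the job writes to the repository, so the workflow should state the least privilege it needs at the top level, `permissions:` followed by `  contents: read`, placed between `name:` and `on:`. If install-nix-action only uses the token for authenticated downloads (not visible here), read access is sufficient and narrows what a compromised step could do with it.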
@@ -13,11 +13,11 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - uses: cachix/install-nix-action@v22 + - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac with: nix_path: nixpkgs=channel:nixos-23.11 github_access_token: ${{ secrets.GITHUB_TOKEN }} - - uses: DeterminateSystems/magic-nix-cache-action@main + - uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7 - run: nix flake check From e2b975738de139d5df6fbfbdde4a8a15fa72063c Mon Sep 17 00:00:00 2001 From: Cottand Date: Fri, 23 Feb 2024 09:41:21 +0000 Subject: [PATCH 4/9] emtpy commit From f5ce211c6afc32eeb152521eedaa6a2715baf3c3 Mon Sep 17 00:00:00 2001 From: Cottand Date: Fri, 23 Feb 2024 09:50:17 +0000 Subject: [PATCH 5/9] run check on all pushes --- .github/workflows/check.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 5f3edb1..71cbcb2 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -1,9 +1,9 @@ -name: Test Nix Flake build +name: On push on: workflow_dispatch: push: - branches: [ master ] + branches: [ "*" ] pull_request: branches: [ master ] @@ -19,5 +19,5 @@ jobs: github_access_token: ${{ secrets.GITHUB_TOKEN }} - uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7 - + - run: nix flake check From a820c5f249ee784760e494f619858193121ecbe5 Mon Sep 17 00:00:00 2001 From: Cottand Date: Fri, 23 Feb 2024 09:52:12 +0000 Subject: [PATCH 6/9] don't run check on PR --- .github/workflows/check.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 71cbcb2..bf299d8 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -1,11 +1,9 @@ -name: On push +name: Check on: workflow_dispatch: push: branches: [ "*" ] - pull_request: - branches: [ master ] jobs: 
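Review bot: `actions/checkout@v2` on the first context line is still a mutable major-version tag while the two actions changed in this hunk are now pinned to full commit SHAs, so the pinning is incomplete and the step that fetches the repository is the one left floating. Pin it the same way, `- uses: actions/checkout@<full commit SHA>  # <release tag>`, taking the SHA from the release you intend to use. A trailing comment naming the tag each SHA corresponds to, e.g. `- uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac  # v22`, keeps the pins auditable and lets dependency-update tooling recognise them; the magic-nix-cache SHA replaces a `main` ref, so record whichever release it was taken from.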
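Review bot: `branches: [ "*" ]` on the `push:` trigger does not cover every branch, because a single `*` in a GitHub Actions branch filter does not match `/`, so pushes to branches named like `feature/x` never run the check despite the commit title. Use `branches: [ "**" ]`, or remove the `branches:` filter under `push:` altogether if every pushed ref should trigger the workflow. The quotes are needed in either form, since an unquoted `*` would be parsed as a YAML alias rather than a string.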
From dbb5676468f8d5cc16e06ce0949c960df9018737 Mon Sep 17 00:00:00 2001 From: Cottand Date: Fri, 23 Feb 2024 10:32:45 +0000 Subject: [PATCH 7/9] add flake check that builds a EIF --- flake.nix | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/flake.nix b/flake.nix index 14f38b0..a953f5a 100644 --- a/flake.nix +++ b/flake.nix @@ -202,6 +202,35 @@ checks = { # make sure we can build the eif-cli inherit (packages) eif-cli; + + # build a simple (non-bootable) EIF image for ARM64 as part of checks + test-make-eif = lib.mkEif { + name = "test"; + ramdisks = [ + (lib.mkSysRamdisk { init = self.lib.aarch64-linux.blobs.init; nsmKo = self.lib.aarch64-linux.blobs.nsmKo; }) + (lib.mkUserRamdisk { entrypoint = "none"; env = ""; rootfs = pkgs.writeTextDir "etc/file" "hello world!"; }) + ]; + kernel = self.lib.aarch64-linux.blobs.kernel; + kernelConfig = self.lib.aarch64-linux.blobs.kernelConfig; + }; + + # check the PCR for this simple EIF is reproduced + test-eif-PCRs-match = pkgs.stdenvNoCC.mkDerivation { + buildInputs = [ pkgs.jq ]; + name = "test-eif-PCRs-match"; + src = checks.test-make-eif; + dontBuild = true; + doCheck = true; + checkPhase = '' + PCR0=$(jq -r < ./pcr.json ' .PCR0 ') + if echo "$PCR0" | grep -qv 'a15c9d65991e44f63827e506d519b9107cc81844a8745a315a1d543b8788ea58254c7b17bc0003d2fa7322142a47e007' + then + echo "PCR0 did not match, got instead:" $PCR0 + exit -1 + fi + ''; + installPhase = "mkdir $out"; + }; }; } )) From 1325eda14aba4cef49799aea65d323ec0400b81b Mon Sep 17 00:00:00 2001 From: Cottand Date: Fri, 23 Feb 2024 10:38:08 +0000 Subject: [PATCH 8/9] check for x86 --- flake.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index a953f5a..ddcdcee 100644 --- a/flake.nix +++ b/flake.nix 
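Review bot: The `checkPhase` added in `test-eif-PCRs-match` compares the measurement with a substring test, `grep -qv '<hex>'`, and then fails with `exit -1`, which bash reports as status 255; a plain string comparison and a conventional status are clearer and harder to get wrong: `if [ "$PCR0" != 'a15c9d65991e44f63827e506d519b9107cc81844a8745a315a1d543b8788ea58254c7b17bc0003d2fa7322142a47e007' ]` and `exit 1`. The expected PCR0 is a golden attestation measurement committed without any record of how it was produced, so a comment above it such as `# expected PCR0 of test-make-eif; re-record deliberately whenever the kernel, init or nsm blobs change` would make later re-pins reviewable, and the same applies to the re-pinned values in patches 8 and 9. `jq` is only used at build time, so `nativeBuildInputs = [ pkgs.jq ];` is the idiomatic slot. The `checks = {` set is shown in full, but the flake outputs function enclosing it starts outside the hunk.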
@@ -207,7 +207,7 @@ test-make-eif = lib.mkEif { name = "test"; ramdisks = [ - (lib.mkSysRamdisk { init = self.lib.aarch64-linux.blobs.init; nsmKo = self.lib.aarch64-linux.blobs.nsmKo; }) + (lib.mkSysRamdisk { init = self.lib.x86_64-linux.blobs.init; nsmKo = self.lib.x86_64-linux.blobs.nsmKo; }) (lib.mkUserRamdisk { entrypoint = "none"; env = ""; rootfs = pkgs.writeTextDir "etc/file" "hello world!"; }) ]; kernel = self.lib.aarch64-linux.blobs.kernel; @@ -223,7 +223,7 @@ doCheck = true; checkPhase = '' PCR0=$(jq -r < ./pcr.json ' .PCR0 ') - if echo "$PCR0" | grep -qv 'a15c9d65991e44f63827e506d519b9107cc81844a8745a315a1d543b8788ea58254c7b17bc0003d2fa7322142a47e007' + if echo "$PCR0" | grep -qv '7b93be4b98ac97f444f4bd80d5a3c86ad34d0382ba7fb9b3d0001d9e55c360f067bab523113ef565f277ecdc2dde20c2' then echo "PCR0 did not match, got instead:" $PCR0 exit -1 From 16b8c9c6b4b2869facfc862ec13ba866b704fce0 Mon Sep 17 00:00:00 2001 From: Cottand Date: Fri, 23 Feb 2024 10:41:34 +0000 Subject: [PATCH 9/9] check for x86, fix bad path --- flake.nix | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index ddcdcee..c1da1e6 100644 --- a/flake.nix +++ b/flake.nix @@ -205,13 +205,14 @@ # build a simple (non-bootable) EIF image for ARM64 as part of checks test-make-eif = lib.mkEif { + arch = "x86_64"; name = "test"; ramdisks = [ (lib.mkSysRamdisk { init = self.lib.x86_64-linux.blobs.init; nsmKo = self.lib.x86_64-linux.blobs.nsmKo; }) (lib.mkUserRamdisk { entrypoint = "none"; env = ""; rootfs = pkgs.writeTextDir "etc/file" "hello world!"; }) ]; - kernel = self.lib.aarch64-linux.blobs.kernel; - kernelConfig = self.lib.aarch64-linux.blobs.kernelConfig; + kernel = self.lib.x86_64-linux.blobs.kernel; + kernelConfig = self.lib.x86_64-linux.blobs.kernelConfig; }; # check the PCR for this simple EIF is reproduced 
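Review bot: The comment `# build a simple (non-bootable) EIF image for ARM64 as part of checks` directly above the new `arch = "x86_64";` line is now stale, since this hunk and the previous commit moved every blob reference to `self.lib.x86_64-linux`. Change it to `# build a simple (non-bootable) EIF image for x86_64 as part of checks`. The arch string and the `x86_64-linux` blob paths are also spelled out independently several times, which is exactly how the mismatch this commit fixes arose; if `mkEif`'s `arch` can be derived from the system name (its signature is not visible here), one `let` binding for the system would keep them in step.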
@@ -223,7 +224,7 @@ doCheck = true; checkPhase = '' PCR0=$(jq -r < ./pcr.json ' .PCR0 ') - if echo "$PCR0" | grep -qv '7b93be4b98ac97f444f4bd80d5a3c86ad34d0382ba7fb9b3d0001d9e55c360f067bab523113ef565f277ecdc2dde20c2' + if echo "$PCR0" | grep -qv 'f585cae40c5d5d640a60d3c7f8c5dcf7276364c49f7d7fa8d08800b35c45825099688c2acc02bb2373ebfbd8a5ba10b4' then echo "PCR0 did not match, got instead:" $PCR0 exit -1