mirror of
https://github.com/kairos-io/kairos.git
synced 2025-02-09 05:18:51 +00:00
Improve uki iso stuff (#1854)
parent
76ce20eebc
commit
05ed54115f
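--- a/.github/workflows/uki.yaml
+++ b/.github/workflows/uki.yaml
@@ -0,0 +1,60 @@
+name: UKI tests
+on:
+pull_request:
+
+concurrency:
+group: ci-uki-${{ github.head_ref || github.ref }}-${{ github.repository }}
+cancel-in-progress: true
+env:
+FORCE_COLOR: 1
+jobs:
+test-uki:
+runs-on: kvm
+steps:
+- uses: actions/checkout@v4
+- name: Install Go
+uses: actions/setup-go@v4
+with:
+go-version-file: tests/go.mod
+cache-dependency-path: tests/go.sum
+- name: Enable KVM group perms
+run: |
+sudo apt-get update
+sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu qemu-system-x86 qemu-system-x86 qemu-utils qemu-kvm acl udev
+# https://github.blog/changelog/2023-02-23-hardware-accelerated-android-virtualization-on-actions-windows-and-linux-larger-hosted-runners/
+# echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
+# sudo udevadm control --reload-rules
+# sudo udevadm trigger --name-match=kvm
+# sudo usermod -a -G kvm,libvirt $USER
+#
+# TODO: Switch back to the above solution when we switch to the github runners
+# https://askubuntu.com/a/1081326
+sudo setfacl -m u:runner:rwx /dev/kvm
+- name: Install earthly
+uses: Luet-lab/luet-install-action@v1.1
+with:
+repository: quay.io/kairos/packages
+packages: utils/earthly
+- name: Build uki ISO 🔧
+run: |
+# Do fedora as its the smaller uki possible
+# Use immmucore master as it has patches not released for uki
+# Use kairos-agent main branch as it has patches not released for uki
+earthly +iso-uki --FLAVOR=opensuse-leap --KAIROS_AGENT_DEV=true --KAIROS_AGENT_DEV_BRANCH=main --IMMUCORE_DEV=true --IMMUCORE_DEV_BRANCH=master
+- name: Run tests
+env:
+USE_QEMU: true
+KVM: true
+MEMORY: 4000
+CPUS: 2
+FIRMWARE: /usr/share/OVMF/OVMF_CODE.fd
+run: |
+export ISO=$(ls $PWD/build/kairos-core-*opensuse-leap*.iso)
+cp tests/go.* .
+go run github.com/onsi/ginkgo/v2/ginkgo -v --label-filter "uki" --fail-fast -r ./tests/
+- uses: actions/upload-artifact@v3
+if: failure()
+with:
+name: ${{ inputs.flavor }}.logs.zip
+path: tests/**/logs/*
+if-no-files-found: warn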
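Review bot: The job runs on the `kvm` runner label for every `pull_request`, and the TODO about switching "to the github runners" suggests that label is a self-hosted machine; if so, PR-supplied code (the Earthfile build and the `go run` of the test suite) executes on persistent infrastructure with `sudo` available, so the job should be limited to same-repository branches, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository` on `test-uki`. The `uses:` lines reference mutable tags (`actions/checkout@v4`, `Luet-lab/luet-install-action@v1.1`); pinning at least the third-party action to a full commit SHA removes the risk of the tag being moved. Separately, `name: ${{ inputs.flavor }}.logs.zip` has no `inputs` context under a `pull_request` trigger, so the artifact name presumably collapses to `.logs.zip`; a literal such as `name: uki.logs.zip` would be clearer.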
162
Earthfile
@ -491,8 +491,10 @@ uki-artifacts:
|
||||
FROM +base-image --BUILD_INITRD=false
|
||||
RUN /usr/bin/immucore version
|
||||
RUN ln -s /usr/bin/immucore /init
|
||||
RUN mkdir -p /oem # be able to mount oem under here if found
|
||||
RUN mkdir -p /efi # mount the esp under here if found
|
||||
RUN find . \( -path ./sys -prune -o -path ./run -prune -o -path ./dev -prune -o -path ./tmp -prune -o -path ./proc -prune \) -o -print | cpio -R root:root -H newc -o | gzip -2 > /tmp/initramfs.cpio.gz
|
||||
RUN echo "console=tty1 console=ttyS0 net.ifnames=1 rd.immucore.debug rd.immucore.uki selinux=0" > /tmp/Cmdline
|
||||
RUN echo "console=tty1 console=ttyS0 net.ifnames=1 rd.immucore.oemlabel=COS_OEM rd.immucore.oemtimeout=2 rd.immucore.debug rd.immucore.uki selinux=0" > /tmp/Cmdline
|
||||
RUN basename $(ls /boot/vmlinuz-* |grep -v rescue | head -n1)| sed --expression "s/vmlinuz-//g" > /tmp/Uname
|
||||
SAVE ARTIFACT /boot/vmlinuz Kernel
|
||||
SAVE ARTIFACT /etc/os-release Osrelease
|
||||
@ -504,8 +506,25 @@ uki-artifacts:
|
||||
uki-tools-image:
|
||||
FROM fedora:38
|
||||
# objcopy from binutils and systemd-stub from systemd
|
||||
RUN dnf install -y binutils systemd-boot mtools efitools sbsigntools shim openssl
|
||||
RUN dnf install -y binutils systemd-boot mtools efitools sbsigntools shim openssl systemd-ukify
|
||||
|
||||
# HOW TO: Generate the keys
|
||||
# Platform key
|
||||
# RUN openssl req -new -x509 -subj "/CN=Kairos PK/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout PK.key -out PK.crt
|
||||
# DER keys are for FW install
|
||||
# RUN openssl x509 -in PK.crt -out PK.der -outform DER
|
||||
# Key exchange
|
||||
# RUN openssl req -new -x509 -subj "/CN=Kairos KEK/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout KEK.key -out KEK.crt
|
||||
# DER keys are for FW install
|
||||
# RUN openssl x509 -in KEK.crt -out KEK.der -outform DER
|
||||
# Signature DB
|
||||
# RUN openssl req -new -x509 -subj "/CN=Kairos DB/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout DB.key -out DB.crt
|
||||
# DER keys are for FW install
|
||||
# RUN openssl x509 -in DB.crt -out DB.der -outform DER
|
||||
# But for now just use test keys pre-generated for easy testing.
|
||||
# NOTE: NEVER EVER EVER use this keys for signing anything that its going outside your computer
|
||||
# This is for easy testing SecureBoot locally for development purposes
|
||||
# Installing this keys in other place than a VM for testing SecureBoot is irresponsible
|
||||
uki:
|
||||
ARG TARGETARCH
|
||||
COPY +version/VERSION ./
|
||||
@ -520,100 +539,40 @@ uki:
|
||||
COPY +uki-artifacts/Uname Uname
|
||||
COPY +uki-artifacts/Cmdline Cmdline
|
||||
ARG KVERSION=$(cat Uname)
|
||||
COPY tests/keys/* .
|
||||
RUN objcopy /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
|
||||
--add-section .osrel=Osrelease --set-section-flags .osrel=data,readonly \
|
||||
--add-section .cmdline=Cmdline --set-section-flags .cmdline=data,readonly \
|
||||
--add-section .initrd=Initrd --set-section-flags .initrd=data,readonly \
|
||||
--add-section .uname=Uname --set-section-flags .uname=data,readonly \
|
||||
--add-section .linux=Kernel --set-section-flags .linux=code,readonly \
|
||||
$ISO_NAME.unsigned.efi \
|
||||
uki.unsigned.efi \
|
||||
--change-section-vma .osrel=0x17000 \
|
||||
--change-section-vma .cmdline=0x18000 \
|
||||
--change-section-vma .initrd=0x19000 \
|
||||
--change-section-vma .uname=0x5a0ed000 \
|
||||
--change-section-vma .linux=0x5a0ee000
|
||||
SAVE ARTIFACT Uname Uname
|
||||
SAVE ARTIFACT $ISO_NAME.unsigned.efi uki.efi AS LOCAL build/$ISO_NAME.unsigned-$KVERSION.efi
|
||||
|
||||
|
||||
uki-signed:
|
||||
FROM +uki-tools-image
|
||||
# Platform key
|
||||
RUN openssl req -new -x509 -subj "/CN=Kairos PK/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout PK.key -out PK.crt
|
||||
# CER keys are for FW install
|
||||
RUN openssl x509 -in PK.crt -out PK.cer -outform DER
|
||||
# Key exchange
|
||||
RUN openssl req -new -x509 -subj "/CN=Kairos KEK/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout KEK.key -out KEK.crt
|
||||
# CER keys are for FW install
|
||||
RUN openssl x509 -in KEK.crt -out KEK.cer -outform DER
|
||||
# Signature DB
|
||||
RUN openssl req -new -x509 -subj "/CN=Kairos DB/" -days 3650 -nodes -newkey rsa:2048 -sha256 -keyout DB.key -out DB.crt
|
||||
# CER keys are for FW install
|
||||
RUN openssl x509 -in DB.crt -out DB.cer -outform DER
|
||||
COPY +uki/uki.efi uki.efi
|
||||
COPY +uki/Uname Uname
|
||||
ARG KVERSION=$(cat Uname)
|
||||
COPY +version/VERSION ./
|
||||
RUN echo "version ${VERSION}"
|
||||
ARG VERSION=$(cat VERSION)
|
||||
ARG TARGETARCH
|
||||
ARG ISO_NAME=${OS_ID}-${VARIANT}-${FLAVOR}-${TARGETARCH}-${MODEL}-${VERSION}
|
||||
|
||||
RUN sbsign --key DB.key --cert DB.crt --output uki.signed.efi uki.efi
|
||||
|
||||
SAVE ARTIFACT /boot/efi/EFI/fedora/mmx64.efi MokManager.efi
|
||||
SAVE ARTIFACT PK.key PK.key AS LOCAL build/PK.key
|
||||
SAVE ARTIFACT PK.crt PK.crt AS LOCAL build/PK.crt
|
||||
SAVE ARTIFACT PK.cer PK.cer AS LOCAL build/PK.cer
|
||||
SAVE ARTIFACT KEK.key KEK.key AS LOCAL build/KEK.key
|
||||
SAVE ARTIFACT KEK.crt KEK.crt AS LOCAL build/KEK.crt
|
||||
SAVE ARTIFACT KEK.cer KEK.cer AS LOCAL build/KEK.cer
|
||||
SAVE ARTIFACT DB.key DB.key AS LOCAL build/DB.key
|
||||
SAVE ARTIFACT DB.crt DB.crt AS LOCAL build/DB.crt
|
||||
SAVE ARTIFACT DB.cer DB.cer AS LOCAL build/DB.cer
|
||||
SAVE ARTIFACT uki.signed.efi uki.efi AS LOCAL build/$ISO_NAME.signed-$KVERSION.efi
|
||||
|
||||
# This target will prepare a disk.img ready with the uki artifact on it for qemu. Just attach it to qemu and mark you vm to boot from that disk
|
||||
# here we take advantage of the uefi fallback method, which will load an efi binary in /EFI/BOOT/BOOTX64.efi if there is nothing
|
||||
# else that it can boot from :D Just make sure to have your disk.img set as boot device in qemu.
|
||||
prepare-uki-disk-image:
|
||||
FROM +uki-tools-image
|
||||
ARG SIGNED_EFI=false
|
||||
IF [ "$SIGNED_EFI" = "true" ]
|
||||
COPY +uki-signed/uki.efi .
|
||||
COPY +uki-signed/PK.key .
|
||||
COPY +uki-signed/PK.crt .
|
||||
COPY +uki-signed/PK.cer .
|
||||
COPY +uki-signed/KEK.key .
|
||||
COPY +uki-signed/KEK.crt .
|
||||
COPY +uki-signed/KEK.cer .
|
||||
COPY +uki-signed/DB.key .
|
||||
COPY +uki-signed/DB.crt .
|
||||
COPY +uki-signed/DB.cer .
|
||||
COPY +uki-signed/MokManager.efi .
|
||||
ELSE
|
||||
COPY +uki/uki.efi .
|
||||
END
|
||||
RUN dd if=/dev/zero of=disk.img bs=1G count=1
|
||||
RUN mformat -i disk.img -F ::
|
||||
RUN mmd -i disk.img ::/EFI
|
||||
RUN mmd -i disk.img ::/EFI/BOOT
|
||||
RUN mcopy -i disk.img uki.efi ::/EFI/BOOT/BOOTX64.efi
|
||||
IF [ "$SIGNED_EFI" = "true" ]
|
||||
RUN mcopy -i disk.img PK.key ::/EFI/BOOT/PK.key
|
||||
RUN mcopy -i disk.img PK.crt ::/EFI/BOOT/PK.crt
|
||||
RUN mcopy -i disk.img PK.cer ::/EFI/BOOT/PK.cer
|
||||
RUN mcopy -i disk.img KEK.key ::/EFI/BOOT/KEK.key
|
||||
RUN mcopy -i disk.img KEK.crt ::/EFI/BOOT/KEK.crt
|
||||
RUN mcopy -i disk.img KEK.cer ::/EFI/BOOT/KEK.cer
|
||||
RUN mcopy -i disk.img DB.key ::/EFI/BOOT/DB.key
|
||||
RUN mcopy -i disk.img DB.crt ::/EFI/BOOT/DB.crt
|
||||
RUN mcopy -i disk.img DB.cer ::/EFI/BOOT/DB.cer
|
||||
RUN mcopy -i disk.img MokManager.efi ::/EFI/BOOT/mmx64.efi
|
||||
END
|
||||
RUN mdir -i disk.img ::/EFI/BOOT
|
||||
SAVE ARTIFACT disk.img AS LOCAL build/disk.img
|
||||
|
||||
# example with ukify + measure
|
||||
#RUN /usr/lib/systemd/ukify Kernel Initrd \
|
||||
# --cmdline Cmdline \
|
||||
# --os-release Osrelease \
|
||||
# --uname Uname \
|
||||
# --stub /usr/lib/systemd/boot/efi/linuxx64.efi.stub \
|
||||
# --secureboot-private-key DB.key \
|
||||
# --secureboot-certificate DB.crt \
|
||||
# --sign-kernel \
|
||||
# --pcr-private-key private.pem \
|
||||
# --pcr-public-key public.pem \
|
||||
# --measure \
|
||||
# --output $ISO_NAME.signed.efi
|
||||
RUN sbsign --key DB.key --cert DB.crt --output systemd-bootx64.signed.efi /usr/lib/systemd/boot/efi/systemd-bootx64.efi
|
||||
RUN sbsign --key DB.key --cert DB.crt --output uki.signed.efi uki.unsigned.efi
|
||||
SAVE ARTIFACT PK.der PK.der
|
||||
SAVE ARTIFACT KEK.der KEK.der
|
||||
SAVE ARTIFACT DB.der DB.der
|
||||
SAVE ARTIFACT systemd-bootx64.signed.efi systemd-bootx64.efi
|
||||
SAVE ARTIFACT uki.signed.efi uki.signed.efi
|
||||
SAVE ARTIFACT uki.unsigned.efi uki.unsigned.efi
|
||||
|
||||
###
|
||||
### Artifacts targets (ISO, netboot, ARM)
|
||||
@ -642,16 +601,39 @@ iso-uki:
|
||||
ARG OSBUILDER_IMAGE
|
||||
FROM $OSBUILDER_IMAGE
|
||||
WORKDIR /build
|
||||
COPY +uki/uki.efi /build/uki.efi
|
||||
COPY +uki/uki.signed.efi .
|
||||
COPY +uki/PK.der .
|
||||
COPY +uki/KEK.der .
|
||||
COPY +uki/DB.der .
|
||||
COPY +uki/systemd-bootx64.efi .
|
||||
# Set the name for kairos manually as otherwise it picks it from the os-release automatically
|
||||
RUN printf "title Kairos ${FLAVOR} ${VERSION}\nefi /EFI/kairos/kairos.efi" > kairos.conf
|
||||
RUN printf "default kairos.conf" > loader.conf
|
||||
RUN mkdir -p /build/efi
|
||||
# TODO: Create the img size based ont eh actual efi size!
|
||||
# TODO: Create the img size based on the actual efi size!
|
||||
RUN dd if=/dev/zero of=/build/efi/efiboot.img bs=1G count=1
|
||||
RUN mkfs.msdos -F 32 -n 'EFIBOOTISO' /build/efi/efiboot.img
|
||||
RUN mkfs.msdos -F 32 /build/efi/efiboot.img
|
||||
RUN mmd -i /build/efi/efiboot.img ::EFI
|
||||
RUN mmd -i /build/efi/efiboot.img ::EFI/BOOT
|
||||
RUN mmd -i /build/efi/efiboot.img ::EFI/kairos
|
||||
RUN mmd -i /build/efi/efiboot.img ::EFI/tools
|
||||
RUN mmd -i /build/efi/efiboot.img ::loader
|
||||
RUN mmd -i /build/efi/efiboot.img ::loader/entries
|
||||
RUN mmd -i /build/efi/efiboot.img ::loader/keys
|
||||
RUN mmd -i /build/efi/efiboot.img ::loader/keys/kairos
|
||||
# Copy keys
|
||||
RUN mcopy -i /build/efi/efiboot.img /build/PK.der ::loader/keys/kairos/PK.der
|
||||
RUN mcopy -i /build/efi/efiboot.img /build/KEK.der ::loader/keys/kairos/KEK.der
|
||||
RUN mcopy -i /build/efi/efiboot.img /build/DB.der ::loader/keys/kairos/DB.der
|
||||
# Copy kairos efi. This dir would make system-boot autosearch and add to entries automatically /EFI/Linux/
|
||||
# but here we do it by using systemd-boot as fallback so it sets the proper efivars
|
||||
RUN mcopy -i /build/efi/efiboot.img /build/kairos.conf ::loader/entries/kairos.conf
|
||||
RUN mcopy -i /build/efi/efiboot.img /build/uki.signed.efi ::EFI/kairos/kairos.EFI
|
||||
# systemd-boot as bootloader
|
||||
RUN mcopy -i /build/efi/efiboot.img /build/loader.conf ::loader/loader.conf
|
||||
# TODO: TARGETARCH should change the output name to BOOTAA64.EFI in arm64!
|
||||
RUN mcopy -i /build/efi/efiboot.img /build/uki.efi ::EFI/BOOT/BOOTX64.EFI
|
||||
RUN xorriso -as mkisofs -V 'EFI_ISO_BOOT' -e efiboot.img -no-emul-boot -o /build/$ISO_NAME.iso /build/efi/
|
||||
RUN mcopy -i /build/efi/efiboot.img /build/systemd-bootx64.efi ::EFI/BOOT/BOOTX64.EFI
|
||||
RUN xorriso -as mkisofs -V 'UKI_ISO_INSTALL' -e efiboot.img -no-emul-boot -o /build/$ISO_NAME.iso /build/efi/
|
||||
SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
|
||||
|
||||
# This target builds an iso using a remote docker image as rootfs instead of building the whole rootfs
|
||||
|
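Review bot: `COPY tests/keys/* .` in the `uki` target brings the repository's committed private keys into the build, and the `sbsign --key DB.key --cert DB.crt` lines then sign both systemd-boot and the UKI with them, while `iso-uki` ships `PK.der`, `KEK.der` and `DB.der` on the ISO under `loader/keys/kairos`. As far as the rendered page shows there is no way to supply other keys, so every ISO produced by `+iso-uki` is signed with a key whose private half is public. I would make the key directory an argument, `ARG UKI_KEYS_DIR=tests/keys` followed by `COPY ${UKI_KEYS_DIR}/* .`, and move the existing "NEVER EVER EVER use this keys" warning directly above that COPY so it stays attached to the line it is about. The page does not mark which of the doubled lines are old or new, so this reading of the new side is inferred from the hunk headers.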
BIN
tests/assets/efivars.fd
Normal file
Binary file not shown.
165
tests/assets/efivars.json
Normal file
File diff suppressed because one or more lines are too long
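--- a/tests/assets/efivars.md
+++ b/tests/assets/efivars.md
@@ -0,0 +1,18 @@
+2 Files provided for testing efivars
+
+efivars.fd is the compiled efivars in a format that qemu can understand
+efivars.json is the original json from where the efivars.fd file was created
+
+efivars.fd can be recreated by using `virt-fw-vars` from the package `python3-virt-firmware` and is used to manipulate
+efivars files and generate new ones from templates.
+
+Assuming the OVMF package is installed and the default firmware and efivars files are at /usr/share/OVMF you can run the following to regenerate the efivars file
+
+```bash
+virt-fw-vars -i /usr/share/OVMF/OVMF_VARS.fd --set-json efivars.json -o efivars.fd
+```
+
+This uses `/usr/share/OVMF/OVMF_VARS.fd` as the base template (is empty), loads the vars from `efivars.json` and outputs the efivars.fd file
+
+
+The current efivars enables SecureBoot with the default keys and also bundles the certs for our testing, available at $ROOT/tess/keys/ and what our test UKI EFI files are signed for.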
@ -12,7 +12,7 @@ require (
|
||||
github.com/mudler/go-processmanager v0.0.0-20220724164624-c45b5c61312d
|
||||
github.com/onsi/ginkgo/v2 v2.9.5
|
||||
github.com/onsi/gomega v1.27.7
|
||||
github.com/spectrocloud/peg v0.0.0-20230825092931-25d89833e022
|
||||
github.com/spectrocloud/peg v0.0.0-20231002135825-d1dc260381ac
|
||||
golang.org/x/mod v0.10.0
|
||||
gopkg.in/yaml.v3 v3.0.1
|
||||
)
|
||||
@ -29,6 +29,7 @@ require (
|
||||
github.com/codingsince1985/checksum v1.2.6 // indirect
|
||||
github.com/containerd/cgroups v1.1.0 // indirect
|
||||
github.com/coreos/go-systemd/v22 v22.5.0 // indirect
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
|
||||
github.com/creachadair/otp v0.4.0 // indirect
|
||||
github.com/davidlazar/go-crypto v0.0.0-20200604182044-b73af7476f6c // indirect
|
||||
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
|
||||
@ -124,9 +125,11 @@ require (
|
||||
github.com/quic-go/quic-go v0.34.0 // indirect
|
||||
github.com/quic-go/webtransport-go v0.5.2 // indirect
|
||||
github.com/raulk/go-watchdog v1.3.0 // indirect
|
||||
github.com/russross/blackfriday/v2 v2.1.0 // indirect
|
||||
github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e // indirect
|
||||
github.com/songgao/packets v0.0.0-20160404182456-549a10cd4091 // indirect
|
||||
github.com/spaolacci/murmur3 v1.1.0 // indirect
|
||||
github.com/urfave/cli v1.22.10 // indirect
|
||||
github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
|
||||
github.com/vishvananda/netns v0.0.4 // indirect
|
||||
github.com/whyrusleeping/go-keyspace v0.0.0-20160322163242-5b898ac5add1 // indirect
|
||||
|
@ -45,6 +45,8 @@ github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8
|
||||
github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
|
||||
github.com/creachadair/otp v0.4.0 h1:3PBnESxegU3hQ0D447D75lSnTtTVfw6Eny8GviOXcqM=
|
||||
github.com/creachadair/otp v0.4.0/go.mod h1:mDkCUSoWN8zqxFoDMw20Boe6xeDd1jJuy6pNQQ4lCy4=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
@ -430,8 +432,11 @@ github.com/raulk/go-watchdog v1.3.0 h1:oUmdlHxdkXRJlwfG0O9omj8ukerm8MEQavSiDTEtB
|
||||
github.com/raulk/go-watchdog v1.3.0/go.mod h1:fIvOnLbF0b0ZwkB9YU4mOW9Did//4vPZtDqv66NfsMU=
|
||||
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
|
||||
github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
|
||||
github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo=
|
||||
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
|
||||
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
|
||||
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
|
||||
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
|
||||
github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
|
||||
github.com/shurcooL/component v0.0.0-20170202220835-f88ec8f54cc4/go.mod h1:XhFIlyj5a1fBNx5aJTbKoIq0mNaPvOagO+HjB3EtxrY=
|
||||
github.com/shurcooL/events v0.0.0-20181021180414-410e4ca65f48/go.mod h1:5u70Mqkb5O5cxEA8nxTsgrgLehJeAw6Oc4Ab1c/P1HM=
|
||||
@ -471,6 +476,8 @@ github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0b
|
||||
github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
|
||||
github.com/spectrocloud/peg v0.0.0-20230825092931-25d89833e022 h1:/dw2RhgT412X7iXzGBrUNdwfV914VjGsakISm2Ual5Q=
|
||||
github.com/spectrocloud/peg v0.0.0-20230825092931-25d89833e022/go.mod h1:L2fIdtZqbQEagjOOXwkwH3t7MjJUd7fbt52cLSQGDBg=
|
||||
github.com/spectrocloud/peg v0.0.0-20231002135825-d1dc260381ac h1:2AQBW7nOjdTy11UvomVwltuYPQyviEw+zOQ3IOO8P1g=
|
||||
github.com/spectrocloud/peg v0.0.0-20231002135825-d1dc260381ac/go.mod h1:L2fIdtZqbQEagjOOXwkwH3t7MjJUd7fbt52cLSQGDBg=
|
||||
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
|
||||
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
|
||||
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
|
||||
@ -490,6 +497,7 @@ github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVM
|
||||
github.com/ugorji/go/codec v1.1.7 h1:2SvQaVZ1ouYrrKKwoSk2pzd4A9evlKJb9oTL+OaLUSs=
|
||||
github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
|
||||
github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
|
||||
github.com/urfave/cli v1.22.10 h1:p8Fspmz3iTctJstry1PYS3HVdllxnEzTEsgIgtxTrCk=
|
||||
github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
|
||||
github.com/viant/assertly v0.4.8/go.mod h1:aGifi++jvCrUaklKEKT0BU95igDNaqkvz+49uaYMPRU=
|
||||
github.com/viant/toolbox v0.24.0/go.mod h1:OxMCG57V0PXuIP2HNQrtJf2CjqdmbrOx5EkMILuUhzM=
|
||||
|
19
tests/keys/DB.crt
Normal file
@ -0,0 +1,19 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDCTCCAfGgAwIBAgIUQ8Ef+QHp6mLYXXvX8/9YsKJDINYwDQYJKoZIhvcNAQEL
|
||||
BQAwFDESMBAGA1UEAwwJS2Fpcm9zIERCMB4XDTIzMDkyNTE5NDg1NFoXDTMzMDky
|
||||
MjE5NDg1NFowFDESMBAGA1UEAwwJS2Fpcm9zIERCMIIBIjANBgkqhkiG9w0BAQEF
|
||||
AAOCAQ8AMIIBCgKCAQEA7yiYejq/rA33hFx4D2pg8pbCfZFpA2r1CGgJpaOw0emY
|
||||
m9pe6PmHhfT+mifXUao3mC9hjtB+cD/LQNlu6gR4x6UMs3c6+i+y1PMldsO/F2vS
|
||||
0mNz759BEawiO4x0bopr+oPJSvpkP5UUjYvJ8Cd5q5ON4rBEeCT9d8E9nG9uH3XQ
|
||||
oQPAvzo9ehhnzAAmHS35i2hSl6rUMgwp6S24CKcGbwl1pNvoU528W0xr1hYOazba
|
||||
/+rZQtuGqscUYUAbOLE1hOp/UWGms/m0ezTBsVkQ1RyQn6cWGrKVpTzaaN+1e5ai
|
||||
xYyXc9/QzY5Rqd4qisTmwYBsHdeVhXp3ihJkWnTzrwIDAQABo1MwUTAdBgNVHQ4E
|
||||
FgQU1McSdX5TgJ/FcIjI+SNwm6ss4MwwHwYDVR0jBBgwFoAU1McSdX5TgJ/FcIjI
|
||||
+SNwm6ss4MwwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAzO5C
|
||||
E5BjEhwq050bxqqVDYGYXXaLHQsTBDeJGSnJnggODz4o5aKCiBjOAvNeT46maHAe
|
||||
g7jJ4eNw5Beiqu2LQoTFQC/eCFs6frYRBNCewPMezmT+i+YqZvc/RZfgTY+64SRx
|
||||
AHvfJuelU3pAS2gWAeg7gQZa0KTJG0ZWnULwy+pAcN2yckz5NOZ7Hl2PPTCUGyhz
|
||||
uIgoZp1ds4xd6LmGssuMZB6phyhAdvhokrYesJT9BT8tCGgiqjUZWSpG8gJBoJXC
|
||||
2KHn5iE70B4V/LICBa20PucH7rDgaJTJaKOJ5hp51S6dCUAt3prgPsD0sx+42LvN
|
||||
OLolFoaI8pH5yJOehQ==
|
||||
-----END CERTIFICATE-----
|
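Review bot: Nothing in this certificate identifies it as a test credential: going by the generation recipe kept in the Earthfile comments (`-subj "/CN=Kairos DB/"`, `-days 3650`), its subject is just "Kairos DB" with a ten-year validity, and `tests/keys/KEK.crt` and `tests/keys/PK.crt` follow the same pattern. Once enrolled, a listing of the firmware's PK/KEK/db shows nothing to distinguish these from production Kairos keys, even though the matching private keys are committed next to them. Regenerating the set with a subject such as `/CN=Kairos TEST DB - DO NOT TRUST/` (and the equivalent for KEK and PK) would make an accidental enrollment on real hardware visible at a glance; `tests/assets/efivars.fd` would then need regenerating with the new certificates.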
BIN
tests/keys/DB.der
Normal file
Binary file not shown.
28
tests/keys/DB.key
Normal file
@ -0,0 +1,28 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDvKJh6Or+sDfeE
|
||||
XHgPamDylsJ9kWkDavUIaAmlo7DR6Zib2l7o+YeF9P6aJ9dRqjeYL2GO0H5wP8tA
|
||||
2W7qBHjHpQyzdzr6L7LU8yV2w78Xa9LSY3Pvn0ERrCI7jHRuimv6g8lK+mQ/lRSN
|
||||
i8nwJ3mrk43isER4JP13wT2cb24fddChA8C/Oj16GGfMACYdLfmLaFKXqtQyDCnp
|
||||
LbgIpwZvCXWk2+hTnbxbTGvWFg5rNtr/6tlC24aqxxRhQBs4sTWE6n9RYaaz+bR7
|
||||
NMGxWRDVHJCfpxYaspWlPNpo37V7lqLFjJdz39DNjlGp3iqKxObBgGwd15WFeneK
|
||||
EmRadPOvAgMBAAECggEAAcwXzT9YxmW6ePOq8U622MvaPVBU7jIlEkGZ5PVEdGdh
|
||||
frZW5UBOzOpo6WaoPxRc45djj8uwT46jK+MWasrKz5FFdanNNykZmnETVH+nFXl5
|
||||
dZxKuD/FoOjevvzQuS3wHstTvW0BSNsJcwDcbSIWz3vF4rC5av+4Kei5Wk4aEUFx
|
||||
Ll/mwtDNbkXPRK1xXWg8Z69BwPIxIo9CESNkwRAQZr/1btBUXaMpHjmF8c76vj8z
|
||||
ayD9gsDLGNYnU11cVbdlREi0J5CIVyPbBFuOoU27U9scTBJfrRBCCRLe19N6B0cQ
|
||||
LEoLCdaG4CJz3kGX2ErBRWBu2w7qHZd3rD0JdE9KfQKBgQD3vHlT34+MFVG/4+z2
|
||||
8kfThHA/EfseK7KDy5FUGMomFXVlR5+6UbWmWcbjN9wl/iB+FfkYYSbX+gS0gYuq
|
||||
hwlecIIM+sbPly0xjVvTXf8iihzaZsRx+fCfctHi087ZvbhCHXgYHRSBZ1u0dKoA
|
||||
y4rnpeWP0I9ZGBvNznah2baCrQKBgQD3It+Z+7Pr1O1cBdqBHRJtzO1z1s2Opj5L
|
||||
NICjHXCEcU1GzR1rGc20FXXaDcMbgisRob1w92ESrxHRsypUlboKtMfcf0/HbckN
|
||||
FZLDxkxZENBUql9DenT69m4hEFn3KKOqi2D/RVjYBZrU+joWkv3tXcXiBjB+srgw
|
||||
xeU1+j+3SwKBgQDoWPKKAZFGVvB3QrQK4C0RapND8/9LyrwA9Dn3X9Coa1PRi515
|
||||
SA1QWb85eDiXwYKD/uPDQ8sEoU8sZJuzcjcNRgQTXFh+dlFCuku3L9+Ma3CoPd5c
|
||||
74gIY84KKZFFkrRv/eeW5h9HRsMxuoF/gWdj36owefEYJI5fNhb5sZGFeQKBgHxr
|
||||
ICtDnuchwYXMpJ7P5hFFVF43TDF+3Gm8Ou7jyVvENuVoKmFbEkaRb02iFBHrTIeJ
|
||||
5/fRcxuW69+o1azT3F+7d8s4hQ+f49IkhEjvskw8vMWDKIauRep62iLnOoPF/+/C
|
||||
T8j0PrAy0ipa95eZ1SEFTrRl7VA75aMYXjb4j89VAoGAK+7UBmtTOLTVNUxNFXIP
|
||||
66Ue0ZX+FOLollJYx42QvXmoqXayOb2H5EjZIIW3narom5Ox454zlWbty4Luncqr
|
||||
bhfKBLhPqeoOw05h6Z+s9lfr++7rR6ZC8Q+r3m8W2MiEAVDxPIucwB1FPoy2zFG2
|
||||
jOLVMOsPlJ9FcRQKWupurdo=
|
||||
-----END PRIVATE KEY-----
|
19
tests/keys/KEK.crt
Normal file
@ -0,0 +1,19 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDCzCCAfOgAwIBAgIUFElXQYJNL9OmNok3nLKNWzDExuUwDQYJKoZIhvcNAQEL
|
||||
BQAwFTETMBEGA1UEAwwKS2Fpcm9zIEtFSzAeFw0yMzA5MjUxOTQ4NDVaFw0zMzA5
|
||||
MjIxOTQ4NDVaMBUxEzARBgNVBAMMCkthaXJvcyBLRUswggEiMA0GCSqGSIb3DQEB
|
||||
AQUAA4IBDwAwggEKAoIBAQCapyZdRd6TFgnrJJtYYUAgfCfFSzpRQLorYgqUfaY1
|
||||
UnNxlE1ngcBs1GHRQAO7jdYPvL3QiIY+qKoDGJ12/UKs6SpfNHLQtHQ2NrQrVDXF
|
||||
gt+ttauhsa+T0ll46qDc3H6x9s1jUhGIFZgkmQ+aXj5YFHwjDtoxw5vtJw/p77rj
|
||||
e4bEs58Fr0ovrlDm2en2kpiVvXSQdWxy1pLBt1QahfZf4jqgQJ13A+oURx7pgyoM
|
||||
ayvtVjG4lLtkkPm5L5JXImGG03XkjOehckKoQR88oAmhzzDat96i+18dMd3HR2gk
|
||||
V4/hXQnPPtCffHBV5r26kqe4KojCx9riz3yEylvMMtE5AgMBAAGjUzBRMB0GA1Ud
|
||||
DgQWBBQ8+vEr6ovmH40ZA5FJiT+zYLBitDAfBgNVHSMEGDAWgBQ8+vEr6ovmH40Z
|
||||
A5FJiT+zYLBitDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAw
|
||||
sjmqYzHnQF06SlICMh06obnXSkzf06whvkhl+mWUMBKVtMFR6D3sHs7pznNhMkpY
|
||||
Fa9j6hY44fjU+6tkQaMccz/KOMDKpJlPmILKuixraYgCV7HcoBmpKE32xwCzEId3
|
||||
NZ38JDxRFmijIDtdCUspHxeMn+PpHDhkvBdEK60+bA7BZis9b2qDoiAo6NpxjdVL
|
||||
kMBVzdGgqGcN6SPNujgy78/N/vndxGRxyN2fscmnvf0qzs1OP696AyTDQ9VZ/4fP
|
||||
Q/kmLfL9JNu8d4cx1wdgV/20FtMnHhr1Q7f1/Gqr5S2zt3L9WLwnTDOrLd3UZ9wl
|
||||
wtpRye1107RaagwlTnvh
|
||||
-----END CERTIFICATE-----
|
BIN
tests/keys/KEK.der
Normal file
Binary file not shown.
28
tests/keys/KEK.key
Normal file
@ -0,0 +1,28 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCapyZdRd6TFgnr
|
||||
JJtYYUAgfCfFSzpRQLorYgqUfaY1UnNxlE1ngcBs1GHRQAO7jdYPvL3QiIY+qKoD
|
||||
GJ12/UKs6SpfNHLQtHQ2NrQrVDXFgt+ttauhsa+T0ll46qDc3H6x9s1jUhGIFZgk
|
||||
mQ+aXj5YFHwjDtoxw5vtJw/p77rje4bEs58Fr0ovrlDm2en2kpiVvXSQdWxy1pLB
|
||||
t1QahfZf4jqgQJ13A+oURx7pgyoMayvtVjG4lLtkkPm5L5JXImGG03XkjOehckKo
|
||||
QR88oAmhzzDat96i+18dMd3HR2gkV4/hXQnPPtCffHBV5r26kqe4KojCx9riz3yE
|
||||
ylvMMtE5AgMBAAECggEAJCuz7VzKEdy1tSl6q9ETDoX7R0mw+hAJetwTXWeF2DLQ
|
||||
jWACOpM+TjXeKvKt7M/foQ6j1oIX48/O86puKcZSMd7W6i16LRYHmCZzPS8U5H0X
|
||||
k6lJ2yeTyR8Jjh5SQVXQzA7NOs2XDB0A2I5z98bTDga8gfaXUcxOS8k3D5/iNhHw
|
||||
oBWjk9MSkxXPDS67mFOZGeia+CcG/k3r/GXrakBj8Iq183X0GH53VJr+y6DLXJax
|
||||
tHdg0mio57HFvG7LvzODy25Ymr/r8RFIuSqrCEjgeQQt/oERqVToZDFB0pELgSK/
|
||||
A1JuPvPWT2CXPymXHl9uBJvNQS1eaoI+wKZ0ui7BgQKBgQDZpo6fdMR88Z9RDLgk
|
||||
E6PfVNxq4KHIVtSErpGYKVx56CIVrhOu9Jk66kJq7eQma6UCUZd6qHMx9CG/ligZ
|
||||
yk4u51kDM2btqRdtsnXbKiqONcoorn6E8UZHSJxDBrRSAUIruaJC+zxwACVtwasz
|
||||
4Pc5HNvqFGqpMi7ujs8rP1/hZwKBgQC15v3sKv54KZwOxEGxdabRE/T/hQmiasG/
|
||||
34qdNV/DRDLxIpyBPbKR/EjJyNsFzzySLG2oeDCUY7JX1B9iZ24RgT8OmTka0nSW
|
||||
yi4RhH99hzLglDCHe55Zrr6oDK9xwhxWKIHU98hNVCKGDptd5HQ140sdZTwQsJ26
|
||||
RYbbj/j0XwKBgQCQjEpqYj1gkYPyaxUceKK73vsoTBmGGQy5NcriGI4fNGj2pw7R
|
||||
ggcGFrCXnXiJf7IuEQweXSNsSKvlNo9ZWX+FLQZz1r6EFmnF4+Db9mwe2GBzljfW
|
||||
iPrYusN0zE4TrFxK99Vo0Lw50g8JjrbqFH18Q8tV8ctIpVh//P5fxY4i/wKBgDhk
|
||||
2shDNA1Q6R7y3WMFFKixRT2Ko0gFTPgNd83xZDUHibuUfWzcEeaMjoxwhuawLxkq
|
||||
SPz39ierGPl9vBUn98nZhhEik7+rC5ZMLCgmKdhi9/UEPF9khd1L/bPf6uybv2k+
|
||||
ubGq+CBxOxrQoH5le1nRk9ITNqH9/4hmUb70TbyFAoGAC0w4pJM8R3kaFqKdDVo8
|
||||
bD3buojiE0ORPeLdnhe5yc9XaLsM6Ti3MPCeiQ3gZRCuvOlsy4noDnATUXYusNfa
|
||||
u7WLPO56ne5ewAWWmtywQ/D8IZHWHkNM1n8yHWCZXyZgF7sh1CXsIXOam7F9Syzm
|
||||
8uZGoFciL4vV9F5x3CBk70M=
|
||||
-----END PRIVATE KEY-----
|
19
tests/keys/PK.crt
Normal file
@ -0,0 +1,19 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDCTCCAfGgAwIBAgIUeKRpRkHvYxAffzrfw90J8MAlTDIwDQYJKoZIhvcNAQEL
|
||||
BQAwFDESMBAGA1UEAwwJS2Fpcm9zIFBLMB4XDTIzMDkyNTE5NDgyOFoXDTMzMDky
|
||||
MjE5NDgyOFowFDESMBAGA1UEAwwJS2Fpcm9zIFBLMIIBIjANBgkqhkiG9w0BAQEF
|
||||
AAOCAQ8AMIIBCgKCAQEAqfXx/rkk1TPZTWisQFnhRr5T8t6I7i9zK3DO+URrsg6V
|
||||
7+5ztM8udc1RUg1VndkZRNMKazgVqH7ZfKHkxUdQc4Xq+EKscywJirtcjsMKVAUt
|
||||
IEt9M/NeQN+CIEsSgOyEqJZGazcVPpL8Q7x4xcZ4SewJyobS5u+txY9Ei/EA40ih
|
||||
AxycYmhoUHLLwjtO9O1UKf/6HW3KgkMYpAualrJjd70g0WsV0lFGUCG4rpSEN6Dn
|
||||
p17zF1y5USCCstgxp3KSMuBFlBFzFChjy6w8v0LUlFADYj6Z83oPOD/2x+UeJui8
|
||||
Hxcrgu3VnXVmLoQaggml1EqbW7cu8S3YxlbAH5pQrwIDAQABo1MwUTAdBgNVHQ4E
|
||||
FgQUHzloQNy/RNHN71Ihn0YaxwhdcrgwHwYDVR0jBBgwFoAUHzloQNy/RNHN71Ih
|
||||
n0YaxwhdcrgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAASMw
|
||||
sw9kOeNNhcA4o5MnIG6uqH/4jIMG8UjcqyuNKtH/2eLs/xNCSDIJG0VVuY2y3kzw
|
||||
GLZmphdxvtvWW6c9A9+mdM/JBi3AeGyIGk2hfFVoFcV/7VuGgphAJcTKY6KXgj7e
|
||||
F6hjatCCUUYiRkiPL50X5wJQ/COAOe7/5BzeAZhbxNQ9z6IG4StdS31uSE7Vl2Nn
|
||||
G+V1Gkqmc/6Z3Nkd2iGPiLIiqkDn8Xcincn/f0ybgnOdVljtXlzJm0pN4FrVkdPa
|
||||
en/HLiMCjKTSWl1wXF3GUZkmCITryJ4O6SWtsuWTqmvohb2QAMqdnybFW7hjzGoG
|
||||
A0UKl8yqRzdGBa0mHg==
|
||||
-----END CERTIFICATE-----
|
BIN
tests/keys/PK.der
Normal file
Binary file not shown.
28
tests/keys/PK.key
Normal file
@ -0,0 +1,28 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCp9fH+uSTVM9lN
|
||||
aKxAWeFGvlPy3ojuL3MrcM75RGuyDpXv7nO0zy51zVFSDVWd2RlE0wprOBWoftl8
|
||||
oeTFR1Bzher4QqxzLAmKu1yOwwpUBS0gS30z815A34IgSxKA7ISolkZrNxU+kvxD
|
||||
vHjFxnhJ7AnKhtLm763Fj0SL8QDjSKEDHJxiaGhQcsvCO0707VQp//odbcqCQxik
|
||||
C5qWsmN3vSDRaxXSUUZQIbiulIQ3oOenXvMXXLlRIIKy2DGncpIy4EWUEXMUKGPL
|
||||
rDy/QtSUUANiPpnzeg84P/bH5R4m6LwfFyuC7dWddWYuhBqCCaXUSptbty7xLdjG
|
||||
VsAfmlCvAgMBAAECggEABfVOzgC8l1LRf+K3AyyDdsDuXXnKsBruvSufveJVqjDT
|
||||
tc0UtlZ7CPsxKiC4iyeUuLJzT43wSG9l/XYJeJcG7X3Y3mor9H+rN/dYh9Kzln11
|
||||
9wdedMdH2xtayvoGxIlGH0jhYBnWv1JU0KUXUMuj5OeG8lgmpZzqaR4cJ5HD17Ph
|
||||
3e4kMdtSdNVvV4UxTp7oiX9KYrNueAnqh09O2Hq23+6LV2yB5gs+wBlzpXECLma/
|
||||
UmNJOzFpLIi1HHIDgfdwTS0JnP4lGPEV+R/VHdHfy9W9WB8jyyONPewCtaUMqgxY
|
||||
W7kZCrjRmpMVzQwA/60SIaFZpdSQjEDNIMssl4bozQKBgQDtTQX6LyT/RoOKbv5I
|
||||
n6Uqi5XFU+k3SnDHN/8sTSwK7r4xC4n+2MjR0YS2tDYgaAvqvnG3dCRP0/NYluSG
|
||||
0Ih2g2t1ct+feWbvd/a6On8f2UoNGC0X4xoLmNOe/ToqcAFTW7TJ6l6oQ5fGq+QV
|
||||
UczwkkKToYmjFjgY5GMCUTbGRQKBgQC3Wn7p9V1WadQMPGRu0LegTCV4QZlkiLqw
|
||||
OE9Ezg8GgnyJ0ny3FmBPIPAMS/h6Rex83fBzds0uDLSkRSpTprqcbLr6lFL3Mf7N
|
||||
uPXxUHOFvc4P7sHK57jVYlV8bu+OQC3XLaIkjguMIVoZZR57q1rCN3KwZ8FPXyCb
|
||||
GgVqRTlUYwKBgQDTSAPtaHJpc3AFHqP7J2FYiyWTpw17tCTLy9i/qgpvxXfDlUGN
|
||||
jZjn78NZJQUYP2t025HGRHtcNBtzog3g1uTZmFNiJCBlDiOPTWF5GEI9qirbk836
|
||||
ebKj5rNs2IwkYstbW8iRCsKy0FPfiQYv0UBGZgMvDOHOOidCSn64/nRlfQKBgDYB
|
||||
EpaIbYhxPUKpWw+ErEErjHHCKJMC7rHOtBJY+vX44wOZGqC2l4FW+z0z9yjUhZY1
|
||||
rIfluwNQPLiRoqjm19oQ8HWz0Ef80sb3LoF4J76BrDrnIO9JlxhKkVFIP4jPgHD7
|
||||
gOFxcRdCD46hSPw1+VJxEHfC554gL7NfU678WqlvAoGAMeeVuDlCbqxehBMdbtMA
|
||||
Z74LhilPklqgvF36p3l3PIqO4427Rg49m5KxiBttoofq3nYFikrYPnVY1mYFnhSl
|
||||
hwZG/eXLpRaYb/yDGdzHxzsQFYjxD3InLSfvd67fRG/T5+R8M5bDs+IZCFlGFvG/
|
||||
fA0uGH0fKEPUy7Ijex9cXag=
|
||||
-----END PRIVATE KEY-----
|
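--- a/tests/keys/README.md
+++ b/tests/keys/README.md
@@ -0,0 +1,8 @@
+This are TEST keys, used for development purposes.
+
+You can install this keys on a VM EFI and test secureboot.
+
+They are pregenerated so you can iterate building Kairos UKI EFI and use the same signature without generating keys
+all the time.
+
+They should never be installed anywhere different than a VM.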
@ -7,6 +7,7 @@ import (
|
||||
"os"
|
||||
"os/exec"
|
||||
"path"
|
||||
"path/filepath"
|
||||
"strconv"
|
||||
"testing"
|
||||
"time"
|
||||
@ -103,6 +104,7 @@ func gatherLogs(vm VM) {
|
||||
"/run/immucore/immucore.log",
|
||||
"/run/immucore/initramfs_stage.log",
|
||||
"/run/immucore/rootfs_stage.log",
|
||||
"/tmp/ovmf_debug.log",
|
||||
})
|
||||
}
|
||||
|
||||
@ -191,24 +193,24 @@ func startVM() (context.Context, VM) {
|
||||
func(m *types.MachineConfig) error {
|
||||
FW := os.Getenv("FIRMWARE")
|
||||
if FW != "" {
|
||||
m.Args = append(m.Args,
|
||||
"-bios", FW)
|
||||
getwd, err := os.Getwd()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
m.Args = append(m.Args, "-drive",
|
||||
fmt.Sprintf("file=%s,if=pflash,format=raw,readonly=on", FW),
|
||||
)
|
||||
|
||||
// Set custom vars file for efi config so we boot first from disk then from DVD
|
||||
m.Args = append(m.Args, "-drive",
|
||||
fmt.Sprintf("file=%s,if=pflash,format=raw", filepath.Join(getwd, "assets/efivars.fd")),
|
||||
)
|
||||
// Needed to be set for secureboot!
|
||||
m.Args = append(m.Args, "-machine", "q35,smm=on")
|
||||
}
|
||||
|
||||
return nil
|
||||
},
|
||||
// UKI boot
|
||||
func(m *types.MachineConfig) error {
|
||||
drive := os.Getenv("UKI_DRIVE")
|
||||
// UKI drive needs to be set with bootindex=0 to be able to boot from that disk directly
|
||||
// Otherwise it won't boot
|
||||
if drive != "" {
|
||||
m.Args = append(m.Args,
|
||||
"-drive", fmt.Sprintf("file=%s,if=none,index=0,media=disk,format=raw,id=disk1", drive),
|
||||
"-device", "virtio-blk-pci,drive=disk1,bootindex=0")
|
||||
}
|
||||
return nil
|
||||
},
|
||||
types.WithDataSource(os.Getenv("DATASOURCE")),
|
||||
}
|
||||
if os.Getenv("KVM") != "" {
|
||||
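Review bot: The second pflash drive in the firmware option of startVM attaches `assets/efivars.fd` from the working directory without `readonly=on`, so QEMU writes NVRAM changes back into that file. Each run then starts from whatever boot order and Secure Boot variables the previous run left behind, and if the file is the checked-in asset (inferred from the path) the tests also modify the work tree. Copy the vars file to a per-run temporary path and point `file=` at the copy, or add `snapshot=on` to that drive, so the Secure Boot state under test is always the known one. The comment above it could say so: `// vars store is writable: attach a per-run copy so boot order and enrolled keys start from a known state`. startVM begins and ends outside this hunk.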
|
@ -13,9 +13,6 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() {
|
||||
var vm VM
|
||||
|
||||
BeforeAll(func() {
|
||||
if os.Getenv("UKI_DRIVE") == "" {
|
||||
Fail("UKI_DRIVE environment variable set to a UKI disk is needed for UKI test")
|
||||
}
|
||||
if os.Getenv("FIRMWARE") == "" {
|
||||
Fail("FIRMWARE environment variable set to a EFI firmware is needed for UKI test")
|
||||
}
|
||||
@ -23,7 +20,7 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() {
|
||||
|
||||
BeforeEach(func() {
|
||||
_, vm = startVM()
|
||||
vm.EventuallyConnects(1200)
|
||||
vm.EventuallyConnects(300)
|
||||
})
|
||||
|
||||
AfterEach(func() {
|
||||
@ -35,6 +32,49 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() {
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
})
|
||||
It("passes checks", func() {
|
||||
By("Checking SecureBoot is enabled", func() {
|
||||
out, err := vm.Sudo(`dmesg|grep -i secure| grep -i enabled`)
|
||||
Expect(err).ToNot(HaveOccurred(), out)
|
||||
})
|
||||
By("Checking the boot mode (install)", func() {
|
||||
out, err := vm.Sudo("stat /run/cos/uki_install_mode")
|
||||
Expect(err).ToNot(HaveOccurred(), out)
|
||||
})
|
||||
By("Checking OEM/PERSISTENT are not mounted", func() {
|
||||
out, err := vm.Sudo("mount")
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
Expect(out).ToNot(ContainSubstring("/dev/disk/by-label/COS_OEM"))
|
||||
Expect(out).ToNot(ContainSubstring("/dev/disk/by-label/COS_PERSISTENT"))
|
||||
})
|
||||
By("installing kairos", func() {
|
||||
out, err := vm.Sudo(`kairos-agent --debug uki install --device /dev/vda`)
|
||||
Expect(err).ToNot(HaveOccurred(), out)
|
||||
Expect(out).Should(ContainSubstring("Running after-install hook"))
|
||||
vm.Sudo("sync")
|
||||
})
|
||||
|
||||
By("Ejecting Cdrom", func() {
|
||||
vm.DetachCD()
|
||||
})
|
||||
|
||||
By("waiting for VM to reboot", func() {
|
||||
vm.Reboot()
|
||||
vm.EventuallyConnects(1200)
|
||||
})
|
||||
By("Checking the boot mode (boot)", func() {
|
||||
out, err := vm.Sudo("stat /run/cos/uki_boot_mode")
|
||||
Expect(err).ToNot(HaveOccurred(), out)
|
||||
})
|
||||
By("Checking SecureBoot is enabled", func() {
|
||||
out, err := vm.Sudo(`dmesg|grep -i secure| grep -i enabled`)
|
||||
Expect(err).ToNot(HaveOccurred(), out)
|
||||
})
|
||||
By("Checking OEM/PERSISTENT are mounted", func() {
|
||||
out, err := vm.Sudo("df -h") // Shows the disk by label which is easier to check
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
Expect(out).To(ContainSubstring("/dev/disk/by-label/COS_OEM"))
|
||||
Expect(out).To(ContainSubstring("/dev/disk/by-label/COS_PERSISTENT"))
|
||||
})
|
||||
|
||||
By("checking custom cmdline", func() {
|
||||
out, err := vm.Sudo("cat /proc/cmdline")
|
||||
@ -81,7 +121,7 @@ var _ = Describe("kairos UKI test", Label("uki"), Ordered, func() {
|
||||
By("checking corresponding state", func() {
|
||||
out, err := vm.Sudo("kairos-agent state")
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
// TODO: make agetn report uki_mode or something?
|
||||
// TODO: make agent report uki_mode or something?
|
||||
Expect(out).To(ContainSubstring("boot: unknown"))
|
||||
currentVersion, err := vm.Sudo(getVersionCmd)
|
||||
Expect(err).ToNot(HaveOccurred(), currentVersion)
|
||||
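Review bot: The two `Checking SecureBoot is enabled` steps pass on any kernel log line that contains both "secure" and "enabled", and only while that line is still in the dmesg ring buffer, so the assertion depends on log wording rather than on firmware state. Since this is the check that guards the signed-boot path, read the state directly, for example from the `SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c` variable under `/sys/firmware/efi/efivars`, or with `mokutil --sb-state` if the image ships it (not visible here). In the same hunk `vm.DetachCD()` and `vm.Sudo("sync")` drop their errors; `Expect(vm.DetachCD()).ToNot(HaveOccurred())` would report a failed eject at the step that caused it. The enclosing Describe starts and ends outside the hunk.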
|
@ -47,8 +47,6 @@ var _ = Describe("k3s upgrade manual test", Label("upgrade-with-cli"), func() {
|
||||
Expect(out).Should(ContainSubstring("Running after-install hook"))
|
||||
vm.Sudo("sync")
|
||||
|
||||
err = vm.DetachCD()
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
By("Rebooting")
|
||||
vm.Reboot()
|
||||
})
|
||||
|
@ -48,8 +48,6 @@ var _ = Describe("k3s upgrade manual test", Label("upgrade-latest-with-cli"), fu
|
||||
Expect(installOutput).Should(ContainSubstring("Running after-install hook"))
|
||||
vm.Sudo("sync")
|
||||
|
||||
err = vm.DetachCD()
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
By("Rebooting")
|
||||
vm.Reboot()
|
||||
})
|
||||
|
@ -28,8 +28,7 @@ var _ = Describe("kairos zfs test", Label("zfs"), func() {
|
||||
Expect(err).ToNot(HaveOccurred(), out)
|
||||
out, err = vm.Sudo("sync")
|
||||
Expect(err).ToNot(HaveOccurred(), out)
|
||||
err = vm.DetachCD()
|
||||
Expect(err).ToNot(HaveOccurred())
|
||||
|
||||
vm.Reboot()
|
||||
})
|
||||
|
||||
|