packit-ci.fmf

# common test plan configuration

environment:
  RUST_IMA_EMULATOR: 1
  TPM_BINARY_MEASUREMENTS: /var/tmp/binary_bios_measurements

context:
  swtpm: yes
  agent: rust
  faked_measured_boot_log: yes

prepare:
 - how: shell
   script:
    - ln -s $(pwd) /var/tmp/keylime_sources
    - systemctl disable --now dnf-makecache.service || true
    - systemctl disable --now dnf-makecache.timer || true
    - dnf makecache
    - dnf -y update tpm2-tools tpm2-tss

execute:
  how: tmt

adjust:
 # prepare step adjustments
 - when: distro == centos-stream-9
   prepare+:
    - how: shell
      order: 30
      script:
       - rpm -Uv https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm
 - when: distro == centos-stream-8
   enabled: 0


## First test plan

/e2e-with-revocation:

  summary: run keylime e2e tests

  discover:
    how: fmf
    url: https://github.com/RedHat-SP-Security/keylime-tests
    ref: main
    test:
     - /setup/configure_tpm_emulator
     - /setup/install_upstream_keylime
     - /setup/install_rust_keylime_from_copr
     - /setup/enable_keylime_coverage
     # change IMA policy to simple and run one attestation scenario
     # this is to utilize also a different parser
     - /setup/configure_kernel_ima_module/ima_policy_simple
     - /functional/basic-attestation-on-localhost
     # now change IMA policy to signing and run all tests
     - /setup/configure_kernel_ima_module/ima_policy_signing
     - /functional/agent_UUID_assignment_options
     - /functional/basic-attestation-on-localhost
     - /functional/basic-attestation-with-custom-certificates
     - /functional/basic-attestation-with-ima-signatures
     - /functional/basic-attestation-without-mtls
     - /functional/basic-attestation-with-unpriviledged-agent
     - /functional/db-postgresql-sanity-on-localhost
     - /functional/db-mariadb-sanity-on-localhost
     - /functional/db-mysql-sanity-on-localhost
     - /functional/durable-attestion-sanity-on-localhost
     - /functional/ek-cert-use-ek_check_script
     - /functional/ek-cert-use-ek_handle-custom-ca_certs
     - /functional/install-rpm-with-ima-signature
     - /functional/keylime-non-default-ports
     - /functional/keylime_tenant-commands-on-localhost
     - /functional/keylime_tenant-ima-signature-sanity
     - /functional/measured-boot-swtpm-sanity
     - /functional/service-logfiles-logging
     - /functional/tenant-runtime-policy-sanity
     - /functional/tpm-issuer-cert-using-ecc
     - /functional/tpm_policy-sanity-on-localhost
     - /functional/use-multiple-ima-sign-verification-keys
     - /compatibility/basic-attestation-on-localhost-with-allowlist-excludelist
     - /sanity/keylime-secure_mount
     - /upstream/run_keylime_tests
     - /setup/generate_coverage_report

  adjust+:
   # discover step adjustments
   # disable code coverage measurement everywhere except F37
   - when: distro != fedora-37
     discover+:
       test-:
        - /setup/enable_keylime_coverage
        - /setup/generate_coverage_report


## Second test plan

/e2e-without-revocation:

  summary: run keylime e2e tests without revocation support

  environment+:
    KEYLIME_TEST_DISABLE_REVOCATION: 1

  discover:
    how: fmf
    url: https://github.com/RedHat-SP-Security/keylime-tests
    ref: main
    test:
     - /setup/configure_tpm_emulator
     - /setup/install_upstream_keylime
     - /setup/install_rust_keylime_from_copr
     - /functional/basic-attestation-on-localhost
     - /functional/basic-attestation-with-custom-certificates
     - /functional/basic-attestation-without-mtls
     - /functional/basic-attestation-with-unpriviledged-agent