| Commit message | Author | Age | Files | Lines |
tools: lint Python scripts
|
Also, drop the respective disable directives from existing files.
|
This way we check that the appropriate exception is raised,
not just ignore it.
Follow-up for e3c04a5c84af5a39794a0a4963bc9916787aa5b4.
|
ukify: add an option to read the PE sections
|
Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
|
And skip tests if systemd-measure is not found.
Then, we can safely run test_ukify.py directly.
|
Follow-up for d7d36252e5fdc345b110f824031e20f41ee75e86.
Fixes #28464.
|
For confidential computing they want to be able to revoke initrds too, so allow
passing a specific --sbat section when building a UKI too, not just an addon.
Merge it with the stub and kernel sections.
|
I'll add the dep in Fedora spec so it does get tested at least
in some cases.
|
The idea is to make it easy to generate all the signing keys and certs
that can be used for local signing. The verb is modeled after
'mkosi genkey', but there are some important differences: we generate
the keys to the paths where they will be read from, both pcr signing
keys and the SecureBoot certificate+key.
If any of the outputs exist, operation is refused. Maybe we could add a
--force option in the future, but this operation should be rare, so I think
it's better to refuse to overwrite anything initially.
I'm only doing a token man page change here.
https://github.com/systemd/systemd/pull/27621 reworks the man page,
and the changes done here would conflict heavily with that work. I'll
submit a follow-up patch later.
|
This simplifies the logic: finalize_options() is the step that does the
checks and the mangling. The checks for consistency are done in more places,
so we need to pass a verb (we only have 'build', but once we add other verbs,
any would do).
|
The old syntax with linux + initrds as positional arguments is still accepted,
but a warning is emitted. We should remove the support for this after the
next release or so.
Adding a single verb by itself is not very useful, but opens the door to adding
other verbs.
|
Without this, the tests would generally be skipped, since we haven't made a
release with the addon stub yet. But even if the file is there, we always want
to test the freshly-built item.
|
C.f. b2efe286587e11e2aa4a6c7e4a2c15da3bb58a2a.
|
00e5933f57c6e336ebed18601299acc6855bb3c2 made all the positional arguments
optional, so let's take advantage of this to simplify various callers.
|
ukify: support pesign as alternative to sbsign
|
Some tests are skipped because initrd extracted from bootctl
is "/boot/initramfs-5.14.0-284.el9.x86_64.img $tuned_initrd"
and not just "/boot/initramfs-5.14.0-284.el9.x86_64.img".
Therefore split and remove the additional garbage.
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
|
The usual approach is to put 'addopts = --flakes' in setup.cfg. Unfortunately
this fails badly when pytest-flakes is not installed:
    ERROR: usage: test_ukify.py [options] [file_or_dir] [file_or_dir] [...]
    test_ukify.py: error: unrecognized arguments: --flakes
pytest-flakes is not packaged everywhere, and this test is not very important,
so let's just do it only if pytest-flakes is available. We now detect if
pytest-flakes is available and only add '--flakes' conditionally. This
unfortunately means that when invoked via 'pytest' or directly as
'src/ukify/test/test_ukify.py', '--flakes' will not be appended automatically.
But I don't see a nice way to achieve previous automatic behaviour.
(I first considered making 'setup.cfg' templated. But then it is created
in the build directory, but we would need it in the source directory for
pytest to load it automatically. So to load the file, we'd need to give an
argument to pytest anyway, so we don't gain anything with this more complex
approach.)
|
Oops. This explains why the tests were "passing" in CI even
though a direct pytest invocation would fail.
|
Fixup for 22ad038ac6e4fe5e4a68555f0e70bd0a16fb5616 and
3fc5eed47091363247012454df458e1a3303bf12. It seems that the tests are
not executed properly in CI. Nevertheless, test-ukify appears in logs:
    rpm-build:fedora-rawhide-x86_64:
    409/1191 systemd / test-ukify OK 0.16s
This is strange.
|
We'd try to access 'linux' or 'initrd' after failing to set it.
|
Make the kernel optional too, so that we can easily build and sign a PE addon,
that can be used to carry extra command line options.
|
If given, multiple initrds are concatenated into a temporary file which then
becomes the .initrd section.
It is also possible to give no initrd. After all, some machines boot without an
initrd, and it should be possible to use the stub without requiring an initrd.
(The stub might not like this, but this is something to fix there.)
|
The approach is based on mkinitcpio's autodetection.
This is hacky as hell. Some cases are actually fairly nice: ppc64el images have
a note that contains 'uname -r'. (The note is not uniquely labeled at all, and
only contains the release part instead of the full version-hostname-release
string, and we don't actually care about ppc, and it's very hard to read the
note from Python, but in general that'd be the approach I'd like.)
I opted to simply read and decompress the full linux binary in some cases.
Python doesn't make it easy to do streaming decompression with regexp matching,
and it doesn't seem to matter much: the image decompresses in a fraction of a
second.
|
Some gymnastics were needed to import ukify as a module. Before the file
was templated, this was trivial: insert the directory in sys.path, call import.
But it's a real pain to import the unsuffixed file after processing. Instead,
the untemplated file is imported, which works well enough for tests and is
very simple.
The tests can be called via pytest:
    PATH=build/:$PATH pytest -v src/ukify/test/test_ukify.py
or directly:
    PATH=build/:$PATH src/ukify/test/test_ukify.py
or via the meson test machinery output:
    meson test -C build test-ukify -v
or without verbose output:
    meson test -C build test-ukify
Zekret files are obfuscated using base64.