Skip to content

Upstream Equivalence #101

Upstream Equivalence

Upstream Equivalence #101

name: Upstream Equivalence
on:
workflow_dispatch:
schedule:
# Run every Monday, Wednesday and Friday at 22:00.
# We want to learn somewhat quickly about changes in upstream.
# But we do not expect changes on a regular basis.
- cron: '0 22 * * 1,3,5'
jobs:
run:
runs-on: ubuntu-22.04
steps:
- name: Checkout repository
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
ref: ${{ github.head_ref }}
- name: Install necessary tools
run: |
sudo apt-get update
sudo apt-get install -y python3 python3-pip
sudo python3 -m pip install --user --require-hashes -r .github/workflows/upstream-equivalence-requirements.txt
- name: Install Nix
uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
with:
install_url: https://releases.nixos.org/nix/nix-2.9.2/install
nix_path: nixpkgs=channel:nixos-23.05
- name: Download Firmware release
id: download-firmware
uses: robinraju/release-downloader@efa4cd07bd0195e6cc65e9e30c251b49ce4d3e51 # tag=v1.8
with:
repository: aws/uefi
latest: true
zipBall: true
- name: Build UEFI firmware
id: build-uefi
shell: bash
run: |
# Unzip into a extra dir so that we can find "default.nix" and make sure we end up in the right directory.
mkdir aws-uefi
zipLocation=$(find . -name "uefi-*.zip")
unzip -d aws-uefi "$zipLocation"
buildfilePath="$(find aws-uefi -name 'default.nix')"
pushd "$(dirname "$buildfilePath")" || exit 1
nix-build --pure
ovmfPath=$(realpath result/ovmf_img.fd)
echo "ovmfPath=${ovmfPath}" | tee -a "$GITHUB_OUTPUT"
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
repository: virtee/sev-snp-measure.git
ref: main
path: sev-snp-measure
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
repository: virtee/sev-snp-measure-go.git
ref: ${{ github.ref_name }}
path: sev-snp-measure-go
- name: Run sev-snp-measure
shell: bash
run: |
pushd sev-snp-measure || exit 1
echo '[]' > intermediate.json
for vcpus in 2 4 8 16 32 48 64;
do
measurement="$(./sev-snp-measure.py --guest-features 0x21 --mode snp --vmm-type=ec2 --vcpus="$vcpus" --ovmf=${{ steps.build-uefi.outputs.ovmfPath }})"
jq --arg vcpus "$vcpus" --arg measurement "$measurement" '. += [{"vcpus": $vcpus, "measurement": $measurement}]' intermediate.json > measurements.json
cp measurements.json intermediate.json
done
jq < measurements.json
popd || exit 1
- name: Test equivalence sevsnpmeasure & sev-snp-measure
shell: bash
run: |
pushd sev-snp-measure-go/e2e || exit 1
go test --tags=e2e --expected-values ../../sev-snp-measure/measurements.json --ovmf ${{ steps.build-uefi.outputs.ovmfPath }}
popd || exit 1