-
Notifications
You must be signed in to change notification settings - Fork 651
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make emulation-check rule is broken #1865
Comments
The solution seems to be just to remove the pipe to I'll send a patch |
Replying here to #1861 (comment), given that it's not on-topic for that pull request anymore.
I don't think we have the same definition of "install". Sure, this isn't installed as To me, the following facts are problematic.
There's no form of cryptographic verification anywhere, so if All in all, I'd trust more some Don't get me wrong, I definitely support your work in adding QEMU-based tests to Tock. But there needs to be safeguards on Tock's side. Otherwise, Tock fails at its mission of providing a secure OS.
I don't think the Makefile should install these packages either (which would require And it would be useful to document what packages are needed, for example starting from a minimal Docker image with |
I agree that cloning from some strange person's git repo is not ideal. Having the patches merged into mainline (no one has reviewed them) and git submodules would fix this. Git submodules are a bit of pain though, but would that be a better solution? As for package detection that is really hard. There are lots of different distros that you have to support. QEMU's configure script does this for you already, I don't think we should re-implement that. QEMU has documentation on what is required: https://wiki.qemu.org/Hosts/Linux#Building_QEMU_for_Linux we could link to that? Eventually I would like to say "just install it from your package manager", but I think we are a long way from that. It looks like QEMU 5.1 will have what we need, but for some of the slower moving distros that will take years to update to 5.1+ in their packages for most users. |
I've generally used submodules with good success. I'd be curious what pain points you have with them? |
You are just lucky and haven't had to deal with keeping them updated and in sync. It quickly becomes a hassle and can be hard for new users to figure out. When the patches are merged to mainline I'll convert it over to a submodule. |
1866: Small improvements to QEMU Make step r=ppannuto a=alistair23 ### Pull Request Overview This PR addresses concerns raised in: #1865 ### Testing Strategy Pushed to Git. ### TODO or Help Wanted ### Documentation Updated - [X] Updated the relevant files in `/docs`, or no updates are required. ### Formatting - [X] Ran `make format`. - [X] Fixed errors surfaced by `make clippy`. Co-authored-by: Alistair Francis <alistair.francis@wdc.com>
Given the containment question and the non-zero environment to set up for qemu, would it possibly make sense to put the qemu parts into a docker container? That way we don't have to maintain separate install support for the various packages and such needed to build on every local machine. From the 'just run it' perspective, I think it would be reasonable to (a) install and use the docker image if docker is installed, or (b) print a "skipping qemu checks, please install docker to run locally" message. |
I don't feel that Docker is really any easier. It's just as easy to install Docker as it is build-essentials. To me build essentials is more likely to be installed already as well. If others disagree I'm open to moving it into Docker. |
I think it's less about the ease of install as it is about the sandboxing. Putting the qemu build into a docker container means all of the possibly untrusted bits (the repo from |
Fair, but once we swap over to mainline QEMU and submodules I don't see the issue as it's from a trusted source. It would be the same as apt installing it. |
This was my point as well. I care much more about the security, trust & sandboxing of it than the installation process. I also think that a prompt is necessary before cloning & installing the external qemu repository (whether it comes from https://github.com/username or https://github.com/qemu).
Your concerns are still not very specific. There is some extensive documentation (https://git-scm.com/book/en/v2/Git-Tools-Submodules) and StackOverflow is full of questions (with answers!) related to git in general. FWIW, OpenSK has been using Tock as a submodule and I haven't seen any complaints.
How far are we to be able to swap to mainline? https://github.com/alistair23/qemu is described as "a fork" although it's not forked from the GitHub UI, which makes it hard to even see a diff with the mainline. Are there pending pull requests (or the equivalent for whatever qemu's code review is) to add what we need? I would also support putting it all in a Docker container by default, for the sake of sandboxing. But it could be installed directly on the current system provided some flag or environment variable is present (so that e.g. we don't need to make the Travis-CI workflow even slower by having to install Docker). Would that be a good compromise? |
There are patches on the QEMU mailing list, you can see the latest version here: https://patchew.org/QEMU/cover.1589923785.git.alistair.francis@wdc.com/ I have been pushing for reviews, you could help speed up the process by reviewing the code. I can look at adding it to Docker, but I don't use Docker often so it might take a while to figure out. |
Should be fixed with #1880 merged. |
As mentioned in #1861 (comment), the
make emulation-check
is broken when relevant Debian packages are missing.As a newcomer, it's unclear what to do after the following steps.
The text was updated successfully, but these errors were encountered: