test: Add test for kernel build

JackThomson2 · roypat · commit 08ee93ca0c74 · 2025-03-24T17:28:44.000Z
Adding a new integration test to assert that the kernel build script
will succeed.

Signed-off-by: Jack Thomson &lt;jackabt@amazon.com&gt;
diff --git a/.buildkite/pipeline_pr.py b/.buildkite/pipeline_pr.py
@@ -68,6 +68,15 @@
     for step in kani_grp["steps"]:
         step["label"] = "🔍 Kani"
 
+if any(x.parent.name == "hiding_ci" for x in changed_files):
+    pipeline.build_group_per_arch(
+        "🕵️ Build Secret Hiding Kernel",
+        pipeline.devtool_test(
+            pytest_opts="-m secret_hiding integration_tests/build/test_hiding_kernel.py",
+        ),
+        depends_on_build=False,
+    )
+
 if run_all_tests(changed_files):
     pipeline.build_group(
         "📦 Build",
diff --git a/tests/README.md b/tests/README.md
@@ -340,6 +340,8 @@ which tests are run in which context:
   in separate pipelines according to various cron schedules.
 - Tests marked as `no_block_pr` are run in the "optional" PR CI pipeline. This
   pipeline is not required to pass for merging a PR.
+- Tests marked as `secret_hiding` are secret hiding specifc tests. They don't
+  run by default.
 
 All tests without markers are run for every pull request, and are required to
 pass for the PR to be merged.
diff --git a/tests/integration_tests/build/test_hiding_kernel.py b/tests/integration_tests/build/test_hiding_kernel.py
@@ -0,0 +1,29 @@
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""A test which checks that the secret hiding enable kernel builds successfully."""
+
+import pytest
+
+from framework import utils
+
+
+@pytest.mark.timeout(600)
+@pytest.mark.secret_hiding
+def test_build_hiding_kernel():
+    """
+    In the test we will run our kernel build script to check it succeeds and builds the hidden kernel
+    """
+
+    # We have some extra deps for building the kernel that are not in the dev contaner
+    utils.check_output(
+        "apt install -y build-essential libncurses-dev bison flex libssl-dev libelf-dev bc dwarves libncurses5-dev kmod fakeroot"
+    )
+
+    # We have to configure git otherwise patch application fails
+    # the git log still credits the original author
+    utils.check_output('git config --global user.name "Firecracker CI"')
+    utils.check_output('git config --global user.email "ci@email.com"')
+
+    utils.check_output(
+        "cd ../resources/hiding_ci; ./build_and_install_kernel.sh --no-install --tidy"
+    )
diff --git a/tests/pytest.ini b/tests/pytest.ini
@@ -5,12 +5,13 @@ addopts =
     -vv
     --durations=10
     --showlocals
-    -m 'not nonci and not no_block_pr'
+    -m 'not nonci and not no_block_pr and not secret_hiding'
     --json-report --json-report-file=../test_results/test-report.json
 
 markers =
     no_block_pr: tests whose failure does not block PR merging.
     nonci: mark test as nonci.
+    secret_hiding: tests related to secret hiding.
 
 ; Overwrite the default norecursedirs, which includes 'build'.
 norecursedirs = .*
