tests, integration: PCR combination on bootloader+kernel update

bgartzi · bgartzi · commit bd63d75673a7 · 2026-02-03T17:04:09.000+01:00
Add an integration test in which 2 approved images with different
bootloader and kernel are added to the cluster. This emulates the
situation in which a coreos image could be undergoing a bootloader and
kernel update.

The test checks that 2 images are added to the image pcr config map, and
then checks that the reference values contain all possible pcr4
combinations. pcr7 and pcr14 are constant in this case, so there are not
combinations possible (apart from the original value).

Signed-off-by: Beñat Gartzia Arruabarrena &lt;bgartzia@redhat.com&gt;
diff --git a/tests/trusted_execution_cluster.rs b/tests/trusted_execution_cluster.rs
@@ -82,3 +82,74 @@ async fn test_image_disallow() -> anyhow::Result<()> {
     Ok(())
 }
 }
+
+named_test! {
+async fn test_combined_image_pcrs_configmap_updates() -> anyhow::Result<()> {
+    let test_ctx = setup!([
+        DEFAULT_TEST_FCOS_IMAGE,
+        "quay.io/trusted-execution-clusters/fedora-coreos@sha256:372a5db90a8695fafc2869d438bacd7f0ef7fd84f63746a450bfcd4b8b64ae83",
+    ]).await?;
+    let client = test_ctx.client();
+    let namespace = test_ctx.namespace();
+
+    let secondary_expected_pcr4_hash = "37517a1f76c4d5cf615f4690921c732ad31359aac55f3aaf66d65a8ed38655a9";
+
+    test_ctx.verify_expected_pcrs(
+        &[&expected_base_pcrs!(),
+        // In practical terms it emulates a grub + kernel upgrade
+        &[
+            Pcr {
+                id: 4,
+                value: hex::decode(secondary_expected_pcr4_hash).unwrap(),
+                events: vec![
+                    pcr4_ev_efi_action_event!(),
+                    pcr_separator_event!(4, TPMEventID::Pcr4Separator),
+                    pcr4_shim_event!(),
+                    TPMEvent { pcr: 4, name: "EV_EFI_BOOT_SERVICES_APPLICATION".to_string(), hash: hex::decode("f45c2c974192366a5391e077c3cbf91e735e86eba2037fd86a1f1501818f73f4").unwrap(), id: TPMEventID::Pcr4Grub },
+                    TPMEvent { pcr: 4, name: "EV_EFI_BOOT_SERVICES_APPLICATION".to_string(), hash: hex::decode("f31e645e5e9ed131eea5dca0a18893a21e5625b4a56314fa39587ddc33a7fa91").unwrap(), id: TPMEventID::Pcr4Vmlinuz },
+                ],
+            },
+            expected_pcr7!(),
+            expected_pcr14!(),
+        ]]
+    ).await?;
+
+    let expected_ref_values = [
+        // PCR4
+        expected_pcr4_hash!(),
+        "0c4e52c0bc5d2fedbf83b2fee82664dbe5347a79cfb2cbcb9a37f64211add6e8",
+        "cc5a5360e64b25718be370ca2056645a9ba9e9bae33df08308d6b8e05b8ebb87",
+        secondary_expected_pcr4_hash,
+        // PCR7
+        expected_pcr7_hash!(),
+        // PCR14
+        expected_pcr14_hash!(),
+    ];
+
+    let configmap_api: Api<ConfigMap> = Api::namespaced(client.clone(), namespace);
+    let poller = Poller::new()
+        .with_timeout(Duration::from_secs(180))
+        .with_interval(Duration::from_secs(5))
+        .with_error_message("Reference value expectations not met".to_string());
+    poller.poll_async(|| {
+        let api = configmap_api.clone();
+        async move {
+            let cm = api.get("trustee-data").await?;
+            if let Some(data) = &cm.data
+                && let Some(reference_values_json) = data.get("reference-values.json")
+            {
+                    for value in expected_ref_values {
+                        if !reference_values_json.contains(value) {
+                            return Err(anyhow::anyhow!("Reference value expectations not met"));
+                        }
+                    }
+            }
+            Ok(())
+        }
+    }).await?;
+
+    test_ctx.cleanup().await?;
+
+    Ok(())
+}
+}
