
Commit bd63d75

committed
tests, integration: PCR combination on bootloader+kernel update
Add an integration test in which 2 approved images with different bootloader and kernel are added to the cluster. This emulates the situation in which a coreos image could be undergoing a bootloader and kernel update. The test checks that 2 images are added to the image pcr config map, and then checks that the reference values contain all possible pcr4 combinations. pcr7 and pcr14 are constant in this case, so no combinations are possible (apart from the original value). Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
1 parent cc41812 commit bd63d75

1 file changed

Lines changed: 71 additions & 0 deletions


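--- a/tests/trusted_execution_cluster.rs
+++ b/tests/trusted_execution_cluster.rs
@@ -82,3 +82,74 @@ async fn test_image_disallow() -> anyhow::Result<()> {
 Ok(())
 }
 }
+
+named_test! {
+async fn test_combined_image_pcrs_configmap_updates() -> anyhow::Result<()> {
+let test_ctx = setup!([
+DEFAULT_TEST_FCOS_IMAGE,
+"quay.io/trusted-execution-clusters/fedora-coreos@sha256:372a5db90a8695fafc2869d438bacd7f0ef7fd84f63746a450bfcd4b8b64ae83",
+]).await?;
+let client = test_ctx.client();
+let namespace = test_ctx.namespace();
+
+let secondary_expected_pcr4_hash = "37517a1f76c4d5cf615f4690921c732ad31359aac55f3aaf66d65a8ed38655a9";
+
+test_ctx.verify_expected_pcrs(
+&[&expected_base_pcrs!(),
+// In practical terms it emulates a grub + kernel upgrade
+&[
+Pcr {
+id: 4,
+value: hex::decode(secondary_expected_pcr4_hash).unwrap(),
+events: vec![
+pcr4_ev_efi_action_event!(),
+pcr_separator_event!(4, TPMEventID::Pcr4Separator),
+pcr4_shim_event!(),
+TPMEvent { pcr: 4, name: "EV_EFI_BOOT_SERVICES_APPLICATION".to_string(), hash: hex::decode("f45c2c974192366a5391e077c3cbf91e735e86eba2037fd86a1f1501818f73f4").unwrap(), id: TPMEventID::Pcr4Grub },
+TPMEvent { pcr: 4, name: "EV_EFI_BOOT_SERVICES_APPLICATION".to_string(), hash: hex::decode("f31e645e5e9ed131eea5dca0a18893a21e5625b4a56314fa39587ddc33a7fa91").unwrap(), id: TPMEventID::Pcr4Vmlinuz },
+],
+},
+expected_pcr7!(),
+expected_pcr14!(),
+]]
+).await?;
+
+let expected_ref_values = [
+// PCR4
+expected_pcr4_hash!(),
+"0c4e52c0bc5d2fedbf83b2fee82664dbe5347a79cfb2cbcb9a37f64211add6e8",
+"cc5a5360e64b25718be370ca2056645a9ba9e9bae33df08308d6b8e05b8ebb87",
+secondary_expected_pcr4_hash,
+// PCR7
+expected_pcr7_hash!(),
+// PCR14
+expected_pcr14_hash!(),
+];
+
+let configmap_api: Api<ConfigMap> = Api::namespaced(client.clone(), namespace);
+let poller = Poller::new()
+.with_timeout(Duration::from_secs(180))
+.with_interval(Duration::from_secs(5))
+.with_error_message("Reference value expectations not met".to_string());
+poller.poll_async(|| {
+let api = configmap_api.clone();
+async move {
+let cm = api.get("trustee-data").await?;
+if let Some(data) = &cm.data
+&& let Some(reference_values_json) = data.get("reference-values.json")
+{
+for value in expected_ref_values {
+if !reference_values_json.contains(value) {
+return Err(anyhow::anyhow!("Reference value expectations not met"));
+}
+}
+}
+Ok(())
+}
+}).await?;
+
+test_ctx.cleanup().await?;
+
+Ok(())
+}
+}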
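Review bot: The poll closure in test_combined_image_pcrs_configmap_updates returns Ok(()) when cm.data is None or the "reference-values.json" key is absent, because the if-let chain has no else branch, so the test passes without ever comparing a single expected PCR value if the trustee-data configmap has not been populated yet. Assuming Poller retries on Err and stops on Ok, the missing-data case should be reported as an error so polling continues until the timeout: `} else { return Err(anyhow::anyhow!("trustee-data has no reference-values.json yet")); }` after the closing brace of the if block. Separately, `reference_values_json.contains(value)` is a substring match over the whole JSON document, so a digest that appears in an unrelated field would also satisfy it; parsing the document and checking the PCR entries directly would make the combination check stricter, if a JSON parser is already available to the tests. The named_test! invocation is fully contained in the hunk.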
