Skip to content

trustee: Configure reference values based on all possible PCR combinations#116

Open
bgartzi wants to merge 14 commits into
trusted-execution-clusters:mainfrom
bgartzi:pcr_combination
Open

trustee: Configure reference values based on all possible PCR combinations#116
bgartzi wants to merge 14 commits into
trusted-execution-clusters:mainfrom
bgartzi:pcr_combination

Conversation

@bgartzi

@bgartzi bgartzi commented Dec 22, 2025

Copy link
Copy Markdown
Member

Now the compute-pcrs library supports computing PCR value combinations. In other words, given all events from image A and image B (where some of the components got updated), it computes all possible PCRs of the intermediate states that a node could go through during an update from image A to image B.

While implementing this I found a compute-pcrs bug that this PR relies on: trusted-execution-clusters/compute-pcrs#56

For now, I added a workaround commit that is not signed-off-by me. Once the compute-pcrs library gets merged, I will update this PR.

Another discussion topic that comes to my mind is how unit tests are implemented to face this new integration. They sure could be way more isolated from compute-pcrs, which I will update if relevant.

@Jakob-Naucke

Copy link
Copy Markdown
Member

@bgartzi because the recent changes to compute-pcrs-lib are incompatible, I am ignoring it for dependabot or it keeps updating (see #121). Hoping that none of us forget it, reminder for you and myself to unignore it after this PR (@dependabot unignore compute-pcrs-lib, not sure if required to be upon a dependabot PR). Thanks!

@bgartzi

bgartzi commented Jan 16, 2026

Copy link
Copy Markdown
Member Author

Except for the flagged commit that I will remove as soon as the fix (trusted-execution-clusters/compute-pcrs#62) lands compute-pcrs and I update the pointer to the right lib version, I think this is finally ready for review.

@bgartzi bgartzi changed the title DRAFT: trustee: Configure reference values based on all possible PCR combinations trustee: Configure reference values based on all possible PCR combinations Jan 16, 2026
@bgartzi

bgartzi commented Jan 16, 2026

Copy link
Copy Markdown
Member Author

Note that the followed approach just impacts the amount of reference values. It does not impact the amount of pcrs stored in the image-pcrs configmap. Although it gets the job done, it's not trivial to track where those reference values came from.

Not sure if this is what you had in mind, or populating both rvs and image-pcrs with all possible combinations would be preferred.

@Jakob-Naucke Jakob-Naucke left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice. A few comments.

Comment thread Cargo.toml
[workspace.package]
edition = "2024"
rust-version = "1.85"
rust-version = "1.88"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We usually sync buildroot, so I'm open to moving to 1.92 right away.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On this regard: I needed to also update some Containerfiles to build onto buildroot:fedora instead of just buildroot (which I think implicitly implied buildroot:latest).

Comment thread operator/src/test_utils.rs Outdated
Comment thread api/trusted-cluster-gen.go Outdated
Comment thread api/trusted-cluster-gen.go
Comment thread tests/trusted_execution_cluster.rs Outdated
@bgartzi

bgartzi commented Jan 20, 2026

Copy link
Copy Markdown
Member Author

Fixing latest conflicts...


ARG build_type
FROM ghcr.io/trusted-execution-clusters/buildroot AS builder
FROM ghcr.io/trusted-execution-clusters/buildroot:fedora AS builder

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:latest and :fedora point to Fedora 43 images that are apparently different, but I don't even know how they're different. Is there a difference that matters to this PR?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There was not, until I set the minimum rust version to 1.92: :latest fails to build as it still holds 1.91.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Not for this PR but frankly we should yank a :latest that isn't being updated

Comment thread operator/src/test_utils.rs
@bgartzi

bgartzi commented Jan 23, 2026

Copy link
Copy Markdown
Member Author

This version:

  • Rebase fixing conflicts
  • Addresses some of the comments on macros/constants on integration tests
  • Fixes an issue I found in which equally valued reference values would be repeated in the trustee data configmap.

Still, the buildroot:latest vs buildroot:fedora discussion and research remains.


ARG build_type
FROM ghcr.io/trusted-execution-clusters/buildroot AS builder
FROM ghcr.io/trusted-execution-clusters/buildroot:fedora AS builder

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Not for this PR but frankly we should yank a :latest that isn't being updated

Comment thread tests/trusted_execution_cluster.rs Outdated
@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: bgartzi, Jakob-Naucke

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Comment thread api/trusted-cluster-gen.go Outdated
Comment thread test_utils/src/constants.rs Outdated
Comment thread tests/trusted_execution_cluster.rs Outdated
Comment thread tests/trusted_execution_cluster.rs Outdated
@alicefr

alicefr commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

@bgartzi I did a first pass, the only part that worries me is how we update the various hardcoded pcrs values and the second image when we upgrade the whole setup

@openshift-ci openshift-ci Bot removed the lgtm label Jul 13, 2026
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown

New changes are detected. LGTM label has been removed.

@bgartzi

bgartzi commented Jul 13, 2026

Copy link
Copy Markdown
Member Author

still struggling to remember I have to sign commits sorry.

@alicefr:

@bgartzi I did a first pass, the only part that worries me is how we update the various hardcoded pcrs values and the second image when we upgrade the whole setup

The problem is we could automate this using the compute-pcrs library somewhere in CI or makefile, but that would somehow break the purpose of the end to end test. If we really wish to test the whole stack, we need to boot a VM with the tested images, extract all pcr events and hashes, then update the values. We could automate it, but it is not precisely trivial.

@bgartzi

bgartzi commented Jul 15, 2026

Copy link
Copy Markdown
Member Author

Now, I believe this is ready for another look @alicefr unless something in CI fails. @Jakob-Naucke you're also invited ofc.

dependabot Bot and others added 14 commits July 15, 2026 12:59
Bumps the rust group with 3 updates: [uuid](https://github.com/uuid-rs/uuid), [toml](https://github.com/toml-rs/toml) and [regex](https://github.com/rust-lang/regex).


Updates `uuid` from 1.23.4 to 1.23.5
- [Release notes](https://github.com/uuid-rs/uuid/releases)
- [Commits](uuid-rs/uuid@v1.23.4...v1.23.5)

Updates `toml` from 1.1.2+spec-1.1.0 to 1.1.3+spec-1.1.0
- [Commits](toml-rs/toml@toml-v1.1.2...toml-v1.1.3)

Updates `regex` from 1.12.4 to 1.13.0
- [Release notes](https://github.com/rust-lang/regex/releases)
- [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md)
- [Commits](rust-lang/regex@1.12.4...1.13.0)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 1.23.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: rust
- dependency-name: toml
  dependency-version: 1.1.3+spec-1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: rust
- dependency-name: regex
  dependency-version: 1.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust
...

Signed-off-by: dependabot[bot] <support@github.com>
And update those crates that were making use of it. Later we will also
use it in some other crates.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
I broke some of the compute-pcrs' lib APIs, so apart from just pointing
into a newer commit, we also need to tweak a couple of things here and
there.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
trustee tests were relying on some values that didn't hold any TPMEvent
or any PCR value that related to them.

This commit turns those dummy values into something that are closer to
something we could expect in reality.

The main reason to do this is that the compute-pcrs logic does not like
empty event PCRs, as it's based on that to reconstruct them.

This goes against the purpose of a unit test, as we should actually mock
that external part so as not to rely on it, but decided this was simpler
at least as an initial proposal.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Update trustee reference values with all possible combinations between
approved PCR values, not just those that come directly from image PCRs.

This computes reference values for possible stages during node updates
in which a node could be booting some components from image A and some
other from image B.

This commit also adds a test to check that pcr4 is well covered in front
of bootloader and kernel updates. The test is closer to an integration
test than to an unit-test as it relies on values that are close to real
values, and how the compute-pcrs lib's combine_images processes them.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Support the possibility of generating CRs for multiple approved images.
These are stored sepparately in different yaml files.

This changes the way trusted-cluster-gen names approved_image_cr.yaml
files, as it's not just one, but many of them that can be marshalled.
That's why test dependencies are updated to also be able to handle
multiple approved image CRs.

As we now deal with multiple images, and "coreos" is a bit to vague in
that case, approved-images now accept both the image reference and a
name, so we can identify them easily. Instead of calling "coreos" to the
existing one, we now call it "coreos-approved-primary".

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Refactor the logic that was verifying expected image pcrs in
test_image_pcrs_configmap_updates as a method of TestContext.

It also slightly changes the logic of the poller to stop when the length
of pcrs equals the one expected.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
The compute pcrs job was computing pcr7 based on the guest OS
information. However, PCR7 is mainly affected by the EFI variables,
which are configured by the platform, or virtualization host.

As we lack a proper way to retrieve the EFI vars of the platform that
nodes are running on, we don't attest pcr7, so we should just not
compute it.

This commit removes the bits that computed pcr7 in the compute-pcrs job
and those that checked it during integration tests. It leaves the test
logic covering pcr7 in operator/src/trustee.rs as it should be agnostic
to whatever pcr prediction comes in.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
These could be used by other tests too. Make it a macro so it can be
reused, and define a few more macros for standard TPMEvents and PCR
values that are constant across integration tests at the moment, such as
PCR7 and PCR14.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Add an integration test in which 2 approved images with different
bootloader and kernel are added to the cluster. This emulates the
situation in which a coreos image could be undergoing a bootloader and
kernel update.

The test checks that 2 images are added to the image pcr config map, and
then checks that the reference values contain all possible pcr4
combinations. pcr7 and pcr14 are constant in this case, so there are not
combinations possible (apart from the original value).

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
The logic checking that the image-pcrs configmap was populated moved
into using await_condition instead of a poller. Some conditions were
checked twice inside of the actual condition and subsequent assertions.
This commit removes those assertions in favor of the await call.

Moreover, it makes more sense from a stability point of view to wait for
the whole condition to happen, as it could be the case that a Nth image
is approved, and we run all the assertions (and fail) because only one
of the N images was found in the configmap. This way, the tests will
wait until the expected images of all approved images are present.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Some integration tests might run on more approved images. Find which it
is based on the test file then pre-pull it.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Assisted-By: Claude Opus 4.6 <noreply@anthropic.com>
This help not hitting some test timeouts due to images not being pulled
quickly enough.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Covering the primary and secondary approved images and also possible
combinations between the two of them.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
@bgartzi

bgartzi commented Jul 15, 2026

Copy link
Copy Markdown
Member Author

Of course I moved some constant around and changed their name but forgot to update their reference in the document that covered them. Fixed now.

@bgartzi

bgartzi commented Jul 16, 2026

Copy link
Copy Markdown
Member Author

Last failure was about kubevirt installation timing out. Trying again.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants