From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 26 Nov 2025 12:24:57 +0000 (+0100)
Subject: ci: split out nvpcr test, so that it runs before rest of pcrextend (#39915)
X-Git-Tag: v259-rc2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1ceba02ad965a02e28f98d5ebf086eacf6d385b2;p=thirdparty%2Fsystemd.git

ci: split out nvpcr test, so that it runs before rest of pcrextend (#39915)

in pcrextend we destroy pcr 11, and if we are booted in a kernel that
has pcr11 sigs, we cannot use that signature anymore. hence, let's do
the nvpcr test first, before doing the pcrextend stuff.

Fixes: #39582
---

diff --git a/test/units/TEST-70-TPM2.nvpcr.sh b/test/units/TEST-70-TPM2.nvpcr.sh
new file mode 100755
index 00000000000..8827acc6ed5
--- /dev/null
+++ b/test/units/TEST-70-TPM2.nvpcr.sh
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -eux
+set -o pipefail
+
+# shellcheck source=test/units/util.sh
+. "$(dirname "$0")"/util.sh
+
+export SYSTEMD_LOG_LEVEL=debug
+SD_PCREXTEND="/usr/lib/systemd/systemd-pcrextend"
+
+if [[ ! -x "${SD_PCREXTEND:?}" ]] || ! tpm_has_pcr sha256 11; then
+    echo "$SD_PCREXTEND or PCR sysfs files not found, skipping PCR extension tests"
+    exit 0
+fi
+
+at_exit() {
+    if [[ $? -ne 0 ]]; then
+        # Dump the event log on fail, to make debugging a bit easier
+        jq --seq --slurp </run/log/systemd/tpm2-measure.log
+    fi
+
+    rm -rf /run/nvpcr
+}
+
+trap at_exit EXIT
+
+# Temporarily override sd-pcrextend's sanity checks
+export SYSTEMD_FORCE_MEASURE=1
+
+mkdir -p /run/nvpcr
+
+cat >/run/nvpcr/test.nvpcr <<EOF
+{"name":"test","algorithm":"sha256","nvIndex":30474762}
+EOF
+/usr/lib/systemd/systemd-tpm2-setup
+test -f /run/systemd/nvpcr/test.anchor
+/usr/lib/systemd/systemd-pcrextend --nvpcr=test schrumpel
+# To calculate the current value we need the anchor measurement
+DIGEST_BASE="$(cat /run/systemd/nvpcr/test.anchor)"
+DIGEST_MEASURED="$(echo -n "schrumpel" | openssl dgst -sha256 -binary | xxd -p -c200)"
+DIGEST_EXPECTED="$(echo "$DIGEST_BASE$DIGEST_MEASURED" | xxd -r -p | openssl dgst -sha256 -binary | xxd -p -c200)"
+DIGEST_ACTUAL="$(systemd-analyze nvpcrs test --json=pretty | jq -r '.[] | select(.name=="test") | .value')"
+test "$DIGEST_ACTUAL" = "$DIGEST_EXPECTED"
+
+# Now "destroy" the value via another measurement
+/usr/lib/systemd/systemd-pcrextend --nvpcr=test schnurz
+DIGEST_ACTUAL2="$(systemd-analyze nvpcrs test --json=pretty | jq -r '.[] | select(.name=="test") | .value')"
+test "$DIGEST_ACTUAL2" != "$DIGEST_EXPECTED"
+
+# And calculate the new result
+DIGEST_MEASURED2="$(echo -n "schnurz" | openssl dgst -sha256 -binary | xxd -p -c200)"
+DIGEST_EXPECTED2="$(echo "$DIGEST_EXPECTED$DIGEST_MEASURED2" | xxd -r -p | openssl dgst -sha256 -binary | xxd -p -c200)"
+test "$DIGEST_ACTUAL2" = "$DIGEST_EXPECTED2"
diff --git a/test/units/TEST-70-TPM2.pcrextend.sh b/test/units/TEST-70-TPM2.pcrextend.sh
index c13722c961f..d40cd703705 100755
--- a/test/units/TEST-70-TPM2.pcrextend.sh
+++ b/test/units/TEST-70-TPM2.pcrextend.sh
@@ -125,28 +125,3 @@ diff /tmp/newpcr15 \
      <(cat /tmp/oldpcr15 <(echo -n "file-system:$FS_WORD" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256)
 
 rm -f /tmp/oldpcr{11,15} /tmp/newpcr{11,15}
-
-mkdir -p /run/nvpcr
-
-cat >/run/nvpcr/test.nvpcr <<EOF
-{"name":"test","algorithm":"sha256","nvIndex":30474762}
-EOF
-/usr/lib/systemd/systemd-tpm2-setup
-test -f /run/systemd/nvpcr/test.anchor
-/usr/lib/systemd/systemd-pcrextend --nvpcr=test schrumpel
-# To calculate the current value we need the anchor measurement
-DIGEST_BASE="$(cat /run/systemd/nvpcr/test.anchor)"
-DIGEST_MEASURED="$(echo -n "schrumpel" | openssl dgst -sha256 -binary | xxd -p -c200)"
-DIGEST_EXPECTED="$(echo "$DIGEST_BASE$DIGEST_MEASURED" | xxd -r -p | openssl dgst -sha256 -binary | xxd -p -c200)"
-DIGEST_ACTUAL="$(systemd-analyze nvpcrs test --json=pretty | jq -r '.[] | select(.name=="test") | .value')"
-test "$DIGEST_ACTUAL" = "$DIGEST_EXPECTED"
-
-# Now "destroy" the value via another measurement
-/usr/lib/systemd/systemd-pcrextend --nvpcr=test schnurz
-DIGEST_ACTUAL2="$(systemd-analyze nvpcrs test --json=pretty | jq -r '.[] | select(.name=="test") | .value')"
-test "$DIGEST_ACTUAL2" != "$DIGEST_EXPECTED"
-
-# And calculate the new result
-DIGEST_MEASURED2="$(echo -n "schnurz" | openssl dgst -sha256 -binary | xxd -p -c200)"
-DIGEST_EXPECTED2="$(echo "$DIGEST_EXPECTED$DIGEST_MEASURED2" | xxd -r -p | openssl dgst -sha256 -binary | xxd -p -c200)"
-test "$DIGEST_ACTUAL2" = "$DIGEST_EXPECTED2"