ci: add simple test that ensures the verity nvpcr measurements are made

author Lennart Poettering <lennart@amutable.com>

Tue, 17 Feb 2026 20:59:30 +0000 (21:59 +0100)

committer Lennart Poettering <lennart@amutable.com>

Tue, 17 Feb 2026 21:00:14 +0000 (22:00 +0100)
author Lennart Poettering <lennart@amutable.com>
Tue, 17 Feb 2026 20:59:30 +0000 (21:59 +0100)
committer Lennart Poettering <lennart@amutable.com>
Tue, 17 Feb 2026 21:00:14 +0000 (22:00 +0100)
diff --git a/test/units/TEST-70-TPM2.nvpcr.sh b/test/units/TEST-70-TPM2.nvpcr.sh

index ce5bdfc651bab8eb82648250c38a5f1383035a5a..ba5d6c9b7f43777c6551ec61edf170cd76523a31 100755 (executable)
--- a/test/units/TEST-70-TPM2.nvpcr.sh
+++ b/test/units/TEST-70-TPM2.nvpcr.sh
@@ -20,7 +20,8 @@ at_exit() {
          jq --seq --slurp </run/log/systemd/tpm2-measure.log
      fi
  
-    rm -rf /run/nvpcr
+    rm -rf /run/nvpcr /tmp/nvpcr
+    rm -f /var/tmp/nvpcr.raw /run/verity.d/test-79-nvpcr.crt
  }
  
  trap at_exit EXIT
@@ -52,3 +53,46 @@ test "$DIGEST_ACTUAL2" != "$DIGEST_EXPECTED"
  DIGEST_MEASURED2="$(echo -n "schnurz" | openssl dgst -sha256 -hex -r | cut -d' ' -f1)"
  DIGEST_EXPECTED2="$(echo "$DIGEST_EXPECTED$DIGEST_MEASURED2" | tr '[:lower:]' '[:upper:]' | basenc --base16 -d | openssl dgst -sha256 -hex -r | cut -d' ' -f1)"
  test "$DIGEST_ACTUAL2" = "$DIGEST_EXPECTED2"
+
+mkdir /tmp/nvpcr
+
+OPENSSL_CONFIG="/tmp/nvpcr/opensslconfig"
+# Unfortunately OpenSSL insists on reading some config file, hence provide one with mostly placeholder contents
+cat >"${OPENSSL_CONFIG:?}" <<EOF
+[ req ]
+prompt = no
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
+C = DE
+ST = Test State
+L = Test Locality
+O = Org Name
+OU = Org Unit Name
+CN = Common Name
+emailAddress = test@email.com
+EOF
+
+openssl req -config "$OPENSSL_CONFIG" -subj="/CN=waldo" \
+            -x509 -sha256 -nodes -days 365 -newkey rsa:4096 \
+            -keyout /tmp/nvpcr/test-70-nvpcr.key -out /tmp/nvpcr/test-70-nvpcr.crt
+
+mkdir /tmp/nvpcr/tree
+touch /tmp/nvpcr/tree/file
+
+SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs \
+    systemd-repart -P \
+                   -s /tmp/nvpcr/tree \
+                   --certificate=/tmp/nvpcr/test-70-nvpcr.crt \
+                   --private-key=/tmp/nvpcr/test-70-nvpcr.key \
+                   /var/tmp/nvpcr.raw
+
+mkdir -p /run/verity.d
+cp /tmp/nvpcr/test-70-nvpcr.crt /run/verity.d/
+
+cp /run/log/systemd/tpm2-measure.log /tmp/nvpcr/log-before
+
+systemd-dissect --image-policy='root=signed:=absent+unused' --mtree /var/tmp/nvpcr.raw
+
+set +o pipefail
+diff /tmp/nvpcr/log-before /run/log/systemd/tpm2-measure.log | grep -F '"content":{"nvIndexName":"verity","string":"verity:'
author	Lennart Poettering <lennart@amutable.com>
	Tue, 17 Feb 2026 20:59:30 +0000 (21:59 +0100)
committer	Lennart Poettering <lennart@amutable.com>
	Tue, 17 Feb 2026 21:00:14 +0000 (22:00 +0100)