ci: add a CI test for nvpcr priorization 42227/head
authorLennart Poettering <lennart@amutable.com>
Thu, 21 May 2026 12:22:29 +0000 (14:22 +0200)
committerLennart Poettering <lennart@amutable.com>
Thu, 21 May 2026 14:31:51 +0000 (16:31 +0200)
test/units/TEST-70-TPM2.nvpcr.sh

index 05ae378d849e57073e98a85d7328f5f75b6d6fe4..d84bb1feb38fcea446395961afc5907c7722806b 100755 (executable)
@@ -21,7 +21,8 @@ at_exit() {
     fi
 
     rm -rf /run/nvpcr /tmp/nvpcr
-    rm -f /var/tmp/nvpcr.raw /run/verity.d/test-70-nvpcr.crt /run/systemd/nvpcr/test.anchor
+    rm -f /var/tmp/nvpcr.raw /run/verity.d/test-70-nvpcr.crt
+    rm -f /run/systemd/nvpcr/test.anchor /run/systemd/nvpcr/test2.anchor /run/systemd/nvpcr/aaa.anchor /run/systemd/nvpcr/zzz.anchor
 }
 
 trap at_exit EXIT
@@ -54,6 +55,33 @@ DIGEST_MEASURED2="$(echo -n "schnurz" | openssl dgst -sha256 -hex -r | cut -d' '
 DIGEST_EXPECTED2="$(echo "$DIGEST_EXPECTED$DIGEST_MEASURED2" | tr '[:lower:]' '[:upper:]' | basenc --base16 -d | openssl dgst -sha256 -hex -r | cut -d' ' -f1)"
 test "$DIGEST_ACTUAL2" = "$DIGEST_EXPECTED2"
 
+# Verify the 'priority' field round-trips through the JSON definition. The 'test' NvPCR above sets no
+# priority, so it must report the default (1000).
+PRIORITY_DEFAULT="$(systemd-analyze nvpcrs test --json=pretty | jq -r '.[] | select(.name=="test") | .priority')"
+test "$PRIORITY_DEFAULT" = "1000"
+
+# A definition with an explicit priority must report exactly that value.
+cat >/run/nvpcr/test2.nvpcr <<EOF
+{"name":"test2","algorithm":"sha256","nvIndex":30474763,"priority":42}
+EOF
+PRIORITY_EXPLICIT="$(systemd-analyze nvpcrs test2 --json=pretty | jq -r '.[] | select(.name=="test2") | .priority')"
+test "$PRIORITY_EXPLICIT" = "42"
+
+# Verify NvPCRs are allocated in order of priority (lower value = more important = allocated first),
+# independent of lexical filename order. 'aaa' is lexically first but less important (higher priority
+# value), while 'zzz' is lexically last but more important (lower priority value), so 'zzz' must be set
+# up before 'aaa'.
+cat >/run/nvpcr/aaa.nvpcr <<EOF
+{"name":"aaa","algorithm":"sha256","nvIndex":30474772,"priority":900}
+EOF
+cat >/run/nvpcr/zzz.nvpcr <<EOF
+{"name":"zzz","algorithm":"sha256","nvIndex":30474773,"priority":100}
+EOF
+SETUP_LOG="$(/usr/lib/systemd/systemd-tpm2-setup 2>&1)"
+AAA_LINE="$(echo "$SETUP_LOG" | grep -n "Setting up NvPCR 'aaa'" | cut -d: -f1)"
+ZZZ_LINE="$(echo "$SETUP_LOG" | grep -n "Setting up NvPCR 'zzz'" | cut -d: -f1)"
+test "$ZZZ_LINE" -lt "$AAA_LINE"
+
 systemd-analyze identify-tpm2
 udevadm test-builtin 'tpm2_id identify' /dev/tpmrm0
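Review bot: The ordering assertion on the last added line compares two values that may be empty: if either "Setting up NvPCR" message is absent from the captured output (renamed log string, setup aborted early, or the message going to the journal instead of stderr), `AAA_LINE`/`ZZZ_LINE` is `""` and `test "" -lt ""` fails with "integer expression expected" rather than a readable test failure, and if a message appears twice `grep -n | cut` yields two numbers and the same confusing error. I would pin the match to the first hit and check presence before comparing: `AAA_LINE="$(echo "$SETUP_LOG" | grep -n -m1 "Setting up NvPCR 'aaa'" | cut -d: -f1)"`, likewise for `zzz`, then `test -n "$AAA_LINE" && test -n "$ZZZ_LINE"` before `test "$ZZZ_LINE" -lt "$AAA_LINE"`. It is also worth a one-line comment that the check deliberately couples to the "Setting up NvPCR '<name>'" log text emitted by systemd-tpm2-setup, so that whoever rewords that message knows to update this test. Whether a non-zero exit from systemd-tpm2-setup itself aborts the script depends on `set -e` being enabled in the header, which is outside this hunk; the surrounding top-level script continues past the hunk.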