ci: generate signed measurements for QEMU

.github/workflows/generate-measurements.yml

@@ -53,7 +53,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        provider: ["aws", "azure", "gcp"]
+        provider: ["aws", "azure", "gcp", "qemu"]
     permissions:
       id-token: write
       contents: read
@@ -112,6 +112,7 @@ jobs:
           echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
 
       - name: Create Cluster in E2E Test environment
+        if: matrix.provider != 'qemu'
         id: create_cluster
         uses: ./.github/actions/e2e_test
         with:
@@ -132,6 +133,7 @@ jobs:
           test: "nop"
 
       - name: Fetch PCRs from running cluster
+        if: matrix.provider != 'qemu'
         run: |
           KUBECONFIG="${PWD}/constellation-admin.conf" kubectl rollout status ds/verification-service -n kube-system --timeout=3m
           CONSTELL_IP=$(jq -r ".ip" constellation-id.json)
@@ -189,6 +191,33 @@ jobs:
         env:
           CSP: ${{ matrix.provider }}
 
+      - name: Set PCRs for QEMU
+        if: matrix.provider == 'qemu'
+        env:
+          ref: ${{ steps.extract.outputs.ref }}
+          stream: ${{ steps.extract.outputs.stream }}
+          version: ${{ steps.extract.outputs.version }}
+        run: |
+          path="constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}/measurements.image.json"
+          mkdir -p "${{ github.workspace }}/generated-measurements"
+          wget -O ${{ github.workspace }}/generated-measurements/measurements.image.json "https://cdn.confidential.cloud/${path}"
+          jq '.measurements' < ${{ github.workspace }}/generated-measurements/measurements.image.json | jq '{"measurements": .}' > ${{ github.workspace }}/generated-measurements/measurements.json
+          cat "${{ github.workspace }}/generated-measurements/measurements.json"
+          yq '
+          .csp = "QEMU" |
+          .image = "${{ steps.extract.outputs.version }}" |
+          .measurements.4.warnOnly = false |
+          .measurements.8.warnOnly = false |
+          .measurements.9.warnOnly = false |
+          .measurements.11.warnOnly = false |
+          .measurements.12.warnOnly = false |
+          .measurements.13.warnOnly = false |
+          .measurements.15.warnOnly = false |
+          .measurements.15.expected = "0000000000000000000000000000000000000000000000000000000000000000"' \
+          -I 0 -o json -i "${{ github.workspace }}/generated-measurements/measurements.json"
+          mv "${{ github.workspace }}/generated-measurements/measurements.json" "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json"
+        shell: bash
+
       - name: Upload measurements as artifact
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
@@ -196,7 +225,7 @@ jobs:
           path: "${{ github.workspace }}/generated-measurements"
 
       - name: Always terminate cluster
-        if: always()
+        if: always() && matrix.provider != 'qemu'
         continue-on-error: true
         uses: ./.github/actions/constellation_destroy
         with:
@@ -220,7 +249,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        provider: ["aws", "azure", "gcp"]
+        provider: ["aws", "azure", "gcp", "qemu"]
     steps:
       - name: Check out repository
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
@@ -270,7 +299,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        provider: ["aws", "azure", "gcp"]
+        provider: ["aws", "azure", "gcp", "qemu"]
     permissions:
       id-token: write
       contents: read
@@ -324,7 +353,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        provider: ["aws", "azure", "gcp"]
+        provider: ["aws", "azure", "gcp", "qemu"]
     permissions:
       id-token: write
       contents: read

image/measured-boot/pcr-stable.json

@@ -1,8 +1,16 @@
 {
   "measurements": {
-    "8": "0000000000000000000000000000000000000000000000000000000000000000",
-    "11": "0000000000000000000000000000000000000000000000000000000000000000",
-    "13": "0000000000000000000000000000000000000000000000000000000000000000",
-    "15": "0000000000000000000000000000000000000000000000000000000000000000"
+    "8": {
+      "expected": "0000000000000000000000000000000000000000000000000000000000000000"
+    },
+    "11": {
+      "expected": "0000000000000000000000000000000000000000000000000000000000000000"
+    },
+    "13": {
+      "expected": "0000000000000000000000000000000000000000000000000000000000000000"
+    },
+    "15": {
+      "expected": "0000000000000000000000000000000000000000000000000000000000000000"
+    }
   }
 }

image/measured-boot/precalculate_pcr_12.sh

@@ -35,7 +35,9 @@ write_output() {
   cat > "${out}" << EOF
 {
   "measurements": {
-    "12": "${expected_pcr_12}"
+    "12": {
+      "expected": "${expected_pcr_12}"
+    }
   },
   "cmdline": "${cmdline}",
   "cmdline-sha256": "${cmdline_hash}"

image/measured-boot/precalculate_pcr_4.sh

@@ -23,7 +23,9 @@ write_output() {
   cat > "${out}" << EOF
 {
   "measurements": {
-    "4": "${expected_pcr_4}"
+    "4": {
+      "expected": "${expected_pcr_4}"
+    }
   },
   "efistages": [
     {

image/measured-boot/precalculate_pcr_9.sh

@@ -28,7 +28,9 @@ write_output() {
   cat > "${out}" << EOF
 {
   "measurements": {
-    "9": "${expected_pcr_9}"
+    "9": {
+      "expected": "${expected_pcr_9}"
+    }
   },
   "initrd-sha256": "${initrd_hash}"
 }