ci: generate signed measurements for QEMU

2025-01-11 23:49:30 -05:00 · 2023-01-09 10:04:13 +01:00 · 2023-01-09 10:04:13 +01:00 · 67be4016f5
commit 67be4016f5
parent d851623c0d
5 changed files with 55 additions and 12 deletions
--- a/.github/workflows/generate-measurements.yml
+++ b/.github/workflows/generate-measurements.yml
@ -53,7 +53,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        provider: ["aws", "azure", "gcp"]
+        provider: ["aws", "azure", "gcp", "qemu"]
    permissions:
      id-token: write
      contents: read
@ -112,6 +112,7 @@ jobs:
          echo "res_group_name=$name" >> "$GITHUB_OUTPUT"
      - name: Create Cluster in E2E Test environment
        if: matrix.provider != 'qemu'
        id: create_cluster
        uses: ./.github/actions/e2e_test
        with:
@ -132,6 +133,7 @@ jobs:
          test: "nop"
      - name: Fetch PCRs from running cluster
        if: matrix.provider != 'qemu'
        run: |
          KUBECONFIG="${PWD}/constellation-admin.conf" kubectl rollout status ds/verification-service -n kube-system --timeout=3m
          CONSTELL_IP=$(jq -r ".ip" constellation-id.json)
@ -189,6 +191,33 @@ jobs:
        env:
          CSP: ${{ matrix.provider }}
      - name: Set PCRs for QEMU
        if: matrix.provider == 'qemu'
        env:
          ref: ${{ steps.extract.outputs.ref }}
          stream: ${{ steps.extract.outputs.stream }}
          version: ${{ steps.extract.outputs.version }}
        run: |
          path="constellation/v1/ref/${ref}/stream/${stream}/${version}/image/csp/${{ matrix.provider }}/measurements.image.json"
          mkdir -p "${{ github.workspace }}/generated-measurements"
          wget -O ${{ github.workspace }}/generated-measurements/measurements.image.json "https://cdn.confidential.cloud/${path}"
          jq '.measurements' < ${{ github.workspace }}/generated-measurements/measurements.image.json | jq '{"measurements": .}' > ${{ github.workspace }}/generated-measurements/measurements.json
          cat "${{ github.workspace }}/generated-measurements/measurements.json"
          yq '
          .csp = "QEMU" |
          .image = "${{ steps.extract.outputs.version }}" |
          .measurements.4.warnOnly = false |
          .measurements.8.warnOnly = false |
          .measurements.9.warnOnly = false |
          .measurements.11.warnOnly = false |
          .measurements.12.warnOnly = false |
          .measurements.13.warnOnly = false |
          .measurements.15.warnOnly = false |
          .measurements.15.expected = "0000000000000000000000000000000000000000000000000000000000000000"' \
          -I 0 -o json -i "${{ github.workspace }}/generated-measurements/measurements.json"
          mv "${{ github.workspace }}/generated-measurements/measurements.json" "${{ github.workspace }}/generated-measurements/measurements-${{ matrix.provider }}.json"
        shell: bash
      - name: Upload measurements as artifact
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
@ -196,7 +225,7 @@ jobs:
          path: "${{ github.workspace }}/generated-measurements"
      - name: Always terminate cluster
-        if: always()
+        if: always() && matrix.provider != 'qemu'
        continue-on-error: true
        uses: ./.github/actions/constellation_destroy
        with:
@ -220,7 +249,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        provider: ["aws", "azure", "gcp"]
+        provider: ["aws", "azure", "gcp", "qemu"]
    steps:
      - name: Check out repository
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
@ -270,7 +299,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        provider: ["aws", "azure", "gcp"]
+        provider: ["aws", "azure", "gcp", "qemu"]
    permissions:
      id-token: write
      contents: read
@ -324,7 +353,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        provider: ["aws", "azure", "gcp"]
+        provider: ["aws", "azure", "gcp", "qemu"]
    permissions:
      id-token: write
      contents: read
--- a/image/measured-boot/pcr-stable.json
+++ b/image/measured-boot/pcr-stable.json
@ -1,8 +1,16 @@
 {
  "measurements": {
-    "8": "0000000000000000000000000000000000000000000000000000000000000000",
+    "8": {
-    "11": "0000000000000000000000000000000000000000000000000000000000000000",
+      "expected": "0000000000000000000000000000000000000000000000000000000000000000"
-    "13": "0000000000000000000000000000000000000000000000000000000000000000",
+    },
-    "15": "0000000000000000000000000000000000000000000000000000000000000000"
+    "11": {
      "expected": "0000000000000000000000000000000000000000000000000000000000000000"
    },
    "13": {
      "expected": "0000000000000000000000000000000000000000000000000000000000000000"
    },
    "15": {
      "expected": "0000000000000000000000000000000000000000000000000000000000000000"
    }
  }
 }
--- a/image/measured-boot/precalculate_pcr_12.sh
+++ b/image/measured-boot/precalculate_pcr_12.sh
@ -35,7 +35,9 @@ write_output() {
  cat > "${out}" << EOF
 {
  "measurements": {
-    "12": "${expected_pcr_12}"
+    "12": {
      "expected": "${expected_pcr_12}"
    }
  },
  "cmdline": "${cmdline}",
  "cmdline-sha256": "${cmdline_hash}"
--- a/image/measured-boot/precalculate_pcr_4.sh
+++ b/image/measured-boot/precalculate_pcr_4.sh
@ -23,7 +23,9 @@ write_output() {
  cat > "${out}" << EOF
 {
  "measurements": {
-    "4": "${expected_pcr_4}"
+    "4": {
      "expected": "${expected_pcr_4}"
    }
  },
  "efistages": [
    {
--- a/image/measured-boot/precalculate_pcr_9.sh
+++ b/image/measured-boot/precalculate_pcr_9.sh
@ -28,7 +28,9 @@ write_output() {
  cat > "${out}" << EOF
 {
  "measurements": {
-    "9": "${expected_pcr_9}"
+    "9": {
      "expected": "${expected_pcr_9}"
    }
  },
  "initrd-sha256": "${initrd_hash}"
 }