Skip to content

WIP: Demo and related changes#33

Draft
travier wants to merge 7 commits into
trusted-execution-clusters:mainfrom
travier:main-wip-demo
Draft

WIP: Demo and related changes#33
travier wants to merge 7 commits into
trusted-execution-clusters:mainfrom
travier:main-wip-demo

Conversation

@travier
Copy link
Copy Markdown
Member

@travier travier commented Oct 6, 2025

Do not merge

This was referenced Apr 15, 2026
Open
Open
Open
@bgartzi
Copy link
Copy Markdown
Contributor

bgartzi commented Apr 22, 2026
edited
Loading

A few things:

  • Rebasing the branch onto the latest main.
  • Merging logic for uki/non-uki cases as logic is almost similar except for the last part.
  • Assuming default UKI paths.
  • Having only one pcr4 prediction command, which assumes uki by default, rolls back into legacy if uki is not found.
  • tpmeventids for uki + addons

Missing:

  • Make uki path for pcr11 non required, try to find the default one.
  • Tests.

PS TODO: linterrrr....

@bgartzi bgartzi mentioned this pull request May 4, 2026
Draft
bgartzi added 2 commits May 5, 2026 11:51
@bgartzi
rootfs: Manage uki + addon paths
8e3dc22 
Some images might boot from an UKI. By default, it will be located under
/boot/EFI/Linux/uki.efi in fedora images. If the user provides another
path, that will preceed over it.

Now, when new rootfs are created it will check if the user-provided or
the default UKI exists. If it does, it will fill the uki + addon fields
of the rootfs struct.

Later, we can retrieve those. uki returns an Option<String> to know if
it is or not a uki image.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
@bgartzi
tpmevents: TPMEventIDs for uki-related events
a7d6801 
Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
@bgartzi
tpmevents, pcr4: Merge uki+nonuki logic
8feed27 
PCR computation for PCR4 with uki or without it was not so different.
The only thing that changes is part related to vmlinuz or the UKI.

Merge both of them, as we can know which of the cases we are dealing
with easily, based on whether the UKI was found in the expected path or
not.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
bgartzi added 2 commits May 5, 2026 16:55
@bgartzi
lib: Update compute_pcr4 interface
8c4801f 
Admit paths to the UKI and its addons.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
@bgartzi
cli: compute PCR4 for uki images
ec70b84 
Now users can pass uki and uki addons paths to the compute-pcrs binary.
Now, the binary will assume that it is predicting PCRs for an UKI image.
It will try to find the UKI image in the path provided by the user. If
it was not provided, it will try finding it in the default path. It it
was not found even there, then it will assume it is the legacy case and
will compute pcr4 as it was done until now.

Signed-off-by: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@travier @bgartzi