mirror of
https://github.com/siderolabs/talos.git
synced 2025-10-28 15:01:13 +01:00
166d75fe88
The previous flow was using TPM PCR 11 values to bound the policy which means TPM cannot unseal when UKI changes. Now it's fixed to use PCR 7 which is bound to the SecureBoot state (SecureBoot status and Certificates). This provides a full chain of trust bound to SecureBoot state and signed PCR signature. Also the code has been refactored to use PolicyCalculator from the TPM library. Signed-off-by: Noel Georgi <git@frezbo.dev>
51 lines
1.0 KiB
Go
51 lines
1.0 KiB
Go
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
// Package tpm2 provides TPM2.0 related functionality helpers.
|
|
package tpm2_test
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
tpm2internal "github.com/siderolabs/talos/internal/pkg/secureboot/tpm2"
|
|
)
|
|
|
|
func TestGetSelection(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
for _, tt := range []struct {
|
|
name string
|
|
pcrs []int
|
|
expected []byte
|
|
}{
|
|
{
|
|
name: "empty",
|
|
expected: []byte{0, 0, 0},
|
|
},
|
|
{
|
|
name: "1, 3, 5",
|
|
pcrs: []int{1, 3, 5},
|
|
expected: []byte{42, 0, 0},
|
|
},
|
|
{
|
|
name: "21, 22, 23",
|
|
pcrs: []int{21, 22, 23},
|
|
expected: []byte{0, 0, 0xe0},
|
|
},
|
|
} {
|
|
tt := tt
|
|
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
actual, err := tpm2internal.CreateSelector(tt.pcrs)
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, tt.expected, actual)
|
|
})
|
|
}
|
|
}
|