
system-tests: new test for disk encryption with support for TPMv2 PCR protection #129

Merged
merged 6 commits into from
Aug 21, 2024

edcdavid (Contributor) commented Jul 31, 2024

Ready for review:

This PR adds a CI test for TPM encryption with PCR 1 and 7.
The test defines the following 3 tests:

  • "Verifies that disabling Secure Boot prevents Disk decryption (PCR 7)":
    • start from a SNO system with secure boot enabled and the root disk encrypted with PCR 1 and 7
    • check that secure boot is enabled with PCR 1 and 7
    • check that reserved slot is not present
    • Disable secure boot with Redfish (gofish)
    • Restart the node gracefully and observe console with Redfish (ssh console)
    • wait for disk decryption failure logs to be detected
    • Enable secure boot
    • Force reboot node
  • "Verifies update indication with file (/etc/host-hw-Updating.flag)"
    • start from a SNO system with secure boot enabled and the root disk encrypted with PCR 1 and 7
    • check that secure boot is enabled with PCR 1 and 7
    • check that reserved slot is not present
    • Touch "/etc/host-hw-Updating.flag" to notify a firmware upgrade. This essentially disables PCR protection, so any changes to PCR 1 and 7 will not prevent the disk from being decrypted
    • Disable secure boot with Redfish (gofish)
    • Restart the node gracefully and observe console with Redfish (ssh console)
    • wait for disk decryption to succeed and for the system to finish booting
    • Enable secure boot
    • Gracefully reboot node
  • "Verify that changing Host boot order prevents Disk decryption (TPM PCR 1)":
    • start from a SNO system with secure boot enabled and the root disk encrypted with PCR 1 and 7
    • check that secure boot is enabled with PCR 1 and 7
    • check that reserved slot is not present
    • Change the Server boot order
    • Restart the node gracefully and observe console with Redfish (ssh console)
    • wait for disk decryption failure logs to be detected
    • Change the Server boot order back to original settings
    • Force reboot node
Notes:
  • uses environment variables ECO_CNF_RAN_BMC_USERNAME, ECO_CNF_RAN_BMC_PASSWORD, ECO_CNF_RAN_BMC_HOSTS to get BMC credentials for the SNO
  • uses KUBECONFIG to access the SNO spoke
  • needs the spoke to configure text mode on the console. This can be done with this extra manifest:

```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: master
  name: 05-worker-kernel-log
spec:
  kernelArguments:
    - nomodeset
    - console=tty0
    - console=ttyS0,115200n8
```

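The precondition checks that all three tests above share (a tpm2 pin bound to PCRs 1 and 7, the reserved keyslot still free, Secure Boot enabled) written out as an added Go example; this is not code from the PR or from the eco-gotests project. It assumes the root disk is bound with clevis, so that `clevis luks list -d <root LUKS device>` prints one `<slot>: <pin> '<json>'` line per binding with `pcr_ids` as a comma-separated string, and that Secure Boot state is read from the efivarfs SecureBoot variable (four attribute bytes, then a one-byte value). Both inputs below are constructed samples, and all type and function names are mine.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample of `clevis luks list -d <root LUKS device>` output for a
// root disk whose tpm2 pin is sealed to PCRs 1 and 7 (not captured from a node).
const sampleClevisList = `1: tpm2 '{"hash":"sha256","key":"ecc","pcr_bank":"sha256","pcr_ids":"1,7"}'
`

// Constructed contents of the efivarfs file
// SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c: four attribute bytes
// followed by the one-byte variable value (1 = Secure Boot enabled).
var sampleSecureBootVar = []byte{0x06, 0x00, 0x00, 0x00, 0x01}

// ClevisBinding is one keyslot line of `clevis luks list`.
type ClevisBinding struct {
	Slot   int
	Pin    string
	Config string // raw JSON pin configuration
}

var clevisLine = regexp.MustCompile(`^(\d+):\s+(\S+)\s+'(.*)'$`)

// ParseClevisList parses `clevis luks list` output into bindings.
func ParseClevisList(out string) ([]ClevisBinding, error) {
	var bindings []ClevisBinding
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		m := clevisLine.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("unrecognised clevis line: %q", line)
		}
		slot, _ := strconv.Atoi(m[1]) // the regexp guarantees digits only
		bindings = append(bindings, ClevisBinding{Slot: slot, Pin: m[2], Config: m[3]})
	}
	return bindings, nil
}

// PCRIDs returns the PCRs a tpm2 pin is sealed against. A tpm2 pin without
// pcr_ids is valid clevis config but gives no PCR protection, so it yields nil.
func PCRIDs(b ClevisBinding) ([]int, error) {
	if b.Pin != "tpm2" {
		return nil, nil
	}
	var cfg struct {
		PCRIDs string `json:"pcr_ids"`
	}
	if err := json.Unmarshal([]byte(b.Config), &cfg); err != nil {
		return nil, fmt.Errorf("slot %d: bad tpm2 config: %w", b.Slot, err)
	}
	var ids []int
	for _, f := range strings.Split(cfg.PCRIDs, ",") {
		if f = strings.TrimSpace(f); f == "" {
			continue
		}
		n, err := strconv.Atoi(f)
		if err != nil {
			return nil, fmt.Errorf("slot %d: bad pcr id %q", b.Slot, f)
		}
		ids = append(ids, n)
	}
	return ids, nil
}

// VerifyPCRBinding fails unless some tpm2 pin is sealed to every PCR in want.
func VerifyPCRBinding(bindings []ClevisBinding, want ...int) error {
	if len(want) == 0 {
		return errors.New("no PCRs requested")
	}
	for _, b := range bindings {
		ids, err := PCRIDs(b)
		if err != nil {
			return err
		}
		bound := make(map[int]bool, len(ids))
		for _, id := range ids {
			bound[id] = true
		}
		ok := true
		for _, w := range want {
			ok = ok && bound[w]
		}
		if ok {
			return nil
		}
	}
	return fmt.Errorf("no tpm2 pin bound to PCRs %v", want)
}

// SlotAbsent reports whether no clevis binding occupies keyslot n.
func SlotAbsent(bindings []ClevisBinding, n int) bool {
	for _, b := range bindings {
		if b.Slot == n {
			return false
		}
	}
	return true
}

// SecureBootEnabled decodes an efivarfs SecureBoot variable.
func SecureBootEnabled(raw []byte) (bool, error) {
	if len(raw) < 5 {
		return false, fmt.Errorf("SecureBoot variable too short: %d bytes", len(raw))
	}
	return raw[4] == 1, nil
}

func main() {
	bindings, err := ParseClevisList(sampleClevisList)
	if err != nil {
		panic(err)
	}
	fmt.Println("PCRs 1 and 7 bound:", VerifyPCRBinding(bindings, 1, 7) == nil)
	fmt.Println("slot 2 free:", SlotAbsent(bindings, 2))
	sb, _ := SecureBootEnabled(sampleSecureBootVar)
	fmt.Println("Secure Boot enabled:", sb)
}
```

On a live spoke the two inputs would come from `oc debug node/<name> -- chroot /host clevis luks list -d <root LUKS device>` and from reading the SecureBoot efivarfs file on the host; the parsing and checks stay the same. Treating a tpm2 pin with no `pcr_ids` as unbound matters here, because such a pin decrypts regardless of Secure Boot or boot-order changes, which is exactly the state the PCR 1 and 7 tests are meant to rule out.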
edcdavid changed the title from "Adding test suite for disk encryption with support for TPMv2 PCR protection" to "system-tests: new test for disk encryption with support for TPMv2 PCR protection" on Jul 31, 2024
@edcdavid edcdavid requested a review from mcornea August 5, 2024 13:09
mcornea (Collaborator) commented Aug 9, 2024

lgtm

@edcdavid edcdavid force-pushed the test-disk-encryption-pcr1 branch 6 times, most recently from 3211fad to 9f1116c Compare August 15, 2024 14:00
mcornea (Collaborator) commented Aug 19, 2024

lgtm

klaskosk (Collaborator) left a comment

/lgtm

kononovn (Collaborator) left a comment

global level lgtm

@mcornea mcornea merged commit 92ac9d5 into openshift-kni:main Aug 21, 2024
1 check passed