engineering: Include PCR 7 into pcrlock policy for non-containerized UKI target OS (#221)

* Try including PCR 7 into pcrlock policy

* Removed old check

* Exclude PCR 7 on BM tests

* Remove default PCR

* Exclude PCR 7 for container tests

* Update docs/Reference/Host-Configuration/API-Reference/Encryption.md

Co-authored-by: Copilot <[email protected]>

* Update crates/trident_api/src/config/host/storage/encryption.rs

Co-authored-by: Copilot <[email protected]>

* Corrected formatting

* Updated PCR validation

* Updated comment

* Tried fixing

* Tried fixing again

* Do not overwrite Trident config for grub test

* Updated task link

* Corrected again

---------

Co-authored-by: Copilot <[email protected]>

Author: ndubchak

.pipelines/templates/stages/testing_baremetal/update_host_config.py

@@ -11,6 +11,7 @@
 def update_trident_host_config(
     *,
     host_configuration: dict,
+    test_selection: dict,
     interface_name: str,
     interface_ip: str,
     interface_mac: Optional[str] = None,
@@ -80,6 +81,20 @@ def update_trident_host_config(
             "writableEtcOverlayHooks"
         ] = True
 
+    # TODO: If this is a BM test with grub MOS -> UKI target OS flow, then only
+    # request PCRs 4 and 11 in the PCRs section b/c we cannot currently include
+    # PCR 7 into pcrlock policy as SecureBoot is disabled on BM machines.
+    # Related ADO task:
+    # https://dev.azure.com/mariner-org/polar/_workitems/edit/15566.
+    storage = host_configuration.get("storage")
+    if storage and "uki" in test_selection.get("compatible", []):
+        encryption = storage.get("encryption")
+        if encryption and "pcrs" in encryption:
+            logging.info(
+                "Detected UKI image, overwriting PCRs section to only include PCRs 4 and 11 and exclude PCR 7."
+            )
+            encryption["pcrs"] = ["boot-loader-code", "kernel-boot"]
+
     logging.info(
         "Final trident_yaml content post all the updates: %s", host_configuration
     )
@@ -164,8 +179,12 @@ def main():
     with open(args.trident_yaml) as f:
         trident_yaml_content = yaml.safe_load(f)
 
+    with open(args.test_selection) as f:
+        test_selection_content = yaml.safe_load(f)
+
     update_trident_host_config(
         host_configuration=trident_yaml_content,
+        test_selection=test_selection_content,
         interface_name=args.interface_name,
         interface_ip=args.oam_ip,
         interface_mac=args.oam_mac,

.pipelines/templates/stages/testing_vm/netlaunch-testing.yml

@@ -172,9 +172,9 @@ stages:
               # Enable SecureBoot for all E2E tests.
               SECURE_BOOT="--secure-boot"
 
-              # If this is a usr-verity image; a signing certificate must be
-              # set via --signing-cert; otherwise, set it to an empty string.
-              # This can also be used for sysext signing.
+              # If this is a usr-verity UKI image, a signing certificate must
+              # be set via --signing-cert; otherwise, set it to an empty
+              # string. This can also be used for sysext signing.
               TRIDENT_CONFIG="$(tridentConfigPath)/trident-config.yaml"
               IMAGE_URL=$(sudo yq '.image.url' "$TRIDENT_CONFIG")
               CERT_SEARCH_PATH="$(System.ArtifactsDirectory)/usrverity-testimage"
@@ -185,10 +185,24 @@ stages:
                 SIGNING_CERT=""
               fi
 
+              # If this is a usr-verity UKI image and the test will run in a
+              # container, then overwrite the PCRs to exclude PCR 7.
+              ENCRYPTION_VALUE=$(sudo yq '.storage.encryption' "$TRIDENT_CONFIG")
+              if [[ "$IMAGE_URL" == *usrverity.cosi && \
+                    "${{ parameters.runtimeEnv }}" == 'container' && \
+                    "$ENCRYPTION_VALUE" != "null" ]]; then
+                sudo yq -i '
+                  .storage.encryption.pcrs = ["boot-loader-code", "kernel-boot"]
+                ' "$TRIDENT_CONFIG"
+
+                echo "Updated Trident config:"
+                sudo yq '.' "$TRIDENT_CONFIG"
+              fi
+
               ./bin/netlaunch \
                   --iso ./artifacts/iso/$(installerISOName).iso \
                   --config $(tridentSourceDirectory)/tools/vm-netlaunch.yaml \
-                  --trident $(tridentConfigPath)/trident-config.yaml \
+                  --trident "$TRIDENT_CONFIG" \
                   --servefolder ./artifacts/test-image \
                   --logstream \
                   $MAX_FAILURES_FLAG \

crates/osutils/src/encryption.rs

@@ -25,9 +25,6 @@ pub const KEY_SIZE: &str = "512";
 /// Size of the temporary recovery key file in bytes.
 const TMP_RECOVERY_KEY_SIZE: usize = 64;
 
-/// Default PCR to seal encrypted volumes to. PCR 7 represents the `SecureBoot` state.
-pub const DEFAULT_PCR: Pcr = Pcr::Pcr7;
-
 /// Runs `systemd-cryptenroll` to enroll a TPM 2.0 device for the given device of a LUKS2 encrypted
 /// volume.
 ///
@@ -259,7 +256,7 @@ mod tests {
         let pcrs = BitFlags::from(Pcr::Pcr1) | BitFlags::from(Pcr::Pcr4);
         assert_eq!(to_tpm2_pcrs_arg(pcrs), "--tpm2-pcrs=1+4".to_string());
 
-        let single_pcr = BitFlags::from(DEFAULT_PCR);
+        let single_pcr = BitFlags::from(Pcr::Pcr7);
         assert_eq!(to_tpm2_pcrs_arg(single_pcr), "--tpm2-pcrs=7".to_string());
 
         let all_pcrs = BitFlags::<Pcr>::all();

crates/osutils/src/pcrlock.rs

@@ -95,8 +95,8 @@ fn generate_tpm2_access_policy(pcrs: BitFlags<Pcr>) -> Result<(), Error> {
         pcrs.iter().map(|pcr| pcr.to_num()).collect::<Vec<_>>()
     );
 
-    // If running inside of a container AND pcrlock.json already exists in the ROS on the host,
-    // copy it from the host and into the container
+    // If running inside of a container AND pcrlock.json already exists in the target OS on the
+    // host, copy it from the host into the container
     if container::is_running_in_container()
         .unstructured("Failed to determine if running in container")?
     {

crates/trident/src/engine/rollback.rs

@@ -5,7 +5,6 @@ use enumflags2::BitFlags;
 use log::{debug, info, trace, warn};
 
 use osutils::{block_devices, efivar, lsblk, pcrlock, veritysetup, virt};
-use sysdefs::tpm2::Pcr;
 use trident_api::{
     constants::internal_params::VIRTDEPLOY_BOOT_ORDER_WORKAROUND,
     error::{InternalError, ReportError, ServicingError, TridentError, TridentResultExt},
@@ -87,23 +86,11 @@ pub fn validate_boot(datastore: &mut DataStore) -> Result<(), TridentError> {
             if ctx.is_uki()? {
                 debug!("Regenerating pcrlock policy for current boot");
 
-                let pcrs = if !encryption.pcrs.is_empty() {
-                    encryption
-                        .pcrs
-                        .iter()
-                        .fold(BitFlags::empty(), |acc, &pcr| acc | BitFlags::from(pcr))
-                } else {
-                    // TODO: Currently, we cannot seal to PCR 7 b/c not all measurements are
-                    // recognized by the .pcrlock file generation logic. Once that is resolved,
-                    // we want to have PCR 7 as the default. For now, we use PCRs 4 and 11. Related
-                    // ADO tasks:
-                    // https://dev.azure.com/mariner-org/polar/_workitems/edit/14523/ and
-                    // https://dev.azure.com/mariner-org/polar/_workitems/edit/14455/.
-                    //
-                    // Use default PCR 7 if none specified.
-                    //BitFlags::from(DEFAULT_PCR)
-                    BitFlags::from(Pcr::Pcr4) | BitFlags::from(Pcr::Pcr11)
-                };
+                // Get the PCRs from Host Configuration
+                let pcrs = encryption
+                    .pcrs
+                    .iter()
+                    .fold(BitFlags::empty(), |acc, &pcr| acc | BitFlags::from(pcr));
 
                 // Get UKI and bootloader binaries for .pcrlock file generation
                 let (uki_binaries, bootloader_binaries) =

crates/trident/src/engine/storage/encryption.rs

@@ -16,7 +16,7 @@ use osutils::{
     container,
     dependencies::{Dependency, DependencyResultExt},
     efivar,
-    encryption::{self, KeySlotType, DEFAULT_PCR},
+    encryption::{self, KeySlotType},
     lsblk::{self, BlockDeviceType},
     path::join_relative,
     pcrlock,
@@ -134,8 +134,13 @@ pub(super) fn create_encrypted_devices(
             pcrlock::generate_pcrlock_policy(BitFlags::from(Pcr::Pcr0), vec![], vec![])?;
             None
         } else {
-            debug!("Target OS image is a grub image, so sealing against the default PCR 7");
-            Some(BitFlags::from(DEFAULT_PCR))
+            debug!("Target OS image is a grub image, so sealing against PCR 7");
+            Some(
+                encryption
+                    .pcrs
+                    .iter()
+                    .fold(BitFlags::empty(), |acc, &pcr| acc | BitFlags::from(pcr)),
+            )
         };
 
         // Check if `REENCRYPT_ON_CLEAN_INSTALL` internal param is set to true; if so, re-encrypt
@@ -226,8 +231,8 @@ pub(super) fn create_encrypted_devices(
 /// - `encryption_type`: The type of encryption to be used. Determines whether the device should be
 ///   re-encrypted in-place, or whether a new LUKS2 volume should be initialized.
 /// - `pcr`: The PCR to seal the key against. This is an optional PCR for scenarios where encrypted
-///   volumes are sealed against the value of PCR 7 instead of a pcrlock policy, mainly for the
-///   grub MOS + grub ROS flow.
+///   volumes are sealed against the value of PCR 7 instead of a pcrlock policy, for the grub MOS +
+///   grub target OS flow.
 fn encrypt_and_open_device(
     device_path: &Path,
     device_name: &String,
@@ -302,7 +307,7 @@ struct LuksDumpSegment {
 
 /// Returns paths of UKI and bootloader binaries that `systemd-pcrlock` tool should seal to. During
 /// encryption provisioning, returns binaries used for the current boot, as well as binaries that
-/// will be used in the future boot, i.e. in the ROS update image. During rollback validation,
+/// will be used in the future boot, i.e. in the target OS image. During rollback validation,
 /// returns binaries used for the current boot only.
 ///
 /// Returns a tuple containing two vectors:

crates/trident/src/subsystems/storage/encryption.rs

@@ -8,7 +8,7 @@ use enumflags2::BitFlags;
 use log::{debug, info, trace};
 
 use osutils::{
-    encryption as osutils_encryption, files, path,
+    container, efivar, encryption as osutils_encryption, files, path,
     pcrlock::{self, PCRLOCK_POLICY_JSON_PATH},
 };
 use sysdefs::tpm2::Pcr;
@@ -89,53 +89,43 @@ pub(super) fn validate_host_config(ctx: &EngineContext) -> Result<(), TridentErr
         }
 
         // We've already validated that only supported PCRs, i.e. 4, 7, and/or 11, are specified;
-        // but we also need to ensure that only valid PCRs are specified for each image type.
-        if !encryption.pcrs.is_empty() {
-            if ctx.is_uki()? {
-                // TODO: Currently, we cannot seal to PCR 7 for grub MOS -> UKI ROS scenario b/c
-                // not all measurements are recognized by the .pcrlock file generation logic. Once
-                // that is resolved, we include PCR 7 into the valid list. For now, only PCRs 4 and
-                // 11 are valid. Related ADO tasks:
-                // https://dev.azure.com/mariner-org/polar/_workitems/edit/14523/ and
-                // https://dev.azure.com/mariner-org/polar/_workitems/edit/14455/.
-                let invalid_pcrs: Vec<_> = encryption
-                    .pcrs
+        // but we also need to ensure that only PCR 7 is specified for grub images.
+        if !ctx.is_uki()? {
+            let invalid_pcrs: Vec<_> = encryption
+                .pcrs
+                .iter()
+                .filter(|&&pcr| pcr != Pcr::Pcr7)
+                .cloned()
+                .collect();
+
+            if !invalid_pcrs.is_empty() {
+                let pcrs_string = invalid_pcrs
                     .iter()
-                    .filter(|&&pcr| pcr != Pcr::Pcr4 && pcr != Pcr::Pcr11)
-                    .cloned()
-                    .collect();
-
-                if !invalid_pcrs.is_empty() {
-                    let pcrs_string = invalid_pcrs
-                        .iter()
-                        .map(|pcr| pcr.to_num().to_string())
-                        .collect::<Vec<_>>()
-                        .join(", ");
+                    .map(|pcr| pcr.to_num().to_string())
+                    .collect::<Vec<_>>()
+                    .join(", ");
+                return Err(TridentError::new(InvalidInputError::from(
+                    HostConfigurationDynamicValidationError::InvalidEncryptionPcrsForGrubImage {
+                        pcrs: pcrs_string,
+                    },
+                )));
+            }
+        } else {
+            // For UKI images, if PCR 7 is requested, we need to ensure that:
+            // 1. Secure Boot is enabled,
+            // 2. Trident is NOT running inside a container,
+            // due to the limitations of `systemd-pcrlock`.
+            if encryption.pcrs.contains(&Pcr::Pcr7) {
+                if !efivar::secure_boot_is_enabled() {
                     return Err(TridentError::new(InvalidInputError::from(
-                        HostConfigurationDynamicValidationError::InvalidEncryptionPcrsForUkiImage {
-                            pcrs: pcrs_string,
-                        },
+                        HostConfigurationDynamicValidationError::Pcr7EncryptionForUkiWhenSecureBootDisabled,
                     )));
                 }
-            } else {
-                let invalid_pcrs: Vec<_> = encryption
-                    .pcrs
-                    .iter()
-                    .filter(|&&pcr| pcr != Pcr::Pcr7)
-                    .cloned()
-                    .collect();
 
-                if !invalid_pcrs.is_empty() {
-                    let pcrs_string = invalid_pcrs
-                        .iter()
-                        .map(|pcr| pcr.to_num().to_string())
-                        .collect::<Vec<_>>()
-                        .join(", ");
+                if container::is_running_in_container()? {
                     return Err(TridentError::new(InvalidInputError::from(
-                    HostConfigurationDynamicValidationError::InvalidEncryptionPcrsForGrubImage {
-                        pcrs: pcrs_string,
-                    },
-                )));
+                        HostConfigurationDynamicValidationError::Pcr7EncryptionForUkiWhenRunningInContainer,
+                    )));
                 }
             }
         }
@@ -148,15 +138,15 @@ pub(super) fn validate_host_config(ctx: &EngineContext) -> Result<(), TridentErr
 /// persists the pcrlock policy to the update volume.
 ///
 /// On clean install:
-/// 1. TODO: UKI MOS + UKI ROS -> re-generate pcrlock policy to include PCRs 4,7,11 as selected by
-///    the user; not implemented for now. Related ADO task:
+/// 1. TODO: UKI MOS + UKI target OS -> re-generate pcrlock policy to include PCRs 4,7,11 as
+///    selected by the user; not implemented for now. Related ADO task:
 ///    https://dev.azure.com/mariner-org/polar/_workitems/edit/13059/.
-/// 2. Grub MOS + UKI ROS -> N/A, i.e. keep previous pcrlock policy that includes PCR 0 only,
-/// 3. Grub MOS + grub ROS -> N/A, i.e. still sealed to the value of PCR 7.
+/// 2. Grub MOS + UKI target OS -> N/A, i.e. keep previous pcrlock policy that includes PCR 0 only,
+/// 3. Grub MOS + grub target OS -> N/A, i.e. still sealed to the value of PCR 7.
 ///
 /// On A/B update:
-/// 1. UKI ROS -> re-generate pcrlock policy to include PCRs 4,7,11 as selected by the user,
-/// 2. Grub ROS -> N/A, i.e. keep previous pcrlock policy that includes PCR 7 only.
+/// 1. UKI target OS -> re-generate pcrlock policy to include PCRs 4,7,11 as selected by the user,
+/// 2. Grub target OS -> N/A, i.e. keep previous pcrlock policy that includes PCR 7 only.
 #[tracing::instrument(name = "encryption_provision", skip_all)]
 pub fn provision(ctx: &EngineContext, mount_path: &Path) -> Result<(), TridentError> {
     if let Some(encryption) = &ctx.spec.storage.encryption {
@@ -168,23 +158,10 @@ pub fn provision(ctx: &EngineContext, mount_path: &Path) -> Result<(), TridentEr
             // On A/B update, use PCRs selected by the user through the API
             ServicingType::AbUpdate => {
                 if ctx.is_uki()? {
-                    let bitflags = if !encryption.pcrs.is_empty() {
-                        encryption
-                            .pcrs
-                            .iter()
-                            .fold(BitFlags::empty(), |acc, &pcr| acc | BitFlags::from(pcr))
-                    } else {
-                        // TODO: Currently, we cannot seal to PCR 7 b/c not all measurements are
-                        // recognized by the .pcrlock file generation logic. Once that is resolved,
-                        // we want to have PCR 7 as the default. For now, we use PCRs 4 and 11. Related
-                        // ADO tasks:
-                        // https://dev.azure.com/mariner-org/polar/_workitems/edit/14523/ and
-                        // https://dev.azure.com/mariner-org/polar/_workitems/edit/14455/.
-                        //
-                        // Use default PCR if none specified.
-                        //BitFlags::from(osutils_encryption::DEFAULT_PCR)
-                        BitFlags::from(Pcr::Pcr4) | BitFlags::from(Pcr::Pcr11)
-                    };
+                    let bitflags = encryption
+                        .pcrs
+                        .iter()
+                        .fold(BitFlags::empty(), |acc, &pcr| acc | BitFlags::from(pcr));
                     Some(bitflags)
                 } else {
                     debug!(
@@ -552,27 +529,8 @@ mod tests {
         }
         validate_host_config(&ctx).unwrap();
 
-        // Test case #2: If OS image is a UKI image, then only PCRs 4 and 11 are allowed.
+        // Test case #2: If OS image is a UKI image AND PCRs only include 4 and 11, then pass.
         ctx.is_uki = Some(true);
-        {
-            let encryption = ctx.spec.storage.encryption.as_mut().unwrap();
-            encryption.pcrs = vec![Pcr::Pcr4, Pcr::Pcr7, Pcr::Pcr11];
-        }
-        let pcrs_str = [Pcr::Pcr7]
-            .iter()
-            .map(|pcr| pcr.to_num().to_string())
-            .collect::<Vec<_>>()
-            .join(", ");
-        assert_eq!(
-            validate_host_config(&ctx).unwrap_err().kind(),
-            &ErrorKind::InvalidInput(InvalidInputError::InvalidHostConfigurationDynamic {
-                inner: HostConfigurationDynamicValidationError::InvalidEncryptionPcrsForUkiImage {
-                    pcrs: pcrs_str,
-                }
-            })
-        );
-
-        // Test case #3: If OS image is a UKI image AND PCRs only include 4 and 11, then pass.
         {
             let encryption = ctx.spec.storage.encryption.as_mut().unwrap();
             encryption.pcrs = vec![Pcr::Pcr4, Pcr::Pcr11];

crates/trident/src/subsystems/storage/mod.rs

@@ -222,7 +222,7 @@ mod tests {
     use tempfile::NamedTempFile;
     use url::Url;
 
-    use osutils::encryption::{self, DEFAULT_PCR};
+    use osutils::encryption;
     use trident_api::{
         config::{
             AbUpdate, Disk as DiskConfig, Encryption, FileSystem, HostConfiguration, MountPoint,
@@ -232,6 +232,8 @@ mod tests {
         error::ErrorKind,
     };
 
+    use sysdefs::tpm2::Pcr;
+
     fn get_ctx() -> EngineContext {
         EngineContext {
             servicing_type: ServicingType::CleanInstall,
@@ -331,7 +333,7 @@ mod tests {
                         device_name: "luks-enc".to_owned(),
                         device_id: "part5".to_owned(),
                     }],
-                    pcrs: vec![DEFAULT_PCR],
+                    pcrs: vec![Pcr::Pcr7],
                     ..Default::default()
                 }),
                 ..Default::default()