pkg/securelaunch: integration tests

[pjcolp]

No description provided.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (cd5aa2c) 75.17% compared to head (3e7c142) 75.53%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2824      +/-   ##
==========================================
+ Coverage   75.17%   75.53%   +0.36%     
==========================================
  Files         433      433              
  Lines       43034    43034              
==========================================
+ Hits        32350    32505     +155     
+ Misses      10684    10529     -155     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pjcolp]

Hopefully I've written these tests correctly.

[rminnich]

They look fine to me. This looks very interesting, I wonder if you could put a bit more context in the comment? I would personally be very interested in the context. Up to you, I'm approving it :-)

[rminnich]

very interesting!

If you could talk to me a bit about what you're using this for, I'd be interested to hear. I have not kept up with securelaunch status.

[pjcolp]

We've been using this with the TrenchBoot project (https://trenchboot.org/). We use u-root as the initramfs for our SecureLaunch kernel (MLE in Intel parlance) to provide a security engine. Based on a policy file, we can measure various components and ultimately launch (kexec) into a specific target kernel. We can verify that the target kernel/initramfs haven't been tampered with by including hashes in the policy file. We validate the policy file with a signature and validate the public key with a hash stored in the TPM. The stored hash can only be read if the specified PCRs have the correct value (in the default case, we use 17,18,19, which are only available in locality 4 while running the MLE code)