pkg/securelaunch: integration tests #2824
ee543b0 to 14a6354
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## main #2824 +/- ##
==========================================
+ Coverage   75.17%   75.53%   +0.36%
==========================================
  Files         433      433
  Lines       43034    43034
==========================================
+ Hits        32350    32505     +155
+ Misses      10684    10529     -155
☔ View full report in Codecov by Sentry.
Hopefully I've written these tests correctly.
They look fine to me. This looks very interesting, I wonder if you could put a bit more context in the comment? I would personally be very interested in the context. Up to you, I'm approving it :-)
very interesting!
If you could talk to me a bit about what you're using this for, I'd be interested to hear. I have not kept up with securelaunch status.
Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
14a6354 to 4afd84e
We've been using this with the TrenchBoot project (https://trenchboot.org/). We use u-root as the initramfs for our SecureLaunch kernel (MLE in Intel parlance) to provide a security engine. Based on a policy file, we can measure various components and ultimately launch (kexec) into a specific target kernel. We can verify that the target kernel/initramfs haven't been tampered with by including hashes in the policy file. We validate the policy file with a signature and validate the public key with a hash stored in the TPM. The stored hash can only be read if the specified PCRs have the correct value (in the default case, we use 17, 18, 19, which are only available in locality 4 while running the MLE code).
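The verification order described in the comment above (pinned key hash, then policy signature, then artifact hashes), as an added example that is not code from this PR, u-root or TrenchBoot. It assumes Ed25519 signatures and a JSON policy layout, neither of which the thread specifies; `Policy`, `VerifyChain` and `sample` are hypothetical names, and the pinned hash is passed in as a parameter rather than read from the TPM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Policy is an assumed layout: artifact name -> hex SHA-256 of its contents.
type Policy struct{ Hashes map[string]string `json:"hashes"` }

// VerifyChain checks, in order: the public key against the pinned hash (the
// value the real flow reads from the TPM), the policy signature, then each artifact.
func VerifyChain(pinned [32]byte, pub ed25519.PublicKey, policy, sig []byte, files map[string][]byte) error {
	got := sha256.Sum256(pub)
	if subtle.ConstantTimeCompare(got[:], pinned[:]) != 1 {
		return errors.New("public key does not match pinned hash")
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, policy, sig) {
		return errors.New("policy signature invalid")
	}
	var p Policy // parse only after the signature has been accepted
	if err := json.Unmarshal(policy, &p); err != nil || len(p.Hashes) == 0 {
		return errors.New("policy unparsable or empty")
	}
	for name, want := range p.Hashes {
		data, ok := files[name]
		sum := sha256.Sum256(data)
		if !ok || hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: missing or hash mismatch", name)
		}
	}
	return nil
}

// sample builds constructed demo inputs; the all-zero seed is for illustration only.
func sample() (pinned [32]byte, pub ed25519.PublicKey, policy, sig []byte, files map[string][]byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub = priv.Public().(ed25519.PublicKey)
	files = map[string][]byte{"kernel": []byte("constructed kernel bytes")}
	sum := sha256.Sum256(files["kernel"])
	policy, _ = json.Marshal(Policy{map[string]string{"kernel": hex.EncodeToString(sum[:])}})
	return sha256.Sum256(pub), pub, policy, ed25519.Sign(priv, policy), files
}

func main() { fmt.Println(VerifyChain(sample())) }
```

Each stage only trusts input that the previous stage has authenticated, so a swapped key, an edited policy or a modified kernel each fail at a distinct step.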