Update qe tests #30
Closed
mlabonte-rh wants to merge 2 commits into
Collaborator: @mlabonte-rh - at some stage a mess has been created. Do you mind resolving the conflicts first?
butler54 added a commit to butler54/coco-pattern that referenced this pull request on May 28, 2026:
…cycle

Replace direct Vault push script with full lifecycle automation following the established Pattern A (local file → values-secret.yaml → Vault):

- Rewrite collect-firmware-refvals.sh to manage complete pod lifecycle: launch kata pod, install veritas, collect measurements, save locally, cleanup pod via trap handlers
- Change output format from multi-key Vault secret to single JSON blob saved to ~/.coco-pattern/firmware-reference-values.json
- Add --merge option to support multi-OCP-version reference values
- Add --namespace, --output, --runtime-class, --pod-image options
- Update values-secret.yaml.template to reference local JSON file
- Update Makefile targets: collect-firmware-refvals and collect-firmware-refvals-merge
- Update gen-secrets.sh bare metal messaging
- Rewrite docs/firmware-reference-values.md for automated workflow

This aligns firmware reference value management with pcrStash and KBS keys patterns, eliminating manual Vault interaction.

Requires trustee-chart PR validatedpatterns#30 (single JSON blob consumption).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
butler54 added a commit to butler54/coco-pattern that referenced this pull request on May 28, 2026:
Update chartVersion from 0.5.* to 0.6.* to align with trustee-chart PR validatedpatterns#30 which introduces BREAKING CHANGE: firmware reference values consumed as single JSON blob instead of multi-key secret.

Both profiles already have kbs.baremetal.enabled: "true" set, enabling firmware reference value enforcement when values are present in Vault.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
butler54 added a commit that referenced this pull request on May 28, 2026:
…on (#89)

* feat: add firmware reference values workflow for bare metal attestation

Add comprehensive tooling and documentation for collecting and managing firmware reference values (TDX/SNP measurements) used in bare metal attestation policies.

**New documentation:**
- docs/firmware-reference-values.md: Complete workflow guide covering:
  - Architecture of TDX (mr_td, rtmr_1/2, xfam) and SNP measurements
  - SHA-256 vs SHA-384 algorithm clarification (different layers, both correct)
  - Step-by-step collection using veritas tool
  - Multi-OCP-version support via merged arrays
  - Known veritas gaps (TCB versions, SNP policy bits, image measurements)
  - Security considerations and policy trade-offs

**New script:**
- scripts/collect-firmware-refvals.sh: Automated wrapper that:
  - Extracts measurements from veritas JSON output
  - Transforms to KBS/RVPS expected format (arrays of hex strings)
  - Merges with existing Vault values to support multi-version
  - Pushes to secret/data/hub/firmwareReferenceValues

**Integration:**
- Makefile: Add `make push-firmware-refvals REFVALS_FILE=<path>` target
- values-secret.yaml.template: Document firmwareReferenceValues structure

This is PR 2A of Wave 2 (firmware hardening). The actual attestation policy enforcement and ESO integration come in subsequent PRs.

Part of the bare metal attestation hardening roadmap.

* docs: fix markdown linter warnings in firmware-reference-values.md

Add blank lines before lists and code blocks to comply with markdownlint rules MD031 (blanks-around-fences) and MD032 (blanks-around-lists).

* docs: fix all markdown linter warnings in firmware-reference-values.md

Add blank lines before all lists and code blocks to comply with markdownlint rules MD031 (blanks-around-fences) and MD032 (blanks-around-lists). Fixed warnings at lines: 138, 178, 187, 195, 221, 230, 238, 248

* docs: fix remaining markdown linter warnings (lines 265, 300)

Add blank lines before code block (line 265) and list (line 300).

* feat: automate firmware reference value collection with full pod lifecycle

Replace direct Vault push script with full lifecycle automation following the established Pattern A (local file → values-secret.yaml → Vault):

- Rewrite collect-firmware-refvals.sh to manage complete pod lifecycle: launch kata pod, install veritas, collect measurements, save locally, cleanup pod via trap handlers
- Change output format from multi-key Vault secret to single JSON blob saved to ~/.coco-pattern/firmware-reference-values.json
- Add --merge option to support multi-OCP-version reference values
- Add --namespace, --output, --runtime-class, --pod-image options
- Update values-secret.yaml.template to reference local JSON file
- Update Makefile targets: collect-firmware-refvals and collect-firmware-refvals-merge
- Update gen-secrets.sh bare metal messaging
- Rewrite docs/firmware-reference-values.md for automated workflow

This aligns firmware reference value management with pcrStash and KBS keys patterns, eliminating manual Vault interaction.

Requires trustee-chart PR #30 (single JSON blob consumption).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
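The two commits above describe the same transform twice: measurements extracted from veritas are rewritten into the KBS/RVPS layout of arrays of hex strings, and a `--merge` option unions a new collection with an existing blob so reference values for several OCP versions coexist. The following is an added example of that transform-and-merge step, written here for this page; it is not the project's collect-firmware-refvals.sh. The flat `{name: hex string}` input shape is an assumption standing in for veritas output (its real schema is not shown on this page), the per-register length checks use the TDX facts that MRTD and RTMRs are SHA-384 digests (48 bytes) and XFAM is a 64-bit mask, and all sample digests are constructed.

```python
"""Transform collected measurements into the single-JSON-blob reference-value
layout (arrays of hex strings per register) and merge with an existing blob.

Added example, not the coco-pattern project's script. Assumed: the input dict
{name: hex string} models veritas output; sample digests below are constructed.
"""
import json
import re

HEX_RE = re.compile(r"^[0-9a-f]*$")

# TDX MRTD and RTMRs are SHA-384 (48 bytes = 96 hex chars); XFAM is a 64-bit
# mask (16 hex chars). Keys not listed here are accepted at any even length.
EXPECTED_HEX_LEN = {"mr_td": 96, "rtmr_1": 96, "rtmr_2": 96, "xfam": 16}


def normalize_hex(name, value):
    """Lowercase, drop a 0x prefix, reject malformed hex or a wrong register length.

    Bad input must fail loudly: a malformed value silently stored in Vault
    would later make every attestation against that firmware fail, or be
    ignored by a lenient policy, and nobody would see why.
    """
    v = str(value).strip().lower()
    if v.startswith("0x"):
        v = v[2:]
    if not v or not HEX_RE.match(v) or len(v) % 2:
        raise ValueError(f"{name}: not a hex byte string: {value!r}")
    want = EXPECTED_HEX_LEN.get(name)
    if want is not None and len(v) != want:
        raise ValueError(f"{name}: expected {want} hex chars, got {len(v)}")
    return v


def is_valid(name, value):
    """Boolean wrapper around normalize_hex for callers that prefer a check."""
    try:
        normalize_hex(name, value)
        return True
    except ValueError:
        return False


def to_refvals(measurements):
    """{name: hex} -> {name: [hex]}: one freshly collected value per register."""
    return {name: [normalize_hex(name, val)] for name, val in measurements.items()}


def merge_refvals(existing, new):
    """Union per key, keeping existing order and de-duplicating, so a second
    OCP version adds its digests without dropping the first version's."""
    merged = {k: [normalize_hex(k, v) for v in vals] for k, vals in existing.items()}
    for name, vals in new.items():
        bucket = merged.setdefault(name, [])
        for v in vals:
            v = normalize_hex(name, v)
            if v not in bucket:
                bucket.append(v)
    return merged


def dump_blob(refvals):
    """Serialize with sorted keys so repeated collections diff cleanly."""
    return json.dumps(refvals, indent=2, sort_keys=True) + "\n"


# Constructed sample: two firmware builds; the second run is merged into the first.
SAMPLE_V1 = {"mr_td": "0x" + "11" * 48, "rtmr_1": "22" * 48,
             "rtmr_2": "33" * 48, "xfam": "e702060000000000"}
SAMPLE_V2 = {"mr_td": "AA" * 48, "rtmr_1": "22" * 48,
             "rtmr_2": "BB" * 48, "xfam": "e702060000000000"}

if __name__ == "__main__":
    blob = to_refvals(SAMPLE_V1)
    blob = merge_refvals(blob, to_refvals(SAMPLE_V2))
    print(dump_blob(blob))
```

The merge is idempotent, so re-running collection on an already-recorded firmware build leaves the blob unchanged; only a genuinely new digest widens the set of accepted values, which is the property a reviewer should check before a reference-value update reaches Vault.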
butler54 added a commit that referenced this pull request on May 28, 2026:
* feat: enable firmware reference values in bare metal profiles

Wire firmware reference value enforcement into bare metal profiles by enabling kbs.baremetal.enabled and updating to trustee-chart v0.5.*.

**Changes:**
- values-baremetal.yaml:
  - Add kbs.baremetal.enabled: "true" override
  - Update trustee chartVersion: 0.4.* → 0.5.*
- values-baremetal-gpu.yaml:
  - Add kbs.baremetal.enabled: "true" override
  - Update trustee chartVersion: 0.4.* → 0.5.*

**Effect:**
When deploying bare metal profiles, trustee-chart will now:
1. Create firmware-refvals-eso ExternalSecret (PR 2B)
2. Sync firmware reference values from Vault to cluster
3. Add firmware values to RVPS ConfigMap (PR 2B)
4. Enforce firmware measurements in attestation policy (PR 2C)

**Prerequisites:**
- Firmware values must be collected via veritas (PR 2A workflow)
- Values must be pushed to Vault: `make push-firmware-refvals REFVALS_FILE=./refvals.json`
- trustee-chart v0.5.0 must be released (includes PRs 2B, 2C)

**Backwards compatibility:**
If firmware values not pushed to Vault, attestation policy falls back to init_data-only verification (no breaking change).

Part of Wave 2 (firmware hardening). Final PR to wire all pieces together.

* feat: update bare metal profiles to trustee-chart v0.6.*

Update chartVersion from 0.5.* to 0.6.* to align with trustee-chart PR #30 which introduces BREAKING CHANGE: firmware reference values consumed as single JSON blob instead of multi-key secret.

Both profiles already have kbs.baremetal.enabled: "true" set, enabling firmware reference value enforcement when values are present in Vault.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Updated existing 'hub' site checks
Removed edge site tests
Added support files