Esp alternate locations

.github/workflows/tests.yml

@@ -32,6 +32,7 @@ jobs:
         target-image-url:
           - "https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/42.20250929.3.0/x86_64/fedora-coreos-42.20250929.3.0-ostree.x86_64.ociarchive"
           - "https://mirror.openshift.com/pub/openshift-v4/dependencies/rhcos/4.19/4.19.0/rhcos-4.19.0-x86_64-ostree.x86_64.ociarchive"
+          - "quay.io/trusted-execution-clusters/fedora-coreos@sha256:0eafb8b60f0329a743d42e7d4d286eb4b36fd096489fdda74d011d861e6692e6"
         test-finder:
           - grep -E "^ *test-.*$" | grep -v uki
         host-platform:

justfile

@@ -5,7 +5,7 @@
 
 image := "https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/42.20250929.3.0/x86_64/fedora-coreos-42.20250929.3.0-ostree.x86_64.ociarchive"
 target_container_ociarchive_path := absolute_path(join("/tmp", file_name(image)))
-target_container_name := without_extension(file_name(image))
+target_container_name := replace_regex(without_extension(file_name(image)), "@sha256:", "-")
 target_container_osinfo_path := "/tmp/compute-pcrs-osinfo"
 target_container_mount_point := "/var/srv/image"
 host_platform := "qemu-ovmf/fedora-42"
@@ -14,12 +14,17 @@ skip_build := "false"
 
 pull-target-container-image:
     #!/bin/bash
+    # set -x
     set -euo pipefail
     if ! podman image exists {{target_container_name}}; then
-        curl --skip-existing -o {{target_container_ociarchive_path}} {{image}}
-        image_id=$(podman load -i {{target_container_ociarchive_path}} 2>/dev/null | awk -F ':' '{print $NF}')
-        rm {{target_container_ociarchive_path}}
-        podman tag $image_id {{target_container_name}}
+        if podman pull {{image}}; then
+            podman tag {{image}} {{target_container_name}}
+        else
+            curl --skip-existing -o {{target_container_ociarchive_path}} {{image}}
+            image_id=$(podman load -i {{target_container_ociarchive_path}} 2>/dev/null | awk -F ':' '{print $NF}')
+            rm {{target_container_ociarchive_path}}
+            podman tag $image_id {{target_container_name}}
+        fi
     fi
 
 extract-info-target-container-image: pull-target-container-image

lib/src/esp.rs

@@ -4,6 +4,7 @@
 // SPDX-License-Identifier: MIT
 
 use crate::pefile;
+use glob::glob;
 use std::fs;
 use std::io;
 use std::path::{Path, PathBuf};
@@ -14,35 +15,32 @@ pub struct Esp {
     grub: PathBuf,
 }
 
-const ESP_VENDOR_NAMES: [&str; 2] = ["redhat", "fedora"];
+fn find_efi_bin(search_path: &Path, bin_name: &str) -> io::Result<PathBuf> {
+    let glob_path = search_path.join(Path::new("**/EFI/*/").join(bin_name));
+    let glob_pattern = glob_path.to_str().ok_or_else(|| {
+        io::Error::new(
+            io::ErrorKind::InvalidInput,
+            "Invalid efi bin search pattern",
+        )
+    })?;
 
-fn esp_vendor_path(esp_root_path: &Path) -> io::Result<PathBuf> {
-    for vendor in ESP_VENDOR_NAMES {
-        let vendor_path = esp_root_path.join(format!("EFI/{vendor}"));
-        match fs::metadata(&vendor_path) {
-            Err(_) => {}
-            Ok(metadata) => {
-                if metadata.is_dir() {
-                    return Ok(vendor_path);
-                }
-            }
+    let search_results = match glob(glob_pattern) {
+        Ok(results) => results,
+        Err(_) => {
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidInput,
+                "Invalid efi bin search pattern",
+            ));
         }
+    };
+    if let Some(path) = search_results.filter_map(Result::ok).next() {
+        // Assume there's just one of them; return the first one
+        return Ok(path);
     }
-    Err(io::Error::new(
-        io::ErrorKind::NotFound,
-        String::from("Unknown ESP tree format"),
-    ))
-}
 
-fn bin_path_from_esp_vendor(esp_vendor_path: &Path, bin_name: &str) -> io::Result<PathBuf> {
-    let bin_path = esp_vendor_path.join(bin_name);
-    let metadata = fs::metadata(&bin_path)?;
-    if metadata.is_file() {
-        return Ok(bin_path);
-    }
     Err(io::Error::new(
-        io::ErrorKind::IsADirectory,
-        bin_path.to_string_lossy(),
+        io::ErrorKind::NotFound,
+        format!("{bin_name} not found"),
     ))
 }
 
@@ -53,11 +51,9 @@ impl Esp {
             return Err(io::Error::new(io::ErrorKind::NotADirectory, path));
         }
 
-        let esp_vendor_path = esp_vendor_path(&path_pb)?;
-
         Ok(Esp {
-            grub: bin_path_from_esp_vendor(&esp_vendor_path, "grubx64.efi")?,
-            shim: bin_path_from_esp_vendor(&esp_vendor_path, "shimx64.efi")?,
+            grub: find_efi_bin(&path_pb, "grubx64.efi")?,
+            shim: find_efi_bin(&path_pb, "shimx64.efi")?,
         })
     }
 

lib/src/rootfs.rs

@@ -3,22 +3,34 @@
 //
 // SPDX-License-Identifier: MIT
 
+use std::fs;
 use std::io;
 use std::path;
 
 const RELATIVE_KERNELS_PATH: &str = "usr/lib/modules/";
-const RELATIVE_ESP_PATH: &str = "usr/lib/bootupd/updates/";
+const RELATIVE_ESP_OLD: &str = "usr/lib/bootupd/updates/";
+// From fcos-44 on shim/grub are stored in different directories
+// see https://fedoraproject.org/wiki/Changes/BootLoaderUpdatesPhase1
+const RELATIVE_ESP_NEW: &str = "usr/lib/efi";
 
 pub struct RootFSTree {
     esp_path: String,
     kernels_path: String,
 }
 
+fn esp_path_absolute(rootfs_path: &path::Path) -> io::Result<path::PathBuf> {
+    let temptative = rootfs_path.join(RELATIVE_ESP_NEW);
+    match fs::exists(&temptative)? {
+        true => Ok(temptative),
+        false => Ok(rootfs_path.join(RELATIVE_ESP_OLD)),
+    }
+}
+
 impl RootFSTree {
     pub fn new(rootfs_path: &str) -> io::Result<RootFSTree> {
         let rootfs_path = path::absolute(rootfs_path)?;
         let kernels_path = rootfs_path.join(RELATIVE_KERNELS_PATH);
-        let esp_path = rootfs_path.join(RELATIVE_ESP_PATH);
+        let esp_path = esp_path_absolute(&rootfs_path)?;
         Ok(RootFSTree {
             esp_path: esp_path.to_str().unwrap().into(),
             kernels_path: kernels_path.to_str().unwrap().into(),

test-fixtures/qemu-ovmf/fedora-42/fedora-44.20260111.91.1/all-pcrs.json

@@ -0,0 +1,124 @@
+{
+  "pcrs": [
+    {
+      "id": 4,
+      "value": "55cafe514d82bb527d34b678c4d2954d1aab07b6483367b67cc90f121d6f67d4",
+      "events": [
+        {
+          "name": "EV_EFI_ACTION",
+          "pcr": 4,
+          "hash": "3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba",
+          "id": "Pcr4EfiCall"
+        },
+        {
+          "name": "EV_SEPARATOR",
+          "pcr": 4,
+          "hash": "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119",
+          "id": "Pcr4Separator"
+        },
+        {
+          "name": "EV_EFI_BOOT_SERVICES_APPLICATION",
+          "pcr": 4,
+          "hash": "9d5c8223265f3119cbc44155abbb58717e998338f41a4edeacb4b0b94357821f",
+          "id": "Pcr4Shim"
+        },
+        {
+          "name": "EV_EFI_BOOT_SERVICES_APPLICATION",
+          "pcr": 4,
+          "hash": "72c5ea9371a1262e5275d2ed7e97fb6ae420f7e8e5eb5f18a1232c088cd74680",
+          "id": "Pcr4Grub"
+        },
+        {
+          "name": "EV_EFI_BOOT_SERVICES_APPLICATION",
+          "pcr": 4,
+          "hash": "c5da3452bfe17cce87e00390f70afb55303f4f4411af853cf5289b95fce81c14",
+          "id": "Pcr4Vmlinuz"
+        }
+      ]
+    },
+    {
+      "id": 7,
+      "value": "8e8d561f8e596446b86c0cdbf22d9ff54a0b2913dd44054e23c493c93aa79ce7",
+      "events": [
+        {
+          "name": "EV_EFI_VARIABLE_DRIVER_CONFIG",
+          "pcr": 7,
+          "hash": "ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e",
+          "id": "Pcr7SecureBoot"
+        },
+        {
+          "name": "EV_EFI_VARIABLE_DRIVER_CONFIG",
+          "pcr": 7,
+          "hash": "adb6fc232943e39c374bf4782b6c697f43c39fca1f4b51dfceda21164e19a893",
+          "id": "Pcr7Pk"
+        },
+        {
+          "name": "EV_EFI_VARIABLE_DRIVER_CONFIG",
+          "pcr": 7,
+          "hash": "b5432fe20c624811cb0296391bfdf948ebd02f0705ab8229bea09774023f0ebf",
+          "id": "Pcr7Kek"
+        },
+        {
+          "name": "EV_EFI_VARIABLE_DRIVER_CONFIG",
+          "pcr": 7,
+          "hash": "4313e43de720194a0eabf4d6415d42b5a03a34fdc47bb1fc924cc4e665e6893d",
+          "id": "Pcr7Db"
+        },
+        {
+          "name": "EV_EFI_VARIABLE_DRIVER_CONFIG",
+          "pcr": 7,
+          "hash": "001004ba58a184f09be6c1f4ec75a246cc2eefa9637b48ee428b6aa9bce48c55",
+          "id": "Pcr7Dbx"
+        },
+        {
+          "name": "EV_SEPARATOR",
+          "pcr": 7,
+          "hash": "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119",
+          "id": "Pcr7Separator"
+        },
+        {
+          "name": "EV_EFI_VARIABLE_AUTHORITY",
+          "pcr": 7,
+          "hash": "4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9",
+          "id": "Pcr7ShimCert"
+        },
+        {
+          "name": "EV_EFI_VARIABLE_AUTHORITY",
+          "pcr": 7,
+          "hash": "bcf4d1ff6bf02f949e5afd49dc45fe3e16f39b302764bf2ee98257e8297a1f7d",
+          "id": "Pcr7SbatLevel"
+        },
+        {
+          "name": "EV_EFI_VARIABLE_AUTHORITY",
+          "pcr": 7,
+          "hash": "ad5901fd581e6640c742c488083b9ac2c48255bd28a16c106c6f9df52702ee3f",
+          "id": "Pcr7GrubMokListCert"
+        }
+      ]
+    },
+    {
+      "id": 14,
+      "value": "17cdefd9548f4383b67a37a901673bf3c8ded6f619d36c8007562de1d93c81cc",
+      "events": [
+        {
+          "name": "EV_IPL",
+          "pcr": 14,
+          "hash": "e8e48e3ad10bc243341b4663c0057aef0ec7894ccc9ecb0598f0830fa57f7220",
+          "id": "Pcr14MokList"
+        },
+        {
+          "name": "EV_IPL",
+          "pcr": 14,
+          "hash": "8d8a3aae50d5d25838c95c034aadce7b548c9a952eb7925e366eda537c59c3b0",
+          "id": "Pcr14MokListX"
+        },
+        {
+          "name": "EV_IPL",
+          "pcr": 14,
+          "hash": "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a",
+          "id": "Pcr14MokListTrusted"
+        }
+      ]
+    }
+  ]
+}

test-fixtures/qemu-ovmf/fedora-42/fedora-44.20260111.91.1/pcr14.json

@@ -0,0 +1,24 @@
+{
+  "id": 14,
+  "value": "17cdefd9548f4383b67a37a901673bf3c8ded6f619d36c8007562de1d93c81cc",
+  "events": [
+    {
+      "name": "EV_IPL",
+      "pcr": 14,
+      "hash": "e8e48e3ad10bc243341b4663c0057aef0ec7894ccc9ecb0598f0830fa57f7220",
+      "id": "Pcr14MokList"
+    },
+    {
+      "name": "EV_IPL",
+      "pcr": 14,
+      "hash": "8d8a3aae50d5d25838c95c034aadce7b548c9a952eb7925e366eda537c59c3b0",
+      "id": "Pcr14MokListX"
+    },
+    {
+      "name": "EV_IPL",
+      "pcr": 14,
+      "hash": "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a",
+      "id": "Pcr14MokListTrusted"
+    }
+  ]
+}

test-fixtures/qemu-ovmf/fedora-42/fedora-44.20260111.91.1/pcr4.json

@@ -0,0 +1,36 @@
+{
+  "id": 4,
+  "value": "55cafe514d82bb527d34b678c4d2954d1aab07b6483367b67cc90f121d6f67d4",
+  "events": [
+    {
+      "name": "EV_EFI_ACTION",
+      "pcr": 4,
+      "hash": "3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba",
+      "id": "Pcr4EfiCall"
+    },
+    {
+      "name": "EV_SEPARATOR",
+      "pcr": 4,
+      "hash": "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119",
+      "id": "Pcr4Separator"
+    },
+    {
+      "name": "EV_EFI_BOOT_SERVICES_APPLICATION",
+      "pcr": 4,
+      "hash": "9d5c8223265f3119cbc44155abbb58717e998338f41a4edeacb4b0b94357821f",
+      "id": "Pcr4Shim"
+    },
+    {
+      "name": "EV_EFI_BOOT_SERVICES_APPLICATION",
+      "pcr": 4,
+      "hash": "72c5ea9371a1262e5275d2ed7e97fb6ae420f7e8e5eb5f18a1232c088cd74680",
+      "id": "Pcr4Grub"
+    },
+    {
+      "name": "EV_EFI_BOOT_SERVICES_APPLICATION",
+      "pcr": 4,
+      "hash": "c5da3452bfe17cce87e00390f70afb55303f4f4411af853cf5289b95fce81c14",
+      "id": "Pcr4Vmlinuz"
+    }
+  ]
+}

test-fixtures/qemu-ovmf/fedora-42/fedora-44.20260111.91.1/pcr7-sb-disabled.json

@@ -0,0 +1,48 @@
+{
+  "id": 7,
+  "value": "b926225ac488e9c50ef2fa815aa7104b385a06907093bfb1dc62eeb7abecddf1",
+  "events": [
+    {
+      "name": "EV_EFI_VARIABLE_DRIVER_CONFIG",
+      "pcr": 7,
+      "hash": "115aa827dbccfb44d216ad9ecfda56bdea620b860a94bed5b7a27bba1c4d02d8",
+      "id": "Pcr7SecureBoot"
+    },
+    {
+      "name": "EV_EFI_VARIABLE_DRIVER_CONFIG",
+      "pcr": 7,
+      "hash": "dea7b80ab53a3daaa24d5cc46c64e1fa9ffd03739f90aadbd8c0867c4a5b4890",
+      "id": "Pcr7Pk"
+    },
+    {
+      "name": "EV_EFI_VARIABLE_DRIVER_CONFIG",
+      "pcr": 7,
+      "hash": "e670e121fcebd473b8bc41bb801301fc1d9afa33904f06f7149b74f12c47a68f",
+      "id": "Pcr7Kek"
+    },
+    {
+      "name": "EV_EFI_VARIABLE_DRIVER_CONFIG",
+      "pcr": 7,
+      "hash": "baf89a3ccace52750c5f0128351e0422a41597a1adfd50822aa363b9d124ea7c",
+      "id": "Pcr7Db"
+    },
+    {
+      "name": "EV_EFI_VARIABLE_DRIVER_CONFIG",
+      "pcr": 7,
+      "hash": "9f75b6823bff6af1024a4e2036719cdd548d3cbc2bf1de8e7ef4d0ed01f94bf9",
+      "id": "Pcr7Dbx"
+    },
+    {
+      "name": "EV_SEPARATOR",
+      "pcr": 7,
+      "hash": "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119",
+      "id": "Pcr7Separator"
+    },
+    {
+      "name": "EV_EFI_VARIABLE_AUTHORITY",
+      "pcr": 7,
+      "hash": "922e939a5565798a5ef12fe09d8b49bf951a8e7f89a0cca7a51636693d41a34d",
+      "id": "Pcr7SbatLevel"
+    }
+  ]
+}