Merge pull request #2899 from OSInside/s390_attestation_request_data

schaefi · web-flow · commit b51594c1fa15 · 2025-11-16T20:01:06.000+01:00
Add support for s390 UV-attestation
diff --git a/.github/workflows/ci-code-style.yml b/.github/workflows/ci-code-style.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
 
     steps:
       - uses: actions/checkout@v3
diff --git a/.github/workflows/ci-units-types.yml b/.github/workflows/ci-units-types.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
 
     steps:
       - uses: actions/checkout@v3
diff --git a/kiwi/bootloader/config/zipl.py b/kiwi/bootloader/config/zipl.py
@@ -18,6 +18,7 @@
 import os
 import copy
 import logging
+import shutil
 from string import Template
 from typing import Dict
 
@@ -123,7 +124,8 @@ def setup_loader(self, target: str) -> None:
                     )
                     Command.run(genprotimg_host_key_check)
                     os.unlink(f'{root_dir}/{cc_boot_image}')
-                # final call
+
+                # generate secure execution image
                 genprotimg = genprotimg_init
                 genprotimg.append('--no-verify')
                 for host_key_certificate in host_key_certificates:
@@ -135,6 +137,73 @@ def setup_loader(self, target: str) -> None:
                         genprotimg.append(host_crl)
                 Command.run(genprotimg)
 
+                # extract secure execution header
+                secure_execution_header = 'secure_execution_header.bin'
+                Command.run(
+                    [
+                        'chroot', root_dir, 'pvextract-hdr',
+                        '-o', secure_execution_header,
+                        cc_boot_image
+                    ]
+                )
+                shutil.move(
+                    os.sep.join([root_dir, secure_execution_header]),
+                    os.sep.join(
+                        [
+                            self.custom_args['target_dir'],
+                            '{0}.{1}-{2}.{3}'.format(
+                                self.xml_state.xml_data.get_name(),
+                                self.arch,
+                                self.xml_state.get_image_version(),
+                                secure_execution_header
+                            )
+                        ]
+                    )
+                )
+
+                # generate attestation request binary and response key
+                attestation_request = 'attestation_request.bin'
+                attestation_response_key = 'attestation_response.key'
+                pvattest = [
+                    'chroot', root_dir, 'pvattest', 'create',
+                    '--no-verify', '--verbose',
+                    '-o', attestation_request,
+                    '--arpk', attestation_response_key
+                ]
+                for host_key_certificate in host_key_certificates:
+                    for host_key in host_key_certificate.get('hkd_cert'):
+                        pvattest.append('-k')
+                        pvattest.append(host_key)
+                Command.run(pvattest)
+                shutil.move(
+                    os.sep.join([root_dir, attestation_request]),
+                    os.sep.join(
+                        [
+                            self.custom_args['target_dir'],
+                            '{0}.{1}-{2}.{3}'.format(
+                                self.xml_state.xml_data.get_name(),
+                                self.arch,
+                                self.xml_state.get_image_version(),
+                                attestation_request
+                            )
+                        ]
+                    )
+                )
+                shutil.move(
+                    os.sep.join([root_dir, attestation_response_key]),
+                    os.sep.join(
+                        [
+                            self.custom_args['target_dir'],
+                            '{0}.{1}-{2}.{3}'.format(
+                                self.xml_state.xml_data.get_name(),
+                                self.arch,
+                                self.xml_state.get_image_version(),
+                                attestation_response_key
+                            )
+                        ]
+                    )
+                )
+
             self.custom_args['secure_linux'] = True
             self.custom_args['secure_image_file'] = cc_boot_image
             os.unlink(f'{root_dir}/{self.custom_args["kernel"]}')
diff --git a/kiwi/builder/disk.py b/kiwi/builder/disk.py
@@ -166,6 +166,7 @@ def __init__(
         self.luks = xml_state.get_luks_credentials()
         self.use_disk_password = \
             xml_state.get_build_type_bootloader_use_disk_password()
+        self.host_key_certificates = xml_state.get_host_key_certificates()
         self.integrity = xml_state.build_type.get_standalone_integrity()
         self.integrity_legacy_hmac = \
             xml_state.build_type.get_integrity_legacy_hmac()
@@ -419,7 +420,64 @@ def create_disk(self) -> Result:
             compress=compression,
             shasum=True
         )
-
+        if self.host_key_certificates and 's390' in self.arch:
+            self.result.add(
+                key='secure_execution_header',
+                filename=os.path.normpath(
+                    os.sep.join(
+                        [
+                            self.target_dir,
+                            '{0}.{1}-{2}.{3}'.format(
+                                self.xml_state.xml_data.get_name(),
+                                self.arch,
+                                self.xml_state.get_image_version(),
+                                'secure_execution_header.bin'
+                            )
+                        ]
+                    )
+                ),
+                use_for_bundle=True,
+                compress=False,
+                shasum=False
+            )
+            self.result.add(
+                key='attestation_response_key',
+                filename=os.path.normpath(
+                    os.sep.join(
+                        [
+                            self.target_dir,
+                            '{0}.{1}-{2}.{3}'.format(
+                                self.xml_state.xml_data.get_name(),
+                                self.arch,
+                                self.xml_state.get_image_version(),
+                                'attestation_response.key'
+                            )
+                        ]
+                    )
+                ),
+                use_for_bundle=True,
+                compress=False,
+                shasum=False
+            )
+            self.result.add(
+                key='attestation_request',
+                filename=os.path.normpath(
+                    os.sep.join(
+                        [
+                            self.target_dir,
+                            '{0}.{1}-{2}.{3}'.format(
+                                self.xml_state.xml_data.get_name(),
+                                self.arch,
+                                self.xml_state.get_image_version(),
+                                'attestation_request.bin'
+                            )
+                        ]
+                    )
+                ),
+                use_for_bundle=True,
+                compress=False,
+                shasum=False
+            )
         # create image root metadata
         self.result.add(
             key='image_packages',
@@ -557,7 +615,9 @@ def _bootloader_instance(self, disk: Disk) -> BootLoaderConfigBase:
             'boot_is_crypto':
                 self.boot_is_crypto,
             'config_options':
-                self.xml_state.get_bootloader_config_options()
+                self.xml_state.get_bootloader_config_options(),
+            'target_dir':
+                self.target_dir
         }
         if self.bootloader.startswith('grub'):
             custom_args.update(
diff --git a/test/unit/bootloader/config/zipl_test.py b/test/unit/bootloader/config/zipl_test.py
@@ -39,6 +39,7 @@ def setup(self, mock_FirmWare):
         self.bootloader.custom_args['initrd'] = None
         self.bootloader.custom_args['boot_options'] = {}
         self.bootloader.custom_args['targetbase'] = '/dev/disk'
+        self.bootloader.custom_args['target_dir'] = 'target_dir'
         self.bootloader.sys_mount = Mock(
             mountpoint='sys_mount'
         )
@@ -63,6 +64,7 @@ def test_setup_loader_raises_invalid_target(self, mock_os_unlink):
         with raises(KiwiBootLoaderTargetError):
             self.bootloader.setup_loader('iso')
 
+    @patch('shutil.move')
     @patch('os.unlink')
     @patch('os.path.exists')
     @patch('kiwi.bootloader.config.zipl.BootImageBase.get_boot_names')
@@ -79,7 +81,7 @@ def test_setup_loader(
         mock_write_config_file, mock_Temporary_new_file,
         mock_BootLoaderTemplateZipl, mock_Command_run,
         mock_Path_create, mock_Path_wipe, mock_BootImageBase_get_boot_names,
-        mock_os_path_exists, mock_os_unlink
+        mock_os_path_exists, mock_os_unlink, mock_shutil_move
     ):
         temporary = Mock()
         temporary.name = 'system_root_mount/kiwi_zipl.conf_'
@@ -146,6 +148,22 @@ def test_setup_loader(
                     '--crl', '/path/to/revocation-list.crl',
                 ]
             ),
+            call(
+                [
+                    'chroot', 'system_root_mount', 'pvextract-hdr',
+                    '-o', 'secure_execution_header.bin',
+                    'bootpath/kernel-filename.cc'
+                ]
+            ),
+            call(
+                [
+                    'chroot', 'system_root_mount', 'pvattest', 'create',
+                    '--no-verify', '--verbose',
+                    '-o', 'attestation_request.bin',
+                    '--arpk', 'attestation_response.key',
+                    '-k', '/path/to/host.crt'
+                ]
+            ),
             call(
                 [
                     'chroot', 'system_root_mount', 'zipl',
@@ -156,6 +174,23 @@ def test_setup_loader(
                 ]
             )
         ]
+        assert mock_shutil_move.call_args_list == [
+            call(
+                'system_root_mount/secure_execution_header.bin',
+                'target_dir/image-name.x86_64-image-version.'
+                'secure_execution_header.bin'
+            ),
+            call(
+                'system_root_mount/attestation_request.bin',
+                'target_dir/image-name.x86_64-image-version.'
+                'attestation_request.bin'
+            ),
+            call(
+                'system_root_mount/attestation_response.key',
+                'target_dir/image-name.x86_64-image-version.'
+                'attestation_response.key'
+            )
+        ]
         assert mock_os_unlink.call_args_list == [
             call('system_root_mount/bootpath/kernel-filename.cc'),
             call('system_root_mount/bootpath/kernel-filename'),
diff --git a/test/unit/builder/disk_test.py b/test/unit/builder/disk_test.py
@@ -1205,6 +1205,7 @@ def test_create_disk_standard_root_s390_boot(
         mock_Disk.return_value.__enter__.return_value = \
             self._get_disk_instance()
         self.disk_builder.arch = 's390x'
+        self.disk_builder.host_key_certificates = Mock()
         bootloader_config = Mock()
         bootloader_config.get_boot_cmdline = Mock(
             return_value='boot_cmdline'
