CLI: use the path to the target container's root to find ESP and kernel images

cli/src/main.rs

@@ -41,17 +41,10 @@ enum Command {
         #[arg(
             long,
             short,
-            default_value = "/usr/lib/modules/",
-            help = "Path to the kernel modules directory. This helps finding the vmlinuz image"
+            default_value = "/",
+            help = "Path to the target container image root filesystem"
         )]
-        kernels: String,
-        #[arg(
-            long,
-            short,
-            default_value = "/usr/lib/bootupd/updates/",
-            help = "Path to the ESP directory"
-        )]
-        esp: String,
+        rootfs: String,
         #[command(flatten)]
         secureboot_variables: SecureBootVarStores,
         #[arg(
@@ -78,17 +71,10 @@ enum Command {
         #[arg(
             long,
             short,
-            default_value = "/usr/lib/modules/",
-            help = "Path to the kernel modules directory. This helps finding the vmlinuz image"
+            default_value = "/",
+            help = "Path to the target container image root filesystem"
         )]
-        kernels: String,
-        #[arg(
-            long,
-            short,
-            default_value = "/usr/lib/bootupd/updates/",
-            help = "Path to the ESP directory"
-        )]
-        esp: String,
+        rootfs: String,
         #[arg(
             long,
             default_value_t = false,
@@ -107,10 +93,10 @@ enum Command {
         #[arg(
             long,
             short,
-            default_value = "/usr/lib/bootupd/updates/",
-            help = "Path to the ESP directory"
+            default_value = "/",
+            help = "Path to the target container image root filesystem"
         )]
-        esp: String,
+        rootfs: String,
         #[command(flatten)]
         secureboot_variables: SecureBootVarStores,
         #[arg(
@@ -158,16 +144,20 @@ fn main() -> Result<()> {
 
     match &cli.command {
         Command::All {
-            kernels,
-            esp,
+            rootfs,
             secureboot_variables,
             uki,
             no_secureboot,
             mok_variables,
         } => {
+            let rfs = rootfs::RootFSTree::new(rootfs).unwrap();
             let pcrs = vec![
-                compute_pcr4(kernels, esp, *uki, !no_secureboot),
-                compute_pcr7(secureboot_variables.efivars.as_deref(), esp, !no_secureboot),
+                compute_pcr4(rfs.vmlinuz(), rfs.esp(), *uki, !no_secureboot),
+                compute_pcr7(
+                    secureboot_variables.efivars.as_deref(),
+                    rfs.esp(),
+                    !no_secureboot,
+                ),
                 /* compute_pcr11(), */
                 compute_pcr14(mok_variables),
             ];
@@ -178,21 +168,26 @@ fn main() -> Result<()> {
             Ok(())
         }
         Command::Pcr4 {
-            kernels,
-            esp,
+            rootfs,
             uki,
             no_secureboot,
         } => {
-            let pcr = compute_pcr4(kernels, esp, *uki, !no_secureboot);
+            let rfs = rootfs::RootFSTree::new(rootfs).unwrap();
+            let pcr = compute_pcr4(rfs.vmlinuz(), rfs.esp(), *uki, !no_secureboot);
             println!("{}", serde_json::to_string_pretty(&pcr).unwrap());
             Ok(())
         }
         Command::Pcr7 {
-            esp,
+            rootfs,
             secureboot_variables,
             no_secureboot,
         } => {
-            let pcr = compute_pcr7(secureboot_variables.efivars.as_deref(), esp, !no_secureboot);
+            let rfs = rootfs::RootFSTree::new(rootfs).unwrap();
+            let pcr = compute_pcr7(
+                secureboot_variables.efivars.as_deref(),
+                rfs.esp(),
+                !no_secureboot,
+            );
             println!("{}", serde_json::to_string_pretty(&pcr).unwrap());
             Ok(())
         }

justfile

@@ -7,6 +7,7 @@ image := "https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/42.
 target_container_ociarchive_path := absolute_path(join("/tmp", file_name(image)))
 target_container_name := without_extension(file_name(image))
 target_container_osinfo_path := "/tmp/compute-pcrs-osinfo"
+target_container_mount_point := "/var/srv/image"
 container_image_name := "compute-pcrs"
 skip_build := "false"
 
@@ -49,11 +50,10 @@ test-container: prepare-test-deps
     podman run --rm \
         --security-opt label=disable \
         -v $PWD/test-data/:/var/srv/test-data \
-        --mount=type=image,source={{target_container_name}},destination=/var/srv/image,rw=false \
+        --mount=type=image,source={{target_container_name}},destination={{target_container_mount_point}},rw=false \
         {{container_image_name}} \
         compute-pcrs all \
-            --kernels /var/srv/image/usr/lib/modules \
-            --esp /var/srv/image/usr/lib/bootupd/updates \
+            --rootfs {{target_container_mount_point}} \
             --efivars /var/srv/test-data/efivars/qemu-ovmf/${ID}-${VERSION_ID} \
             --mok-variables /var/srv/test-data/mok-variables/${ID}-${VERSION_ID} \
             > test/result.json 2>/dev/null
@@ -95,11 +95,10 @@ test-vmlinuz: prepare-test-deps
     podman run --rm \
         --security-opt label=disable \
         -v $PWD/test-data/:/var/srv/test-data \
-        --mount=type=image,source={{target_container_name}},destination=/var/srv/image,rw=false \
+        --mount=type=image,source={{target_container_name}},destination={{target_container_mount_point}},rw=false \
         {{container_image_name}} \
         compute-pcrs pcr4 \
-            --kernels /var/srv/image/usr/lib/modules \
-            --esp /var/srv/image/usr/lib/bootupd/updates
+            --rootfs {{target_container_mount_point}} \
 
 test-uki: prepare-test-deps
     #!/bin/bash
@@ -108,7 +107,7 @@ test-uki: prepare-test-deps
     podman run --rm \
         --security-opt label=disable \
         -v $PWD/test-data/:/var/srv/test-data \
-        --mount=type=image,source={{target_container_name}},destination=/var/srv/image,rw=false \
+        --mount=type=image,source={{target_container_name}},destination={{target_container_mount_point}},rw=false \
         {{container_image_name}} \
         compute-pcrs pcr11 uki \
 
@@ -121,10 +120,10 @@ test-secureboot-enabled: prepare-test-deps
     podman run --rm \
         --security-opt label=disable \
         -v $PWD/test-data/:/var/srv/test-data \
-        --mount=type=image,source={{target_container_name}},destination=/var/srv/image,rw=false \
+        --mount=type=image,source={{target_container_name}},destination={{target_container_mount_point}},rw=false \
         {{container_image_name}} \
         compute-pcrs pcr7 \
-            --esp /var/srv/image/usr/lib/bootupd/updates \
+            --rootfs {{target_container_mount_point}} \
             --efivars /var/srv/test-data/efivars/qemu-ovmf/${ID}-${VERSION_ID} \
             > test/result.json 2>/dev/null
     diff test-fixtures/${ID}-${OSTREE_VERSION}/pcr7-sb-enabled.json test/result.json || (echo "FAILED" && exit 1)
@@ -140,10 +139,10 @@ test-secureboot-disabled: prepare-test-deps
     podman run --rm \
         --security-opt label=disable \
         -v $PWD/test-data/:/var/srv/test-data \
-        --mount=type=image,source={{target_container_name}},destination=/var/srv/image,rw=false \
+        --mount=type=image,source={{target_container_name}},destination={{target_container_mount_point}},rw=false \
         {{container_image_name}} \
         compute-pcrs pcr7 \
-            --esp /var/srv/image/usr/lib/bootupd/updates \
+            --rootfs {{target_container_mount_point}} \
             --efivars /var/srv/test-data/efivars/qemu-ovmf/${ID}-${VERSION_ID}-sb-disabled \
             --secureboot-disabled \
             > test/result.json 2>/dev/null
@@ -159,7 +158,7 @@ test-default-mok-keys: prepare-test-deps
     podman run --rm \
         --security-opt label=disable \
         -v $PWD/test-data/:/var/srv/test-data \
-        --mount=type=image,source={{target_container_name}},destination=/var/srv/image,rw=false \
+        --mount=type=image,source={{target_container_name}},destination={{target_container_mount_point}},rw=false \
         {{container_image_name}} \
         compute-pcrs pcr14 \
             --mok-variables /var/srv/test-data/mok-variables/${ID}-${VERSION_ID} \

lib/src/esp.rs

@@ -56,20 +56,20 @@ impl Esp {
         let esp_vendor_path = esp_vendor_path(&path_pb)?;
 
         Ok(Esp {
-            grub: bin_path_from_esp_vendor(&esp_vendor_path, "shimx64.efi")?,
-            shim: bin_path_from_esp_vendor(&esp_vendor_path, "grubx64.efi")?,
+            grub: bin_path_from_esp_vendor(&esp_vendor_path, "grubx64.efi")?,
+            shim: bin_path_from_esp_vendor(&esp_vendor_path, "shimx64.efi")?,
         })
     }
 
     /// Tries loading the shim binary
     pub fn shim(&self) -> pefile::PeFile {
-        pefile::PeFile::load_from_file(&self.grub.to_string_lossy(), false)
+        pefile::PeFile::load_from_file(&self.shim.to_string_lossy(), false)
             .expect("Can't open shim binary")
     }
 
     /// Tries loading the grub binary
     pub fn grub(&self) -> pefile::PeFile {
-        pefile::PeFile::load_from_file(&self.shim.to_string_lossy(), false)
+        pefile::PeFile::load_from_file(&self.grub.to_string_lossy(), false)
             .expect("Can't open grub binary")
     }
 }

lib/src/lib.rs

@@ -16,6 +16,7 @@ mod esp;
 mod linux;
 mod mok;
 pub mod pefile;
+pub mod rootfs;
 pub mod shim;
 pub mod uefi;
 

lib/src/rootfs.rs

@@ -0,0 +1,35 @@
+// SPDX-FileCopyrightText: Timothée Ravier <tim@siosm.fr>
+// SPDX-FileCopyrightText: Beñat Gartzia Arruabarrena <bgartzia@redhat.com>
+//
+// SPDX-License-Identifier: MIT
+
+use std::io;
+use std::path;
+
+const RELATIVE_KERNELS_PATH: &str = "usr/lib/modules/";
+const RELATIVE_ESP_PATH: &str = "usr/lib/bootupd/updates/";
+
+pub struct RootFSTree {
+    esp_path: String,
+    kernels_path: String,
+}
+
+impl RootFSTree {
+    pub fn new(rootfs_path: &str) -> io::Result<RootFSTree> {
+        let rootfs_path = path::absolute(rootfs_path)?;
+        let kernels_path = rootfs_path.join(RELATIVE_KERNELS_PATH);
+        let esp_path = rootfs_path.join(RELATIVE_ESP_PATH);
+        Ok(RootFSTree {
+            esp_path: esp_path.to_str().unwrap().into(),
+            kernels_path: kernels_path.to_str().unwrap().into(),
+        })
+    }
+
+    pub fn esp(&self) -> &str {
+        self.esp_path.as_str()
+    }
+
+    pub fn vmlinuz(&self) -> &str {
+        self.kernels_path.as_str()
+    }
+}