@eshantatIBM eshantatIBM commented Nov 7, 2025

This fix is needed to generate the correct ibmse-policy.rego for the z17 lpars

- Description of the problem which is fixed/What is the use case
Even though the HKD is valid, the current script says the following:

Mounting on second attempt passed
/dev/nbd0 disconnected
SE header found at offset 0x014000
SE header written to '/home/linuxuser/eshant/Rvps-Extraction/output-files/hdr.bin' (640 bytes)
se.tag:  9121b1872ea6a57570b3b9a1bf4d10eb
se.image_phkh: 
There seems to be some issue in HKD.crt. Please use the correct one and run it again.

If HKD is not included during HPCC production image generation, then the script does not provide the ibmse rego records

- What I did
Instead of failing (for example, for z17), se.image_phkh will get its value from se.attestation_phkh.

- How to verify it
Running on z Lpars

- Description for the changelog

After fix

Mounting on second attempt passed
/dev/nbd0 disconnected
SE header found at offset 0x014000
SE header written to '/home/linuxuser/eshant/Rvps-Extraction/output-files/hdr.bin' (640 bytes)
se.tag:  9121b1872ea6a57570b3b9a1bf4d10eb
se.image_phkh:  4941c69214b2c55fdd9de087330a0d7f0437d643ff616c29177bebed2f5330f5
provenance = ewogICAgInNlLmF0dGVzdGF0aW9uX3Boa2giOiBbCiAgICAgICAgIjQ5NDFjNjkyMTRiMmM1NWZkZDlkZTA4NzMzMGEwZDdmMDQzN2Q2NDNmZjYxNmMyOTE3N2JlYmVkMmY1MzMwZjUiCiAgICBdLAogICAgInNlLnRhZyI6IFsKICAgICAgICAiOTEyMWIxODcyZWE2YTU3NTcwYjNiOWExYmY0ZDEwZWIiCiAgICBdLAogICAgInNlLmltYWdlX3Boa2giOiBbCiAgICAgICAgIjQ5NDFjNjkyMTRiMmM1NWZkZDlkZTA4NzMzMGEwZDdmMDQzN2Q2NDNmZjYxNmMyOTE3N2JlYmVkMmY1MzMwZjUiCiAgICBdLAogICAgInNlLnVzZXJfZGF0YSI6IFsKICAgICAgICAiMDAiCiAgICBdLAogICAgInNlLnZlcnNpb24iOiBbCiAgICAgICAgIjI1NiIKICAgIF0KfQo=
-rw-r--r--. 1 root root 640 Nov 11 01:26 /home/linuxuser/eshant/Rvps-Extraction/output-files/hdr.bin
-rw-r--r--. 1 root root 561 Nov 11 01:26 /home/linuxuser/eshant/Rvps-Extraction/output-files/se-message
-rw-r--r--. 1 root root 446 Nov 11 01:26 /home/linuxuser/eshant/Rvps-Extraction/output-files/ibmse-policy.rego


$ cat output-files/ibmse-policy.rego
package policy
import rego.v1
default allow = false
converted_version := sprintf("%v", [input["se.version"]])
allow if {
    input["se.attestation_phkh"] == "4941c69214b2c55fdd9de087330a0d7f0437d643ff616c29177bebed2f5330f5"
    input["se.image_phkh"] == "4941c69214b2c55fdd9de087330a0d7f0437d643ff616c29177bebed2f5330f5"
    input["se.tag"] == "9121b1872ea6a57570b3b9a1bf4d10eb"
    input["se.user_data"] == "00"
    converted_version == "256"
}
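
The fallback described in this PR, sketched as an added example; it is not the project's script or code from this PR. The dict keys, function names and the hex-length checks (inferred from the sample values above) are assumptions. It refuses to emit a policy with an empty reference value, and shows that after the fallback both PHKH conditions carry the same hash.

```python
import re

# Field formats inferred from the sample values in this PR (assumption):
# 64 hex chars for the PHKH fields, 32 hex chars for se.tag.
HEX64 = re.compile(r"[0-9a-f]{64}")
HEX32 = re.compile(r"[0-9a-f]{32}")

# Same shape as the ibmse-policy.rego shown in the PR description.
POLICY_TEMPLATE = '''package policy
import rego.v1
default allow = false
converted_version := sprintf("%v", [input["se.version"]])
allow if {{
    input["se.attestation_phkh"] == "{attestation_phkh}"
    input["se.image_phkh"] == "{image_phkh}"
    input["se.tag"] == "{tag}"
    input["se.user_data"] == "{user_data}"
    converted_version == "{version}"
}}
'''

def resolve_reference_values(extracted):
    """Apply the fallback and validate every field.

    `extracted` is a hypothetical dict of values pulled from the SE header.
    """
    values = {k: (v or "").strip() for k, v in extracted.items()}
    # Fallback: no usable HKD, so se.image_phkh came back empty.
    if not values.get("image_phkh"):
        values["image_phkh"] = values.get("attestation_phkh", "")
    for key, pattern in (("attestation_phkh", HEX64), ("image_phkh", HEX64), ("tag", HEX32)):
        if not pattern.fullmatch(values.get(key, "")):
            raise ValueError(f"refusing to write policy: bad or empty se.{key}")
    for key in ("user_data", "version"):
        if not values.get(key):
            raise ValueError(f"refusing to write policy: empty se.{key}")
    return values

def render_policy(extracted):
    """Return the rego policy text for validated reference values."""
    return POLICY_TEMPLATE.format(**resolve_reference_values(extracted))

# Values copied from the "After fix" output above; image_phkh left empty
# to model the case where the HKD was not usable.
SAMPLE = {
    "attestation_phkh": "4941c69214b2c55fdd9de087330a0d7f0437d643ff616c29177bebed2f5330f5",
    "image_phkh": "",
    "tag": "9121b1872ea6a57570b3b9a1bf4d10eb",
    "user_data": "00",
    "version": "256",
}
```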

@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Nov 7, 2025
openshift-ci bot commented Nov 7, 2025

Hi @eshantatIBM. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@eshantatIBM eshantatIBM force-pushed the fix_ibmse_generation branch 2 times, most recently from 4c9a0c0 to 6980219 Compare November 11, 2025 06:28
@eshantatIBM eshantatIBM changed the title fix(chore): Fix for z17 Lpar fix(ibmse): Fix for z17 Lpar Nov 11, 2025
@eshantatIBM eshantatIBM marked this pull request as ready for review November 11, 2025 06:53
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 11, 2025
@openshift-ci openshift-ci bot requested review from pmores and wainersm November 11, 2025 06:53
This fix is needed to generate the correct ibmse-policy.rego for the z17 lpars
@eshantatIBM eshantatIBM changed the title fix(ibmse): Fix for z17 Lpar fix(ibmse): Fix to make it work without machine specific HKD Nov 12, 2025