[DNM] engineering: Use custom pcrlock policy path adjacent to datastore

.pipelines/templates/trident-platform-cicd-template.yml

@@ -17,6 +17,12 @@ parameters:
       - amd64
       - arm64
 
+  - name: micVersion
+    displayName: MIC Version
+    type: string
+    default: "*.*.*"
+
+
 stages:
   - ${{ if eq( parameters.targetArchitecture, 'amd64') }}:
     - template: e2e-template.yml
@@ -27,6 +33,8 @@ stages:
         forceFunctionalTestImageRebuild: true
         baremetalTestsEnabled: ${{ parameters.baremetalTestsEnabled }}
         baseImageArtifactStage: ${{ parameters.baseImageArtifactStage }}
+        micVersion: ${{ parameters.micVersion }}
+        micBuildType: dev
 
   - ${{ if eq( parameters.targetArchitecture, 'arm64') }}:
     - template: e2e-arm64-template.yml

crates/osutils/src/dependencies.rs

@@ -1,7 +1,7 @@
 use std::{
     borrow::Cow,
     ffi::{OsStr, OsString},
-    io,
+    fmt, io,
     os::unix::process::ExitStatusExt,
     path::PathBuf,
     process::{Command as StdCommand, Output},
@@ -149,8 +149,8 @@ pub enum Dependency {
     False,
 }
 
-impl std::fmt::Display for Dependency {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+impl fmt::Display for Dependency {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         f.write_str(self.into())
     }
 }
@@ -261,6 +261,12 @@ impl Command {
         self.output()?.check_output()
     }
 
+    pub fn output_and_stderr_and_check(&self) -> Result<(String, String), Box<DependencyError>> {
+        let output = self.output()?;
+        let stdout = output.check_output()?;
+        Ok((stdout, output.error_output()))
+    }
+
     pub fn raw_output_and_check(&self) -> Result<Output, Box<DependencyError>> {
         self.output()?.check_raw_output()
     }

crates/osutils/src/encryption.rs

@@ -8,7 +8,7 @@ use anyhow::{Context, Error};
 use enumflags2::BitFlags;
 use log::debug;
 
-use crate::{dependencies::Dependency, pcrlock::PCRLOCK_POLICY_JSON_PATH};
+use crate::dependencies::Dependency;
 use sysdefs::tpm2::Pcr;
 use trident_api::constants::LUKS_HEADER_SIZE_IN_MIB;
 
@@ -34,6 +34,7 @@ pub fn systemd_cryptenroll(
     key_file: impl AsRef<Path>,
     device_path: impl AsRef<Path>,
     pcrs: Option<BitFlags<Pcr>>,
+    pcrlock_policy_path: Option<&Path>,
 ) -> Result<(), Error> {
     debug!(
         "Enrolling TPM 2.0 device for underlying encrypted volume '{}'",
@@ -50,8 +51,9 @@ pub fn systemd_cryptenroll(
     // against a pcrlock policy.
     if let Some(pcrs) = pcrs {
         cmd.arg(to_tpm2_pcrs_arg(pcrs));
-    } else {
-        cmd.arg(format!("--tpm2-pcrlock={PCRLOCK_POLICY_JSON_PATH}"));
+    } else if let Some(pcrlock_policy_path) = pcrlock_policy_path {
+        // TODO: ADJUST PATH FOR CONTAINER!
+        cmd.arg(format!("--tpm2-pcrlock={}", pcrlock_policy_path.display()));
     }
 
     cmd.run_and_check().context(format!(
@@ -178,6 +180,12 @@ pub fn cryptsetup_open(
     device_path: impl AsRef<Path>,
     device_name: &str,
 ) -> Result<(), Error> {
+    debug!(
+        "Opening underlying encrypted device '{}' as '{}'",
+        device_path.as_ref().display(),
+        device_name
+    );
+
     Dependency::Cryptsetup
         .cmd()
         .arg("luksOpen")
@@ -337,6 +345,7 @@ mod functional_test {
 
     use pytest_gen::functional_test;
     use sysdefs::partition_types::DiscoverablePartitionType;
+    use trident_api::constants::TRIDENT_DATASTORE_PATH_DEFAULT;
 
     use crate::{
         filesystems::MkfsFileSystemType,
@@ -416,10 +425,19 @@ mod functional_test {
         copy_static_pcrlock_files();
         // Generate a pcrlock policy that only includes PCR 0
         let pcrs = BitFlags::from(Pcr::Pcr0);
-        pcrlock::generate_pcrlock_policy(pcrs, vec![], vec![]).unwrap();
+        let pcrlock_policy_path =
+            pcrlock::construct_pcrlock_path(Path::new(TRIDENT_DATASTORE_PATH_DEFAULT), None)
+                .unwrap();
+        pcrlock::generate_pcrlock_policy(pcrs, &pcrlock_policy_path, vec![], vec![]).unwrap();
 
         // Run `systemd-cryptenroll` on the partition
-        systemd_cryptenroll(key_file_path, &partition1.node, None).unwrap();
+        systemd_cryptenroll(
+            key_file_path,
+            &partition1.node,
+            None,
+            Some(&pcrlock_policy_path),
+        )
+        .unwrap();
 
         // Open the encrypted volume, to make the block device available
         cryptsetup_open(key_file_path, &partition1.node, ENCRYPTED_VOLUME_NAME).unwrap();
@@ -558,10 +576,19 @@ mod functional_test {
         copy_static_pcrlock_files();
         // Generate a pcrlock policy that only includes PCR 0
         let pcrs = BitFlags::from(Pcr::Pcr0);
-        pcrlock::generate_pcrlock_policy(pcrs, vec![], vec![]).unwrap();
+        let pcrlock_policy_path =
+            pcrlock::construct_pcrlock_path(Path::new(TRIDENT_DATASTORE_PATH_DEFAULT), None)
+                .unwrap();
+        pcrlock::generate_pcrlock_policy(pcrs, &pcrlock_policy_path, vec![], vec![]).unwrap();
 
         // Run `systemd-cryptenroll` on the partition
-        systemd_cryptenroll(key_file_path, &partition1.node, None).unwrap();
+        systemd_cryptenroll(
+            key_file_path,
+            &partition1.node,
+            None,
+            Some(&pcrlock_policy_path),
+        )
+        .unwrap();
 
         // Open the encrypted volume, to make the block device available
         cryptsetup_open(key_file_path, &partition1.node, ENCRYPTED_VOLUME_NAME).unwrap();