From 34c687f2b3885fbe053d6a908fc7ce0b43d1db19 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 27 Oct 2025 12:55:02 +0100
Subject: [PATCH] ci: add some test for the new nvpcr infra

---
 test/units/TEST-65-ANALYZE.sh        |  5 +++++
 test/units/TEST-70-TPM2.pcrextend.sh | 28 ++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/test/units/TEST-65-ANALYZE.sh b/test/units/TEST-65-ANALYZE.sh
index d71b76e92a..f368d21653 100755
--- a/test/units/TEST-65-ANALYZE.sh
+++ b/test/units/TEST-65-ANALYZE.sh
@@ -1093,6 +1093,11 @@ systemd-analyze image-policy 'home=encrypted:usr=verity' 2>&1 | grep -q -e '^usr
 systemd-analyze pcrs
 systemd-analyze pcrs --json=pretty
 systemd-analyze pcrs 14 7 0 ima
+if systemd-analyze has-tpm2 -q ; then
+    systemd-analyze nvpcrs
+    systemd-analyze nvpcrs --json=pretty
+    systemd-analyze nvpcrs hardware cryptsetup
+fi
 
 systemd-analyze architectures
 systemd-analyze architectures --json=pretty
diff --git a/test/units/TEST-70-TPM2.pcrextend.sh b/test/units/TEST-70-TPM2.pcrextend.sh
index 318fce02a1..e5cd4843d6 100755
--- a/test/units/TEST-70-TPM2.pcrextend.sh
+++ b/test/units/TEST-70-TPM2.pcrextend.sh
@@ -30,6 +30,7 @@ export SYSTEMD_FORCE_MEASURE=1
 "$SD_PCREXTEND" --version
 "$SD_PCREXTEND" foo
 "$SD_PCREXTEND" --machine-id
+"$SD_PCREXTEND" --product-id
 "$SD_PCREXTEND" --tpm2-device=list
 "$SD_PCREXTEND" --tpm2-device=auto foo
 "$SD_PCREXTEND" --tpm2-device=/dev/tpm0 foo
@@ -40,6 +41,7 @@ export SYSTEMD_FORCE_MEASURE=1
 "$SD_PCREXTEND" --file-system=/
 "$SD_PCREXTEND" --file-system=/tmp --file-system=/
 "$SD_PCREXTEND" --file-system=/tmp --file-system=/ --pcr=15 --pcr=11
+"$SD_PCREXTEND" --nvpcr=hardware foo
 
 if tpm_has_pcr sha1 11; then
     "$SD_PCREXTEND" --bank=sha1 --pcr=11 foo
@@ -55,6 +57,7 @@ fi
 (! "$SD_PCREXTEND" --pcr=-1 foo)
 (! "$SD_PCREXTEND" --pcr=1024 foo)
 (! "$SD_PCREXTEND" --foo=bar)
+(! "$SD_PCREXTEND" --nvpcr=idontexist foo)
 
 unset SYSTEMD_FORCE_MEASURE
 
@@ -122,3 +125,28 @@ diff /tmp/newpcr15 \
      <(cat /tmp/oldpcr15 <(echo -n "file-system:$FS_WORD" | openssl dgst -binary -sha256) | openssl dgst -binary -sha256)
 
 rm -f /tmp/oldpcr{11,15} /tmp/newpcr{11,15}
+
+mkdir -p /run/nvpcr
+
+cat >/run/nvpcr/test.nvpcr <<EOF
+{"name":"test","algorithm":"sha256","nvIndex":30474762}
+EOF
+/usr/lib/systemd/systemd-tpm2-setup
+test -f /run/systemd/nvpcr/test.anchor
+/usr/lib/systemd/systemd-pcrextend --nvpcr=test schrumpel
+# To calculate the current value we need the anchor measurement
+DIGEST_BASE="$(cat /run/systemd/nvpcr/test.anchor)"
+DIGEST_MEASURED="$(echo -n "schrumpel" | openssl dgst -sha256 -binary | xxd -p -c200)"
+DIGEST_EXPECTED="$(echo "$DIGEST_BASE$DIGEST_MEASURED" | xxd -r -p | openssl dgst -sha256 -binary | xxd -p -c200)"
+DIGEST_ACTUAL="$(systemd-analyze nvpcrs test --json=pretty | jq -r '.[] | select(.name=="test") | .value')"
+test "$DIGEST_ACTUAL" = "$DIGEST_EXPECTED"
+
+# Now "destroy" the value via another measurement
+/usr/lib/systemd/systemd-pcrextend --nvpcr=test schnurz
+DIGEST_ACTUAL2="$(systemd-analyze nvpcrs test --json=pretty | jq -r '.[] | select(.name=="test") | .value')"
+test "$DIGEST_ACTUAL2" != "$DIGEST_EXPECTED"
+
+# And calculate the new result
+DIGEST_MEASURED2="$(echo -n "schnurz" | openssl dgst -sha256 -binary | xxd -p -c200)"
+DIGEST_EXPECTED2="$(echo "$DIGEST_EXPECTED$DIGEST_MEASURED2" | xxd -r -p | openssl dgst -sha256 -binary | xxd -p -c200)"
+test "$DIGEST_ACTUAL2" = "$DIGEST_EXPECTED2"