Planner to verify the RoT artifacts and choose correct one for environment #8630
Description
As part of the work to get MGS driven updates incorporated into the planner, we came across a roadbump. Previously, wicket created a RawHubrisArchive from each artifact to verify the CMPA and CFPA pages against. In the planner, this step isn't as straightforward because we don't have access to the artifacts, but rather just the metadata. The TUF metadata does not contain any of this information from the RoT artifacts.
To get to a point where we have the information available to the planner we'll need the following work:
- Retrieve the Root Key Table Hash (RKTH) from the RoT artifacts before Nexus re-packages the TUF repo's RoT artifacts.
Should be done as a newThelpc55_signroutine.SIGNfield in the archive caboose should be set to the RKTH of the image(s) it contains. - Then we can store those hashes somewhere, perhaps the artifact metadata (
TufArtifactMeta)? Will need input from @iliana on such kind-specific metadata. [tuf] Store rkth/sign hashes in artifact metadata #8729 - Have the planner verify the RKTH against the CMPA/CFPA found in inventory as part of [reconfigurator] RoT planner support #8421 and [reconfigurator] RoT bootloader planner support #8664.