trusted-execution-clusters · bgartzi · Jan 15, 2026 · Jan 15, 2026
diff --git a/lib/src/tpmevents.rs b/lib/src/tpmevents.rs
@@ -55,6 +55,7 @@ pub enum TPMEventID {
     Pcr14MokList,
     Pcr14MokListX,
     Pcr14MokListTrusted,
+    PcrLastNodeEvent, // Don't use it except for TPM Event combination
 }
 
 impl TPMEventID {
@@ -93,6 +94,7 @@ impl TPMEventID {
             TPMEventID::Pcr14MokList => TPMEG_MOKVARS,
             TPMEventID::Pcr14MokListX => TPMEG_MOKVARS,
             TPMEventID::Pcr14MokListTrusted => TPMEG_MOKVARS,
+            TPMEventID::PcrLastNodeEvent => TPMEG_NEVER,
         }
     }
 

diff --git a/lib/src/tpmevents/combine/tests.rs b/lib/src/tpmevents/combine/tests.rs
@@ -1313,3 +1313,372 @@ fn test_combine_one_image() {
     let image_pcrs: Vec<Vec<Pcr>> = images.iter().map(|e| compile_pcrs(e)).collect();
     assert_eq!(image_pcrs, res);
 }
+
+#[test]
+fn test_pcr14_mok_list_trusted() {
+    let event = TPMEvent {
+        pcr: 14,
+        name: "EV_IPL".to_string(),
+        hash: hex::decode("4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a")
+            .unwrap(),
+        id: TPMEventID::Pcr14MokListTrusted,
+    };
+    let res = combine_images(&[vec![event.clone()], vec![event.clone()]]);
+    assert_eq!(res, vec![compile_pcrs(&[event])]);
+}
+
+#[test]
+fn test_all_pcrs_2_images() {
+    let images = vec![
+        vec![
+            TPMEvent {
+                pcr: 4,
+                name: "EV_EFI_ACTION".to_string(),
+                hash: hex::decode(
+                    "3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr4EfiCall,
+            },
+            TPMEvent {
+                pcr: 4,
+                name: "EV_SEPARATOR".to_string(),
+                hash: hex::decode(
+                    "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr4Separator,
+            },
+            TPMEvent {
+                pcr: 4,
+                name: "EV_EFI_BOOT_SERVICES_APPLICATION".to_string(),
+                hash: hex::decode(
+                    "94896c17d49fc8c8df0cc2836611586edab1615ce7cb58cf13fc5798de56b367",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr4Shim,
+            },
+            TPMEvent {
+                pcr: 4,
+                name: "EV_EFI_BOOT_SERVICES_APPLICATION".to_string(),
+                hash: hex::decode(
+                    "bc6844fc7b59b4f0c7da70a307fc578465411d7a2c34b0f4dc2cc154c873b644",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr4Grub,
+            },
+            TPMEvent {
+                pcr: 4,
+                name: "EV_EFI_BOOT_SERVICES_APPLICATION".to_string(),
+                hash: hex::decode(
+                    "2b1dc59bc61dbbc3db11a6f3b0708c948efd46cceb7f6c8ea2024b8d1b8c829a",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr4Vmlinuz,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_DRIVER_CONFIG".to_string(),
+                hash: hex::decode(
+                    "ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7SecureBoot,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_DRIVER_CONFIG".to_string(),
+                hash: hex::decode(
+                    "adb6fc232943e39c374bf4782b6c697f43c39fca1f4b51dfceda21164e19a893",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7Pk,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_DRIVER_CONFIG".to_string(),
+                hash: hex::decode(
+                    "b5432fe20c624811cb0296391bfdf948ebd02f0705ab8229bea09774023f0ebf",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7Kek,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_DRIVER_CONFIG".to_string(),
+                hash: hex::decode(
+                    "4313e43de720194a0eabf4d6415d42b5a03a34fdc47bb1fc924cc4e665e6893d",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7Db,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_DRIVER_CONFIG".to_string(),
+                hash: hex::decode(
+                    "001004ba58a184f09be6c1f4ec75a246cc2eefa9637b48ee428b6aa9bce48c55",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7Dbx,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_SEPARATOR".to_string(),
+                hash: hex::decode(
+                    "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7Separator,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_AUTHORITY".to_string(),
+                hash: hex::decode(
+                    "4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7ShimCert,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_AUTHORITY".to_string(),
+                hash: hex::decode(
+                    "e8e9578f5951ef16b1c1aa18ef02944b8375ec45ed4b5d8cdb30428db4a31016",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7SbatLevel,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_AUTHORITY".to_string(),
+                hash: hex::decode(
+                    "ad5901fd581e6640c742c488083b9ac2c48255bd28a16c106c6f9df52702ee3f",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7GrubMokListCert,
+            },
+            TPMEvent {
+                pcr: 14,
+                name: "EV_IPL".to_string(),
+                hash: hex::decode(
+                    "e8e48e3ad10bc243341b4663c0057aef0ec7894ccc9ecb0598f0830fa57f7220",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr14MokList,
+            },
+            TPMEvent {
+                pcr: 14,
+                name: "EV_IPL".to_string(),
+                hash: hex::decode(
+                    "8d8a3aae50d5d25838c95c034aadce7b548c9a952eb7925e366eda537c59c3b0",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr14MokListX,
+            },
+            TPMEvent {
+                pcr: 14,
+                name: "EV_IPL".to_string(),
+                hash: hex::decode(
+                    "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr14MokListTrusted,
+            },
+        ],
+        vec![
+            TPMEvent {
+                pcr: 4,
+                name: "EV_EFI_ACTION".to_string(),
+                hash: hex::decode(
+                    "3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr4EfiCall,
+            },
+            TPMEvent {
+                pcr: 4,
+                name: "EV_SEPARATOR".to_string(),
+                hash: hex::decode(
+                    "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr4Separator,
+            },
+            TPMEvent {
+                pcr: 4,
+                name: "EV_EFI_BOOT_SERVICES_APPLICATION".to_string(),
+                hash: hex::decode(
+                    "94896c17d49fc8c8df0cc2836611586edab1615ce7cb58cf13fc5798de56b367",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr4Shim,
+            },
+            TPMEvent {
+                pcr: 4,
+                name: "EV_EFI_BOOT_SERVICES_APPLICATION".to_string(),
+                hash: hex::decode(
+                    "f45c2c974192366a5391e077c3cbf91e735e86eba2037fd86a1f1501818f73f4",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr4Grub,
+            },
+            TPMEvent {
+                pcr: 4,
+                name: "EV_EFI_BOOT_SERVICES_APPLICATION".to_string(),
+                hash: hex::decode(
+                    "f31e645e5e9ed131eea5dca0a18893a21e5625b4a56314fa39587ddc33a7fa91",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr4Vmlinuz,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_DRIVER_CONFIG".to_string(),
+                hash: hex::decode(
+                    "ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7SecureBoot,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_DRIVER_CONFIG".to_string(),
+                hash: hex::decode(
+                    "adb6fc232943e39c374bf4782b6c697f43c39fca1f4b51dfceda21164e19a893",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7Pk,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_DRIVER_CONFIG".to_string(),
+                hash: hex::decode(
+                    "b5432fe20c624811cb0296391bfdf948ebd02f0705ab8229bea09774023f0ebf",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7Kek,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_DRIVER_CONFIG".to_string(),
+                hash: hex::decode(
+                    "4313e43de720194a0eabf4d6415d42b5a03a34fdc47bb1fc924cc4e665e6893d",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7Db,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_DRIVER_CONFIG".to_string(),
+                hash: hex::decode(
+                    "001004ba58a184f09be6c1f4ec75a246cc2eefa9637b48ee428b6aa9bce48c55",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7Dbx,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_SEPARATOR".to_string(),
+                hash: hex::decode(
+                    "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7Separator,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_AUTHORITY".to_string(),
+                hash: hex::decode(
+                    "4d4a8e2c74133bbdc01a16eaf2dbb5d575afeb36f5d8dfcf609ae043909e2ee9",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7ShimCert,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_AUTHORITY".to_string(),
+                hash: hex::decode(
+                    "e8e9578f5951ef16b1c1aa18ef02944b8375ec45ed4b5d8cdb30428db4a31016",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7SbatLevel,
+            },
+            TPMEvent {
+                pcr: 7,
+                name: "EV_EFI_VARIABLE_AUTHORITY".to_string(),
+                hash: hex::decode(
+                    "ad5901fd581e6640c742c488083b9ac2c48255bd28a16c106c6f9df52702ee3f",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr7GrubMokListCert,
+            },
+            TPMEvent {
+                pcr: 14,
+                name: "EV_IPL".to_string(),
+                hash: hex::decode(
+                    "e8e48e3ad10bc243341b4663c0057aef0ec7894ccc9ecb0598f0830fa57f7220",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr14MokList,
+            },
+            TPMEvent {
+                pcr: 14,
+                name: "EV_IPL".to_string(),
+                hash: hex::decode(
+                    "8d8a3aae50d5d25838c95c034aadce7b548c9a952eb7925e366eda537c59c3b0",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr14MokListX,
+            },
+            TPMEvent {
+                pcr: 14,
+                name: "EV_IPL".to_string(),
+                hash: hex::decode(
+                    "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a",
+                )
+                .unwrap(),
+                id: TPMEventID::Pcr14MokListTrusted,
+            },
+        ],
+    ];
+
+    let res = combine_images(&images);
+    let pcr_values: Vec<Vec<String>> = res
+        .iter()
+        .map(|i| {
+            i.iter()
+                .map(|p| hex::encode(p.value.clone()))
+                .collect::<Vec<_>>()
+        })
+        .collect();
+
+    assert_eq!(
+        pcr_values,
+        vec![
+            // Bootloader1 + kernel1
+            vec![
+                "551bbd142a716c67cd78336593c2eb3b547b575e810ced4501d761082b5cd4a8",
+                "b3a56a06c03a65277d0a787fcabc1e293eaa5d6dd79398f2dda741f7b874c65d",
+                "17cdefd9548f4383b67a37a901673bf3c8ded6f619d36c8007562de1d93c81cc"
+            ],
+            // Bootloader1 + kernel2
+            vec![
+                "0c4e52c0bc5d2fedbf83b2fee82664dbe5347a79cfb2cbcb9a37f64211add6e8",
+                "b3a56a06c03a65277d0a787fcabc1e293eaa5d6dd79398f2dda741f7b874c65d",
+                "17cdefd9548f4383b67a37a901673bf3c8ded6f619d36c8007562de1d93c81cc"
+            ],
+            // Bootloader2 + kernel1
+            vec![
+                "b5b241aa48bb09350607d293d969920c61ee6bac343e5a114826e7a610c8eb97",
+                "b3a56a06c03a65277d0a787fcabc1e293eaa5d6dd79398f2dda741f7b874c65d",
+                "17cdefd9548f4383b67a37a901673bf3c8ded6f619d36c8007562de1d93c81cc"
+            ],
+            // Bootloader2 + kernel2
+            vec![
+                "37517a1f76c4d5cf615f4690921c732ad31359aac55f3aaf66d65a8ed38655a9",
+                "b3a56a06c03a65277d0a787fcabc1e293eaa5d6dd79398f2dda741f7b874c65d",
+                "17cdefd9548f4383b67a37a901673bf3c8ded6f619d36c8007562de1d93c81cc"
+            ],
+        ]
+    );
+}