docs: generalize __init__ docstring and add fixture acquisition READMEs

alhassankhedr-cohere · alhassankhedr-cohere · commit 55de819fd39d · 2026-04-20T12:33:05.000-04:00
Update the package docstring to cover confidential VMs broadly, not just
TDX. Add README files to tests/fixtures/firmware/ and tests/fixtures/uki/
explaining how to obtain the binary test fixtures from GCS.
diff --git a/src/cvm_measure/__init__.py b/src/cvm_measure/__init__.py
@@ -12,6 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-"""cvm-measure: compute expected TDX register values from published inputs."""
+"""cvm-measure: compute expected confidential VM register values from published inputs."""
 
 __version__ = "0.1.0"
diff --git a/tests/fixtures/firmware/README.md b/tests/fixtures/firmware/README.md
@@ -0,0 +1,36 @@
+# Firmware Test Fixtures
+
+Place OVMF firmware binaries here to enable MRTD integration tests.
+
+## How to obtain
+
+Google publishes OVMF firmware binaries for GCE TDX VMs in a public GCS bucket.
+Files are named by their SHA-384 hash. Look up the hash in the corresponding
+baseline file (`fixtures/baselines/a3-highgpu-1g.json`, field `firmware_sha384`),
+then download:
+
+```bash
+HASH=f53fdf89544e1e6d785eee42d0a4bb38e26b36e951be537ac22114d210f2d5239eba243dd71991afe8345e7020974a46
+
+gsutil cp \
+  gs://gce_tcb_integrity/ovmf_x64_csm/${HASH}.fd \
+  tests/fixtures/firmware/ovmf-a3-highgpu-1g.fd
+```
+
+To verify the download:
+
+```bash
+sha384sum tests/fixtures/firmware/ovmf-a3-highgpu-1g.fd
+```
+
+The output should match the hash used above.
+
+## Available firmware images
+
+Browse all available images:
+
+```bash
+gsutil ls gs://gce_tcb_integrity/ovmf_x64_csm/
+```
+
+Without firmware binaries, tests that depend on them are automatically skipped.
diff --git a/tests/fixtures/uki/README.md b/tests/fixtures/uki/README.md
@@ -0,0 +1,42 @@
+# UKI Test Fixtures
+
+Place UKI (Unified Kernel Image) binaries here to enable PE parsing and
+end-to-end register computation tests.
+
+## How to obtain
+
+The UKI (BOOTX64.EFI) is extracted from a PodVM disk image built by the
+fortress CI pipeline. The disk images are stored in GCS.
+
+### 1. Download the disk image
+
+```bash
+gsutil cp \
+  gs://cohere-confidential-computing-podvm-build/ubuntu-mkosi-tdx-debug-2026-03-27/disk.tar.gz \
+  /tmp/disk.tar.gz
+```
+
+### 2. Extract the UKI
+
+Use the extraction script from the fortress repo (requires `mtools`):
+
+```bash
+# Install mtools if needed
+brew install mtools   # macOS
+apt install mtools    # Linux
+
+# Extract BOOTX64.EFI from the disk image
+python3 ../fortress/deployment/terraform/podvm-build/scripts/extract-uki.py \
+  /tmp/disk.tar.gz \
+  tests/fixtures/uki/bootx64-a3-highgpu-1g.efi
+```
+
+The script will print the file size and SHA-384 hash to stderr.
+
+### 3. Clean up
+
+```bash
+rm /tmp/disk.tar.gz
+```
+
+Without UKI binaries, tests that depend on them are automatically skipped.
