diff --git a/.github/workflows/ci-nightly-s390x.yaml b/.github/workflows/ci-nightly-s390x.yaml
index 8c7a2951eb..8f3d877faf 100644
--- a/.github/workflows/ci-nightly-s390x.yaml
+++ b/.github/workflows/ci-nightly-s390x.yaml
@@ -15,7 +15,8 @@ jobs:
 test_title:
 - kata-vfio-ap-e2e-tests
 - cc-vfio-ap-e2e-tests
- - cc-se-e2e-tests
+ - cc-se-e2e-tests-go
+ - cc-se-e2e-tests-rs
 steps:
 - name: Fetch a test result for {{ matrix.test_title }}
 run: |
diff --git a/tests/integration/kubernetes/confidential_common.sh b/tests/integration/kubernetes/confidential_common.sh
index 8df00fe749..df81ac6352 100644
--- a/tests/integration/kubernetes/confidential_common.sh
+++ b/tests/integration/kubernetes/confidential_common.sh
@@ -10,7 +10,7 @@ source "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/confidential_kbs.sh"
-SUPPORTED_TEE_HYPERVISORS=("qemu-snp" "qemu-tdx" "qemu-se")
+SUPPORTED_TEE_HYPERVISORS=("qemu-snp" "qemu-tdx" "qemu-se" "qemu-se-runtime-rs")
 SUPPORTED_NON_TEE_HYPERVISORS=("qemu-coco-dev")
 function setup_unencrypted_confidential_pod() {
@@ -31,12 +31,20 @@ function setup_unencrypted_confidential_pod() {
 # and returns the remote command to be executed to that specific hypervisor
 # in order to identify whether the workload is running on a TEE environment
 function get_remote_command_per_hypervisor() {
- declare -A REMOTE_COMMAND_PER_HYPERVISOR
- REMOTE_COMMAND_PER_HYPERVISOR[qemu-snp]="dmesg | grep \"Memory Encryption Features active:.*SEV-SNP\""
- REMOTE_COMMAND_PER_HYPERVISOR[qemu-tdx]="cpuid | grep TDX_GUEST"
- REMOTE_COMMAND_PER_HYPERVISOR[qemu-se]="cd /sys/firmware/uv; cat prot_virt_guest | grep 1"
-
- echo "${REMOTE_COMMAND_PER_HYPERVISOR[${KATA_HYPERVISOR}]}"
+ case "${KATA_HYPERVISOR}" in
+ qemu-se*)
+ echo "cd /sys/firmware/uv; cat prot_virt_guest | grep 1"
+ ;;
+ qemu-snp)
+ echo "dmesg | grep \"Memory Encryption Features active:.*SEV-SNP\""
+ ;;
+ qemu-tdx)
+ echo "cpuid | grep TDX_GUEST"
+ ;;
+ *)
+ echo ""
+ ;;
+ esac
 }
 # This function verifies whether the input hypervisor supports confidential tests and
diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh
index 791b579924..7275a79d65 100644
--- a/tests/integration/kubernetes/confidential_kbs.sh
+++ b/tests/integration/kubernetes/confidential_kbs.sh
@@ -234,7 +234,7 @@ function kbs_k8s_delete() {
 pushd "${COCO_KBS_DIR}"
 if [[ "${KATA_HYPERVISOR}" = "qemu-tdx" ]]; then
 kubectl delete -k config/kubernetes/ita
- elif [[ "${KATA_HYPERVISOR}" = "qemu-se" ]]; then
+ elif [[ "${KATA_HYPERVISOR}" = qemu-se* ]]; then
 kubectl delete -k config/kubernetes/overlays/ibm-se
 else
 kubectl delete -k config/kubernetes/overlays/
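Review bot: The `*)` arm of the new `case` in get_remote_command_per_hypervisor echoes an empty string and returns 0, so a hypervisor name that matches no arm hands the caller an empty TEE-detection command rather than an error. How the caller treats an empty command is not visible in this hunk, and it may be intended for non-TEE names such as qemu-coco-dev, but a check that is meant to prove the workload runs inside a TEE should not be able to become a no-op silently. Consider at least a diagnostic in that arm, e.g. `*) echo "no TEE check defined for ${KATA_HYPERVISOR}" >&2; echo "" ;;`, or `return 1` if no caller depends on the empty result. In the `qemu-se*` arm, `grep 1` matches any line containing a 1; `grep -x 1` would pin the expected prot_virt_guest value.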
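Review bot: The pattern `qemu-se*` in the `elif` of kbs_k8s_delete matches every hypervisor name with that prefix, while SUPPORTED_TEE_HYPERVISORS in confidential_common.sh lists exactly `qemu-se` and `qemu-se-runtime-rs`; the same prefix match is introduced in get_remote_command_per_hypervisor, kbs_k8s_deploy, set_metadata_annotation in lib.sh and the bats skips. In kbs_k8s_deploy and set_metadata_annotation the match gates IBM SE credential handling, so a future name that shares the prefix would take that path without anyone opting in. Matching the two names explicitly, e.g. `case "${KATA_HYPERVISOR}" in qemu-se|qemu-se-runtime-rs) ... ;; esac`, keeps these branches in step with the supported list. The comparison operator also differs between hunks (`=` here, `==` in kbs_k8s_deploy); one spelling throughout would read better. The body of kbs_k8s_delete continues outside the hunk.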
@@ -304,8 +304,8 @@ function kbs_k8s_deploy() {
 # expects at least one secret served at install time.
 echo "somesecret" > overlays/key.bin
- # For qemu-se runtime, prepare the necessary resources
- if [[ "${KATA_HYPERVISOR}" == "qemu-se" ]]; then
+ # For qemu-se* runtime, prepare the necessary resources
+ if [[ "${KATA_HYPERVISOR}" == qemu-se* ]]; then
 mv overlays/key.bin overlays/ibm-se/key.bin
 prepare_credentials_for_qemu_se
 # SE_SKIP_CERTS_VERIFICATION should be set to true
diff --git a/tests/integration/kubernetes/k8s-block-volume.bats b/tests/integration/kubernetes/k8s-block-volume.bats
index 05ff8326b0..e8b43d54fe 100644
--- a/tests/integration/kubernetes/k8s-block-volume.bats
+++ b/tests/integration/kubernetes/k8s-block-volume.bats
@@ -11,7 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
 case "${KATA_HYPERVISOR}" in
- qemu-runtime-rs)
+ qemu-runtime-rs|qemu-se-runtime-rs)
 skip "See: https://github.com/kata-containers/kata-containers/issues/10373" ;;
 fc|stratovirt)
 skip "See: https://github.com/kata-containers/kata-containers/issues/10873" ;;
@@ -73,7 +73,7 @@ setup() {
 teardown() {
 case "${KATA_HYPERVISOR}" in
- qemu-runtime-rs)
+ qemu-runtime-rs|qemu-se-runtime-rs)
 skip "See: https://github.com/kata-containers/kata-containers/issues/10373" ;;
 fc|stratovirt)
 skip "See: https://github.com/kata-containers/kata-containers/issues/10873" ;;
diff --git a/tests/integration/kubernetes/k8s-cpu-ns.bats b/tests/integration/kubernetes/k8s-cpu-ns.bats
index e47fd44d22..d871a41f88 100644
--- a/tests/integration/kubernetes/k8s-cpu-ns.bats
+++ b/tests/integration/kubernetes/k8s-cpu-ns.bats
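Review bot: The rewritten comment above the `if` in kbs_k8s_deploy still says only "prepare the necessary resources", although the trailing context indicates that this branch expects SE_SKIP_CERTS_VERIFICATION to be true and the line before it stages a fixed test secret in key.bin. Now that a second runtime enters the branch, the comment should name both runtimes and state that the relaxed certificate verification is meant for the test deployment only, for example `# IBM SE runtimes (qemu-se, qemu-se-runtime-rs): stage key.bin and test credentials; certificate verification is skipped for this test deployment only`. Where the variable is actually set lies outside the hunk, so the wording should be confirmed against the rest of the function.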
@@ -14,6 +14,7 @@ setup() {
 [ "${KATA_HYPERVISOR}" == "dragonball" ] && skip "test not working see: ${dragonball_limitations}"
 [ "${KATA_HYPERVISOR}" == "cloud-hypervisor" ] && skip "https://github.com/kata-containers/kata-containers/issues/9039"
 [ "${KATA_HYPERVISOR}" == "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
+ [ "${KATA_HYPERVISOR}" == "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
 ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
 [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
 && skip "TEEs do not support memory / CPU hotplug"
@@ -120,6 +121,7 @@ teardown() {
 [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
 [ "${KATA_HYPERVISOR}" == "dragonball" ] && skip "test not working see: ${dragonball_limitations}"
 [ "${KATA_HYPERVISOR}" == "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
+ [ "${KATA_HYPERVISOR}" == "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
 [ "${KATA_HYPERVISOR}" == "cloud-hypervisor" ] && skip "https://github.com/kata-containers/kata-containers/issues/9039"
 ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
 [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
diff --git a/tests/integration/kubernetes/k8s-empty-dirs.bats b/tests/integration/kubernetes/k8s-empty-dirs.bats
index d414065a78..78a3810c3d 100644
--- a/tests/integration/kubernetes/k8s-empty-dirs.bats
+++ b/tests/integration/kubernetes/k8s-empty-dirs.bats
@@ -18,8 +18,6 @@ assert_equal() {
 }
 setup() {
- [ "${KATA_HYPERVISOR}" = "qemu-se" ] && \
- skip "See: https://github.com/kata-containers/kata-containers/issues/10002"
 pod_name="sharevol-kata"
 get_pod_config_dir
 pod_logs_file=""
@@ -45,6 +43,8 @@ setup() {
 }
 @test "Empty dir volume when FSGroup is specified with non-root container" {
+ [[ "${KATA_HYPERVISOR}" = qemu-se* ]] && \
+ skip "See: https://github.com/kata-containers/kata-containers/issues/10002"
 # This is a reproducer of k8s e2e "[sig-storage] EmptyDir volumes when FSGroup is specified [LinuxOnly] [NodeFeature:FSGroup] new files should be created with FSGroup ownership when container is non-root" test
 pod_file="${pod_config_dir}/pod-empty-dir-fsgroup.yaml"
 agnhost_name="${container_images_agnhost_name}"
@@ -70,8 +70,6 @@ setup() {
 }
 teardown() {
- [ "${KATA_HYPERVISOR}" = "qemu-se" ] && \
- skip "See: https://github.com/kata-containers/kata-containers/issues/10002"
 # Debugging information
 kubectl describe "pod/$pod_name"
diff --git a/tests/integration/kubernetes/k8s-inotify.bats b/tests/integration/kubernetes/k8s-inotify.bats
index c2a761d46d..95fb0a63d0 100644
--- a/tests/integration/kubernetes/k8s-inotify.bats
+++ b/tests/integration/kubernetes/k8s-inotify.bats
@@ -12,7 +12,7 @@ setup() {
 [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
 issue_url="https://github.com/kata-containers/kata-containers/issues/8906"
- [ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})"
+ [[ "${KATA_HYPERVISOR}" == qemu-se* ]] && skip "test not working for IBM Z LPAR (see ${issue_url})"
 get_pod_config_dir
 pod_yaml="${pod_config_dir}"/inotify-configmap-pod.yaml
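Review bot: With the skip moved out of setup() and teardown() into this one `@test` in k8s-empty-dirs.bats, teardown() now runs on qemu-se* after the test is skipped, and its `kubectl describe "pod/$pod_name"` (context of the following hunk) has no failure guard. Bats still runs teardown for a skipped test, so if no pod named by `$pod_name` exists at that point the describe call returns non-zero and may turn the skip into a teardown failure. k8s-shared-volume.bats already writes this line as `kubectl describe "pod/$pod_name" || true`; the same form here avoids that. The rest of teardown() is outside the hunk, so any delete calls there deserve the same look.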
@@ -50,7 +50,7 @@ teardown() {
 [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
 issue_url="https://github.com/kata-containers/kata-containers/issues/8906"
- [ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})"
+ [[ "${KATA_HYPERVISOR}" == qemu-se* ]] && skip "test not working for IBM Z LPAR (see ${issue_url})"
 # Debugging information
 kubectl describe "pod/$pod_name"
diff --git a/tests/integration/kubernetes/k8s-number-cpus.bats b/tests/integration/kubernetes/k8s-number-cpus.bats
index b81143a6d0..adc1d4fd82 100644
--- a/tests/integration/kubernetes/k8s-number-cpus.bats
+++ b/tests/integration/kubernetes/k8s-number-cpus.bats
@@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
 [ "${KATA_HYPERVISOR}" = "cloud-hypervisor" ] && skip "test not working https://github.com/kata-containers/kata-containers/issues/9039"
 [ "${KATA_HYPERVISOR}" = "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
+ [ "${KATA_HYPERVISOR}" = "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
 pod_name="cpu-test"
 container_name="c1"
 get_pod_config_dir
@@ -53,6 +54,7 @@ setup() {
 teardown() {
 [ "${KATA_HYPERVISOR}" = "cloud-hypervisor" ] && skip "test not working https://github.com/kata-containers/kata-containers/issues/9039"
 [ "${KATA_HYPERVISOR}" = "qemu-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
+ [ "${KATA_HYPERVISOR}" = "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
 # Debugging information
 kubectl describe "pod/$pod_name"
diff --git a/tests/integration/kubernetes/k8s-shared-volume.bats b/tests/integration/kubernetes/k8s-shared-volume.bats
index 2181e39ebc..b8d8b203f5 100644
--- a/tests/integration/kubernetes/k8s-shared-volume.bats
+++ b/tests/integration/kubernetes/k8s-shared-volume.bats
@@ -9,7 +9,7 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
- [ "${KATA_HYPERVISOR}" = "qemu-se" ] && \
+ [[ "${KATA_HYPERVISOR}" == qemu-se* ]] && \
 skip "See: https://github.com/kata-containers/kata-containers/issues/10002"
 get_pod_config_dir
 }
@@ -67,7 +67,7 @@ setup() {
 }
 teardown() {
- [ "${KATA_HYPERVISOR}" = "qemu-se" ] && \
+ [[ "${KATA_HYPERVISOR}" == qemu-se* ]] && \
 skip "See: https://github.com/kata-containers/kata-containers/issues/10002"
 # Debugging information
 kubectl describe "pod/$pod_name" || true
diff --git a/tests/integration/kubernetes/lib.sh b/tests/integration/kubernetes/lib.sh
index c726a0c14c..296083480b 100644
--- a/tests/integration/kubernetes/lib.sh
+++ b/tests/integration/kubernetes/lib.sh
@@ -302,7 +302,7 @@ set_metadata_annotation() {
 # dots.
 yq -i ".${annotation_key} = \"${value}\"" "${yaml}"
- if [[ "${key}" =~ kernel_params ]] && [[ "${KATA_HYPERVISOR}" == "qemu-se" ]]; then
+ if [[ "${key}" =~ kernel_params ]] && [[ "${KATA_HYPERVISOR}" == qemu-se* ]]; then
 # A secure boot image for IBM SE should be rebuilt according to the KBS configuration.
 if [ -z "${IBM_SE_CREDS_DIR:-}" ]; then
 >&2 echo "ERROR: IBM_SE_CREDS_DIR is empty"