Merge pull request #5337 from dubek/runtime-add-sev-tests
CCv0: runtime/pkg/sev: Add unit tests; allow measurement without kernel
This commit is contained in:
commit
3dd655d60d
@ -7,4 +7,5 @@ This repository contains a number of packages in addition to the
|
|||||||
|-|-|
|
|-|-|
|
||||||
| [`katatestutils`](katatestutils) | Unit test utilities. |
|
| [`katatestutils`](katatestutils) | Unit test utilities. |
|
||||||
| [`katautils`](katautils) | Utilities. |
|
| [`katautils`](katautils) | Utilities. |
|
||||||
|
| [`sev`](sev) | AMD SEV confidential guest utilities. |
|
||||||
| [`signals`](signals) | Signal handling functions. |
|
| [`signals`](signals) | Signal handling functions. |
|
||||||
|
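--- /dev/null
+++ b/src/runtime/pkg/sev/README.md
@@ -0,0 +1,14 @@
+# AMD SEV confidential guest utilities
+
+This package provides utilities for launching AMD SEV confidential guests.
+
+## Calculating expected launch digests
+
+The `CalculateLaunchDigest` function can be used to calculate the expected
+SHA-256 of an SEV confidential guest given its firmware, kernel, initrd, and
+kernel command-line.
+
+### Unit test data
+
+The [`testdata`](testdata) directory contains file used for testing
+`CalculateLaunchDigest`.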
@ -152,11 +152,13 @@ func CalculateLaunchDigest(firmwarePath, kernelPath, initrdPath, cmdline string)
|
|||||||
return res, err
|
return res, err
|
||||||
}
|
}
|
||||||
|
|
||||||
ht, err := constructSevHashesTable(kernelPath, initrdPath, cmdline)
|
if kernelPath != "" {
|
||||||
if err != nil {
|
ht, err := constructSevHashesTable(kernelPath, initrdPath, cmdline)
|
||||||
return res, err
|
if err != nil {
|
||||||
|
return res, err
|
||||||
|
}
|
||||||
|
digest.Write(ht)
|
||||||
}
|
}
|
||||||
digest.Write(ht)
|
|
||||||
|
|
||||||
copy(res[:], digest.Sum(nil))
|
copy(res[:], digest.Sum(nil))
|
||||||
return res, nil
|
return res, nil
|
||||||
|
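Review bot: The new `if kernelPath != ""` guard silently drops initrdPath and cmdline from the measurement whenever kernelPath is empty, so a caller that passes an initrd or a command line without a kernel gets a launch digest that does not cover them and no error to tell it so; anything that later compares a guest's measurement against that digest could then accept an unmeasured initrd/cmdline. Reject the inconsistent combination explicitly before the guard, e.g. `if kernelPath == "" && (initrdPath != "" || cmdline != "") { return res, fmt.Errorf("initrd or cmdline given without a kernel: cannot build the SEV hashes table") }` (using whichever of fmt/errors sev.go already imports; its import block is not in view). The unchecked `digest.Write(ht)` is fine since hash.Hash's Write is documented never to return an error, but a short comment saying so would stop the next reader from "fixing" it. The body of CalculateLaunchDigest starts before this hunk.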
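--- /dev/null
+++ b/src/runtime/pkg/sev/sev_test.go
@@ -0,0 +1,32 @@
+// Copyright contributors to AMD SEV/-ES in Go
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sev
+
+import (
+	"encoding/hex"
+	"testing"
+)
+
+func TestCalculateLaunchDigestWithoutKernelHashes(t *testing.T) {
+	ld, err := CalculateLaunchDigest("testdata/ovmf_suffix.bin", "", "", "")
+	if err != nil {
+		t.Fatalf("unexpected err value: %s", err)
+	}
+	hexld := hex.EncodeToString(ld[:])
+	if hexld != "b184e06e012366fd7b33ebfb361a515d05f00d354dca07b36abbc1e1e177ced5" {
+		t.Fatalf("wrong measurement: %s", hexld)
+	}
+}
+
+func TestCalculateLaunchDigestWithKernelHashes(t *testing.T) {
+	ld, err := CalculateLaunchDigest("testdata/ovmf_suffix.bin", "/dev/null", "/dev/null", "")
+	if err != nil {
+		t.Fatalf("unexpected err value: %s", err)
+	}
+	hexld := hex.EncodeToString(ld[:])
+	if hexld != "d59d7696efd7facfaa653758586e6120c4b6eaec3e327771d278cc6a44786ba5" {
+		t.Fatalf("wrong measurement: %s", hexld)
+	}
+}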
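Review bot: Neither test shows that the kernel command-line or the initrd contents actually feed the digest: TestCalculateLaunchDigestWithKernelHashes passes /dev/null for both files and an empty cmdline, so an implementation that ignored cmdline entirely would still match the pinned value. Since the whole point of the hashes table is to bind those inputs to the measurement, add a test that two different command-lines yield different digests; ld is an array (the tests slice it with ld[:]), so two results can be compared with ==. The pinned hex constants also carry no note on how they were produced; a comment above each such as `// expected value computed with an independent SEV measurement tool from the same firmware suffix and inputs` (naming the tool actually used) would let a maintainer re-derive them instead of trusting the constant. Using /dev/null as the kernel and initrd path ties the tests to a POSIX host, which is acceptable for this runtime but worth a one-line comment.
```go
// Two different command-lines must produce two different launch digests,
// otherwise the hashes table is not binding the cmdline.
func TestCalculateLaunchDigestBindsCmdline(t *testing.T) {
	a, err := CalculateLaunchDigest("testdata/ovmf_suffix.bin", "/dev/null", "/dev/null", "")
	if err != nil {
		t.Fatalf("unexpected err value: %s", err)
	}
	b, err := CalculateLaunchDigest("testdata/ovmf_suffix.bin", "/dev/null", "/dev/null", "console=ttyS0")
	if err != nil {
		t.Fatalf("unexpected err value: %s", err)
	}
	if a == b {
		t.Fatalf("launch digest does not depend on the kernel command-line: %x", a)
	}
}
```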
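--- /dev/null
+++ b/src/runtime/pkg/sev/testdata/README.md
@@ -0,0 +1,9 @@
+# sev/testdata
+
+The `ovmf_suffix.bin` contains the last 4KB of the `OVMF.fd` binary from edk2's
+`OvmfPkg/AmdSev/AmdSevX64.dsc` build. To save space, we committed only the
+last 4KB instead of the the full 4MB binary.
+
+The end of the file contains a GUIDed footer table with entries that hold the
+SEV-ES AP reset vector address, which is needed in order to compute VMSAs for
+SEV-ES guests.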
BIN
src/runtime/pkg/sev/testdata/ovmf_suffix.bin
vendored
Normal file
BIN
src/runtime/pkg/sev/testdata/ovmf_suffix.bin
vendored
Normal file