From c2b18f9660eed6a414a281b7b53c080471651e45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 24 Oct 2024 10:42:41 +0200 Subject: [PATCH 01/13] workflows: Store rootfs dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit So far we haven't been storing the rootfs dependencies as part of our workflows, but we better do it to re-use them as part of the rootfs build. Signed-off-by: Fabiano Fidêncio --- .github/workflows/build-kata-static-tarball-amd64.yaml | 2 +- .github/workflows/build-kata-static-tarball-arm64.yaml | 2 +- .github/workflows/build-kata-static-tarball-ppc64le.yaml | 2 +- .github/workflows/build-kata-static-tarball-s390x.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index 27a00c11da..77af603fea 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -134,7 +134,7 @@ jobs: push-to-registry: true - name: store-artifact ${{ matrix.asset }} - if: ${{ matrix.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }} + if: ${{ matrix.stage != 'release' }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }} diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index a4df332892..7d0e170471 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml 
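Review bot: The new condition `if: ${{ matrix.stage != 'release' }}` stores nothing at all in the release stage, which is strictly narrower than the condition it replaces (every asset except agent, coco-guest-components and pause-image used to be kept in release), yet the commit message says the goal is to keep the rootfs dependencies around so a later rootfs build can reuse them. If that later job is meant to run in every stage, the guard probably has to be dropped rather than tightened; as written a release run leaves no `kata-artifacts-amd64-*` artifact for any downstream `download-artifact` step to fetch. Whether release runs obtain the components some other way (for example from the registry cache) is not visible in this hunk, so please confirm the intent before merging.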
@@ -75,7 +75,7 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} - if: ${{ inputs.stage != 'release' || matrix.asset != 'agent' }} + if: ${{ inputs.stage != 'release' }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }} diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml index 79e7ad5b78..8da80c391f 100644 --- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml +++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml @@ -76,7 +76,7 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} - if: ${{ inputs.stage != 'release' || matrix.asset != 'agent' }} + if: ${{ inputs.stage != 'release' }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }} diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index 693f81a478..a546419f23 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -106,7 +106,7 @@ jobs: push-to-registry: true - name: store-artifact ${{ matrix.asset }} - if: ${{ inputs.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }} + if: ${{ inputs.stage != 'release' }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }} From eb07a809ce025bc20589f609893ffe33b9c05e4f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Thu, 24 Oct 2024 12:27:35 +0200
Subject: [PATCH 02/13] tests: Add a helper script to use prebuild components
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is a helper script that does basically what's already being done by the s390x CI, which is:
* Move a folder with the components that we were stored / downloaded during the GHA execution to the expected `build` location
* Get rid of the dependencies for a specific asset, as the dependencies are already pulled in from previous GHA steps

For now this script is only being added but not yet executed anywhere, and that will come as the next step in this series.

Signed-off-by: Fabiano Fidêncio
---
 .../gha-adjust-to-use-prebuilt-components.sh | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100755 tests/gha-adjust-to-use-prebuilt-components.sh

diff --git a/tests/gha-adjust-to-use-prebuilt-components.sh b/tests/gha-adjust-to-use-prebuilt-components.sh
new file mode 100755
index 0000000000..b16c5e3b4b
--- /dev/null
+++ b/tests/gha-adjust-to-use-prebuilt-components.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+this_script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+repo_root_dir="$(cd "${this_script_dir}/../" && pwd)"
+
+base_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build"
+build_dir="${base_dir}/build"
+
+function main() {
+ artifacts_dir="${1:-}"
+ asset="${2:-}"
+
+ if [ -z "${artifacts_dir}" ]; then
+ echo "The artefacts directory must be passed as the first argument to this script."
+ exit 1
+ fi
+
+ if [ -z "${asset}" ]; then
+ echo "The asset must be passed as the second argument to this script."
+ exit 1
+ fi
+
+ mv ${artifacts_dir} ${build_dir}
+ sed -i "s/\(^${asset}-tarball:\).*/\1/g" ${base_dir}/Makefile
+}
+
+main "$@"
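Review bot: `mv ${artifacts_dir} ${build_dir}` produces the wrong layout whenever `${build_dir}` already exists — `mv` then moves the artifacts directory *into* it as `build/kata-artifacts` — and the `sed` on the following line has just stripped the `${asset}-tarball` prerequisites from the Makefile, so `make` would run against a build directory that lacks the very tarballs this script was meant to provide; both expansions are unquoted and nothing verifies that `${artifacts_dir}` exists. The usage errors are printed to stdout rather than stderr. `${asset}` is interpolated unescaped into the `sed` regex, which is acceptable while callers pass matrix asset names, but deserves a comment such as `# asset is a Makefile target name from the workflow matrix, never user input`. A guarded, quoted tail for main() is below; if a pre-existing `build` directory is legitimate in some flow, replace the refusal with an explicit cleanup instead of letting `mv` nest.
```shell
	# … unchanged: argument presence checks …
	[ -d "${artifacts_dir}" ] || { echo "Artifacts directory ${artifacts_dir} does not exist." >&2; exit 1; }
	[ ! -e "${build_dir}" ] || { echo "${build_dir} already exists; refusing to move ${artifacts_dir} into it." >&2; exit 1; }
	mv -- "${artifacts_dir}" "${build_dir}"
	sed -i "s/\(^${asset}-tarball:\).*/\1/g" "${base_dir}/Makefile"
```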
From 13ea082531405d3b7f398722c919d34c9e06dbc0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 24 Oct 2024 11:13:31 +0200 Subject: [PATCH 03/13] workflows: Build rootfs after its deps are built MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit By doing this we can just re-use the dependencies already built, saving us a reasonable amount of time. Signed-off-by: Fabiano Fidêncio --- .../build-kata-static-tarball-amd64.yaml | 71 +++++++++++++++-- .../build-kata-static-tarball-arm64.yaml | 64 ++++++++++++++- .../build-kata-static-tarball-ppc64le.yaml | 69 ++++++++++++++++- .../build-kata-static-tarball-s390x.yaml | 77 ++++++++++++++++--- 4 files changed, 259 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index 77af603fea..abd8edd08b 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -53,11 +53,6 @@ jobs: - qemu - qemu-snp-experimental - stratovirt - - rootfs-image - - rootfs-image-confidential - - rootfs-image-mariner - - rootfs-initrd - - rootfs-initrd-confidential - runk - trace-forwarder - virtiofsd 
@@ -142,6 +137,70 @@ jobs: retention-days: 15 if-no-files-found: error + build-asset-rootfs: + runs-on: ubuntu-22.04 + needs: build-asset + strategy: + matrix: + asset: + - rootfs-image + - rootfs-image-confidential + - rootfs-image-mariner + - rootfs-initrd + - rootfs-initrd-confidential + steps: + - name: Login to Kata Containers quay.io + if: ${{ inputs.push-to-registry == 'yes' }} + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 # This is needed in order to keep the commit ids history + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + + - name: Build ${{ matrix.asset }} + id: build + run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/. 
+ env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} + ARTEFACT_REGISTRY: ghcr.io + ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} + ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + TARGET_BRANCH: ${{ inputs.target-branch }} + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 15 + if-no-files-found: error + build-asset-shim-v2: runs-on: ubuntu-22.04 needs: build-asset @@ -192,7 +251,7 @@ jobs: create-kata-tarball: runs-on: ubuntu-22.04 - needs: [build-asset, build-asset-shim-v2] + needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index 7d0e170471..f7d5649948 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -35,8 +35,6 @@ jobs: - nydus - qemu - stratovirt - - rootfs-image - - rootfs-initrd - virtiofsd steps: - name: Login to Kata Containers quay.io 
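Review bot: The new `build-asset-rootfs` job assumes `kata-artifacts` is populated, but its only input is the `build-asset` upload that this workflow gates on `matrix.stage != 'release'`, while the rootfs job's own `store-artifact` step has no gate at all; in a release run the `download-artifact` pattern `kata-artifacts-amd64-*` matches nothing, and the first line of the Build step, `./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"`, either fails on the missing directory or, if the action created an empty one, strips the `${KATA_ASSET}-tarball` prerequisites and builds the rootfs from an empty build directory. Whether release runs obtain the components another way is not visible here. A fail-fast before the helper makes the assumption explicit: `ls kata-artifacts/kata-static-*.tar.* >/dev/null 2>&1 || { echo "no prebuilt components were downloaded" >&2; exit 1; }`. The `ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}` push path copied from `build-asset` also requires this new job to inherit `packages: write`; the workflow's `permissions:` block lies outside the hunk.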
@@ -74,6 +72,66 @@ jobs: TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 15 + if-no-files-found: error + + build-asset-rootfs: + runs-on: arm64-builder + needs: build-asset + strategy: + matrix: + asset: + - rootfs-image + - rootfs-initrd + steps: + - name: Login to Kata Containers quay.io + if: ${{ inputs.push-to-registry == 'yes' }} + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 # This is needed in order to keep the commit ids history + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + + - name: Build ${{ matrix.asset }} + run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/. 
+ env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} + ARTEFACT_REGISTRY: ghcr.io + ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} + ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + TARGET_BRANCH: ${{ inputs.target-branch }} + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + - name: store-artifact ${{ matrix.asset }} if: ${{ inputs.stage != 'release' }} uses: actions/upload-artifact@v4 @@ -132,7 +190,7 @@ jobs: create-kata-tarball: runs-on: arm64-builder - needs: [build-asset, build-asset-shim-v2] + needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] steps: - name: Adjust a permission for repo run: | diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml index 8da80c391f..77607d8789 100644 --- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml +++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml @@ -30,7 +30,6 @@ jobs: - agent - kernel - qemu - - rootfs-initrd - virtiofsd stage: - ${{ inputs.stage }} 
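Review bot: The `if: ${{ inputs.stage != 'release' }}` gate lands on the wrong step in this hunk: the added block inserts a new, unconditional `store-artifact` into `build-asset`, and the pre-existing gated `store-artifact` (the trailing context lines) becomes the last step of `build-asset-rootfs`, so on arm64 `build-asset` now always uploads and the rootfs never uploads in release. That is the reverse of the amd64, ppc64le and s390x workflows in this same series, where `build-asset` is gated and the rootfs upload is not. Whichever policy is intended, the four workflows should agree; moving the `if: ${{ inputs.stage != 'release' }}` line from the trailing rootfs step to the new `build-asset` step restores parity with the other three.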
@@ -84,6 +83,72 @@ jobs: retention-days: 1 if-no-files-found: error + build-asset-rootfs: + runs-on: ppc64le + needs: build-asset + strategy: + matrix: + asset: + - rootfs-initrd + stage: + - ${{ inputs.stage }} + steps: + - name: Prepare the self-hosted runner + run: | + ${HOME}/scripts/prepare_runner.sh + sudo rm -rf $GITHUB_WORKSPACE/* + + - name: Login to Kata Containers quay.io + if: ${{ inputs.push-to-registry == 'yes' }} + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 # This is needed in order to keep the commit ids history + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + + - name: Build ${{ matrix.asset }} + run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/. 
+ env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} + ARTEFACT_REGISTRY: ghcr.io + ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} + ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + TARGET_BRANCH: ${{ inputs.target-branch }} + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 1 + if-no-files-found: error + build-asset-shim-v2: runs-on: ppc64le needs: build-asset @@ -138,7 +203,7 @@ jobs: create-kata-tarball: runs-on: ppc64le - needs: [build-asset, build-asset-shim-v2] + needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] steps: - name: Adjust a permission for repo run: | diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index a546419f23..b948bf3925 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -38,10 +38,6 @@ jobs: - kernel-confidential - pause-image - qemu - - rootfs-image - - rootfs-image-confidential - - rootfs-initrd - - rootfs-initrd-confidential - virtiofsd env: PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }} 
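Review bot: `sudo rm -rf $GITHUB_WORKSPACE/*` in the new job's "Prepare the self-hosted runner" step runs as root with an unquoted, unguarded variable; should `GITHUB_WORKSPACE` ever be empty on that self-hosted `ppc64le` runner the command becomes `rm -rf /*`. The line mirrors the existing `build-asset` step, but since it is new code here it is a good place to harden it: `sudo rm -rf -- "${GITHUB_WORKSPACE:?}"/*`. Note also that `${HOME}/scripts/prepare_runner.sh` executes a script that lives on the runner rather than in the repository, so what it does to the workspace cannot be reviewed from this diff.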
@@ -114,9 +110,72 @@ jobs: retention-days: 15 if-no-files-found: error - build-asset-boot-image-se: + build-asset-rootfs: runs-on: s390x needs: build-asset + strategy: + matrix: + asset: + - rootfs-image + - rootfs-image-confidential + - rootfs-initrd + - rootfs-initrd-confidential + steps: + - name: Login to Kata Containers quay.io + if: ${{ inputs.push-to-registry == 'yes' }} + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 # This is needed in order to keep the commit ids history + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + + - name: Build ${{ matrix.asset }} + id: build + run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/. 
+ env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} + ARTEFACT_REGISTRY: ghcr.io + ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} + ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + TARGET_BRANCH: ${{ inputs.target-branch }} + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 15 + if-no-files-found: error + + build-asset-boot-image-se: + runs-on: s390x + needs: [build-asset, build-asset-rootfs] steps: - uses: actions/checkout@v4 @@ -142,11 +201,7 @@ jobs: - name: Build boot-image-se run: | - base_dir=tools/packaging/kata-deploy/local-build/ - cp -r kata-artifacts ${base_dir}/build - # Skip building dependant artifacts of boot-image-se-tarball - # because we already have them from the previous build - sed -i 's/\(^boot-image-se-tarball:\).*/\1/g' ${base_dir}/Makefile + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "boot-image-se" make boot-image-se-tarball build_dir=$(readlink -f build) sudo cp -r "${build_dir}" "kata-build" @@ -212,7 +267,7 @@ jobs: create-kata-tarball: runs-on: s390x - needs: [build-asset, build-asset-boot-image-se, build-asset-shim-v2] + needs: [build-asset, build-asset-rootfs, build-asset-boot-image-se, build-asset-shim-v2] steps: - uses: actions/checkout@v4 with: From 6ea036987841c9ff87573b09a6de62a035d32069 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 24 Oct 2024 16:21:52 +0200 Subject: [PATCH 04/13] workflows: build: Ensure rootfs is built before shim-v2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As the rootfs will have what we need to add as part of the shim-v2 configuration files for measured rootfs, we **must** ensure this is built **before** shim-v2. Signed-off-by: Fabiano Fidêncio --- .github/workflows/build-kata-static-tarball-amd64.yaml | 2 +- .github/workflows/build-kata-static-tarball-arm64.yaml | 2 +- .github/workflows/build-kata-static-tarball-ppc64le.yaml | 2 +- .github/workflows/build-kata-static-tarball-s390x.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index abd8edd08b..f4c761e9e3 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -203,7 +203,7 @@ jobs: build-asset-shim-v2: runs-on: ubuntu-22.04 - needs: build-asset + needs: [build-asset, build-asset-rootfs] steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index f7d5649948..d0a38d98c8 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -143,7 +143,7 @@ jobs: build-asset-shim-v2: runs-on: arm64-builder - needs: build-asset + needs: [build-asset, build-asset-rootfs] steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml index 77607d8789..a1838b1b8c 100644 --- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml 
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml @@ -151,7 +151,7 @@ jobs: build-asset-shim-v2: runs-on: ppc64le - needs: build-asset + needs: [build-asset, build-asset-rootfs] steps: - name: Prepare the self-hosted runner run: | diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index b948bf3925..aee654d764 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -219,7 +219,7 @@ jobs: build-asset-shim-v2: runs-on: s390x - needs: build-asset + needs: [build-asset, build-asset-rootfs] steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} From a65946bcb0b14e6808cd846e47bd0268bdff260c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 24 Oct 2024 16:27:38 +0200 Subject: [PATCH 05/13] workflows: build: Ensure rootfs is present for shim-v2 build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's ensure that we get the already built rootfs tarball from previous steps of the action at the time we're building the shim-v2. The reason we do that is because the rootfs binary tarballs has a root_hash.txt file that contains the information needed the shim-v2 build scripts to add the measured rootfs arguments to the shim-v2 configuration files. Signed-off-by: Fabiano Fidêncio --- .github/workflows/build-kata-static-tarball-amd64.yaml | 8 ++++++++ .github/workflows/build-kata-static-tarball-arm64.yaml | 8 ++++++++ .github/workflows/build-kata-static-tarball-ppc64le.yaml | 8 ++++++++ .github/workflows/build-kata-static-tarball-s390x.yaml | 8 ++++++++ 4 files changed, 32 insertions(+) diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index f4c761e9e3..00fcd964ce 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml 
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -224,9 +224,17 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + - name: Build shim-v2 id: build run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index d0a38d98c8..4f549c5fb3 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -164,8 +164,16 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + - name: Build shim-v2 run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml index a1838b1b8c..d322db9bde 100644 --- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml +++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml 
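Review bot: The added `download-artifact` step uses `pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}` with `merge-multiple: true`, so every matching artifact is flattened into one directory; when `tarball-suffix` is empty the pattern degrades to a bare `kata-artifacts-amd64-*`, which also matches artifacts uploaded with a non-empty suffix if this reusable workflow is invoked more than once in the same run. That matters more for this step than for the earlier ones using the same pattern, because the shim-v2 build now takes `root_hash.txt` from whichever `kata-static-rootfs-image-confidential.tar.xz` ends up in that directory and bakes it into the runtime configuration, so a collision would silently embed the wrong rootfs measurement. Whether multiple invocations can share a run is not visible here; if they can, either give each invocation a distinct artifact prefix or fail the Build step when more than one confidential image tarball is present before calling the helper.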
@@ -177,8 +177,16 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + - name: Build shim-v2 run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index aee654d764..599e512e55 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -240,9 +240,17 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + - name: Build shim-v2 id: build run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink From ef29824db9cff807968448257d819bdb0a95f697 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 24 Oct 2024 22:27:18 +0200 Subject: [PATCH 06/13] runtime: Don't do measured rootfs for "vanilla" kernel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We may decide to add this later on, but for now this is only targetting TEEs and the confidential image / initrd. Signed-off-by: Fabiano Fidêncio --- src/runtime/Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 06fa601274..c941272c3f 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile 
@@ -151,7 +151,6 @@ FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd SNPCERTSPATH := /opt/snp/cert_chain.cert ROOTMEASURECONFIG ?= "" -KERNELPARAMS += $(ROOTMEASURECONFIG) KERNELTDXPARAMS += $(ROOTMEASURECONFIG) # Name of default configuration file the runtime will use. From d2d9792720af55d5ae7f282b450dbfc3cab9794e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 23 Oct 2024 18:36:04 +0200 Subject: [PATCH 07/13] build: Don't leave cached component behind if it can't be used MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's ensure we remove the component and any extra tarball provided by ORAS in case the cached component cannot be used. Signed-off-by: Fabiano Fidêncio --- .../packaging/kata-deploy/local-build/kata-deploy-binaries.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 316ecd257c..174a2a1f86 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -206,8 +206,8 @@ install_cached_tarball_component() { rm -f ${component}-version rm -f ${component}-builder-image-version - [ "${cached_image_version}" != "${current_image_version}" ] && return 1 - [ "${cached_version}" != "${current_version}" ] && return 1 + [ "${cached_image_version}" != "${current_image_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}") + [ "${cached_version}" != "${current_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}") sha256sum -c "${component}-sha256sum" || return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}") info "Using cached tarball of ${component}" From 9c84998de9d0ea6f80a4fd83f814df3fa89783c7 Mon Sep 17 00:00:00 2001 
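Review bot: `return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")` on the two changed lines makes the return status depend on what `cleanup_and_fail` writes to stdout, not on its exit code: the substitution expands to nothing only while the helper stays silent, in which case `return` falls back to `$?`, and if it ever prints a line the result is `return: numeric argument required`. The existing `sha256sum -c` line already uses this idiom, so the new lines are consistent with it, but the plain form is safer and equally short: `[ "${cached_version}" != "${current_version}" ] && { cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}"; return 1; }` (likewise for the image-version line). The body of `cleanup_and_fail` is outside this hunk, so whether it is silent cannot be confirmed here.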
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 23 Oct 2024 19:38:40 +0200 Subject: [PATCH 08/13] build: cache: Cache root_hash.txt used by the shim-v2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's cache the root_hash.txt from the confidential image so we can use them later on to decide whether there was a rootfs change that would require shim-v2 to be rebuilt. Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries.sh | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 174a2a1f86..f673f5edfe 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -1145,6 +1145,21 @@ handle_build() { fi tar tvf "${modules_final_tarball_path}" ;; + shim-v2) + if [ "${MEASURED_ROOTFS}" = "yes" ]; then + local image_conf_tarball="${workdir}/kata-static-rootfs-image-confidential.tar.xz" + if [ ! -f "${image_conf_tarball}" ]; then + die "Building the shim-v2 with MEASURED_ROOTFS support requires a rootfs confidential image tarball" + fi + + local root_hash_basedir="./opt/kata/share/kata-containers/" + if ! tar xvf ${image_conf_tarball} ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,; then + die "Building the shim-v2 with MEASURED_ROOTFS support requres a rootfs confidential image tarball built with MEASURED_ROOTFS support" + fi + + mv root_hash.txt shim-v2-root_hash.txt + fi + ;; esac pushd ${workdir} @@ -1210,6 +1225,13 @@ handle_build() { "kata-static-${build_target}-modules.tar.xz" ) ;; + shim-v2) + if [ "${MEASURED_ROOTFS}" = "yes" ]; then + files_to_push+=( + "shim-v2-root_hash.txt" + ) + fi + ;; *) ;; esac From 9c8b20b2bf7f5060551b27aa4842224bd5618385 Mon Sep 17 00:00:00 2001 
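Review bot: `tar xvf ${image_conf_tarball} ${root_hash_basedir}root_hash.txt --transform ...` extracts `root_hash.txt` into the current working directory and `mv root_hash.txt shim-v2-root_hash.txt` renames it there, but the `pushd ${workdir}` that follows and the `files_to_push+=( "shim-v2-root_hash.txt" )` entry in the second hunk refer to the file relative to `${workdir}`; the two only line up if `handle_build` already runs from `${workdir}`, which this hunk does not show. Extracting and renaming with explicit paths removes the dependency on cwd: `tar xf "${image_conf_tarball}" -C "${workdir}" --transform "s,${root_hash_basedir},," "${root_hash_basedir}root_hash.txt"` followed by `mv "${workdir}/root_hash.txt" "${workdir}/shim-v2-root_hash.txt"`. Both variables in the `tar` call are unquoted, and `${MEASURED_ROOTFS}` is read without a default, so under `set -u` an unset value would abort this case unless a default is assigned above the hunk. The second `die` message also has a typo: "requres" should be "requires".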
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 24 Oct 2024 20:17:55 +0200 Subject: [PATCH 09/13] build: shim-v2: Rebuild if root_hashes do not match MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's make sure we take the root_hashes into consideration to decide whether the shim-v2 should or should not be used from the cached artefacts. Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries.sh | 44 +++++++++++++++++++ tools/packaging/static-build/shim-v2/build.sh | 3 +- 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index f673f5edfe..95dfb22771 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -166,6 +166,12 @@ get_kernel_modules_dir() { echo ${kernel_modules_dir} } +cleanup_and_fail_shim_v2_specifics() { + rm -f "${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/shim-v2-root_hash.txt" + + return $(cleanup_and_fail "${1:-}" "${2:-}") +} + cleanup_and_fail() { local component_tarball_name="${1:-}" local extra_tarballs="${2:-}" 
@@ -184,6 +190,36 @@ cleanup_and_fail() { return 1 } +install_cached_shim_v2_tarball_get_root_hash() { + if [ "${MEASURED_ROOTFS}" != "yes" ]; then + return 0 + fi + + local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build" + local image_conf_tarball="kata-static-rootfs-image-confidential.tar.xz" + + local root_hash_basedir="./opt/kata/share/kata-containers/" + + tar xvf "${tarball_dir}/${image_conf_tarball}" ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},, + mv root_hash.txt "${tarball_dir}/root_hash.txt" + + return 0 +} + +install_cached_shim_v2_tarball_compare_root_hashes() { + if [ "${MEASURED_ROOTFS}" != "yes" ]; then + return 0 + fi + + local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build" + + [ -f shim-v2-root_hash.txt ] || return 1 + + diff "${tarball_dir}/root_hash.txt" shim-v2-root_hash.txt || return 1 + + return 0 +} + install_cached_tarball_component() { if [ "${USE_CACHE}" != "yes" ]; then return 1 @@ -198,6 +234,10 @@ install_cached_tarball_component() { # "tarball1_name:tarball1_path tarball2_name:tarball2_path ... tarballN_name:tarballN_path" local extra_tarballs="${6:-}" + if [ "${component}" = "shim-v2" ]; then + install_cached_shim_v2_tarball_get_root_hash + fi + oras pull ${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) || return 1 cached_version="$(cat ${component}-version)" 
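Review bot: `install_cached_shim_v2_tarball_get_root_hash` runs `tar xvf "${tarball_dir}/${image_conf_tarball}"` without checking that the confidential image tarball exists, extracts into cwd before moving the file into `${tarball_dir}`, and its status is ignored at the call site (`install_cached_shim_v2_tarball_get_root_hash` is invoked bare), so a missing tarball either aborts the whole build if the script runs with errexit or leaves a stale `root_hash.txt` from an earlier run in place — which of the two applies is not visible here. A presence check and a direct extraction keep the failure local and explicit: `[ -f "${tarball_dir}/${image_conf_tarball}" ] || return 1`, then `tar xf "${tarball_dir}/${image_conf_tarball}" -C "${tarball_dir}" --transform "s,${root_hash_basedir},," "${root_hash_basedir}root_hash.txt"`, with `install_cached_shim_v2_tarball_get_root_hash || return 1` at the call site. The `[ -f shim-v2-root_hash.txt ] || return 1` in the compare helper is the right fail-closed default for cache entries pushed before this series, and is worth a one-line comment saying so.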
@@ -210,6 +250,10 @@ install_cached_tarball_component() { [ "${cached_version}" != "${current_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}") sha256sum -c "${component}-sha256sum" || return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}") + if [ "${component}" = "shim-v2" ]; then + install_cached_shim_v2_tarball_compare_root_hashes || return $(cleanup_and_fail_shim_v2_specifics "${component_tarball_path}" "${extra_tarballs}") + fi + info "Using cached tarball of ${component}" mv "${component_tarball_name}" "${component_tarball_path}" diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh index 9a1160f7bf..3944b09284 100755 --- a/tools/packaging/static-build/shim-v2/build.sh +++ b/tools/packaging/static-build/shim-v2/build.sh @@ -28,7 +28,8 @@ EXTRA_OPTS="${EXTRA_OPTS:-""}" if [ "${MEASURED_ROOTFS}" == "yes" ]; then info "Enable rootfs measurement config" - root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt" + root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/root_hash.txt" + [ -f "$root_hash_file" ] || \ die "Root hash file for measured rootfs not found at ${root_hash_file}" From d537932e66f0e2203f1a8a80f4942cfb1a1a1c35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 23 Oct 2024 17:42:56 +0200 Subject: [PATCH 10/13] build: shim-v2: Ensure MEASURED_ROOTFS is exported MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The approach taken for now is to export MEASURED_ROOTFS=yes on the workflow files for the architectures using confidential stuff, and leave the "normal" build without having it set (to avoid any change of expectation on the current bevahiour). 
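Review bot: In the part of this series that is visible, the new `root_hash_file` location is only populated by `install_cached_shim_v2_tarball_get_root_hash`, which `install_cached_tarball_component` reaches only when `USE_CACHE=yes`; with the cache disabled and `MEASURED_ROOTFS=yes` nothing shown here writes `local-build/build/root_hash.txt`, so this `die` would fire on a plain uncached build unless an earlier patch of the series (not visible) has the rootfs build drop the file there. Either way the assignment deserves a comment naming the producer, e.g. `# Extracted from kata-static-rootfs-image-confidential.tar.xz by kata-deploy-binaries.sh; a stale copy here presumably ends up as the shim's measured-rootfs root hash, so it must come from the image actually being shipped.` The `if` block continues past the hunk.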
Signed-off-by: Fabiano Fidêncio --- .github/workflows/build-kata-static-tarball-amd64.yaml | 1 + .github/workflows/build-kata-static-tarball-s390x.yaml | 1 + tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh | 1 + 3 files changed, 3 insertions(+) diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index 00fcd964ce..11a016a4ba 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -248,6 +248,7 @@ jobs: ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + MEASURED_ROOTFS: yes - name: store-artifact shim-v2 uses: actions/upload-artifact@v4 diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index 599e512e55..bef76dae66 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -264,6 +264,7 @@ jobs: ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + MEASURED_ROOTFS: yes - name: store-artifact shim-v2 uses: actions/upload-artifact@v4 diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 95dfb22771..47050065b1 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -821,6 +821,7 @@ install_shimv2() { export GO_VERSION export RUST_VERSION + export MEASURED_ROOTFS DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}" } From 7d202fc17330c3b4bf30ef4fe040a01f1d8349a7 Mon Sep 17 00:00:00 2001 
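Review bot: `MEASURED_ROOTFS: yes` is a bare YAML scalar; GitHub's workflow parser appears to keep it as the string `yes` (it only resolves true/false as booleans), but any YAML 1.1 tooling such as yamllint's truthy rule reads it as a boolean, and the consumer in `kata-deploy-binaries.sh` compares against the literal string `"yes"`. Quote it, `MEASURED_ROOTFS: "yes"`, which also matches the explicit string the neighbouring `RELEASE:` expression yields. The same applies to the identical line in the s390x workflow hunk.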
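Review bot: `export MEASURED_ROOTFS` exports nothing when the variable is unset, which the commit message says is the case for the non-confidential builds, while the helpers earlier in this file and `shim-v2/build.sh` dereference `${MEASURED_ROOTFS}` unguarded; if any of those scripts run under `set -u` (not visible here) the normal build aborts instead of skipping the measured-rootfs steps. Give it an explicit default where the script's other tunables are set, `MEASURED_ROOTFS="${MEASURED_ROOTFS:-no}"`, and export that. `install_shimv2` starts before this hunk.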
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 25 Oct 2024 08:54:55 +0200 Subject: [PATCH 11/13] tests: Re-enable measured_rootfs test for TDX MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As we're now building everything needed to test TDX with measured rootfs support, let's bring this test back in (for TDX only, at least for now). Signed-off-by: Fabiano Fidêncio --- .../kubernetes/k8s-measured-rootfs.bats | 22 ++++++++----------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats index a33c457530..7ac3ae3847 100644 --- a/tests/integration/kubernetes/k8s-measured-rootfs.bats +++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats @@ -5,16 +5,14 @@ # SPDX-License-Identifier: Apache-2.0 # +load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/lib.sh" load "${BATS_TEST_DIRNAME}/tests_common.sh" check_and_skip() { - # Currently the kernel-confidential, isn't built withh measured rootfs support, so this test - # should be skipped until it is - # See https://github.com/kata-containers/kata-containers/issues/9612, - # https://github.com/kata-containers/kata-containers/issues/7235 - # and https://github.com/kata-containers/kata-containers/issues/7415 - skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR" + if [ "${KATA_HYPERVISOR}" != "qemu-tdx" ]; then + skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR" + fi } setup() { 
@@ -25,11 +23,10 @@ setup() { @test "Test cannnot launch pod with measured boot enabled and incorrect hash" { pod_config="$(new_pod_config nginx "kata-${KATA_HYPERVISOR}")" - incorrect_hash="5180b1568c2ba972e4e06ee0a55976acae8329f2a5d1d2004395635e1ec4a76e" + incorrect_hash="1111111111111111111111111111111111111111111111111111111111111111" - # Despite the kernel being built with support, it is not currently enabled - # on configuration.toml. To avoid editing that file on the worker node, - # here it will be enabled via pod annotations. + # To avoid editing that file on the worker node, here it will be + # enabled via pod annotations. set_metadata_annotation "$pod_config" \ "io.katacontainers.config.hypervisor.kernel_params" \ "rootfs_verity.scheme=dm-verity rootfs_verity.hash=$incorrect_hash" @@ -45,10 +42,9 @@ setup() { echo "Pod $pod_config file:" cat $pod_config - assert_pod_fail "$pod_config" + kubectl apply -f $pod_config - assert_logs_contain "$node" kata "$node_start_time" \ - 'verity: .* metadata block .* is corrupted' + waitForProcess "60" "3" "exec_host $node journalctl -t kata | grep \"verity: .* metadata block .* is corrupted\"" } teardown() { From d23d057ac74aa3344862c362d140f88fd639c997 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 25 Oct 2024 10:52:18 +0200 Subject: [PATCH 12/13] runtime: Enable measured rootfs for qemu-coco-dev MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's make sure we are prepared to test this with non-TEE environments as well. Signed-off-by: Fabiano Fidêncio --- src/runtime/Makefile | 2 ++ src/runtime/config/configuration-qemu-coco-dev.toml.in | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/runtime/Makefile b/src/runtime/Makefile index c941272c3f..afe0ea0ab6 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile 
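Review bot: The rewritten check no longer scopes the journal search to the test's start time, which the removed `assert_logs_contain "$node" kata "$node_start_time"` did, so `exec_host $node journalctl -t kata | grep ...` can match a verity error logged by an earlier run on the same node and pass even if this pod boots with the wrong hash; it also no longer asserts that the pod fails, which is the property the test exists to enforce. If `node_start_time` is still computed in `setup()` (outside the hunk), use it: `waitForProcess "60" "3" "exec_host $node journalctl -t kata --since \"$node_start_time\" | grep -q 'verity: .* metadata block .* is corrupted'"`, and keep an explicit check that the pod never reaches Running, or add a comment saying why `assert_pod_fail` had to go (presumably the pod hangs rather than failing fast). Also quote `$pod_config` in the `kubectl apply -f` call.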
@@ -152,6 +152,7 @@ SNPCERTSPATH := /opt/snp/cert_chain.cert ROOTMEASURECONFIG ?= "" KERNELTDXPARAMS += $(ROOTMEASURECONFIG) +KERNELQEMUCOCODEVPARAMS += $(ROOTMEASURECONFIG) # Name of default configuration file the runtime will use. CONFIG_FILE = configuration.toml @@ -645,6 +646,7 @@ USER_VARS += DEFMACHINETYPE_CLH USER_VARS += DEFMACHINETYPE_STRATOVIRT USER_VARS += KERNELPARAMS USER_VARS += KERNELTDXPARAMS +USER_VARS += KERNELQEMUCOCODEVPARAMS USER_VARS += LIBEXECDIR USER_VARS += LOCALSTATEDIR USER_VARS += PKGDATADIR diff --git a/src/runtime/config/configuration-qemu-coco-dev.toml.in b/src/runtime/config/configuration-qemu-coco-dev.toml.in index 2373aabaa6..4b94ed61d4 100644 --- a/src/runtime/config/configuration-qemu-coco-dev.toml.in +++ b/src/runtime/config/configuration-qemu-coco-dev.toml.in @@ -73,7 +73,7 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@ # may stop the virtual machine from booting. # To see the list of default parameters, enable hypervisor debug, create a # container and look for 'default-kernel-parameters' log entries. -kernel_params = "@KERNELPARAMS@" +kernel_params = "@KERNELQEMUCOCODEVPARAMS@" # Path to the firmware. # If you want that qemu uses the default firmware leave this option empty From b70d7c1aac30db6807d391baa32263295d307f5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 25 Oct 2024 10:55:32 +0200 Subject: [PATCH 13/13] tests: Enable measured rootfs tests for qemu-coco-dev MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Then it's on pair with what's being tested with TEEs using a rootfs image. Signed-off-by: Fabiano Fidêncio --- tests/integration/kubernetes/k8s-measured-rootfs.bats | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats index 7ac3ae3847..f442496f8c 100644 
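Review bot: `KERNELQEMUCOCODEVPARAMS += $(ROOTMEASURECONFIG)` is the only definition of that variable visible here, and the toml hunk replaces `@KERNELPARAMS@` with `@KERNELQEMUCOCODEVPARAMS@`; unless the variable is seeded from `KERNELPARAMS` elsewhere in the Makefile (outside the hunk), the qemu-coco-dev config drops whatever `KERNELPARAMS` used to contribute and is left with only the measured-rootfs arguments, which are empty by default since `ROOTMEASURECONFIG ?= ""`. If that is intended, say so beside the line; otherwise seed it first with `KERNELQEMUCOCODEVPARAMS := $(KERNELPARAMS)` before the `+=`. A comment such as `# qemu-coco-dev gets the same dm-verity root hash args as TDX so measured rootfs can be exercised without a TEE` would help the next reader.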
--- a/tests/integration/kubernetes/k8s-measured-rootfs.bats +++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats @@ -10,9 +10,14 @@ load "${BATS_TEST_DIRNAME}/lib.sh" load "${BATS_TEST_DIRNAME}/tests_common.sh" check_and_skip() { - if [ "${KATA_HYPERVISOR}" != "qemu-tdx" ]; then - skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR" - fi + case "${KATA_HYPERVISOR}" in + qemu-tdx|qemu-coco-dev) + return + ;; + *) + skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR" + ;; + esac } setup() {