From bafa527be0ec8ead61626024bcf6f4fb9bc8fe63 Mon Sep 17 00:00:00 2001
From: Gabriela Cervantes
Date: Thu, 12 Sep 2024 17:13:52 +0000
Subject: [PATCH 1/2] ci: tdx: Test attestation with ITTS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Intel Tiber Trust Services (formerly known as Intel Trust Authority) is Intel's own attestation service, and we want to take advantage of the TDX CI in order to ensure ITTS works as expected. In order to do so, let's replace the former method used (DCAP) to use ITTS instead.

Signed-off-by: Gabriela Cervantes
Signed-off-by: Fabiano FidĂȘncio
---
 .../kubernetes/confidential_kbs.sh | 26 ++++++++++++-------
 tests/integration/kubernetes/gha-run.sh | 1 +
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh
index 6d2fcd5ed9..33fa53728e 100644
--- a/tests/integration/kubernetes/confidential_kbs.sh
+++ b/tests/integration/kubernetes/confidential_kbs.sh
@@ -17,6 +17,7 @@ source "${kubernetes_dir}/../../../tools/packaging/guest-image/lib_se.sh"
 
 export PATH="${PATH}:/opt/kata/bin"
 KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
+ITA_KEY="${ITA_KEY:-}"
 # Where the trustee (includes kbs) sources will be cloned
 readonly COCO_TRUSTEE_DIR="/tmp/trustee"
 # Where the kbs sources will be cloned
@@ -255,6 +256,13 @@ function kbs_k8s_deploy() {
 	image=$(get_from_kata_deps ".externals.coco-trustee.image")
 	image_tag=$(get_from_kata_deps ".externals.coco-trustee.image_tag")
 
+	# Image tag for TDX
+	if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
+		# The ITA / ITTS images are named as:
+		# ita-as-${image_tag}
+		image_tag=$(echo ${image_tag} | sed 's/built-in/ita/g')
+	fi
+
 	# The ingress handler for AKS relies on the cluster's name which in turn
 	# contain the HEAD commit of the kata-containers repository (supposedly the
 	# current directory). It will be needed to save the cluster's name before
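Review bot: `image_tag=$(echo ${image_tag} | sed 's/built-in/ita/g')` leaves `${image_tag}` unquoted and forks two processes for a substitution the shell does natively; `image_tag="${image_tag//built-in/ita}"` is equivalent and keeps the value intact should it ever contain whitespace or glob characters. The comment above it says the ITA/ITTS images are named `ita-as-${image_tag}`, which only lines up with the substitution if the tag returned by get_from_kata_deps starts with `built-in` (presumably `built-in-as-<version>`); spelling that assumption out, e.g. `# the default tag is built-in-as-<version>; the ITA/ITTS image is ita-as-<version>`, would make the rewrite self-explanatory. kbs_k8s_deploy continues outside the hunk.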
@@ -308,16 +316,14 @@ function kbs_k8s_deploy() {
 
 	echo "::group::Deploy the KBS"
 	if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
-		echo "Setting up custom PCCS for TDX"
-		cat <<- EOF > "${COCO_KBS_DIR}/config/kubernetes/custom_pccs/sgx_default_qcnl.conf"
-{
-  "pccs_url": "https://$(hostname -i | grep -o "^[0-9.]*"):8081/sgx/certification/v4/",
-
-  // To accept insecure HTTPS certificate, set this option to false
-  "use_secure_cert": false
-}
-EOF
-		export DEPLOYMENT_DIR=custom_pccs
+		echo "::group::Setting up ITA/ITTS for TDX"
+		pushd "${COCO_KBS_DIR}/config/kubernetes/ita/"
+		# Let's replace the "tBfd5kKX2x9ahbodKV1..." sample
+		# `api_key`property by a valid ITA/ITTS API key, in the
+		# ITA/ITTS specific configuration
+		sed -i -e "s/tBfd5kKX2x9ahbodKV1.../${ITA_KEY}/g" kbs-config.toml
+		popd
+		export DEPLOYMENT_DIR=ita
 	fi
 
 	./deploy-kbs.sh
diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index 674fc60cf7..2a3e89054a 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -30,6 +30,7 @@ KBS=${KBS:-false}
 KBS_INGRESS=${KBS_INGRESS:-}
 KUBERNETES="${KUBERNETES:-}"
 SNAPSHOTTER="${SNAPSHOTTER:-}"
+ITA_KEY="${ITA_KEY:-}"
 HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-}}"
 NO_PROXY="${NO_PROXY:-${no_proxy:-}}"
 PULL_TYPE="${PULL_TYPE:-default}"

From 66bcfe7369b887a0068ca4e75dfad3a78105c4aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 27 Sep 2024 20:32:19 +0200
Subject: [PATCH 2/2] k8s: kbs: Properly delete ita kustomization
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The ita kustomization for Trustee, as well as previously used one (DCAP), doesn't have a $(uname -m) directory after the deployment directory name. Let's follow the same logic used for the deploy-kbs script and clean those up accordingly.
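Review bot: `sed -i -e "s/tBfd5kKX2x9ahbodKV1.../${ITA_KEY}/g" kbs-config.toml` runs even when `ITA_KEY` is empty (both this file and gha-run.sh default it to `""`), so a missing secret silently turns the sample `api_key` into an empty string and only surfaces later as an attestation failure; guard it first with `: "${ITA_KEY:?ITA_KEY must be set for the qemu-tdx ITA/ITTS deployment}"`. The key is also spliced into the sed expression verbatim, so a `/`, `&` or `\` in it alters the substitution or breaks the command — escape it before use, e.g. `escaped_key=$(printf '%s' "${ITA_KEY}" | sed -e 's,[&|\\],\\&,g')` and `sed -i -e "s|tBfd5kKX2x9ahbodKV1...|${escaped_key}|g" kbs-config.toml`; and because the trailing `...` are regex wildcards, only the first 22 characters of the sample are replaced, which is fine if the placeholder in kbs-config.toml is literally that string but leaves a garbage suffix if it is a longer sample key — worth confirming. After this step the key sits in plaintext in the checkout under `${COCO_KBS_DIR}` and was on the sed argv, so it would appear in a `set -x` trace or a `ps` listing; keeping tracing off around this block avoids that. `echo "::group::Setting up ITA/ITTS for TDX"` opens a log group inside the still-open `::group::Deploy the KBS` with no `::endgroup::` in the hunk, which GitHub Actions does not nest; kbs_k8s_deploy continues outside the hunk.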
Signed-off-by: Fabiano FidĂȘncio
---
 tests/integration/kubernetes/confidential_kbs.sh | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh
index 33fa53728e..b16ad2cc76 100644
--- a/tests/integration/kubernetes/confidential_kbs.sh
+++ b/tests/integration/kubernetes/confidential_kbs.sh
@@ -224,7 +224,12 @@ kbs_uninstall_cli() {
 #
 function kbs_k8s_delete() {
 	pushd "$COCO_KBS_DIR"
-	kubectl delete -k config/kubernetes/overlays/$(uname -m)
+	if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
+		kubectl delete -k config/kubernetes/ita
+	else
+		kubectl delete -k config/kubernetes/overlays/$(uname -m)
+	fi
+
 	# Verify that KBS namespace resources were properly deleted
 	cmd="kubectl get all -n $KBS_NS 2>&1 | grep 'No resources found'"
 	waitForProcess "120" "30" "$cmd"
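Review bot: The new `if` in kbs_k8s_delete hardcodes the same `qemu-tdx` → `config/kubernetes/ita` mapping that kbs_k8s_deploy expresses as `export DEPLOYMENT_DIR=ita`, so the two will drift the next time a kustomization is added or renamed; the commit message says delete should follow deploy-kbs.sh's logic, but nothing in the code ties them together. A small helper returning the kustomization directory, called from both paths, keeps that decision in one place, and it also lets the `config/kubernetes/overlays/$(uname -m)` fallback quote its command substitution. kbs_k8s_delete continues outside the hunk.
```shell
# Kustomization directory used to deploy/delete the KBS for the current hypervisor.
kbs_k8s_kustomization_dir() {
	if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
		echo "config/kubernetes/ita"
	else
		echo "config/kubernetes/overlays/$(uname -m)"
	fi
}

function kbs_k8s_delete() {
	pushd "$COCO_KBS_DIR"
	kubectl delete -k "$(kbs_k8s_kustomization_dir)"

	# … unchanged: KBS namespace cleanup verification …
```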