From da0f92cef850afb4cb244394bca5889bd7be5d20 Mon Sep 17 00:00:00 2001
From: Tobin Feldman-Fitzthum
Date: Thu, 11 May 2023 15:40:37 +0000
Subject: [PATCH 1/5] gha: ci-on-push: Don't skip tests for SEV-SNP

Now that we have SNP artifacts in place and they are built via gha, remove the condition that skips the tests for SNP.

Fixes: #6809
Signed-off-by: Tobin Feldman-Fitzthum
---
 tests/integration/kubernetes/run_kubernetes_tests.sh | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh
index 281d1d878f..daddb756ab 100644
--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
@@ -58,10 +58,6 @@ if [ ${KATA_HYPERVISOR} == "qemu-sev" ]; then
 exit 0
 fi

-if [ ${KATA_HYPERVISOR} == "qemu-snp" ]; then
- exit 0
-fi
-
 # we may need to skip a few test cases when running on non-x86_64 arch
 arch_config_file="${kubernetes_dir}/filter_out_per_arch/${TARGET_ARCH}.yaml"
 if [ -f "${arch_config_file}" ]; then

From 72308ddb079d45253a994a3a34c2c515fc65a8f5 Mon Sep 17 00:00:00 2001
From: Tobin Feldman-Fitzthum
Date: Thu, 11 May 2023 18:37:44 +0000
Subject: [PATCH 2/5] gha: ci-on-push: Don't skip tests for SEV

Now that SEV artifacts are built by GHA, remove conditional that skips tests when using qemu-sev.

Signed-off-by: Tobin Feldman-Fitzthum
---
 tests/integration/kubernetes/run_kubernetes_tests.sh | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh
index daddb756ab..db1e16633c 100644
--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
@@ -54,10 +54,6 @@ else
 )
 fi

-if [ ${KATA_HYPERVISOR} == "qemu-sev" ]; then
- exit 0
-fi
-
 # we may need to skip a few test cases when running on non-x86_64 arch
 arch_config_file="${kubernetes_dir}/filter_out_per_arch/${TARGET_ARCH}.yaml"
 if [ -f "${arch_config_file}" ]; then

From 521dad2a47e8915d279cde15a3f1d2c9bf05dfb8 Mon Sep 17 00:00:00 2001
From: Tobin Feldman-Fitzthum
Date: Thu, 11 May 2023 17:07:08 +0000
Subject: [PATCH 3/5] Tests: skip CPU constraints test on SEV and SNP

Currently Kata does not support memory / CPU hotplug for SEV or SEV-SNP so we need to skip tests that rely on it.

Signed-off-by: Tobin Feldman-Fitzthum
---
 tests/integration/kubernetes/k8s-cpu-ns.bats | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/tests/integration/kubernetes/k8s-cpu-ns.bats b/tests/integration/kubernetes/k8s-cpu-ns.bats
index 4d5f2e8833..f3c69a2f62 100644
--- a/tests/integration/kubernetes/k8s-cpu-ns.bats
+++ b/tests/integration/kubernetes/k8s-cpu-ns.bats
@@ -11,7 +11,9 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
 [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 [ "${KATA_HYPERVISOR}" == "dragonball" ] && skip "test not working see: ${dragonball_limitations}"
- [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "TEEs do not support memory / CPU hotplug"
+ ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] ) \
+ && skip "TEEs do not support memory / CPU hotplug"
+

 pod_name="constraints-cpu-test"
 container_name="first-cpu-container"
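Review bot: The three-way hypervisor check added to setup() is wrapped in `( ... )`, which forks a subshell only to evaluate three string comparisons; `&&` and `||` bind with equal precedence left to right, so the parentheses are not needed, and a single pattern test reads better: `[[ "${KATA_HYPERVISOR}" =~ ^qemu-(tdx|snp|sev)$ ]] && skip "TEEs do not support memory / CPU hotplug"`. The same block is repeated verbatim in the `@test` body and in teardown() (the hunks at -28 and -73), so a shared helper in tests_common.sh, if that file is the right home for one, would keep the three copies from drifting when the next TEE is added. In setup() and in the `@test` body the added empty `+` line sits directly before an existing blank context line, leaving a double blank that the teardown() hunk does not have. setup() continues past the end of this hunk.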
@@ -28,7 +30,9 @@ setup() {
 @test "Check CPU constraints" {
 [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 [ "${KATA_HYPERVISOR}" == "dragonball" ] && skip "test not working see: ${dragonball_limitations}"
- [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "TEEs do not support memory / CPU hotplug"
+ ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] ) \
+ && skip "TEEs do not support memory / CPU hotplug"
+

 # Create the pod
 kubectl create -f "${pod_config_dir}/pod-cpu.yaml"
@@ -73,7 +77,8 @@ setup() {
 teardown() {
 [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 [ "${KATA_HYPERVISOR}" == "dragonball" ] && skip "test not working see: ${dragonball_limitations}"
- [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] && skip "TEEs do not support memory / CPU hotplug"
+ ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] ) \
+ && skip "TEEs do not support memory / CPU hotplug"

 # Debugging information
 kubectl describe "pod/$pod_name"

From 724437efb3d9409dc492bd3913bc246417112312 Mon Sep 17 00:00:00 2001
From: Tobin Feldman-Fitzthum
Date: Thu, 11 May 2023 20:01:48 +0000
Subject: [PATCH 4/5] kata-deploy: add kata-qemu-sev runtimeclass

In order to populate containerd config file with support for SEV, we need to add the qemu-sev shim to the kata-deploy script.

Signed-off-by: Tobin Feldman-Fitzthum
---
 tools/packaging/kata-deploy/scripts/kata-deploy.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
index 68fd59b30d..820ac9d5d0 100755
--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
@@ -18,6 +18,7 @@ shims=(
 "qemu"
 "qemu-nvidia-gpu"
 "qemu-tdx"
+ "qemu-sev"
 "qemu-snp"
 "clh"
 "dragonball"
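Review bot: The commit title announces a kata-qemu-sev runtimeclass, but the kata-deploy hunk only appends `"qemu-sev"` to the `shims` array; if the script derives its containerd handler and RuntimeClass names from that array this is presumably enough, but any RuntimeClass manifest maintained outside this script is not touched anywhere in the series and would need a matching entry — worth confirming before merge. A short comment on the array stating what each entry is expected to have behind it would make that coupling visible to the next person adding a TEE, e.g. `# each shim listed here must have a matching runtime configuration shipped with kata-deploy`. The `shims` array opens before and closes after this hunk.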
From cbb9fe8b812429910832b7874624fc483a9f4329 Mon Sep 17 00:00:00 2001
From: Tobin Feldman-Fitzthum
Date: Tue, 16 May 2023 02:27:20 +0000
Subject: [PATCH 5/5] config: Use standard OVMF with SEV

The AmdSev firmware package should be used with measured direct boot. If the expected hashes are not injected into the firmware binary by the VMM, the guest will not boot. This is required for security. Currently the main branch does not have the extended shim support for SEV, which tells the VMM to inject the expected hashes. We ship the standard OVMF package to use with SNP, so let's switch SEV to that for now. This will need to be changed back when shim support for SEV(-ES) is added to main.

Signed-off-by: Tobin Feldman-Fitzthum
---
 src/runtime/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 7628dc43dd..7e264dfeac 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -130,7 +130,7 @@ FIRMWAREVOLUMEPATH :=
 FIRMWARETDVFPATH := $(PREFIXDEPS)/share/tdvf/OVMF.fd
 FIRMWARETDVFVOLUMEPATH :=

-FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
+FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd

 # Name of default configuration file the runtime will use.
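Review bot: `FIRMWARESEVPATH` now points at the same `OVMF.fd` as `FIRMWARESNPPATH` with nothing in the Makefile recording why, so the next reader sees two identical firmware paths and not the trade-off the commit message spells out: the standard OVMF build does not carry the kernel/initrd hashes that the AmdSev build expects the VMM to inject, so an SEV guest booted from it is not covered by that measured-direct-boot check. Please carry the rationale into the file, e.g. directly above the assignment: `# TODO: SEV should use AMDSEV.fd (measured direct boot); standard OVMF.fd is used until SEV(-ES) shim support for hash injection lands on main`. It would also help to state whether anything still treats the SEV firmware differently from the SNP one now that the two variables hold the same value — presumably the generated qemu-sev configuration, but that is outside this diff.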