From bafa527be0ec8ead61626024bcf6f4fb9bc8fe63 Mon Sep 17 00:00:00 2001
From: Gabriela Cervantes
Date: Thu, 12 Sep 2024 17:13:52 +0000
Subject: [PATCH] ci: tdx: Test attestation with ITTS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Intel Tiber Trust Services (formerly known as Intel Trust Authority) is Intel's own attestation service, and we want to take advantage of the TDX CI in order to ensure ITTS works as expected.

In order to do so, let's replace the former method used (DCAP) to use ITTS instead.

Signed-off-by: Gabriela Cervantes
Signed-off-by: Fabiano FidĂȘncio
---
 .../kubernetes/confidential_kbs.sh | 26 ++++++++++++-------
 tests/integration/kubernetes/gha-run.sh | 1 +
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh
index 6d2fcd5ed9..33fa53728e 100644
--- a/tests/integration/kubernetes/confidential_kbs.sh
+++ b/tests/integration/kubernetes/confidential_kbs.sh
@@ -17,6 +17,7 @@ source "${kubernetes_dir}/../../../tools/packaging/guest-image/lib_se.sh"
 export PATH="${PATH}:/opt/kata/bin"
 KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
+ITA_KEY="${ITA_KEY:-}"
 # Where the trustee (includes kbs) sources will be cloned
 readonly COCO_TRUSTEE_DIR="/tmp/trustee"
 # Where the kbs sources will be cloned
@@ -255,6 +256,13 @@ function kbs_k8s_deploy() {
 	image=$(get_from_kata_deps ".externals.coco-trustee.image")
 	image_tag=$(get_from_kata_deps ".externals.coco-trustee.image_tag")
+	# Image tag for TDX
+	if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
+		# The ITA / ITTS images are named as:
+		# ita-as-${image_tag}
+		image_tag=$(echo ${image_tag} | sed 's/built-in/ita/g')
+	fi
+
 	# The ingress handler for AKS relies on the cluster's name which in turn
 	# contain the HEAD commit of the kata-containers repository (supposedly the
 	# current directory). It will be needed to save the cluster's name before
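Review bot: `image_tag=$(echo ${image_tag} | sed 's/built-in/ita/g')` leaves `${image_tag}` unquoted and forks two processes for a substitution the shell does in place; `image_tag="${image_tag//built-in/ita}"` gives the same result for the simple tag strings read from the deps file and keeps the value quoted. The comment above it, `# ita-as-${image_tag}`, reads as if `ita-as-` were prefixed to the tag, whereas the code rewrites a `built-in` substring inside it (presumably `built-in-as-<tag>` becomes `ita-as-<tag>`); `# The ITA / ITTS images use the same tag with "built-in" replaced by "ita"` would describe what the line does. kbs_k8s_deploy begins and ends outside this hunk.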
@@ -308,16 +316,14 @@ function kbs_k8s_deploy() {
 	echo "::group::Deploy the KBS"
 	if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
-		echo "Setting up custom PCCS for TDX"
-		cat <<- EOF > "${COCO_KBS_DIR}/config/kubernetes/custom_pccs/sgx_default_qcnl.conf"
-{
-	"pccs_url": "https://$(hostname -i | grep -o "^[0-9.]*"):8081/sgx/certification/v4/",
-
-	// To accept insecure HTTPS certificate, set this option to false
-	"use_secure_cert": false
-}
-EOF
-		export DEPLOYMENT_DIR=custom_pccs
+		echo "::group::Setting up ITA/ITTS for TDX"
+		pushd "${COCO_KBS_DIR}/config/kubernetes/ita/"
+		# Let's replace the "tBfd5kKX2x9ahbodKV1..." sample
+		# `api_key`property by a valid ITA/ITTS API key, in the
+		# ITA/ITTS specific configuration
+		sed -i -e "s/tBfd5kKX2x9ahbodKV1.../${ITA_KEY}/g" kbs-config.toml
+		popd
+		export DEPLOYMENT_DIR=ita
 	fi
 	./deploy-kbs.sh
diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index 674fc60cf7..2a3e89054a 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -30,6 +30,7 @@ KBS=${KBS:-false}
 KBS_INGRESS=${KBS_INGRESS:-}
 KUBERNETES="${KUBERNETES:-}"
 SNAPSHOTTER="${SNAPSHOTTER:-}"
+ITA_KEY="${ITA_KEY:-}"
 HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-}}"
 NO_PROXY="${NO_PROXY:-${no_proxy:-}}"
 PULL_TYPE="${PULL_TYPE:-default}"
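Review bot: `sed -i -e "s/tBfd5kKX2x9ahbodKV1.../${ITA_KEY}/g" kbs-config.toml` splices the API key into a sed replacement unescaped, so a key containing `/`, `&` or `\` either aborts sed or is rewritten, and because `ITA_KEY` defaults to the empty string (first hunk of this file) a missing secret silently produces an empty `api_key` and a KBS that only fails later, at attestation time. Check and escape before substituting: `[ -n "${ITA_KEY}" ] || { echo "ITA_KEY must be set for qemu-tdx" >&2; return 1; }`, `ita_key_sed=$(printf '%s' "${ITA_KEY}" | sed -e 's/[\/&\\]/\\&/g')`, `sed -i -e "s/tBfd5kKX2x9ahbodKV1\.\.\./${ita_key_sed}/g" kbs-config.toml` (the escaped dots also stop the placeholder from matching any three characters). The key also appears in sed's argv, where `set -x` tracing or a process listing on the runner would expose it; log masking only applies if the value was registered as a CI secret, so keep tracing off around this block. Separately, `echo "::group::Setting up ITA/ITTS for TDX"` opens a group inside the still-open `::group::Deploy the KBS` with no matching `::endgroup::`, and GitHub Actions does not nest groups, so a plain `echo "Setting up ITA/ITTS for TDX"` is the safer form. kbs_k8s_deploy begins and ends outside this hunk.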