ci: tdx: Test attestation with ITTS

Intel Tiber Trust Services (formerly known as Intel Trust Authority) is
Intel's own attestation service, and we want to take advantage of the
TDX CI in order to ensure ITTS works as expected.

In order to do so, let's replace the method used so far (DCAP) with
ITTS.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
This commit is contained in:
Gabriela Cervantes 2024-09-12 17:13:52 +00:00 committed by Fabiano Fidêncio
parent 86b8c53d27
commit bafa527be0
No known key found for this signature in database
GPG Key ID: EE926C2BDACC177B
2 changed files with 17 additions and 10 deletions


@ -17,6 +17,7 @@ source "${kubernetes_dir}/../../../tools/packaging/guest-image/lib_se.sh"
export PATH="${PATH}:/opt/kata/bin" export PATH="${PATH}:/opt/kata/bin"
KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}" KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
ITA_KEY="${ITA_KEY:-}"
# Where the trustee (includes kbs) sources will be cloned # Where the trustee (includes kbs) sources will be cloned
readonly COCO_TRUSTEE_DIR="/tmp/trustee" readonly COCO_TRUSTEE_DIR="/tmp/trustee"
# Where the kbs sources will be cloned # Where the kbs sources will be cloned
@ -255,6 +256,13 @@ function kbs_k8s_deploy() {
image=$(get_from_kata_deps ".externals.coco-trustee.image") image=$(get_from_kata_deps ".externals.coco-trustee.image")
image_tag=$(get_from_kata_deps ".externals.coco-trustee.image_tag") image_tag=$(get_from_kata_deps ".externals.coco-trustee.image_tag")
# Image tag for TDX
if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
# The ITA / ITTS images are named as:
# ita-as-${image_tag}
image_tag=$(echo ${image_tag} | sed 's/built-in/ita/g')
fi
# The ingress handler for AKS relies on the cluster's name which in turn # The ingress handler for AKS relies on the cluster's name which in turn
# contain the HEAD commit of the kata-containers repository (supposedly the # contain the HEAD commit of the kata-containers repository (supposedly the
# current directory). It will be needed to save the cluster's name before # current directory). It will be needed to save the cluster's name before
@ -308,16 +316,14 @@ function kbs_k8s_deploy() {
echo "::group::Deploy the KBS" echo "::group::Deploy the KBS"
if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then if [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
echo "Setting up custom PCCS for TDX" echo "::group::Setting up ITA/ITTS for TDX"
cat <<- EOF > "${COCO_KBS_DIR}/config/kubernetes/custom_pccs/sgx_default_qcnl.conf" pushd "${COCO_KBS_DIR}/config/kubernetes/ita/"
{ # Let's replace the "tBfd5kKX2x9ahbodKV1..." sample
"pccs_url": "https://$(hostname -i | grep -o "^[0-9.]*"):8081/sgx/certification/v4/", # `api_key`property by a valid ITA/ITTS API key, in the
# ITA/ITTS specific configuration
// To accept insecure HTTPS certificate, set this option to false sed -i -e "s/tBfd5kKX2x9ahbodKV1.../${ITA_KEY}/g" kbs-config.toml
"use_secure_cert": false popd
} export DEPLOYMENT_DIR=ita
EOF
export DEPLOYMENT_DIR=custom_pccs
fi fi
./deploy-kbs.sh ./deploy-kbs.sh
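Review bot: The `sed -i -e "s/tBfd5kKX2x9ahbodKV1.../${ITA_KEY}/g" kbs-config.toml` line in the qemu-tdx branch runs even when `ITA_KEY` is empty (the file defaults it to `""` earlier in this commit), so a missing key silently produces a kbs-config.toml with an empty `api_key` and the failure only shows up later in the attestation flow; add a guard before the `pushd`, e.g. `: "${ITA_KEY:?ITA_KEY must be set when KATA_HYPERVISOR=qemu-tdx}"`. The key is also spliced into the sed replacement unescaped, so a value containing `/`, `&` or `\` would corrupt the substitution; the `...` in the pattern is a regex wildcard rather than a literal, which is presumably intended but worth a comment. Since the key ends up on the sed command line, it is visible to `ps` and to any `set -x` trace of this script, which is worth noting next to the sed call. The nested `echo "::group::Setting up ITA/ITTS for TDX"` is opened while the `::group::Deploy the KBS` group is still open and no matching `::endgroup::` is visible in the hunk. The body of kbs_k8s_deploy starts before and continues past this hunk.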


@ -30,6 +30,7 @@ KBS=${KBS:-false}
KBS_INGRESS=${KBS_INGRESS:-} KBS_INGRESS=${KBS_INGRESS:-}
KUBERNETES="${KUBERNETES:-}" KUBERNETES="${KUBERNETES:-}"
SNAPSHOTTER="${SNAPSHOTTER:-}" SNAPSHOTTER="${SNAPSHOTTER:-}"
ITA_KEY="${ITA_KEY:-}"
HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-}}" HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-}}"
NO_PROXY="${NO_PROXY:-${no_proxy:-}}" NO_PROXY="${NO_PROXY:-${no_proxy:-}}"
PULL_TYPE="${PULL_TYPE:-default}" PULL_TYPE="${PULL_TYPE:-default}"