tests: Enable k8s-confidential-attestation.bats for s390x

For running a KBS with `se-verifier` in service,
specific credentials need to be configured.
(See https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se for details.)

This commit introduces two procedures to support IBM SE attestation:

- Prepare required files and directory structure
- Set necessary environment variables for KBS deployment
- Repackage a secure image once the KBS service address is determined

These changes enable `k8s-confidential-attestation.bats` for s390x.

Fixes: #9933

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This commit is contained in:
Hyounggyu Choi 2024-06-26 12:51:09 +02:00
parent 5d0f74cd70
commit d94b285189
3 changed files with 86 additions and 0 deletions

View File

@ -12,6 +12,9 @@ kubernetes_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${kubernetes_dir}/../../gha-run-k8s-common.sh"
# shellcheck disable=1091
source "${kubernetes_dir}/../../../tests/common.bash"
source "${kubernetes_dir}/../../../tools/packaging/guest-image/lib_se.sh"
# For kata-runtime
export PATH="${PATH}:/opt/kata/bin"
KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
# Where the trustee (includes kbs) sources will be cloned
@ -239,6 +242,14 @@ function kbs_k8s_deploy() {
# expects at least one secret served at install time.
echo "somesecret" > overlays/$(uname -m)/key.bin
# For qemu-se runtime, prepare the necessary resources
if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then
prepare_credentials_for_qemu_se
# SE_SKIP_CERTS_VERIFICATION should be set to true
# to skip the verification of the certificates
sed -i "s/false/true/g" overlays/s390x/patch.yaml
fi
echo "::group::Update the kbs container image"
install_kustomize
pushd base
@ -456,3 +467,32 @@ _handle_ingress_nodeport() {
# By exporting this variable the kbs deploy script will install the nodeport service
export DEPLOYMENT_DIR=nodeport
}
# Prepare necessary resources for qemu-se runtime
# Documentation: https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se
prepare_credentials_for_qemu_se() {
echo "::group::Prepare credentials for qemu-se runtime"
if [ -z "${IBM_SE_CREDS_DIR:-}" ]; then
>&2 echo "ERROR: IBM_SE_CREDS_DIR is empty"
return 1
fi
config_file_path="/opt/kata/share/defaults/kata-containers/configuration-qemu-se.toml"
kata_base_dir=$(dirname $(kata-runtime --config ${config_file_path} env --json | jq -r '.Kernel.Path'))
if [ ! -d ${HKD_PATH} ]; then
>&2 echo "ERROR: HKD_PATH is not set"
return 1
fi
pushd "${IBM_SE_CREDS_DIR}"
mkdir {certs,crls,hdr,hkds,rsa}
openssl genrsa -aes256 -passout pass:test1234 -out encrypt_key-psw.pem 4096
openssl rsa -in encrypt_key-psw.pem -passin pass:test1234 -pubout -out rsa/encrypt_key.pub
openssl rsa -in encrypt_key-psw.pem -passin pass:test1234 -out rsa/encrypt_key.pem
cp ${kata_base_dir}/kata-containers-se.img hdr/hdr.bin
cp ${HKD_PATH}/HKD-*.crt hkds/
cp ${HKD_PATH}/ibm-z-host-key-gen2.crl crls/
cp ${HKD_PATH}/DigiCertCA.crt ${HKD_PATH}/ibm-z-host-key-signing-gen2.crt certs/
popd
ls -R ${IBM_SE_CREDS_DIR}
echo "::endgroup::"
}

View File

@ -47,6 +47,15 @@ setup() {
set_metadata_annotation "${K8S_TEST_YAML}" \
"${kernel_params_annotation}" \
"${kernel_params_value}"
# A secure boot image for IBM SE should be rebuilt according to the KBS configuration.
if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then
if [ -z "${IBM_SE_CREDS_DIR:-}" ]; then
>&2 echo "ERROR: IBM_SE_CREDS_DIR is empty"
return 1
fi
repack_secure_image "${kernel_params_value}" "${IBM_SE_CREDS_DIR}" "true"
fi
}
@test "Get CDH resource" {

View File

@ -81,3 +81,40 @@ EOF
return 1
fi
}
function repack_secure_image() {
kernel_params_value="${1:-}"
build_dir="${2:-}"
for_kbs="${3:-false}"
if [ -z "${build_dir}" ]; then
>&2 echo "ERROR: build_dir for secure image is not specified"
return 1
fi
config_file_path="/opt/kata/share/defaults/kata-containers/configuration-qemu-se.toml"
if [ ! -f "${config_file_path}" ]; then
>&2 echo "ERROR: config file not found: ${config_file_path}"
return 1
fi
kernel_base_dir=$(dirname $(kata-runtime --config ${config_file_path} env --json | jq -r '.Kernel.Path'))
# Make sure ${build_dir}/hdr exists
mkdir -p "${build_dir}/hdr"
# Prepare required files for building the secure image
cp "${kernel_base_dir}/vmlinuz-confidential.container" "${build_dir}/hdr/"
cp "${kernel_base_dir}/kata-containers-initrd-confidential.img" "${build_dir}/hdr/"
# Build the secure image
build_secure_image "${kernel_params_value}" "${build_dir}/hdr" "${build_dir}/hdr"
# Get the secure image updated back to the kernel base directory
if [ ! -f "${build_dir}/hdr/kata-containers-se.img" ]; then
>&2 echo "ERROR: secure image not found: ${build_dir}/hdr/kata-containers-se.img"
return 1
fi
sudo cp "${build_dir}/hdr/kata-containers-se.img" "${kernel_base_dir}/"
if [ "${for_kbs}" == "true" ]; then
# Rename kata-containers-se.img to hdr.bin and clean up kernel and initrd
mv "${build_dir}/hdr/kata-containers-se.img" "${build_dir}/hdr/hdr.bin"
rm -f ${build_dir}/hdr/{vmlinuz-confidential.container,kata-containers-initrd-confidential.img}
else
# Clean up the build directory completely
rm -rf "${build_dir}"
fi
}