tests: Enable k8s-confidential-attestation.bats for s390x

For running a KBS with `se-verifier` in service, specific credentials need to be configured. (See https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se for details.) This commit introduces two procedures to support IBM SE attestation: - Prepare required files and directory structure - Set necessary environment variables for KBS deployment - Repackage a secure image once the KBS service address is determined These changes enable `k8s-confidential-attestation.bats` for s390x. Fixes: #9933 Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-31 16:36:38 +00:00 · 2024-06-26 12:51:09 +02:00
parent 5d0f74cd70
commit d94b285189
3 changed files with 86 additions and 0 deletions
--- a/tests/integration/kubernetes/confidential_kbs.sh
+++ b/tests/integration/kubernetes/confidential_kbs.sh
@@ -12,6 +12,9 @@ kubernetes_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${kubernetes_dir}/../../gha-run-k8s-common.sh"
 # shellcheck disable=1091
 source "${kubernetes_dir}/../../../tests/common.bash"
+source "${kubernetes_dir}/../../../tools/packaging/guest-image/lib_se.sh"
+# For kata-runtime
+export PATH="${PATH}:/opt/kata/bin"

 KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
 # Where the trustee (includes kbs) sources will be cloned
@@ -239,6 +242,14 @@ function kbs_k8s_deploy() {
 	# expects at least one secret served at install time.
 	echo "somesecret" > overlays/$(uname -m)/key.bin

+	# For qemu-se runtime, prepare the necessary resources
+	if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then
+		prepare_credentials_for_qemu_se
+		# SE_SKIP_CERTS_VERIFICATION should be set to true
+		# to skip the verification of the certificates
+		sed -i "s/false/true/g" overlays/s390x/patch.yaml
+	fi
+
 	echo "::group::Update the kbs container image"
 	install_kustomize
 	pushd base
@@ -456,3 +467,32 @@ _handle_ingress_nodeport() {
 	# By exporting this variable the kbs deploy script will install the nodeport service
 	export DEPLOYMENT_DIR=nodeport
 }
+
+
+# Prepare necessary resources for qemu-se runtime
+# Documentation: https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se
+prepare_credentials_for_qemu_se() {
+	echo "::group::Prepare credentials for qemu-se runtime"
+	if [ -z "${IBM_SE_CREDS_DIR:-}" ]; then
+		>&2 echo "ERROR: IBM_SE_CREDS_DIR is empty"
+		return 1
+	fi
+	config_file_path="/opt/kata/share/defaults/kata-containers/configuration-qemu-se.toml"
+	kata_base_dir=$(dirname $(kata-runtime --config ${config_file_path} env --json | jq -r '.Kernel.Path'))
+	if [ ! -d ${HKD_PATH} ]; then
+		>&2 echo "ERROR: HKD_PATH is not set"
+		return 1
+	fi
+	pushd "${IBM_SE_CREDS_DIR}"
+	mkdir {certs,crls,hdr,hkds,rsa}
+	openssl genrsa -aes256 -passout pass:test1234 -out encrypt_key-psw.pem 4096
+	openssl rsa -in encrypt_key-psw.pem -passin pass:test1234 -pubout -out rsa/encrypt_key.pub
+	openssl rsa -in encrypt_key-psw.pem -passin pass:test1234 -out rsa/encrypt_key.pem
+	cp ${kata_base_dir}/kata-containers-se.img hdr/hdr.bin
+	cp ${HKD_PATH}/HKD-*.crt hkds/
+	cp ${HKD_PATH}/ibm-z-host-key-gen2.crl crls/
+	cp ${HKD_PATH}/DigiCertCA.crt ${HKD_PATH}/ibm-z-host-key-signing-gen2.crt certs/
+	popd
+	ls -R ${IBM_SE_CREDS_DIR}
+	echo "::endgroup::"
+}
--- a/tests/integration/kubernetes/k8s-confidential-attestation.bats
+++ b/tests/integration/kubernetes/k8s-confidential-attestation.bats
@@ -47,6 +47,15 @@ setup() {
 	set_metadata_annotation "${K8S_TEST_YAML}" \
 		"${kernel_params_annotation}" \
 		"${kernel_params_value}"
+
+	# A secure boot image for IBM SE should be rebuilt according to the KBS configuration.
+	if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then
+		if [ -z "${IBM_SE_CREDS_DIR:-}" ]; then
+			>&2 echo "ERROR: IBM_SE_CREDS_DIR is empty"
+			return 1
+		fi
+		repack_secure_image "${kernel_params_value}" "${IBM_SE_CREDS_DIR}" "true"
+	fi
 }

@test "Get CDH resource" {
--- a/tools/packaging/guest-image/lib_se.sh
+++ b/tools/packaging/guest-image/lib_se.sh
@@ -81,3 +81,40 @@ EOF
 		return 1
 	fi
 }
+
+function repack_secure_image() {
+	kernel_params_value="${1:-}"
+	build_dir="${2:-}"
+	for_kbs="${3:-false}"
+	if [ -z "${build_dir}" ]; then
+		>&2 echo "ERROR: build_dir for secure image is not specified"
+		return 1
+	fi
+	config_file_path="/opt/kata/share/defaults/kata-containers/configuration-qemu-se.toml"
+	if [ ! -f "${config_file_path}" ]; then
+		>&2 echo "ERROR: config file not found: ${config_file_path}"
+		return 1
+	fi
+	kernel_base_dir=$(dirname $(kata-runtime --config ${config_file_path} env --json | jq -r '.Kernel.Path'))
+	# Make sure ${build_dir}/hdr exists
+	mkdir -p "${build_dir}/hdr"
+	# Prepare required files for building the secure image
+	cp "${kernel_base_dir}/vmlinuz-confidential.container" "${build_dir}/hdr/"
+	cp "${kernel_base_dir}/kata-containers-initrd-confidential.img" "${build_dir}/hdr/"
+	# Build the secure image
+	build_secure_image "${kernel_params_value}" "${build_dir}/hdr" "${build_dir}/hdr"
+	# Get the secure image updated back to the kernel base directory
+	if [ ! -f "${build_dir}/hdr/kata-containers-se.img" ]; then
+		>&2 echo "ERROR: secure image not found: ${build_dir}/hdr/kata-containers-se.img"
+		return 1
+	fi
+	sudo cp "${build_dir}/hdr/kata-containers-se.img" "${kernel_base_dir}/"
+	if [ "${for_kbs}" == "true" ]; then
+		# Rename kata-containers-se.img to hdr.bin and clean up kernel and initrd
+		mv "${build_dir}/hdr/kata-containers-se.img" "${build_dir}/hdr/hdr.bin"
+		rm -f ${build_dir}/hdr/{vmlinuz-confidential.container,kata-containers-initrd-confidential.img}
+	else
+		# Clean up the build directory completely
+		rm -rf "${build_dir}"
+	fi
+}