tests: Enable k8s-confidential-attestation.bats for s390x
To run a KBS with `se-verifier` in service, specific credentials need to be configured. (See https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se for details.)

This commit introduces two procedures to support IBM SE attestation:
- Prepare required files and directory structure
- Set necessary environment variables for KBS deployment
- Repackage a secure image once the KBS service address is determined

These changes enable `k8s-confidential-attestation.bats` for s390x.

Fixes: #9933

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This commit is contained in:
parent
5d0f74cd70
commit
d94b285189
@ -12,6 +12,9 @@ kubernetes_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
source "${kubernetes_dir}/../../gha-run-k8s-common.sh"
|
||||
# shellcheck disable=1091
|
||||
source "${kubernetes_dir}/../../../tests/common.bash"
|
||||
source "${kubernetes_dir}/../../../tools/packaging/guest-image/lib_se.sh"
|
||||
# For kata-runtime
|
||||
export PATH="${PATH}:/opt/kata/bin"
|
||||
|
||||
KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
|
||||
# Where the trustee (includes kbs) sources will be cloned
|
||||
@ -239,6 +242,14 @@ function kbs_k8s_deploy() {
|
||||
# expects at least one secret served at install time.
|
||||
echo "somesecret" > overlays/$(uname -m)/key.bin
|
||||
|
||||
# For qemu-se runtime, prepare the necessary resources
|
||||
if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then
|
||||
prepare_credentials_for_qemu_se
|
||||
# SE_SKIP_CERTS_VERIFICATION should be set to true
|
||||
# to skip the verification of the certificates
|
||||
sed -i "s/false/true/g" overlays/s390x/patch.yaml
|
||||
fi
|
||||
|
||||
echo "::group::Update the kbs container image"
|
||||
install_kustomize
|
||||
pushd base
|
||||
@ -456,3 +467,32 @@ _handle_ingress_nodeport() {
|
||||
# By exporting this variable the kbs deploy script will install the nodeport service
|
||||
export DEPLOYMENT_DIR=nodeport
|
||||
}
|
||||
|
||||
|
||||
# Prepare necessary resources for qemu-se runtime
|
||||
# Documentation: https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se
|
||||
prepare_credentials_for_qemu_se() {
|
||||
echo "::group::Prepare credentials for qemu-se runtime"
|
||||
if [ -z "${IBM_SE_CREDS_DIR:-}" ]; then
|
||||
>&2 echo "ERROR: IBM_SE_CREDS_DIR is empty"
|
||||
return 1
|
||||
fi
|
||||
config_file_path="/opt/kata/share/defaults/kata-containers/configuration-qemu-se.toml"
|
||||
kata_base_dir=$(dirname $(kata-runtime --config ${config_file_path} env --json | jq -r '.Kernel.Path'))
|
||||
if [ ! -d ${HKD_PATH} ]; then
|
||||
>&2 echo "ERROR: HKD_PATH is not set"
|
||||
return 1
|
||||
fi
|
||||
pushd "${IBM_SE_CREDS_DIR}"
|
||||
mkdir {certs,crls,hdr,hkds,rsa}
|
||||
openssl genrsa -aes256 -passout pass:test1234 -out encrypt_key-psw.pem 4096
|
||||
openssl rsa -in encrypt_key-psw.pem -passin pass:test1234 -pubout -out rsa/encrypt_key.pub
|
||||
openssl rsa -in encrypt_key-psw.pem -passin pass:test1234 -out rsa/encrypt_key.pem
|
||||
cp ${kata_base_dir}/kata-containers-se.img hdr/hdr.bin
|
||||
cp ${HKD_PATH}/HKD-*.crt hkds/
|
||||
cp ${HKD_PATH}/ibm-z-host-key-gen2.crl crls/
|
||||
cp ${HKD_PATH}/DigiCertCA.crt ${HKD_PATH}/ibm-z-host-key-signing-gen2.crt certs/
|
||||
popd
|
||||
ls -R ${IBM_SE_CREDS_DIR}
|
||||
echo "::endgroup::"
|
||||
}
|
||||
|
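Review bot: The HKD_PATH guard in prepare_credentials_for_qemu_se does not check what its message says: with HKD_PATH set but empty, `[ ! -d ${HKD_PATH} ]` collapses to `[ ! -d ]`, which treats `-d` as a non-empty string and evaluates false, so the function continues to the `cp ${HKD_PATH}/...` lines; an unset HKD_PATH is caught only if the script runs under `set -u`, which is outside this hunk. Test it the way IBM_SE_CREDS_DIR is tested a few lines above: `if [ -z "${HKD_PATH:-}" ] || [ ! -d "${HKD_PATH}" ]; then`. In the same function, config_file_path and kata_base_dir are assigned without `local`, so they leak into the caller's shell, and the nested `$(…)` on the kata_base_dir line plus the `${kata_base_dir}`/`${HKD_PATH}`/`${IBM_SE_CREDS_DIR}` expansions on the cp and ls lines are unquoted. `mkdir {certs,crls,hdr,hkds,rsa}` without `-p` also makes a second run against the same IBM_SE_CREDS_DIR fail on the mkdir rather than on something meaningful.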
@ -47,6 +47,15 @@ setup() {
|
||||
set_metadata_annotation "${K8S_TEST_YAML}" \
|
||||
"${kernel_params_annotation}" \
|
||||
"${kernel_params_value}"
|
||||
|
||||
# A secure boot image for IBM SE should be rebuilt according to the KBS configuration.
|
||||
if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then
|
||||
if [ -z "${IBM_SE_CREDS_DIR:-}" ]; then
|
||||
>&2 echo "ERROR: IBM_SE_CREDS_DIR is empty"
|
||||
return 1
|
||||
fi
|
||||
repack_secure_image "${kernel_params_value}" "${IBM_SE_CREDS_DIR}" "true"
|
||||
fi
|
||||
}
|
||||
|
||||
@test "Get CDH resource" {
|
||||
|
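Review bot: `setup()` runs before every `@test`, so with KATA_HYPERVISOR=qemu-se the secure image is rebuilt and `sudo cp`'d into the kernel directory once per test case; if kernel_params_value is the same for all tests in this file, the repack belongs in `setup_file()` so it runs once. The IBM_SE_CREDS_DIR emptiness check here duplicates the build_dir check that `repack_secure_image` already performs on its second argument, so one of the two could go, keeping whichever error message is more useful to the CI log. The start of `setup()` is outside the hunk.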
@ -81,3 +81,40 @@ EOF
|
||||
return 1
|
||||
fi
|
||||
}
|
||||
|
||||
function repack_secure_image() {
|
||||
kernel_params_value="${1:-}"
|
||||
build_dir="${2:-}"
|
||||
for_kbs="${3:-false}"
|
||||
if [ -z "${build_dir}" ]; then
|
||||
>&2 echo "ERROR: build_dir for secure image is not specified"
|
||||
return 1
|
||||
fi
|
||||
config_file_path="/opt/kata/share/defaults/kata-containers/configuration-qemu-se.toml"
|
||||
if [ ! -f "${config_file_path}" ]; then
|
||||
>&2 echo "ERROR: config file not found: ${config_file_path}"
|
||||
return 1
|
||||
fi
|
||||
kernel_base_dir=$(dirname $(kata-runtime --config ${config_file_path} env --json | jq -r '.Kernel.Path'))
|
||||
# Make sure ${build_dir}/hdr exists
|
||||
mkdir -p "${build_dir}/hdr"
|
||||
# Prepare required files for building the secure image
|
||||
cp "${kernel_base_dir}/vmlinuz-confidential.container" "${build_dir}/hdr/"
|
||||
cp "${kernel_base_dir}/kata-containers-initrd-confidential.img" "${build_dir}/hdr/"
|
||||
# Build the secure image
|
||||
build_secure_image "${kernel_params_value}" "${build_dir}/hdr" "${build_dir}/hdr"
|
||||
# Get the secure image updated back to the kernel base directory
|
||||
if [ ! -f "${build_dir}/hdr/kata-containers-se.img" ]; then
|
||||
>&2 echo "ERROR: secure image not found: ${build_dir}/hdr/kata-containers-se.img"
|
||||
return 1
|
||||
fi
|
||||
sudo cp "${build_dir}/hdr/kata-containers-se.img" "${kernel_base_dir}/"
|
||||
if [ "${for_kbs}" == "true" ]; then
|
||||
# Rename kata-containers-se.img to hdr.bin and clean up kernel and initrd
|
||||
mv "${build_dir}/hdr/kata-containers-se.img" "${build_dir}/hdr/hdr.bin"
|
||||
rm -f ${build_dir}/hdr/{vmlinuz-confidential.container,kata-containers-initrd-confidential.img}
|
||||
else
|
||||
# Clean up the build directory completely
|
||||
rm -rf "${build_dir}"
|
||||
fi
|
||||
}
|
||||
|
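Review bot: `repack_secure_image` assigns kernel_params_value, build_dir, for_kbs, config_file_path and kernel_base_dir without `local`; because lib_se.sh is sourced, these overwrite the caller's variables of the same name, and the bats `setup()` that calls this function passes in its own `kernel_params_value`. Declaring them `local` and splitting the kernel_base_dir assignment from its command substitution (so a failing `kata-runtime`/`jq` is not masked and does not silently yield `.`) fixes that; the `kata-runtime` line and the `rm -f ${build_dir}/hdr/{…}` line also leave `${build_dir}`, `${config_file_path}` and the nested `$(…)` unquoted. The `rm -rf "${build_dir}"` on the non-KBS path is only safe because of the emptiness check at the top of the function; `"${build_dir:?}"` would make that guarantee explicit at the point of deletion. The function that the hunk header's `EOF` belongs to starts outside the hunk.
```shell
function repack_secure_image() {
	local kernel_params_value="${1:-}"
	local build_dir="${2:-}"
	local for_kbs="${3:-false}"
	# … unchanged: build_dir emptiness check …
	local config_file_path="/opt/kata/share/defaults/kata-containers/configuration-qemu-se.toml"
	# … unchanged: config file existence check …
	local kernel_path
	kernel_path=$(kata-runtime --config "${config_file_path}" env --json | jq -r '.Kernel.Path') || return 1
	local kernel_base_dir
	kernel_base_dir=$(dirname "${kernel_path}")
	# … unchanged: mkdir, cp of kernel/initrd, build_secure_image, image check, sudo cp …
		rm -f "${build_dir}/hdr/vmlinuz-confidential.container" "${build_dir}/hdr/kata-containers-initrd-confidential.img"
	# … unchanged: else branch …
		rm -rf "${build_dir:?}"
```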