From d94b285189cd224559fd3e7abcb29d085a47f255 Mon Sep 17 00:00:00 2001
From: Hyounggyu Choi
Date: Wed, 26 Jun 2024 12:51:09 +0200
Subject: [PATCH] tests: Enable k8s-confidential-attestation.bats for s390x
For running a KBS with `se-verifier` in service, specific credentials need to be configured. (See https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se for details.)
This commit introduces two procedures to support IBM SE attestation:
- Prepare required files and directory structure
- Set necessary environment variables for KBS deployment
- Repackage a secure image once the KBS service address is determined
These changes enable `k8s-confidential-attestation.bats` for s390x.
Fixes: #9933
Signed-off-by: Hyounggyu Choi
---
 .../kubernetes/confidential_kbs.sh | 40 +++++++++++++++++++
 .../k8s-confidential-attestation.bats | 9 +++++
 tools/packaging/guest-image/lib_se.sh | 37 +++++++++++++++++
 3 files changed, 86 insertions(+)
diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh
index f6aa88e5ab..90ee5b3aa7 100644
--- a/tests/integration/kubernetes/confidential_kbs.sh
+++ b/tests/integration/kubernetes/confidential_kbs.sh
@@ -12,6 +12,9 @@ kubernetes_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${kubernetes_dir}/../../gha-run-k8s-common.sh"
 # shellcheck disable=1091
 source "${kubernetes_dir}/../../../tests/common.bash"
+source "${kubernetes_dir}/../../../tools/packaging/guest-image/lib_se.sh"
+# For kata-runtime
+export PATH="${PATH}:/opt/kata/bin"
 KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
 # Where the trustee (includes kbs) sources will be cloned
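Review bot: The added `source` of `lib_se.sh` has no `# shellcheck disable=1091` line above it, although the `source` of `tests/common.bash` directly before it does, so shellcheck will presumably report the new line as a file it cannot follow. Putting the same directive on the line before the new `source` keeps the header consistent: `# shellcheck disable=1091`.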
@@ -239,6 +242,14 @@ function kbs_k8s_deploy() {
 # expects at least one secret served at install time.
 echo "somesecret" > overlays/$(uname -m)/key.bin
+ # For qemu-se runtime, prepare the necessary resources
+ if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then
+ prepare_credentials_for_qemu_se
+ # SE_SKIP_CERTS_VERIFICATION should be set to true
+ # to skip the verification of the certificates
+ sed -i "s/false/true/g" overlays/s390x/patch.yaml
+ fi
+
 echo "::group::Update the kbs container image"
 install_kustomize
 pushd base
@@ -456,3 +467,32 @@ _handle_ingress_nodeport() {
 # By exporting this variable the kbs deploy script will install the nodeport service
 export DEPLOYMENT_DIR=nodeport
 }
+
+
+# Prepare necessary resources for qemu-se runtime
+# Documentation: https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se
+prepare_credentials_for_qemu_se() {
+ echo "::group::Prepare credentials for qemu-se runtime"
+ if [ -z "${IBM_SE_CREDS_DIR:-}" ]; then
+ >&2 echo "ERROR: IBM_SE_CREDS_DIR is empty"
+ return 1
+ fi
+ config_file_path="/opt/kata/share/defaults/kata-containers/configuration-qemu-se.toml"
+ kata_base_dir=$(dirname $(kata-runtime --config ${config_file_path} env --json | jq -r '.Kernel.Path'))
+ if [ ! -d ${HKD_PATH} ]; then
+ >&2 echo "ERROR: HKD_PATH is not set"
+ return 1
+ fi
+ pushd "${IBM_SE_CREDS_DIR}"
+ mkdir {certs,crls,hdr,hkds,rsa}
+ openssl genrsa -aes256 -passout pass:test1234 -out encrypt_key-psw.pem 4096
+ openssl rsa -in encrypt_key-psw.pem -passin pass:test1234 -pubout -out rsa/encrypt_key.pub
+ openssl rsa -in encrypt_key-psw.pem -passin pass:test1234 -out rsa/encrypt_key.pem
+ cp ${kata_base_dir}/kata-containers-se.img hdr/hdr.bin
+ cp ${HKD_PATH}/HKD-*.crt hkds/
+ cp ${HKD_PATH}/ibm-z-host-key-gen2.crl crls/
+ cp ${HKD_PATH}/DigiCertCA.crt ${HKD_PATH}/ibm-z-host-key-signing-gen2.crt certs/
+ popd
+ ls -R ${IBM_SE_CREDS_DIR}
+ echo "::endgroup::"
+}
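Review bot: In the `kbs_k8s_deploy` hunk, `sed -i "s/false/true/g" overlays/s390x/patch.yaml` rewrites every `false` in the overlay, not only the `SE_SKIP_CERTS_VERIFICATION` value the comment names, so any other boolean that file has or later gains is flipped as well. Anchoring the substitution to that one setting would confine the edit; the exact pattern depends on how patch.yaml lays the variable out, which this hunk does not show. Because the edit turns off certificate verification in the verifier, the comment could also record its scope, for example `# CI only: skips host-key certificate verification; do not reuse this overlay outside tests`. The body of `kbs_k8s_deploy` starts and ends outside the hunk.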
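Review bot: The `HKD_PATH` guard in `prepare_credentials_for_qemu_se` cannot fire for an empty value (or an unset one without `nounset`): unquoted, `[ ! -d ${HKD_PATH} ]` becomes `[ ! -d ]`, a one-string test that is false, so the function continues and the later `cp ${HKD_PATH}/...` lines resolve against `/`. Testing it the way `IBM_SE_CREDS_DIR` is tested closes that gap: `if [ -z "${HKD_PATH:-}" ] || [ ! -d "${HKD_PATH}" ]; then`. The `kata_base_dir` line has a related gap, shared with `kernel_base_dir` in `repack_secure_image` (lib_se.sh): if `kata-runtime` fails or the JSON has no `.Kernel.Path`, the result is empty or `.` and the copies run against the wrong directory; `kernel_path=$(kata-runtime --config "${config_file_path}" env --json | jq -er '.Kernel.Path') || return 1` followed by `kata_base_dir=$(dirname "${kernel_path}")` would stop there instead. The passphrase `pass:test1234` is a literal on the `openssl` command line, so a comment such as `# Throwaway key pair for CI; the passphrase is not a secret` would keep the pattern from being copied into a real deployment.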
diff --git a/tests/integration/kubernetes/k8s-confidential-attestation.bats b/tests/integration/kubernetes/k8s-confidential-attestation.bats
index edf722f69e..c9b51545db 100644
--- a/tests/integration/kubernetes/k8s-confidential-attestation.bats
+++ b/tests/integration/kubernetes/k8s-confidential-attestation.bats
@@ -47,6 +47,15 @@ setup() {
 set_metadata_annotation "${K8S_TEST_YAML}" \
 "${kernel_params_annotation}" \
 "${kernel_params_value}"
+
+ # A secure boot image for IBM SE should be rebuilt according to the KBS configuration.
+ if [ "${KATA_HYPERVISOR}" == "qemu-se" ]; then
+ if [ -z "${IBM_SE_CREDS_DIR:-}" ]; then
+ >&2 echo "ERROR: IBM_SE_CREDS_DIR is empty"
+ return 1
+ fi
+ repack_secure_image "${kernel_params_value}" "${IBM_SE_CREDS_DIR}" "true"
+ fi
 }
 @test "Get CDH resource" {
diff --git a/tools/packaging/guest-image/lib_se.sh b/tools/packaging/guest-image/lib_se.sh
index cd155dd408..2d5a97991f 100755
--- a/tools/packaging/guest-image/lib_se.sh
+++ b/tools/packaging/guest-image/lib_se.sh
@@ -81,3 +81,40 @@ EOF
 return 1
 fi
 }
+
+function repack_secure_image() {
+ kernel_params_value="${1:-}"
+ build_dir="${2:-}"
+ for_kbs="${3:-false}"
+ if [ -z "${build_dir}" ]; then
+ >&2 echo "ERROR: build_dir for secure image is not specified"
+ return 1
+ fi
+ config_file_path="/opt/kata/share/defaults/kata-containers/configuration-qemu-se.toml"
+ if [ ! -f "${config_file_path}" ]; then
+ >&2 echo "ERROR: config file not found: ${config_file_path}"
+ return 1
+ fi
+ kernel_base_dir=$(dirname $(kata-runtime --config ${config_file_path} env --json | jq -r '.Kernel.Path'))
+ # Make sure ${build_dir}/hdr exists
+ mkdir -p "${build_dir}/hdr"
+ # Prepare required files for building the secure image
+ cp "${kernel_base_dir}/vmlinuz-confidential.container" "${build_dir}/hdr/"
+ cp "${kernel_base_dir}/kata-containers-initrd-confidential.img" "${build_dir}/hdr/"
+ # Build the secure image
+ build_secure_image "${kernel_params_value}" "${build_dir}/hdr" "${build_dir}/hdr"
+ # Get the secure image updated back to the kernel base directory
+ if [ ! -f "${build_dir}/hdr/kata-containers-se.img" ]; then
+ >&2 echo "ERROR: secure image not found: ${build_dir}/hdr/kata-containers-se.img"
+ return 1
+ fi
+ sudo cp "${build_dir}/hdr/kata-containers-se.img" "${kernel_base_dir}/"
+ if [ "${for_kbs}" == "true" ]; then
+ # Rename kata-containers-se.img to hdr.bin and clean up kernel and initrd
+ mv "${build_dir}/hdr/kata-containers-se.img" "${build_dir}/hdr/hdr.bin"
+ rm -f ${build_dir}/hdr/{vmlinuz-confidential.container,kata-containers-initrd-confidential.img}
+ else
+ # Clean up the build directory completely
+ rm -rf "${build_dir}"
+ fi
+}
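Review bot: `repack_secure_image` assigns `kernel_params_value`, `build_dir`, `for_kbs`, `config_file_path` and `kernel_base_dir` without `local`, so every script that sources lib_se.sh has those names overwritten at global scope; `config_file_path` is also set by `prepare_credentials_for_qemu_se` in confidential_kbs.sh, which only happens to use the same value. Declaring them keeps the library self-contained: `local kernel_params_value="${1:-}" build_dir="${2:-}" for_kbs="${3:-false}"` and `local config_file_path kernel_base_dir`. The function also has no header comment; one should state the three arguments, that the installed `kata-containers-se.img` is overwritten through `sudo cp`, and that the directory passed as `build_dir` is removed with `rm -rf` unless the third argument is `true`.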