tests: Enable k8s-confidential-attestation.bats for s390x

For running a KBS with `se-verifier` in service,
specific credentials need to be configured.
(See https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se for details.)

This commit introduces two procedures to support IBM SE attestation:

- Prepare required files and directory structure
- Set necessary environment variables for KBS deployment
- Repackage a secure image once the KBS service address is determined

These changes enable `k8s-confidential-attestation.bats` for s390x.

Fixes: #9933

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
Hyounggyu Choi
2024-06-26 12:51:09 +02:00
parent 5d0f74cd70
commit d94b285189
3 changed files with 86 additions and 0 deletions


@@ -81,3 +81,40 @@ EOF
return 1
fi
}
function repack_secure_image() {
kernel_params_value="${1:-}"
build_dir="${2:-}"
for_kbs="${3:-false}"
if [ -z "${build_dir}" ]; then
>&2 echo "ERROR: build_dir for secure image is not specified"
return 1
fi
config_file_path="/opt/kata/share/defaults/kata-containers/configuration-qemu-se.toml"
if [ ! -f "${config_file_path}" ]; then
>&2 echo "ERROR: config file not found: ${config_file_path}"
return 1
fi
kernel_base_dir=$(dirname $(kata-runtime --config ${config_file_path} env --json | jq -r '.Kernel.Path'))
# Make sure ${build_dir}/hdr exists
mkdir -p "${build_dir}/hdr"
# Prepare required files for building the secure image
cp "${kernel_base_dir}/vmlinuz-confidential.container" "${build_dir}/hdr/"
cp "${kernel_base_dir}/kata-containers-initrd-confidential.img" "${build_dir}/hdr/"
# Build the secure image
build_secure_image "${kernel_params_value}" "${build_dir}/hdr" "${build_dir}/hdr"
# Get the secure image updated back to the kernel base directory
if [ ! -f "${build_dir}/hdr/kata-containers-se.img" ]; then
>&2 echo "ERROR: secure image not found: ${build_dir}/hdr/kata-containers-se.img"
return 1
fi
sudo cp "${build_dir}/hdr/kata-containers-se.img" "${kernel_base_dir}/"
if [ "${for_kbs}" == "true" ]; then
# Rename kata-containers-se.img to hdr.bin and clean up kernel and initrd
mv "${build_dir}/hdr/kata-containers-se.img" "${build_dir}/hdr/hdr.bin"
rm -f ${build_dir}/hdr/{vmlinuz-confidential.container,kata-containers-initrd-confidential.img}
else
# Clean up the build directory completely
rm -rf "${build_dir}"
fi
}
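Review bot: The line that sets `kernel_base_dir` uses the output of `kata-runtime ... | jq -r '.Kernel.Path'` without checking it, and both `${config_file_path}` and the inner command substitution are unquoted. If kata-runtime fails or the key is absent, jq prints nothing or `null`, so `dirname` would yield an empty string or `.`, and the later `cp` and `sudo cp` lines would then operate on `/` or the current directory as root instead of stopping. I would resolve the kernel path into its own variable, return 1 when it is empty, and only then take its dirname, as in the fence below. The cleanup line has the same quoting gap and should read `rm -f "${build_dir}"/hdr/{vmlinuz-confidential.container,kata-containers-initrd-confidential.img}`.

```shell
# … unchanged: build_dir and config_file_path checks …
local kernel_path
kernel_path=$(kata-runtime --config "${config_file_path}" env --json | jq -r '.Kernel.Path // empty')
if [ -z "${kernel_path}" ]; then
	>&2 echo "ERROR: kernel path not found via ${config_file_path}"
	return 1
fi
kernel_base_dir=$(dirname "${kernel_path}")
# … unchanged: mkdir, cp, build_secure_image and cleanup …
```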