Merge pull request #9975 from niteeshkd/nd_snp_attestation

gha: enable SNP attestation
2025-07-17 17:02:42 +00:00 · 2024-07-10 18:59:05 -03:00 · 2024-07-10 18:59:05 -03:00 · deb4627558
commit deb4627558
parent c40b3b4ce7 e8a3f8571e
4 changed files with 15 additions and 8 deletions
--- a/docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md
+++ b/docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md
@ -53,7 +53,14 @@ $ ./configure --enable-virtfs --target-list=x86_64-softmmu --enable-debug
 $ make -j "$(nproc)"
 $ popd
 ```
-
+- Create cert-chain for SNP attestation ( using [snphost](https://github.com/virtee/snphost/blob/main/docs/snphost.1.adoc) )
+```bash
+$ git clone https://github.com/virtee/snphost.git && cd snphost/
+$ cargo build
+$ mkdir /tmp/certs
+$ ./target/debug/snphost fetch vcek der /tmp/certs
+$ ./target/debug/snphost import /tmp/certs /opt/snp/cert_chain.cert
+```
 ### Kata Containers Configuration for SNP

 The configuration file located at `/etc/kata-containers/configuration.toml` must be adapted as follows to support SNP-VMs:
@ -100,6 +107,10 @@ sev_snp_guest = true
  - Configure an OVMF (add path)
 ```toml
 firmware = "/path/to/kata-containers/tools/packaging/static-build/ovmf/opt/kata/share/ovmf/OVMF.fd"
+```
+  - SNP attestation (add cert-chain to default path or add the path with cert-chain)
+```toml
+snp_certs_path = "/path/to/cert-chain"
 ```

 ## Test Kata Containers with Containerd
--- a/tests/cmd/check-spelling/data/projects.txt
+++ b/tests/cmd/check-spelling/data/projects.txt
@ -87,6 +87,7 @@ SELinux/B
 SemaphoreCI/B
 snapcraft/B
 snapd/B
+snphost/B
 SQLite/B
 StratoVirt/B
 SUSE/B
--- a/tests/cmd/check-spelling/kata-dictionary.dic
+++ b/tests/cmd/check-spelling/kata-dictionary.dic
@ -1,4 +1,4 @@
-387
+392
 ACPI/AB
 ACS/AB
 API/AB
@ -340,6 +340,7 @@ serverless
 signoff/A
 snapcraft/B
 snapd/B
+snphost/B
 stalebot/B
 startup
 stderr/AB
--- a/tests/integration/kubernetes/k8s-confidential-attestation.bats
+++ b/tests/integration/kubernetes/k8s-confidential-attestation.bats
@ -20,9 +20,6 @@ setup() {
 	if [ "${KBS}" = "false" ]; then
 		skip "Test skipped as KBS not setup"
 	fi
-	if [ "${KATA_HYPERVISOR}" = "qemu-snp" ]; then
-		skip "Test skipped as SNP attestation not setup"
-	fi

 	setup_common
 	get_pod_config_dir
@ -93,9 +90,6 @@ teardown() {
 	if [ "${KBS}" = "false" ]; then
 		skip "Test skipped as KBS not setup"
 	fi
-	if [ "${KATA_HYPERVISOR}" = "qemu-snp" ]; then
-		skip "Test skipped as SNP attestation not setup"
-	fi

 	[ -n "${pod_name:-}" ] && kubectl describe "pod/${pod_name}" || true
 	[ -n "${pod_config_dir:-}" ] && kubectl delete -f "${K8S_TEST_YAML}" || true