From ff04154fdb80a82caaebbe55a121466923f3e16d Mon Sep 17 00:00:00 2001
From: Niteesh Dubey
Date: Tue, 9 Jul 2024 18:18:17 +0000
Subject: [PATCH 1/2] gha: enable SNP attestation

This removes the code to skip the SNP attestation.

Signed-off-by: Niteesh Dubey
---
 .../kubernetes/k8s-confidential-attestation.bats | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/tests/integration/kubernetes/k8s-confidential-attestation.bats b/tests/integration/kubernetes/k8s-confidential-attestation.bats
index edf722f69e..a3e45de0f0 100644
--- a/tests/integration/kubernetes/k8s-confidential-attestation.bats
+++ b/tests/integration/kubernetes/k8s-confidential-attestation.bats
@@ -20,9 +20,6 @@ setup() {
 if [ "${KBS}" = "false" ]; then
 skip "Test skipped as KBS not setup"
 fi
- if [ "${KATA_HYPERVISOR}" = "qemu-snp" ]; then
- skip "Test skipped as SNP attestation not setup"
- fi
 
 setup_common
 get_pod_config_dir
@@ -93,9 +90,6 @@ teardown() {
 if [ "${KBS}" = "false" ]; then
 skip "Test skipped as KBS not setup"
 fi
- if [ "${KATA_HYPERVISOR}" = "qemu-snp" ]; then
- skip "Test skipped as SNP attestation not setup"
- fi
 
 [ -n "${pod_name:-}" ] && kubectl describe "pod/${pod_name}" || true
 [ -n "${pod_config_dir:-}" ] && kubectl delete -f "${K8S_TEST_YAML}" || true

From e8a3f8571e6edb512ebd396bf417b6b093b3a6cd Mon Sep 17 00:00:00 2001
From: Niteesh Dubey
Date: Tue, 9 Jul 2024 18:35:53 +0000
Subject: [PATCH 2/2] docs: update for SNP attestation

This updates how-to document for SNP attestation.

Signed-off-by: Niteesh Dubey
---
 .../how-to-run-kata-containers-with-SNP-VMs.md | 13 ++++++++++++-
 tests/cmd/check-spelling/data/projects.txt | 1 +
 tests/cmd/check-spelling/kata-dictionary.dic | 3 ++-
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md b/docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md
index 9028d5fce2..962e43698e 100644
--- a/docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md
+++ b/docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md
@@ -53,7 +53,14 @@ $ ./configure --enable-virtfs --target-list=x86_64-softmmu --enable-debug
 $ make -j "$(nproc)"
 $ popd
 ```
-
+- Create cert-chain for SNP attestation ( using [snphost](https://github.com/virtee/snphost/blob/main/docs/snphost.1.adoc) )
+```bash
+$ git clone https://github.com/virtee/snphost.git && cd snphost/
+$ cargo build
+$ mkdir /tmp/certs
+$ ./target/debug/snphost fetch vcek der /tmp/certs
+$ ./target/debug/snphost import /tmp/certs /opt/snp/cert_chain.cert
+```
 ### Kata Containers Configuration for SNP
 
 The configuration file located at `/etc/kata-containers/configuration.toml` must be adapted as follows to support SNP-VMs:
@@ -100,6 +107,10 @@ sev_snp_guest = true
 - Configure an OVMF (add path)
 ```toml
 firmware = "/path/to/kata-containers/tools/packaging/static-build/ovmf/opt/kata/share/ovmf/OVMF.fd"
+```
+ - SNP attestation (add cert-chain to default path or add the path with cert-chain)
+```toml
+snp_certs_path = "/path/to/cert-chain"
 ```
 
 ## Test Kata Containers with Containerd
diff --git a/tests/cmd/check-spelling/data/projects.txt b/tests/cmd/check-spelling/data/projects.txt
index 997ce6dc54..3530c215e7 100644
--- a/tests/cmd/check-spelling/data/projects.txt
+++ b/tests/cmd/check-spelling/data/projects.txt
@@ -87,6 +87,7 @@ SELinux/B
 SemaphoreCI/B
 snapcraft/B
 snapd/B
+snphost/B
 SQLite/B
 StratoVirt/B
 SUSE/B
diff --git a/tests/cmd/check-spelling/kata-dictionary.dic b/tests/cmd/check-spelling/kata-dictionary.dic
index bd40d1aa4e..9a76d1e62c 100644
--- a/tests/cmd/check-spelling/kata-dictionary.dic
+++ b/tests/cmd/check-spelling/kata-dictionary.dic
@@ -1,4 +1,4 @@
-387
+392
 ACPI/AB
 ACS/AB
 API/AB
@@ -340,6 +340,7 @@ serverless
 signoff/A
 snapcraft/B
 snapd/B
+snphost/B
 stalebot/B
 startup
 stderr/AB