github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-18 01:13:56 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #9975 from niteeshkd/nd_snp_attestation

Browse Source 
gha: enable SNP attestation
This commit is contained in:
Wainer Moschetta 2024-07-10 18:59:05 -03:00 committed by GitHub
commit deb4627558
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 15 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
docs/how-to/how-to-run-kata-containers-with-SNP-VMs.md
View File

@ -53,7 +53,14 @@ $ ./configure --enable-virtfs --target-list=x86_64-softmmu --enable-debug
$ make -j "$(nproc)" $ make -j "$(nproc)"
$ popd $ popd
``` ```
- Create cert-chain for SNP attestation ( using [snphost](https://github.com/virtee/snphost/blob/main/docs/snphost.1.adoc) )
```bash
$ git clone https://github.com/virtee/snphost.git && cd snphost/
$ cargo build
$ mkdir /tmp/certs
$ ./target/debug/snphost fetch vcek der /tmp/certs
$ ./target/debug/snphost import /tmp/certs /opt/snp/cert_chain.cert
```
### Kata Containers Configuration for SNP ### Kata Containers Configuration for SNP
The configuration file located at `/etc/kata-containers/configuration.toml` must be adapted as follows to support SNP-VMs: The configuration file located at `/etc/kata-containers/configuration.toml` must be adapted as follows to support SNP-VMs:
@ -100,6 +107,10 @@ sev_snp_guest = true
- Configure an OVMF (add path) - Configure an OVMF (add path)
```toml ```toml
firmware = "/path/to/kata-containers/tools/packaging/static-build/ovmf/opt/kata/share/ovmf/OVMF.fd" firmware = "/path/to/kata-containers/tools/packaging/static-build/ovmf/opt/kata/share/ovmf/OVMF.fd"
```
- SNP attestation (add cert-chain to default path or add the path with cert-chain)
```toml
snp_certs_path = "/path/to/cert-chain"
``` ```
## Test Kata Containers with Containerd ## Test Kata Containers with Containerd

1
tests/cmd/check-spelling/data/projects.txt
View File

@ -87,6 +87,7 @@ SELinux/B
SemaphoreCI/B SemaphoreCI/B
snapcraft/B snapcraft/B
snapd/B snapd/B
snphost/B
SQLite/B SQLite/B
StratoVirt/B StratoVirt/B
SUSE/B SUSE/B

3
tests/cmd/check-spelling/kata-dictionary.dic
View File

@ -1,4 +1,4 @@
387 392
ACPI/AB ACPI/AB
ACS/AB ACS/AB
API/AB API/AB
@ -340,6 +340,7 @@ serverless
signoff/A signoff/A
snapcraft/B snapcraft/B
snapd/B snapd/B
snphost/B
stalebot/B stalebot/B
startup startup
stderr/AB stderr/AB

6
tests/integration/kubernetes/k8s-confidential-attestation.bats
View File

@ -20,9 +20,6 @@ setup() {
if [ "${KBS}" = "false" ]; then if [ "${KBS}" = "false" ]; then
skip "Test skipped as KBS not setup" skip "Test skipped as KBS not setup"
fi fi
if [ "${KATA_HYPERVISOR}" = "qemu-snp" ]; then
skip "Test skipped as SNP attestation not setup"
fi
setup_common setup_common
get_pod_config_dir get_pod_config_dir
@ -93,9 +90,6 @@ teardown() {
if [ "${KBS}" = "false" ]; then if [ "${KBS}" = "false" ]; then
skip "Test skipped as KBS not setup" skip "Test skipped as KBS not setup"
fi fi
if [ "${KATA_HYPERVISOR}" = "qemu-snp" ]; then
skip "Test skipped as SNP attestation not setup"
fi
[ -n "${pod_name:-}" ] && kubectl describe "pod/${pod_name}" || true [ -n "${pod_name:-}" ] && kubectl describe "pod/${pod_name}" || true
[ -n "${pod_config_dir:-}" ] && kubectl delete -f "${K8S_TEST_YAML}" || true [ -n "${pod_config_dir:-}" ] && kubectl delete -f "${K8S_TEST_YAML}" || true