From ab462a4b89438cb2c097a31d1a0fcbc90b8dfa69 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Wed, 24 Jan 2024 13:59:15 +0100 Subject: [PATCH] tests: Add IBM SE to the basic confidential test The existing confidential basic test titled `Test unencrypted confidential container launch success and verify that we are running in a secure enclave` has been updated to incorporate IBM Secure Execution (`qemu-se`). Previously, a secure image was absent from kata-deploy, hindering the inclusion of IBM SE in the test. Thanks to the #6755 update, it is now possible to test the TEE. This modification extends the existing test by introducing `qemu-se`. The specific changes are outlined below: - Add an additional test `cc-se-e2e-tests` to s390x nightly - Expansion of `REMOTE_COMMAND_PER_HYPERVISOR` for `qemu-se` - Temporary exclusion of two test cases currently incompatible with IBM SE (`cpu-ns` is a common issue across all TEEs, while `inotify` will be addressed in a subsequent pull request). Fixes: #8913 Signed-off-by: Hyounggyu Choi --- .github/workflows/ci-nightly-s390x.yaml | 1 + tests/integration/kubernetes/confidential_common.sh | 1 + tests/integration/kubernetes/k8s-confidential.bats | 4 ++-- tests/integration/kubernetes/k8s-cpu-ns.bats | 6 ++++-- tests/integration/kubernetes/k8s-inotify.bats | 6 ++++-- 5 files changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci-nightly-s390x.yaml b/.github/workflows/ci-nightly-s390x.yaml index d690fa8c50..40c3aff7af 100644 --- a/.github/workflows/ci-nightly-s390x.yaml +++ b/.github/workflows/ci-nightly-s390x.yaml @@ -11,6 +11,7 @@ jobs: matrix: test_title: - kata-vfio-ap-e2e-tests + - cc-se-e2e-tests steps: - name: Fetch a test result for {{ matrix.test_title }} run: | diff --git a/tests/integration/kubernetes/confidential_common.sh b/tests/integration/kubernetes/confidential_common.sh index 789e65b7fa..02337b0229 100644 --- a/tests/integration/kubernetes/confidential_common.sh +++ b/tests/integration/kubernetes/confidential_common.sh @@ -29,6 +29,7 @@ function get_remote_command_per_hypervisor() { REMOTE_COMMAND_PER_HYPERVISOR[qemu-sev]="dmesg | grep \"Memory Encryption Features active:.*\(SEV$\|SEV \)\"" REMOTE_COMMAND_PER_HYPERVISOR[qemu-snp]="dmesg | grep \"Memory Encryption Features active:.*SEV-SNP\"" REMOTE_COMMAND_PER_HYPERVISOR[qemu-tdx]="cpuid | grep TDX_GUEST" + REMOTE_COMMAND_PER_HYPERVISOR[qemu-se]="cd /sys/firmware/uv; cat prot_virt_guest | grep 1" echo "${REMOTE_COMMAND_PER_HYPERVISOR[${KATA_HYPERVISOR}]}" } diff --git a/tests/integration/kubernetes/k8s-confidential.bats b/tests/integration/kubernetes/k8s-confidential.bats index bf56ac3636..0d68b5895d 100644 --- a/tests/integration/kubernetes/k8s-confidential.bats +++ b/tests/integration/kubernetes/k8s-confidential.bats @@ -10,7 +10,7 @@ load "${BATS_TEST_DIRNAME}/confidential_common.sh" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { - SUPPORTED_HYPERVISORS=("qemu-sev" "qemu-snp" "qemu-tdx") + SUPPORTED_HYPERVISORS=("qemu-sev" "qemu-snp" "qemu-tdx" "qemu-se") # This check must be done with "${KATA_HYPERVISOR}" to avoid # having substrings, like qemu, being matched with qemu-$something. @@ -36,7 +36,7 @@ setup() { warn "Failed to get pod IP address." else info "Pod IP address: ${pod_ip}" - coco_enabled=$(ssh -i ${SSH_KEY_FILE} -o "StrictHostKeyChecking no" -o "PasswordAuthentication=no" root@${pod_ip} /bin/sh -c "$(get_remote_command_per_hypervisor)") && break + coco_enabled=$(ssh -i ${SSH_KEY_FILE} -o "StrictHostKeyChecking no" -o "PasswordAuthentication=no" root@${pod_ip} "$(get_remote_command_per_hypervisor)" 2> /dev/null) && break warn "Failed to connect to pod." fi sleep 5 diff --git a/tests/integration/kubernetes/k8s-cpu-ns.bats b/tests/integration/kubernetes/k8s-cpu-ns.bats index 878e761a26..c3183698cb 100644 --- a/tests/integration/kubernetes/k8s-cpu-ns.bats +++ b/tests/integration/kubernetes/k8s-cpu-ns.bats @@ -12,7 +12,8 @@ setup() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "dragonball" ] && skip "test not working see: ${dragonball_limitations}" - ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] ) \ + ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \ + [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \ && skip "TEEs do not support memory / CPU hotplug" @@ -73,7 +74,8 @@ teardown() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "dragonball" ] && skip "test not working see: ${dragonball_limitations}" - ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] ) \ + ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \ + [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \ && skip "TEEs do not support memory / CPU hotplug" # Debugging information diff --git a/tests/integration/kubernetes/k8s-inotify.bats b/tests/integration/kubernetes/k8s-inotify.bats index 9a87b0a96d..a06bf6774f 100644 --- a/tests/integration/kubernetes/k8s-inotify.bats +++ b/tests/integration/kubernetes/k8s-inotify.bats @@ -11,6 +11,8 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + issue_url="https://github.com/kata-containers/kata-containers/issues/8906" + [ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})" get_pod_config_dir } @@ -37,11 +39,11 @@ setup() { kubectl delete configmap cm } - - teardown() { [ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" + issue_url="https://github.com/kata-containers/kata-containers/issues/8906" + [ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})" # Debugging information kubectl describe "pod/$pod_name" kubectl delete pod "$pod_name"