From 540986bc8f9018830b23ee4ebba077c19f2bedfb Mon Sep 17 00:00:00 2001
From: Hyounggyu Choi
Date: Mon, 18 May 2026 08:20:24 +0200
Subject: [PATCH] test: skip CDH resource test for qemu-se without reference values

Since gc and trustee were bumped (#13046), the test "Cannot get CDH resource when affirming policy is set without reference values" has started failing for IBM SEL. The attestation policy for IBM SEL returns an "affirming" result whenever the claim can be parsed successfully, meaning the evidence verification succeeds. As a result, the negative test above always produces a positive result. Skip this negative test for IBM SEL environments (e.g. qemu-se*).

Signed-off-by: Hyounggyu Choi
---
 .../kubernetes/k8s-confidential-attestation.bats | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/tests/integration/kubernetes/k8s-confidential-attestation.bats b/tests/integration/kubernetes/k8s-confidential-attestation.bats
index eeb536b3e2..86f5ff32af 100644
--- a/tests/integration/kubernetes/k8s-confidential-attestation.bats
+++ b/tests/integration/kubernetes/k8s-confidential-attestation.bats
@@ -117,9 +117,18 @@ setup() {
 # (the AS policy must return an affirming trust vector), but no
 # reference values are set.
 #
-# This can run on all platforms.
+# Skipped on IBM SEL / qemu-se* because that environment returns an
+# affirming trust vector when verification completes successfully, even
+# without reference values.
 @test "Cannot get CDH resource when affirming policy is set without reference values" {
+ if [[ "${KATA_HYPERVISOR}" == qemu-se* ]]; then
+ local skip_reason="IBM SEL returns an affirming trust vector if the verification process "
+ skip_reason+="completes successfully, even if no reference values are set. See "
+ skip_reason+="https://github.com/confidential-containers/trustee/blob/d4e317620c4039c89779b725f74974d8f005da66/attestation-service/src/ear_token/ear_default_policy_cpu.rego#L323-L339"
+ skip "${skip_reason}"
+ fi
+
 # Require CPU0 to have affirming trust level.
 kbs_set_cpu0_resource_policy
 kubectl apply -f "${K8S_TEST_YAML}"
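Review bot: The glob `qemu-se*` in the new `if` matches every hypervisor name that begins with `qemu-se`, so a non-IBM name with that prefix (for example an AMD SEV variant named `qemu-sev`, if one is configured) would silently lose this negative attestation test as well; `if [[ "${KATA_HYPERVISOR}" == qemu-se || "${KATA_HYPERVISOR}" == qemu-se-* ]]; then` keeps the skip to the SE names. The skipped case is the one that checks a resource is withheld when no reference values are set, so the comment above the test should state the consequence rather than only the reason, e.g. `# NOTE: on IBM SEL an affirming result does not imply reference values were matched; re-enable once the SE policy requires them.` The test body continues past the end of this hunk.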