From 3b155ab0b1050192aa01895dcb9e1d4e9e6fe9e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 7 Apr 2026 11:59:05 +0200 Subject: [PATCH 1/2] ci: Run runtime-rs tests for SNP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As we're in the process to stabilise runtime-rs for the coming 4.0.0 release, we better start running as many tests as possible with that. Signed-off-by: Fabiano FidĂȘncio --- .github/workflows/run-kata-coco-tests.yaml | 2 ++ tests/gha-run-k8s-common.sh | 2 +- .../integration/kubernetes/confidential_common.sh | 4 ++-- tests/integration/kubernetes/gha-run.sh | 6 +++--- tests/integration/kubernetes/k8s-cpu-ns.bats | 4 ++-- .../kubernetes/k8s-measured-rootfs.bats | 14 +++++++++----- tests/integration/kubernetes/setup.sh | 2 +- tests/integration/kubernetes/tests_common.sh | 6 +++--- 8 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml
index be06c5bf02..ad267ab3de 100644
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -53,6 +53,8 @@ jobs:
 vmm: qemu-tdx
 - runner: sev-snp
 vmm: qemu-snp
+ - runner: sev-snp
+ vmm: qemu-snp-runtime-rs
 runs-on: ${{ matrix.runner }}
 env:
 DOCKER_REGISTRY: ${{ inputs.registry }}
diff --git a/tests/gha-run-k8s-common.sh b/tests/gha-run-k8s-common.sh
index 4f132601f6..6b6aa8a738 100644
--- a/tests/gha-run-k8s-common.sh
+++ b/tests/gha-run-k8s-common.sh
@@ -635,7 +635,7 @@ function helm_helper() {
 base_values_file="${helm_chart_dir}/try-kata-nvidia-gpu.values.yaml"
 fi
 ;;
- qemu-snp|qemu-tdx|qemu-se|qemu-se-runtime-rs|qemu-cca|qemu-coco-dev|qemu-coco-dev-runtime-rs)
+ qemu-snp|qemu-snp-runtime-rs|qemu-tdx|qemu-se|qemu-se-runtime-rs|qemu-cca|qemu-coco-dev|qemu-coco-dev-runtime-rs)
 # Use TEE example file
 if [[ -f "${helm_chart_dir}/try-kata-tee.values.yaml" ]]; then
 base_values_file="${helm_chart_dir}/try-kata-tee.values.yaml"
diff --git a/tests/integration/kubernetes/confidential_common.sh b/tests/integration/kubernetes/confidential_common.sh
index 0f8e5a2136..2036b47b6d 100644
--- a/tests/integration/kubernetes/confidential_common.sh
+++ b/tests/integration/kubernetes/confidential_common.sh
@@ -11,7 +11,7 @@ source "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/confidential_kbs.sh"
 SUPPORTED_GPU_TEE_HYPERVISORS=("qemu-nvidia-gpu-snp" "qemu-nvidia-gpu-tdx")
-SUPPORTED_TEE_HYPERVISORS=("qemu-snp" "qemu-tdx" "qemu-se" "qemu-se-runtime-rs" "${SUPPORTED_GPU_TEE_HYPERVISORS[@]}")
+SUPPORTED_TEE_HYPERVISORS=("qemu-snp" "qemu-snp-runtime-rs" "qemu-tdx" "qemu-se" "qemu-se-runtime-rs" "${SUPPORTED_GPU_TEE_HYPERVISORS[@]}")
 SUPPORTED_NON_TEE_HYPERVISORS=("qemu-coco-dev" "qemu-coco-dev-runtime-rs")
 function setup_unencrypted_confidential_pod() {
@@ -36,7 +36,7 @@ function get_remote_command_per_hypervisor() {
 qemu-se*)
 echo "cd /sys/firmware/uv; cat prot_virt_guest | grep 1"
 ;;
- qemu-snp)
+ qemu-snp|qemu-snp-runtime-rs)
 echo "dmesg | grep \"Memory Encryption Features active:.*SEV-SNP\""
 ;;
 qemu-tdx)
diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index 6055005d64..b60a9e861f 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -187,7 +187,7 @@ function deploy_kata() {
 # Workaround to avoid modifying the workflow yaml files
 case "${KATA_HYPERVISOR}" in
- qemu-tdx|qemu-snp|qemu-nvidia-gpu-*)
+ qemu-tdx|qemu-snp|qemu-snp-runtime-rs|qemu-nvidia-gpu-*)
 USE_EXPERIMENTAL_SETUP_SNAPSHOTTER=true
 SNAPSHOTTER="nydus"
 EXPERIMENTAL_FORCE_GUEST_PULL=false
@@ -447,7 +447,7 @@ function cleanup() {
 }
 function deploy_snapshotter() {
- if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" ]]; then
+ if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" || "${KATA_HYPERVISOR}" == "qemu-snp-runtime-rs" ]]; then
 echo "[Skip] ${SNAPSHOTTER} is pre-installed in the TEE machine"
 return
 fi
@@ -461,7 +461,7 @@ function deploy_snapshotter() {
 }
 function cleanup_snapshotter() {
- if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" ]]; then
+ if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" || "${KATA_HYPERVISOR}" == "qemu-snp-runtime-rs" ]]; then
 echo "[Skip] ${SNAPSHOTTER} is pre-installed in the TEE machine"
 return
 fi
diff --git a/tests/integration/kubernetes/k8s-cpu-ns.bats b/tests/integration/kubernetes/k8s-cpu-ns.bats
index cd64d7a362..718fefae2e 100644
--- a/tests/integration/kubernetes/k8s-cpu-ns.bats
+++ b/tests/integration/kubernetes/k8s-cpu-ns.bats
@@ -15,7 +15,7 @@ setup() {
 [ "${KATA_HYPERVISOR}" == "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
 [[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && skip "Requires CPU hotplug which disabled by static_sandbox_resource_mgmt"
 ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
- [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
+ [ "${KATA_HYPERVISOR}" == "qemu-snp-runtime-rs" ] || [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
 && skip "TEEs do not support memory / CPU hotplug"
 pod_name="constraints-cpu-test"
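Review bot: The hypervisor allow-list in deploy_snapshotter and cleanup_snapshotter is now three `||`-joined `[[ ]]` tests copied verbatim into both functions, and the k8s-cpu-ns.bats setup and teardown hunks grow their own TEE list the same way; every new runtime name has to be added in each copy, which is how one copy eventually drifts. A `case` on the value, `case "${KATA_HYPERVISOR}" in qemu-tdx|qemu-snp|qemu-snp-runtime-rs) echo "[Skip] ${SNAPSHOTTER} is pre-installed in the TEE machine"; return ;; esac`, or a small helper called from both snapshotter functions, keeps the list in one place and reads as one decision. The lists differ per site (the cpu-ns one also includes qemu-se), so a helper per meaning rather than one shared array seems the right shape. Both snapshotter functions and the bats setup/teardown bodies continue outside the hunks.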
@@ -121,7 +121,7 @@ teardown() {
 [ "${KATA_HYPERVISOR}" == "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
 [[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && skip "Requires CPU hotplug which disabled by static_sandbox_resource_mgmt"
 ( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
- [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
+ [ "${KATA_HYPERVISOR}" == "qemu-snp-runtime-rs" ] || [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
 && skip "TEEs do not support memory / CPU hotplug"
 # Debugging information
diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats
index a86069c583..88fe7773d0 100644
--- a/tests/integration/kubernetes/k8s-measured-rootfs.bats
+++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats
@@ -9,14 +9,18 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/lib.sh"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"
-# Currently only the Go runtime provides the config path used here.
-# If a Rust hypervisor runs this test, mirror the enabling_hypervisor
-# pattern in tests/common.bash to select the correct runtime-rs config.
-shim_config_file="/opt/kata/share/defaults/kata-containers/configuration-${KATA_HYPERVISOR}.toml"
+case "${KATA_HYPERVISOR}" in
+ *-runtime-rs)
+ shim_config_file="/opt/kata/share/defaults/kata-containers/runtime-rs/runtimes/${KATA_HYPERVISOR}/configuration-${KATA_HYPERVISOR}.toml"
+ ;;
+ *)
+ shim_config_file="/opt/kata/share/defaults/kata-containers/runtimes/${KATA_HYPERVISOR}/configuration-${KATA_HYPERVISOR}.toml"
+ ;;
+esac
 check_and_skip() {
 case "${KATA_HYPERVISOR}" in
- qemu-tdx|qemu-coco-dev|qemu-snp)
+ qemu-tdx|qemu-coco-dev|qemu-snp|qemu-snp-runtime-rs)
 if [ "$(uname -m)" == "s390x" ]; then
 skip "measured rootfs tests not implemented for s390x"
 fi
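Review bot: The `*)` arm of the new `case` silently changes the Go-runtime config path from `/opt/kata/share/defaults/kata-containers/configuration-${KATA_HYPERVISOR}.toml` to `/opt/kata/share/defaults/kata-containers/runtimes/${KATA_HYPERVISOR}/configuration-${KATA_HYPERVISOR}.toml`, and neither the commit message ("ci: Run runtime-rs tests for SNP") nor the hunk says why. If the deployed layout still places the Go configurations directly under `defaults/kata-containers/`, every non-runtime-rs run of this test now reads a path that does not exist; either keep the previous path in the `*)` arm or state in the commit message that the layout moved and where. The removed comment pointed at the `enabling_hypervisor` pattern in tests/common.bash for exactly this selection; if that helper already resolves the per-runtime config path, reusing it would avoid a second copy of the layout rule here. check_and_skip continues outside the hunk.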
diff --git a/tests/integration/kubernetes/setup.sh b/tests/integration/kubernetes/setup.sh
index 761e4dbd21..49daf92e4b 100644
--- a/tests/integration/kubernetes/setup.sh
+++ b/tests/integration/kubernetes/setup.sh
@@ -138,7 +138,7 @@ add_runtime_handler_annotations() {
 fi
 case "${KATA_HYPERVISOR}" in
- qemu-coco-dev | qemu-snp | qemu-tdx | qemu-coco-dev-runtime-rs)
+ qemu-coco-dev | qemu-snp | qemu-snp-runtime-rs | qemu-tdx | qemu-coco-dev-runtime-rs)
 info "Add runtime handler annotations for ${KATA_HYPERVISOR}"
 local handler_value="kata-${KATA_HYPERVISOR}"
 for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml
diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh
index eda214a4ba..f1027fdb4b 100644
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -82,7 +82,7 @@ auto_generate_policy_enabled() {
 is_coco_platform() {
 case "${KATA_HYPERVISOR}" in
- "qemu-tdx"|"qemu-snp"|"qemu-coco-dev"|"qemu-coco-dev-runtime-rs"|"qemu-nvidia-gpu-tdx"|"qemu-nvidia-gpu-snp")
+ "qemu-tdx"|"qemu-snp"|"qemu-snp-runtime-rs"|"qemu-coco-dev"|"qemu-coco-dev-runtime-rs"|"qemu-nvidia-gpu-tdx"|"qemu-nvidia-gpu-snp")
 return 0
 ;;
 *)
@@ -148,7 +148,7 @@ install_genpolicy_drop_ins() {
 # 20-* OCI version overlay
 if [[ "${KATA_HOST_OS:-}" == "cbl-mariner" ]]; then
 cp "${examples_dir}/20-oci-1.2.0-drop-in.json" "${settings_d}/"
- elif is_k3s_or_rke2 || is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then
+ elif is_k3s_or_rke2 || is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-snp-runtime-rs" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then
 cp "${examples_dir}/20-oci-1.3.0-drop-in.json" "${settings_d}/"
 fi
@@ -340,7 +340,7 @@ hard_coded_policy_tests_enabled() {
 # CI is testing hard-coded policies just on a the platforms listed here. Outside of CI,
 # users can enable testing of the same policies (plus the auto-generated policies) by
 # specifying AUTO_GENERATE_POLICY=yes.
- local -r enabled_hypervisors=("qemu-coco-dev" "qemu-snp" "qemu-tdx" "qemu-coco-dev-runtime-rs")
+ local -r enabled_hypervisors=("qemu-coco-dev" "qemu-snp" "qemu-snp-runtime-rs" "qemu-tdx" "qemu-coco-dev-runtime-rs")
 for enabled_hypervisor in "${enabled_hypervisors[@]}"
 do
 if [[ "${enabled_hypervisor}" == "${KATA_HYPERVISOR}" ]]; then
From 5e1ab0aa7dffe540ab1f5ea05c7419333c1b8f3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 7 Apr 2026 14:46:56 +0200 Subject: [PATCH 2/2] tests: Support runtime-rs QEMU cmdline format in attestation test MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The k8s-confidential-attestation test extracts the QEMU command line from journal logs to compute the SNP launch measurement. It only matched the Go runtime's log format ("launching with: []"), but runtime-rs logs differently ("qemu args: "). Handle both formats so the test works with qemu-snp-runtime-rs. Made-with: Cursor Signed-off-by: Fabiano FidĂȘncio --- .../kubernetes/k8s-confidential-attestation.bats | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/tests/integration/kubernetes/k8s-confidential-attestation.bats b/tests/integration/kubernetes/k8s-confidential-attestation.bats
index 7ce61e822b..eeb536b3e2 100644
--- a/tests/integration/kubernetes/k8s-confidential-attestation.bats
+++ b/tests/integration/kubernetes/k8s-confidential-attestation.bats
@@ -146,15 +146,22 @@ setup() {
 kbs_set_cpu0_resource_policy
 # get measured artifacts from qemu command line of previous test
+ # Go runtime logs: "launching with: []"
+ # runtime-rs logs: "qemu args: "
 log_line=$(sudo journalctl -r -x -t kata | grep -m 1 'launching.*qemu.*with:' || true)
- qemu_cmd=$(echo "$log_line" | sed 's/.*with: \[\(.*\)\]".*/\1/')
+ if [[ -n "$log_line" ]]; then
+ qemu_cmd=$(echo "$log_line" | sed 's/.*with: \[\(.*\)\]".*/\1/')
+ else
+ log_line=$(sudo journalctl -r -x -t kata | grep -m 1 'qemu args:' || true)
+ qemu_cmd=$(echo "$log_line" | sed 's/.*qemu args: //')
+ fi
 [[ -n "$qemu_cmd" ]] || { echo "Could not find QEMU command line"; return 1; }
 kernel_path=$(echo "$qemu_cmd" | grep -oP -- '-kernel \K[^ ]+')
 initrd_path=$(echo "$qemu_cmd" | grep -oP -- '-initrd \K[^ ]+' || true)
 firmware_path=$(echo "$qemu_cmd" | grep -oP -- '-bios \K[^ ]+')
 vcpu_count=$(echo "$qemu_cmd" | grep -oP -- '-smp \K\d+')
- append=$(echo "$qemu_cmd" | sed -n 's/.*-append \(.*\) -bios.*/\1/p')
+ append=$(echo "$qemu_cmd" | grep -oP -- '-append \K.*?(?= -(smp|bios) )')
 # Remove escape backslashes for quotes from output for dm-mod.create parameters
 append="${append//\\\"/\"}"
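Review bot: Searching for the Go-format line first and only falling back to `qemu args:` when it is absent means that on a host whose journal still holds an older Go-runtime launch, a newer runtime-rs launch is never considered: `journalctl -r -x -t kata | grep -m 1 'launching.*qemu.*with:'` returns the stale entry and the SNP measurement is computed from the wrong command line, which surfaces only as an attestation mismatch much later. A single search for the most recent entry of either format, then a `case` on which one matched, keeps the "command line of previous test" intent for both runtimes. The new `-append` extraction also assumes a ` -smp ` or ` -bios ` token follows `-append` on both runtimes' command lines; a comment stating that assumption would help whoever next adds a runtime, since a non-match leaves `append` empty rather than failing. The enclosing test body starts and ends outside the hunk.
```shell
  # get measured artifacts from qemu command line of previous test
  # Go runtime logs: "launching with: []"; runtime-rs logs: "qemu args: ".
  # Take the newest entry of either format so a stale line left by the
  # other runtime on the same host is not picked up.
  log_line=$(sudo journalctl -r -x -t kata | grep -m 1 -E 'launching.*qemu.*with:|qemu args:' || true)
  case "$log_line" in
    *'qemu args:'*)
      qemu_cmd=$(echo "$log_line" | sed 's/.*qemu args: //')
      ;;
    *)
      qemu_cmd=$(echo "$log_line" | sed 's/.*with: \[\(.*\)\]".*/\1/')
      ;;
  esac
  [[ -n "$qemu_cmd" ]] || { echo "Could not find QEMU command line"; return 1; }
  # … unchanged: kernel_path / initrd_path / firmware_path / vcpu_count / append extraction …
```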