e2e/contrasttest: use real minimumTCB values on bare-metal runners

.github/workflows/e2e.yml

@@ -79,7 +79,8 @@ jobs:
             --image-replacements workspace/just.containerlookup \
             --namespace-file workspace/e2e.namespace \
             --platform ${{ inputs.platform }} \
-            --namespace-suffix="-ci"
+            --namespace-suffix="-ci" \
+            --minimum-tcb-file ./e2e/internal/contrasttest/testdata/snp-minimum-tcb.json \
       - name: Download logs
         if: always()
         run: |

e2e/internal/contrasttest/contrasttest.go

@@ -41,6 +41,7 @@ type testFlags struct {
 	ImageReplacementsFile string
 	NamespaceFile         string
 	NamespaceSuffix       string
+	MinimumTcbFile        string
 }
 
 // RegisterFlags registers the flags that are shared between all tests.
@@ -49,6 +50,7 @@ func RegisterFlags() {
 	flag.StringVar(&Flags.NamespaceFile, "namespace-file", "", "file to store the namespace in")
 	flag.StringVar(&Flags.NamespaceSuffix, "namespace-suffix", "", "suffix to append to the namespace")
 	flag.StringVar(&Flags.PlatformStr, "platform", "", "Deployment platform")
+	flag.StringVar(&Flags.MinimumTcbFile, "minimum-tcb-file", "", "path to overwrite file of minimumTcb values (baremetal SNP)")
 }
 
 // ContrastTest is the Contrast test helper struct.
@@ -178,8 +180,9 @@ func (ct *ContrastTest) Generate(t *testing.T) {
 	hash, err := os.ReadFile(path.Join(ct.WorkDir, "coordinator-policy.sha256"))
 	require.NoError(err)
 	require.NotEmpty(hash, "expected apply to fill coordinator policy hash")
-
-	ct.PatchManifest(t, patchReferenceValues(ct.Platform))
+	patchManifestFunc, err := patchReferenceValues(ct.Platform, Flags.MinimumTcbFile)
+	require.NoError(err)
+	ct.PatchManifest(t, patchManifestFunc)
 }
 
 // PatchManifestFunc defines a function type allowing the given manifest to be modified.
@@ -199,7 +202,21 @@ func (ct *ContrastTest) PatchManifest(t *testing.T, patchFn PatchManifestFunc) {
 
 // patchReferenceValues returns a PatchManifestFunc which modifies a manifest to contain multiple reference values for testing
 // cases with multiple validators, as well as filling in bare-metal SNP-specific values.
-func patchReferenceValues(platform platforms.Platform) PatchManifestFunc {
+func patchReferenceValues(platform platforms.Platform, tcbSpecificationFile string) (PatchManifestFunc, error) {
+	var baremetalRefVal manifest.ReferenceValues
+	if platform == platforms.K3sQEMUSNP || platform == platforms.MetalQEMUSNP {
+		// load minimumTCB specification for bare metal runners from path tcbSpecificationFile
+		tcbSpecs, err := os.ReadFile(tcbSpecificationFile)
+		if err != nil {
+			return nil, fmt.Errorf("Failed reading minimum tcb specification file: "+tcbSpecificationFile, "error", err)
+		}
+
+		err = json.Unmarshal(tcbSpecs, &baremetalRefVal)
+		if err != nil {
+			return nil, fmt.Errorf("Failed unmarshaling minimum tcb specification file: %s with error :%w", tcbSpecificationFile, err)
+		}
+	}
+
 	return func(m manifest.Manifest) manifest.Manifest {
 		switch platform {
 		case platforms.AKSCloudHypervisorSNP:
@@ -215,14 +232,20 @@ func patchReferenceValues(platform platforms.Platform) PatchManifestFunc {
 			}
 		case platforms.MetalQEMUSNP, platforms.K3sQEMUSNP:
 			// The generate command doesn't fill in all required fields when
-			// generating a manifest for baremetal SNP. Do that now.
-			for i, snp := range m.ReferenceValues.SNP {
-				snp.MinimumTCB.BootloaderVersion = toPtr(manifest.SVN(0))
-				snp.MinimumTCB.TEEVersion = toPtr(manifest.SVN(0))
-				snp.MinimumTCB.SNPVersion = toPtr(manifest.SVN(0))
-				snp.MinimumTCB.MicrocodeVersion = toPtr(manifest.SVN(0))
-				m.ReferenceValues.SNP[i] = snp
+			// generating a manifest for baremetal SNP.
+			// Overwrite the real minimumTCB values, loaded from the path tcbSpecificationFile.
+			var referenceValues []manifest.SNPReferenceValues
+			for i, manifestSNP := range m.ReferenceValues.SNP {
+				for j, overwriteSNP := range baremetalRefVal.SNP {
+					if manifestSNP.ProductName == overwriteSNP.ProductName {
+						m.ReferenceValues.SNP[i].MinimumTCB = baremetalRefVal.SNP[j].MinimumTCB
+						// Filter to only use the reference values of specified baremetal SNP runners
+						referenceValues = append(referenceValues, m.ReferenceValues.SNP[i])
+					}
+				}
 			}
+			m.ReferenceValues.SNP = referenceValues
+			fmt.Printf("%#v", m)
 		case platforms.MetalQEMUTDX, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
 			// The generate command doesn't fill in all required fields when
 			// generating a manifest for baremetal TDX. Do that now.
@@ -233,7 +256,7 @@ func patchReferenceValues(platform platforms.Platform) PatchManifestFunc {
 			}
 		}
 		return m
-	}
+	}, nil
 }
 
 // Apply the generated resources to the Kubernetes test environment.

e2e/internal/contrasttest/testdata/snp-minimum-tcb.json

@@ -0,0 +1,15 @@
+{
+    "snp": [
+      {
+        "MinimumTCB": {
+          "BootloaderVersion": 7,
+          "TEEVersion": 0,
+          "SNPVersion": 15,
+          "MicrocodeVersion": 72
+        },
+        "ProductName": "Genoa",
+        "TrustedMeasurement": ""
+      }
+
+    ]
+}

justfile

@@ -72,7 +72,8 @@ e2e target=default_deploy_target platform=default_platform: soft-clean coordinat
             --image-replacements ./{{ workspace_dir }}/just.containerlookup \
             --namespace-file ./{{ workspace_dir }}/just.namespace \
             --platform {{ platform }} \
-            --namespace-suffix=${namespace_suffix-}
+            --namespace-suffix=${namespace_suffix-} \
+            --minimum-tcb-file ./e2e/internal/contrasttest/testdata/snp-minimum-tcb.json \
 
 # Generate policies, apply Kubernetes manifests.
 deploy target=default_deploy_target cli=default_cli platform=default_platform: (runtime target platform) (apply "runtime") (populate target platform) (generate cli platform) (apply target)