Merge pull request #5594 from ryansavino/add-snp-test

snp: added snp unencrypted test

.ci/ci_job_flags.sh

@@ -106,7 +106,7 @@ case "${CI_JOB}" in
 	export CRI_RUNTIME="containerd"
 	export KATA_HYPERVISOR="qemu"
 	;;
-"CRI_CONTAINERD"|"CRI_CONTAINERD_K8S"|"CC_CRI_CONTAINERD"|"CC_CRI_CONTAINERD_K8S"|"CC_SEV_CRI_CONTAINERD_K8S")
+"CRI_CONTAINERD"|"CRI_CONTAINERD_K8S"|"CC_CRI_CONTAINERD"|"CC_CRI_CONTAINERD_K8S")
 	# This job only tests containerd + k8s
 	init_ci_flags
 	export CRI_CONTAINERD="yes"
@@ -116,22 +116,39 @@ case "${CI_JOB}" in
 		"CRI_CONTAINERD_K8S")
 			export KUBERNETES="yes"
 			;;
-		"CC_CRI_CONTAINERD"|"CC_CRI_CONTAINERD_K8S"|"CC_SEV_CRI_CONTAINERD_K8S")
+		"CC_CRI_CONTAINERD"|"CC_CRI_CONTAINERD_K8S")
 			# Export any CC specific environment variables
 			export KATA_BUILD_CC="yes"
 			export MEASURED_ROOTFS="yes"
 			export AA_KBC="offline_fs_kbc"
 			if [[ "${CI_JOB}" =~ K8S ]]; then
 				export KUBERNETES=yes
 			fi
-			if [[ "${CI_JOB}" =~ SEV ]]; then
-				export TEE_TYPE="sev"
-				export AA_KBC="online_sev_kbc"
-				export TEST_INITRD="yes"
-			fi
 			;;
 	esac
 	;;
+"CC_SEV_CRI_CONTAINERD_K8S"|"CC_SNP_CRI_CONTAINERD_K8S")
+	init_ci_flags
+	export CRI_CONTAINERD="yes"
+	export CRI_RUNTIME="containerd"
+	export KATA_HYPERVISOR="qemu"
+	export KATA_BUILD_CC="yes"
+	export AA_KBC="offline_fs_kbc"
+	export TEST_INITRD="yes"
+	if [[ "${CI_JOB}" =~ K8S ]]; then
+		export KUBERNETES=yes
+	fi
+	if [[ "${CI_JOB}" =~ SEV ]]; then
+		export TEE_TYPE="sev"
+		export AA_KBC="online_sev_kbc"
+		export KATA_BUILD_KERNEL_TYPE="sev"
+	fi
+	if [[ "${CI_JOB}" =~ SNP ]]; then
+		export TEE_TYPE="snp"
+		export KATA_BUILD_QEMU_TYPE="snp"
+		export KATA_BUILD_KERNEL_TYPE="sev"
+	fi
+	;;
 "CC_CRI_CONTAINERD_TDX_QEMU"|"CC_CRI_CONTAINERD_TDX_CLOUD_HYPERVISOR")
 	init_ci_flags
 	export CRI_CONTAINERD="yes"

.ci/install_kata.sh

@@ -33,6 +33,11 @@ if [ "${TEE_TYPE:-}" == "sev" ]; then
 	KATA_BUILD_KERNEL_TYPE=sev
 fi
 
+if [ "${TEE_TYPE:-}" == "snp" ]; then
+	KATA_BUILD_KERNEL_TYPE=snp
+	KATA_BUILD_QEMU_TYPE="${KATA_BUILD_QEMU_TYPE:-snp}"
+fi
+
 if [ "${KATA_HYPERVISOR:-}" == "dragonball" ]; then
 	KATA_BUILD_KERNEL_TYPE=dragonball
 fi
@@ -89,6 +94,8 @@ case "${KATA_HYPERVISOR}" in
 			"${cidir}/install_tdvf.sh"
 		elif [ "${TEE_TYPE:-}" == "sev" ]; then
 			"${cidir}/install_ovmf_sev.sh"
+		elif [ "${TEE_TYPE:-}" == "snp" ]; then
+			"${cidir}/install_ovmf_x86_64.sh"
 		fi
 		;;
 	"dragonball")

.ci/install_kata_image.sh

@@ -21,7 +21,9 @@ TEE_TYPE="${TEE_TYPE:-}"
 
 build_image_for_cc () {
 	if [ "${TEST_INITRD}" == "yes" ]; then
-		[ "${TEE_TYPE}" == "sev" ] || die "SEV is the only TEE type that supports initrd"
+		if [ "${TEE_TYPE}" != "sev" ] && [ "${TEE_TYPE}" != "snp" ]; then
+		  die "SEV and SNP are the only TEE types that supports initrd"
+		fi
 		build_static_artifact_and_install "sev-rootfs-initrd"
 	else
 		[ "${osbuilder_distro:-ubuntu}" == "ubuntu" ] || \

.ci/install_kata_kernel.sh

@@ -34,9 +34,12 @@ build_and_install_kernel_for_cc() {
 	local artifact="kernel"
 
 	case "$kernel_type" in
-		tdx|sev)
+		tdx)
 			artifact="${kernel_type}-${artifact}"
 			;;
+		sev|snp)
+			artifact="sev-${artifact}"
+			;;
 		vanilla) ;;
 		*)
 			die_unsupported_kernel_type "$kernel_type"
@@ -67,7 +70,7 @@ Usage:
 Options:
     -d          : Enable bash debug.
     -h          : Display this help.
-    -t <kernel> : kernel type, such as vanilla, experimental, dragonball, etc
+    -t <kernel> : kernel type, such as vanilla, experimental, dragonball, tdx, sev, snp.
 EOF
 	exit "$exit_code"
 }

.ci/install_ovmf_sev.sh

@@ -21,7 +21,6 @@ main() {
 	pushd $katacontainers_repo_dir
 	sudo -E PATH=$PATH bash ${buildscript} --build=cc-sev-ovmf
 	sudo tar -xvJpf build/kata-static-cc-sev-ovmf.tar.xz -C /
-	sudo ln -sf /opt/confidential-containers/share/ovmf /usr/share/ovmf
 	popd
 }
 

.ci/install_ovmf_x86_64.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# Copyright 2022 Advanced Micro Devices, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o errtrace
+
+cidir=$(dirname "$0")
+source "${cidir}/lib.sh"
+
+main() {
+	build_static_artifact_and_install x86_64-ovmf
+}
+
+main "$@"

.ci/install_qemu.sh

@@ -29,7 +29,7 @@ build_and_install_qemu_for_cc() {
 	local artifact="qemu"
 
 	case "${qemu_type}" in
-		tdx)
+		tdx|snp)
 			artifact="${qemu_type}-${artifact}"
 			;;
 		vanilla) ;;
@@ -109,6 +109,12 @@ main() {
 
 	export qemu_type
 	case "${qemu_type}" in
+		snp)
+			CURRENT_QEMU_VERSION=$(get_version "assets.hypervisor.qemu-snp-experimental.tag")
+			QEMU_REPO_URL=$(get_version "assets.hypervisor.qemu-snp-experimental.url")
+			qemu_latest_build_url="${jenkins_url}/job/kata-containers-2.0-qemu-snp-$(uname -m)/${cached_artifacts_path}"
+			qemu_type="snp-qemu"
+			;;
 		vanilla)
 			qemu_type="qemu"
 			;;

.ci/install_runtime.sh

@@ -134,6 +134,8 @@ case "${KATA_HYPERVISOR}" in
 			enable_hypervisor_config "${PKGDEFAULTSDIR}/configuration-qemu-tdx.toml"
 		elif [ "$TEE_TYPE" == "sev" ]; then
 			enable_hypervisor_config "${PKGDEFAULTSDIR}/configuration-qemu-sev.toml"
+		elif [ "$TEE_TYPE" == "snp" ]; then
+			enable_hypervisor_config "${PKGDEFAULTSDIR}/configuration-qemu-snp.toml"
 		elif [ "$TEE_TYPE" == "se" ]; then
 			enable_hypervisor_config "${PKGDEFAULTSDIR}/configuration-qemu-se.toml"
 		else

.ci/lib.sh

@@ -56,7 +56,6 @@ if [ "$(uname -m)" == "s390x" ] && grep -Eq "\<(fedora|suse)\>" /etc/os-release
 	export CC=gcc
 fi
 
-tests_repo="${tests_repo:-github.com/kata-containers/tests}"
 lib_script="${GOPATH}/src/${tests_repo}/lib/common.bash"
 source "${lib_script}"
 

.ci/run.sh

@@ -79,6 +79,10 @@ case "${CI_JOB}" in
 		info "Running Confidential Containers tests for AMD SEV"
 		sudo -E PATH="$PATH" CRI_RUNTIME="containerd" bash -c "make cc-sev-kubernetes"
 		;;
+	"CC_SNP_CRI_CONTAINERD_K8S")
+		info "Running Confidential Containers tests for AMD SEV-SNP"
+		sudo -E PATH="$PATH" CRI_RUNTIME="containerd" bash -c "make cc-snp-kubernetes"
+		;;
 	"CC_CRI_CONTAINERD_K8S"|"CC_CRI_CONTAINERD_K8S_TDX_QEMU"|"CC_CRI_CONTAINERD_K8S_SE_QEMU"|"CC_CRI_CONTAINERD_K8S_TDX_CLOUD_HYPERVISOR")
 		info "Running Confidential Container tests"
 		sudo -E PATH="$PATH" CRI_RUNTIME="containerd" bash -c "make cc-kubernetes"

Makefile

@@ -113,6 +113,12 @@ cc-sev-kubernetes:
 	K8S_TEST_UNION="confidential/sev.bats" \
 	bash integration/kubernetes/run_kubernetes_tests.sh
 
+# Run the Confidential Containers AMD SNP specific tests.
+cc-snp-kubernetes:
+	bash -f .ci/install_bats.sh
+	K8S_TEST_UNION="confidential/snp.bats" \
+	bash integration/kubernetes/run_kubernetes_tests.sh
+
 log-parser:
 	make -C cmd/log-parser
 

integration/confidential/lib.sh

@@ -204,7 +204,7 @@ configure_cc_containerd() {
 	sudo systemctl stop containerd
 	sleep 5
 	[ -n "$saved_containerd_conf_file" ] && \
-		cp -f "$containerd_conf_file" "$saved_containerd_conf_file"
+		sudo cp -f "$containerd_conf_file" "$saved_containerd_conf_file"
 	sudo systemctl start containerd
 	waitForProcess 30 5 "sudo crictl info >/dev/null"
 
@@ -353,3 +353,90 @@ setup_credentials_files() {
 	CREDENTIAL="${auth_json}" envsubst < "${SHARED_FIXTURES_DIR}/offline-fs-kbc/aa-offline_fs_kbc-resources.json.in" > "${dest_file}"
 	cp_to_guest_img "etc" "${dest_file}"
 }
+
+###############################################################################
+
+# simple-kbs
+
+SIMPLE_KBS_DIR="${SIMPLE_KBS_DIR:-/tmp/simple-kbs}"
+KBS_DB_USER="${KBS_DB_USER:-kbsuser}"
+KBS_DB_PW="${KBS_DB_PW:-kbspassword}"
+KBS_DB="${KBS_DB:-simple_kbs}"
+#KBS_DB_TYPE="{KBS_DB_TYPE:-mysql}"
+
+# Run the simple-kbs
+simple_kbs_run() {
+  # Retrieve simple-kbs repo and tag from versions.yaml
+  local simple_kbs_url=$(get_test_version "externals.simple-kbs.url")
+  local simple_kbs_tag=$(get_test_version "externals.simple-kbs.tag")
+
+  # Cleanup and create installation directory
+  esudo rm -rf "${SIMPLE_KBS_DIR}" 
+  mkdir -p "${SIMPLE_KBS_DIR}"
+  pushd "${SIMPLE_KBS_DIR}"
+
+  # Clone and run
+  git clone "${simple_kbs_url}" --branch main
+  pushd simple-kbs
+
+  # Checkout, build and start
+  git checkout -b "branch_${simple_kbs_tag}" "${simple_kbs_tag}"
+  esudo docker-compose build
+  esudo docker-compose up -d
+
+  # Wait for simple-kbs to start
+  waitForProcess 15 1 "esudo docker-compose top | grep -q simple-kbs"
+  popd
+
+  # Get simple-kbs database container ip
+  local kbs_db_host=$(simple_kbs_get_db_ip)
+
+  # Confirm connection to the database is possible
+  waitForProcess 5 1 "mysql -u${KBS_DB_USER} -p${KBS_DB_PW} -h ${kbs_db_host} -D ${KBS_DB} -e '\q'"
+  popd
+}
+
+# Stop simple-kbs and database containers
+simple_kbs_stop() {
+  (cd ${SIMPLE_KBS_DIR}/simple-kbs && esudo docker-compose down 2>/dev/null)
+}
+
+# Delete all test inserted data in the simple-kbs
+simple_kbs_delete_data() {
+  # Get simple-kbs database container ip
+  local kbs_db_host=$(simple_kbs_get_db_ip)
+
+  # Delete all data with 'id = 10'
+  mysql -u${KBS_DB_USER} -p${KBS_DB_PW} -h ${kbs_db_host} -D ${KBS_DB} <<EOF
+    DELETE FROM secrets WHERE id = 10;
+    DELETE FROM policy WHERE id = 10;
+EOF
+}
+
+# Get the ip of the simple-kbs database docker container
+simple_kbs_get_db_ip() {
+  esudo docker network inspect simple-kbs_default \
+    | jq -r '.[].Containers[] | select(.Name | test("simple-kbs[_-]db.*")).IPv4Address' \
+    | sed "s|/.*$||g"
+}
+
+# Add key and keyset to database
+# If measurement is provided, add policy with measurement to database
+simple_kbs_add_key_to_db() {
+  local encryption_key="${1}"
+  local measurement="${2}"
+
+  # Get simple-kbs database container ip
+  local kbs_db_host=$(simple_kbs_get_db_ip)
+
+  if [ -n "${measurement}" ]; then
+    mysql -u${KBS_DB_USER} -p${KBS_DB_PW} -h ${kbs_db_host} -D ${KBS_DB} <<EOF
+      INSERT INTO secrets VALUES (10, 'default/key/ssh-demo', '${encryption_key}', 10);
+      INSERT INTO policy VALUES (10, '["${measurement}"]', '[]', 0, 0, '[]', now(), NULL, 1);
+EOF
+  else
+    mysql -u${KBS_DB_USER} -p${KBS_DB_PW} -h ${kbs_db_host} -D ${KBS_DB} <<EOF
+      INSERT INTO secrets VALUES (10, 'default/key/ssh-demo', '${encryption_key}', NULL);
+EOF
+  fi
+}

integration/kubernetes/confidential/fixtures/service.yaml.in

@@ -5,31 +5,28 @@
 kind: Service
 apiVersion: v1
 metadata:
-  name: $NAME
+  name: "$NAME"
 spec:
   selector:
-    app: $NAME
+    app: "$NAME"
   ports:
   - port: 22
 ---
 kind: Deployment
 apiVersion: apps/v1
 metadata:
-  name: $NAME
+  name: "$NAME"
 spec:
   selector:
     matchLabels:
-      app: $NAME
+      app: "$NAME"
   template:
     metadata:
       labels:
-        app: $NAME
-      annotations:
-        io.katacontainers.config.pre_attestation.uri: "$KBS_URI"
-        io.katacontainers.config.sev.policy: "$POLICY"
+        app: "$NAME"
     spec:
-      runtimeClassName: $RUNTIMECLASS
+      runtimeClassName: "$RUNTIMECLASS"
       containers:
-      - name: $NAME
-        image: $IMAGE
+      - name: "$NAME"
+        image: "$IMAGE"
         imagePullPolicy: Always

integration/kubernetes/confidential/lib.sh

@@ -118,3 +118,42 @@ setup_decryption_files_in_guest() {
 	add_kernel_params "agent.aa_kbc_params=offline_fs_kbc::null"
 	cp_to_guest_img "etc" "${doc_repo_dir}/demos/ssh-demo/aa-offline_fs_kbc-keys.json"
 }
+
+###############################################################################
+
+# Confidentiality - AMD
+
+# Generate the firmware measurement using sev-snp-measure
+generate_firmware_measurement_with_append() {
+  local config_file="${1}"
+  local append="${2}"
+  local mode="${3:-sev}"
+
+  # Get vcpu sig, get ovmf, kernel and initrd paths
+  local vcpu_sig=$(cpuid -1 --leaf 0x1 --raw | cut -s -f2 -d= | cut -f1 -d" ")
+  local ovmf_path=$(grep "firmware = " ${config_file} | cut -d'"' -f2)
+  local kernel_path="$(esudo /opt/confidential-containers/bin/kata-runtime \
+    --config ${config_file} kata-env --json | jq -r .Kernel.Path)"
+  local initrd_path="$(esudo /opt/confidential-containers/bin/kata-runtime \
+    --config ${config_file} kata-env --json | jq -r .Initrd.Path)"
+
+  # Return error if files don't exist
+  [ -f "${ovmf_path}" ] || return 1
+  [ -f "${kernel_path}" ] || return 1
+  [ -f "${initrd_path}" ] || return 1
+
+  # Generate digest from sev-snp-measure output - this also inserts measurement values inside OVMF image
+  # PATH setting here needed for pip installed binary to be found
+  measurement=$(PATH="${PATH}:${HOME}/.local/bin" sev-snp-measure \
+    --mode="${mode}" \
+    --vcpus=1 \
+    --vcpu-sig="${vcpu_sig}" \
+    --output-format=base64 \
+    --ovmf="${ovmf_path}" \
+    --kernel="${kernel_path}" \
+    --initrd="${initrd_path}" \
+    --append="${append}" \
+  )
+  if [[ -z "${measurement}" ]]; then return 1; fi
+  echo ${measurement}
+}