snp: added snp unencrypted test

[ryansavino]

Fixes: #5593

added makefile target as well
moved common functions out of sev.bats
few minor fixes in separate commits

Signed-Off-By: Ryan Savino [email protected]

[zvonkok]

No newline at EOF

[ryansavino]

done

[fitzthum]

A few comments.

There may be some more code that could be shared with the non-tee tests, but I'm not sure it's worth getting into that given the impending merge and certain organizational issues with the tests.

I'm not very familiar with the stuff in .ci. Hopefully somoene else can help review those changes.

We will also need a new case in tests_runner.sh in the operator repo.

[fitzthum]

We shouldn't really have anything relating to keyses in the code anymore. I guess deleting them is fine as a precaution.

[ryansavino]

done

[fitzthum]

Setting the policy and kbs_uri via annoation is not supported for SNP. The annotations will just be ignored so it isn't too bad, but this function isn't quite as general as it might seem.

[ryansavino]

fixed

[fitzthum]

Not all of these are required currently. I don't think we use cpuid yet, for instance, since we don't calculate launch measurement. On the other hand maybe we should make these deps generic and move them to the common file.

[ryansavino]

I like the idea of maintaining the packages to be installed in the script that needs them. I added these packages in anticipation for when attestation tests would be added, but for now I've trimmed them down to what's required.

[fitzthum]

Only for SEV. SNP policies have different layout, but they don't get set here anyway (see below).

[ryansavino]

Resolved by other fix from above.

[fitzthum]

LGTM with one little note.

Also, I think the lib code is probably in the wrong place, but I'm not sure what the optimal location is.

[fitzthum]

This can be used for unencrypted images as well. It might be best to just have a yaml generation function for SEV and one for SNP. That is currently the fundamental difference in what annotations are available.

[ryansavino]

Are there any annotations we need to apply for the unencrypted?

[fitzthum]

The policy annotation is totally separate from whether the image is encrypted or not. The policy enables SEV-ES. It is totally valid to use -ES with an unencrypted image. The KBS URI isn't directly tied to encryption either, actually. You need to set that for signed images as well. So none of the annotations are directly related to whether the image is encrypted. That is determined by the format of the image itself. SEV and SNP do have different annotations as of today, though.

[ryansavino]

Updated. Check it out now. I think this way might be better. Created a k8s_yaml_set_annotation method in common.bash and removed the specific method from sev.bats.

[fitzthum]

New approach is good.

[UnmeshDeodhar]

/test

[UnmeshDeodhar]

/test-sev

[UnmeshDeodhar]

/test

[UnmeshDeodhar]

/test

[UnmeshDeodhar]

Thanks @wainersm for the review. I have addressed all your comments. Please let me know if this looks good now.

[UnmeshDeodhar]

/test

[wainersm]

Hi @UnmeshDeodhar , I prefer the other way around: change the name of the functions that you are introducing on this PR to Kubernetes_, and leave the existing non-snp tests untouched. I want to avoid any regressions on the exsiting tests at this point :)

[UnmeshDeodhar]

Changed all the functions back to kubernetes_*

[wainersm]

In a VM where I ran this script I got the qemu for snp installed with another name:

$ crudini --get /opt/confidential-containers/share/defaults/kata-containers/configuration-qemu-snp.toml hypervisor.qemu path
"/opt/confidential-containers/bin/qemu-system-x86_64-snp-experimental"
$ ls /opt/confidential-containers/bin/
containerd-shim-kata-v2  kata-collect-data.sh  kata-monitor  kata-runtime  qemu-system-x86_64-snp-experimental

Maybe some code on this install_qemu_experimental.sh script is bogus?

[UnmeshDeodhar]

Good catch @wainersm.
I have removed the bogus code in build_qemu_experimental.sh

[UnmeshDeodhar]

/test

[UnmeshDeodhar]

/test

[fitzthum]

Last week there was some discussion about organizing this PR in a way that is easier to review or possibly splitting it into multiple. At this point I'm not really sure what would be most efficient, but let me make a few notes to help anyone who looks at this.

• Commits 1 and 2 fix small miscellaneous issues in the SEV tests.
• Commit 3 (the majority of the changes in this PR) extracts functions from the SEV tests that will also be used in the SNP test and moves them alongside some of the common code for the non-tee tests. This doesn't close all the gaps between the SEV tests and the non-tee tests, but it's a good start.
• Commit 4 actually adds the SNP test, which is relatively simple.
• Commits 5-9 fix SNP issues that snuck in during the merge from main to CCv0. It might have been better to put these in a separate PR. Since they are here, SNP will be broken until we can merge this. We could still move these into another PR, but it is getting pretty late in the day either way.

[wainersm]

I see that in http://jenkins.katacontainers.io/job/tests-CCv0-ubuntu-20.04_snp-x86_64-CC_SNP_CRI_CONTAINERD_K8S-PR/64/consoleFull the SNP test introduced on this PR ran fine:

20:17:54 INFO: Run tests
20:17:54 1..1
20:18:21 ok 1 [cc][kubernetes][containerd][snp] Test SNP unencrypted container launch success
20:18:24 ~/workspace/tests-CCv0-ubuntu-20.04_snp-x86_64-CC_SNP_CRI_CONTAINERD_K8S-PR/go/src/github.com/kata-containers/tests

BTW, that job was manually created just to test this PR. It will be automatically created again once we get kata-containers/ci#547 merged (which depends on this PR).

One last thing before we merge this.... the TDX job failed. @fidencio could you please tell us the failure is related with this PR (or not)?

[wainersm]

/test-tdx

[wainersm]

@UnmeshDeodhar @ryansavino I think it can be merged now. Any improvement and fixes made to follow up PRs. Thanks!