config: Add runtimeclass kata-qemu-se

This is to add a new runtimeclass `kata-qemu-se` and update its payload image for e2e test. Fixes: #190 Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
confidential-containers · Jun 16, 2023 · fd2160f · fd2160f
1 parent 83b5134
commit fd2160f
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 3 deletions.
diff --git a/bundle/manifests/cc-operator.clusterserviceversion.yaml b/bundle/manifests/cc-operator.clusterserviceversion.yaml
@@ -214,6 +214,7 @@ metadata:
                 "kata-clh-tdx-eaa-kbc"
                 "kata-qemu",
                 "kata-qemu-sev",
+                "kata-qemu-se",
                 "kata-qemu-tdx",
                 "kata-qemu-tdx-eaa-kbc",
                 "kata-remote"

diff --git a/config/samples/ccruntime/default/kustomization.yaml b/config/samples/ccruntime/default/kustomization.yaml
@@ -10,8 +10,8 @@ images:
 - name: quay.io/confidential-containers/container-engine-for-cc-payload
   newTag: 98a790e8abdcc06c4b629b290ebaa217bf82e305
 - name: quay.io/confidential-containers/runtime-payload
-  newName: quay.io/confidential-containers/runtime-payload
-  newTag: kata-containers-338e18e4fd46756643cb1a307b6a20f24c350ad4
+  newName: quay.io/confidential-containers/runtime-payload-ci
+  newTag: kata-containers-128f0282e11fb33f648c0ecf1d75a40f13985e01
 
 patches:
 - patch: |-

diff --git a/config/samples/ccruntime/s390x/kustomization.yaml b/config/samples/ccruntime/s390x/kustomization.yaml
@@ -10,6 +10,6 @@ patches:
 - patch: |-
     - op: replace
       path: /spec/config/runtimeClassNames
-      value: ["kata", "kata-qemu"]
+      value: ["kata", "kata-qemu", "kata-qemu-se"]
   target:
     kind: CcRuntime
diff --git a/tests/e2e/tests_runner.sh b/tests/e2e/tests_runner.sh
@@ -93,6 +93,28 @@ run_non_tee_tests() {
 
 }
 
+run_kata_qemu_se_tests() {
+	local aa_kbc="${1:-"offline_fs_kbc"}"
+	export AA_KBC="${aa_kbc}"
+
+	local runtime_config_file="/opt/confidential-containers/share/defaults/kata-containers/"
+	runtime_config_file+="configuration-qemu-se.toml"
+	# TODO: a kernel parameter `agent.enable_signature_verification=false` should be only left for
+	# SE test. But a verity hash is included in the kernel parameter if a build target `rootfs-image`
+	# precedes `shim-v2`. This prohibits a secure image from being decrypted, which leads to a test failure.
+	# ATM, we put `rootfs-image` and `rootfs-initrd` together into a runtime-payload image to make
+	# the image testable for a runtimeclass `kata-qemu` and `kata-qemu-se`.
+	# We need to treat 2 root file systems separately for the production-ready build.
+	sed -i "s/\(^kernel_params = \"\).*\(agent\.enable.*\)/\1 \2/" $runtime_config_file
+	sed -i "s#kata-runtime kata-env#kata-runtime --config $runtime_config_file kata-env#g" \
+		../../../lib/common.bash
+
+	bats \
+		"agent_image.bats" \
+		"agent_image_encrypted.bats" \
+		"${script_dir}/operator_tests.bats"
+}
+
 # Tests for CC with QEMU on SEV HW
 run_kata_qemu_sev_tests() {
 	bats "sev.bats"
@@ -122,6 +144,13 @@ main() {
 			echo "INFO: Running non-TEE tests for $runtimeclass using OfflineFS KBC"
 			run_non_tee_tests "$runtimeclass"
 			;;
+		kata-qemu-se)
+			echo "INFO: Running TEE tests for $runtimeclass using OfflineFS KBC"
+			# A kernel parameter 'initcall_debug' leads to a booting failure for SE
+			export CI=false
+			export DEBUG=false
+			run_kata_qemu_se_tests
+			;;
 		kata-qemu-tdx)
 			echo "INFO: Running non-TEE tests for $runtimeclass using CC KBC"
 			run_non_tee_tests "$runtimeclass" "cc_kbc"