From 19333aa1b20b4fcf619c253161fd9b67737da0a9 Mon Sep 17 00:00:00 2001
From: Magnus Kulke
Date: Mon, 12 Feb 2024 16:56:17 +0100
Subject: [PATCH] ci: add az-tdx-vtpm workflow for e2e tests

This adds a target for the az-tdx-vtpm TEE. TDX verifiers need an SGX quoting environment, for this we need to configure the dcap configuration.

Signed-off-by: Magnus Kulke
---
 .github/workflows/kbs-e2e-az-tdx-vtpm.yaml | 63 ++++++++++++++++++++++
 kbs/test/Makefile | 8 ++-
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/kbs-e2e-az-tdx-vtpm.yaml

diff --git a/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml b/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml
new file mode 100644
index 0000000000..22824ab9a9
--- /dev/null
+++ b/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml
@@ -0,0 +1,63 @@
+name: KBS e2e with az-tdx-vtpm TEE
+
+on:
+ push:
+ branches:
+ - main
+ # Note on repository checkout: pull_request_target sets `GITHUB_SHA` to the
+ # "last commit on the PR base branch", meaning that by default `actions/checkout`
+ # is going to checkout the repository main branch. In order to pick up the pull
+ # request code, this workflow uses the `github.event.pull_request.head.sha`
+ # property to get the last commit on the HEAD branch. One limitation of this approach
+ # is that, unlike the `pull_request` event, the checked pull request isn't necessarily
+ # rebased to main (so it is up to the workflow to ensure the pull request is rebased
+ # **before* the workflow is triggering)
+ pull_request_target:
+ types:
+ - opened
+ - synchronize
+ - reopened
+ # This workflow will be run if the pull request is labeled 'test_e2e'
+ - labeled
+ branches:
+ - 'main'
+
+jobs:
+ authorize:
+ runs-on: ubuntu-latest
+ if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test_e2e')
+ steps:
+ - run: "true"
+
+ checkout-and-rebase:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ # fetch main on push, otherwise the head of the PR
+ ref: ${{ github.event_name == 'push' && 'main' || github.event.pull_request.head.sha }}
+
+ - name: Rebase the source
+ if: github.event_name != 'push'
+ run: |
+ git config --global user.name "GH Actions Workflow"
+ git config --global user.email ""
+ ./kbs/hack/ci-helper.sh rebase-atop-of-the-latest-target-branch
+
+ - name: Archive source
+ run: git archive -o kbs.tar.gz HEAD
+
+ - uses: actions/upload-artifact@v4
+ with:
+ path: ./kbs.tar.gz
+
+ e2e-test:
+ needs:
+ - authorize
+ - checkout-and-rebase
+ uses: ./.github/workflows/kbs-e2e.yaml
+ with:
+ runs-on: '["self-hosted","azure-cvm-tdx"]'
+ tarball: kbs.tar.gz
diff --git a/kbs/test/Makefile b/kbs/test/Makefile
index feaec706f3..2f76edb6e4 100644
--- a/kbs/test/Makefile
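Review bot: The `checkout-and-rebase` job has no `needs: authorize`, so unlike `e2e-test` it is not covered by the `test_e2e` label gate: under `pull_request_target` it checks out `github.event.pull_request.head.sha` and runs `./kbs/hack/ci-helper.sh` from that unreviewed head in the base repository's context on every opened/synchronized PR. Add `needs: - authorize` (or the same `if:` condition as `authorize`) to that job so nothing from the PR head executes before a maintainer has labeled it; the `authorize` job already passes on `push`, so this costs nothing for `main`. Since the workflow does not declare `permissions`, a top-level `permissions: contents: read` would also keep the default token read-only for both the checkout and the archive upload.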
+++ b/kbs/test/Makefile
@@ -1,6 +1,8 @@
 OS := $(shell lsb_release -si)
 RELEASE := $(shell lsb_release -sr)
 SGX_REPO_URL := https://download.01.org/intel-sgx/sgx_repo/ubuntu
+SGX_COLLATERAL_URL := https://api.trustedservices.intel.com/sgx/certification/v4/
+SGX_QCNL_CONFIG := /etc/sgx_default_qcnl.conf
 KBS_REPO_PATH := ./data/repository
 KBS_CONFIG_PATH := ./data/e2e
 MAKEFILE_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
@@ -26,13 +28,17 @@ install-dependencies:
 build-essential \
 clang \
 libsgx-dcap-default-qpl \
+ libsgx-dcap-quote-verify \
 libsgx-dcap-quote-verify-dev \
+ libsgx-urts \
 libssl-dev \
+ libtdx-attest \
 libtdx-attest-dev \
 libtss2-dev \
 openssl \
 pkg-config \
- protobuf-compiler
+ protobuf-compiler && \
+ echo '{"collateral_service": "$(SGX_COLLATERAL_URL)"}' | sudo tee $(SGX_QCNL_CONFIG)
 
 kbs:
 cd $(PROJECT_DIR) && \
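Review bot: The new `sudo tee $(SGX_QCNL_CONFIG)` line at the end of `install-dependencies` unconditionally replaces `/etc/sgx_default_qcnl.conf` on the host every time the target runs, so an existing quote-provider configuration (presumably the `libsgx-dcap-default-qpl` package installs a default at that path, and an operator may have pointed it at a local collateral cache) is silently overwritten, and `tee` also echoes the JSON to stdout. I would put it on its own recipe line rather than chaining it onto the apt-get command with `&&`, and only write when the file is absent: `test -f $(SGX_QCNL_CONFIG) || echo '{"collateral_service": "$(SGX_COLLATERAL_URL)"}' | sudo tee $(SGX_QCNL_CONFIG) >/dev/null`. In the first hunk, `SGX_COLLATERAL_URL ?= https://api.trustedservices.intel.com/sgx/certification/v4/` would let a different collateral endpoint be supplied without editing the Makefile, and a comment above it such as `# DCAP quote verification needs PCK/TCB collateral; the QCNL config points the default QPL at this service` would record why a test Makefile writes under /etc. The `install-dependencies` recipe starts before this hunk.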