diff --git a/.github/workflows/kbs-e2e-az-snp-vtpm.yaml b/.github/workflows/kbs-e2e-az-snp-vtpm.yaml index 23e253c39..58073ab4c 100644 --- a/.github/workflows/kbs-e2e-az-snp-vtpm.yaml +++ b/.github/workflows/kbs-e2e-az-snp-vtpm.yaml @@ -31,6 +31,7 @@ jobs: checkout-and-rebase: runs-on: ubuntu-latest + needs: authorize steps: - name: Checkout Code uses: actions/checkout@v4 diff --git a/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml b/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml new file mode 100644 index 000000000..33acb6275 --- /dev/null +++ b/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml @@ -0,0 +1,64 @@ +name: KBS e2e with az-tdx-vtpm TEE + +on: + push: + branches: + - main + # Note on repository checkout: pull_request_target sets `GITHUB_SHA` to the + # "last commit on the PR base branch", meaning that by default `actions/checkout` + # is going to checkout the repository main branch. In order to pick up the pull + # request code, this workflow uses the `github.event.pull_request.head.sha` + # property to get the last commit on the HEAD branch. One limitation of this approach + # is that, unlike the `pull_request` event, the checked pull request isn't necessarily + # rebased to main (so it is up to the workflow to ensure the pull request is rebased + # **before* the workflow is triggering) + pull_request_target: + types: + - opened + - synchronize + - reopened + # This workflow will be run if the pull request is labeled 'test_e2e' + - labeled + branches: + - 'main' + +jobs: + authorize: + runs-on: ubuntu-latest + if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test_e2e') + steps: + - run: "true" + + checkout-and-rebase: + runs-on: ubuntu-latest + needs: authorize + steps: + - name: Checkout Code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + # fetch main on push, otherwise the head of the PR + ref: ${{ github.event_name == 'push' && 'main' || github.event.pull_request.head.sha }} + + - name: Rebase the source + if: github.event_name != 'push' + run: | + git config --global user.name "GH Actions Workflow" + git config --global user.email "" + ./kbs/hack/ci-helper.sh rebase-atop-of-the-latest-target-branch + + - name: Archive source + run: git archive -o kbs.tar.gz HEAD + + - uses: actions/upload-artifact@v4 + with: + path: ./kbs.tar.gz + + e2e-test: + needs: + - authorize + - checkout-and-rebase + uses: ./.github/workflows/kbs-e2e.yaml + with: + runs-on: '["self-hosted","azure-cvm-tdx"]' + tarball: kbs.tar.gz diff --git a/.github/workflows/kbs-e2e.yaml b/.github/workflows/kbs-e2e.yaml index 183e12d75..04ebd4ed1 100644 --- a/.github/workflows/kbs-e2e.yaml +++ b/.github/workflows/kbs-e2e.yaml @@ -49,6 +49,12 @@ jobs: target/ key: rust-${{ hashFiles('./Cargo.lock') }} + - name: Set up SGX/TDX certificates cache + uses: actions/cache@v4 + with: + path: /root/.dcap-qcnl + key: ${{ runner.os }}-dcap-qcnl + - name: Install dependencies working-directory: kbs/test run: | diff --git a/kbs/test/Makefile b/kbs/test/Makefile index 576e82cb6..346832772 100644 --- a/kbs/test/Makefile +++ b/kbs/test/Makefile @@ -1,6 +1,8 @@ OS := $(shell lsb_release -si) RELEASE := $(shell lsb_release -sr) SGX_REPO_URL := https://download.01.org/intel-sgx/sgx_repo/ubuntu +SGX_COLLATERAL_URL := https://api.trustedservices.intel.com/sgx/certification/v4/ +SGX_QCNL_CONFIG := /etc/sgx_default_qcnl.conf KBS_REPO_PATH := ./data/repository KBS_CONFIG_PATH := ./data/e2e MAKEFILE_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST)))) @@ -26,13 +28,17 @@ install-dependencies: build-essential \ clang \ libsgx-dcap-default-qpl \ + libsgx-dcap-quote-verify \ libsgx-dcap-quote-verify-dev \ + libsgx-urts \ libssl-dev \ + libtdx-attest \ libtdx-attest-dev \ libtss2-dev \ openssl \ pkg-config \ - protobuf-compiler + protobuf-compiler && \ + echo '{"collateral_service": "$(SGX_COLLATERAL_URL)"}' | sudo tee $(SGX_QCNL_CONFIG) kbs: cd $(PROJECT_DIR) && \