ci: add az-tdx-vtpm workflow for e2e tests

This adds a target for the az-tdx-vtpm TEE. TDX verifiers need an SGX
quoting environment, for this we need to startup a local certificate
caching service (PCCS) and point the quoting config to it.

The PCCS itself will need an API key to be able to query certificates
from Intel's servers. If the apikey secret is set as a param to the
callable workflow, it will install PCCS localy.

Signed-off-by: Magnus Kulke <[email protected]>

.github/workflows/kbs-e2e-az-tdx-vtpm.yaml

@@ -0,0 +1,65 @@
+name: KBS e2e with az-tdx-vtpm TEE
+
+on:
+  push:
+    branches:
+    - main
+  # Note on repository checkout: pull_request_target sets `GITHUB_SHA` to the
+  # "last commit on the PR base branch", meaning that by default `actions/checkout`
+  # is going to checkout the repository main branch. In order to pick up the pull
+  # request code, this workflow uses the `github.event.pull_request.head.sha`
+  # property to get the last commit on the HEAD branch. One limitation of this approach
+  # is that, unlike the `pull_request` event, the checked pull request isn't necessarily
+  # rebased to main (so it is up to the workflow to ensure the pull request is rebased
+  # **before* the workflow is triggering)
+  pull_request_target:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    # This workflow will be run if the pull request is labeled 'test_e2e'
+    - labeled
+    branches:
+    - 'main'
+
+jobs:
+  authorize:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test_e2e')
+    steps:
+    - run: "true"
+
+  checkout-and-rebase:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        # fetch main on push, otherwise the head of the PR
+        ref: ${{ github.event_name == 'push' && 'main' || github.event.pull_request.head.sha }}
+
+    - name: Rebase the source
+      if: github.event_name != 'push'
+      run: |
+        git config --global user.name "GH Actions Workflow"
+        git config --global user.email "<rebase@gh-actions-workflow>"
+        ./kbs/hack/ci-helper.sh rebase-atop-of-the-latest-target-branch
+
+    - name: Archive source
+      run: git archive -o kbs.tar.gz HEAD
+
+    - uses: actions/upload-artifact@v4
+      with:
+        path: ./kbs.tar.gz
+
+  e2e-test:
+    needs:
+    - authorize
+    - checkout-and-rebase
+    uses: ./.github/workflows/kbs-e2e.yaml
+    with:
+      runs-on: '["self-hosted","azure-cvm-tdx"]'
+      tarball: kbs.tar.gz
+    secrets:
+      sgx-pccs-apikey: ${{ secrets.SGX_PCCS_APIKEY }}

.github/workflows/kbs-e2e.yaml

@@ -14,6 +14,9 @@ on:
         type: string
         description: Artifact containing checked out source from a prior job
         required: true
+    secrets:
+      sgx-pccs-apikey:
+        required: false
 
 # Self-hosted runners do not set -o pipefail otherwise
 defaults:
@@ -23,6 +26,8 @@ defaults:
 jobs:
   e2e-test:
     runs-on: ${{ fromJSON(inputs.runs-on) }}
+    env:
+      SGX_PCCS_APIKEY: ${{ secrets.sgx-pccs-apikey }}
 
     steps:
     - uses: actions/download-artifact@v4
@@ -68,6 +73,11 @@ jobs:
       if: inputs.sample == true
       run: echo "AA_SAMPLE_ATTESTER_TEST=1" >> "$GITHUB_ENV"
 
+    - name: Install SGX certificate cache
+      if: env.SGX_PCCS_APIKEY != '' 
+      working-directory: kbs/test
+      run: sudo make install-sgx-pccs
+
     - name: Run e2e test
       working-directory: kbs/test
       run: sudo -E make e2e-test

kbs/test/Makefile

@@ -1,6 +1,9 @@
 OS := $(shell lsb_release -si)
 RELEASE := $(shell lsb_release -sr)
 SGX_REPO_URL := https://download.01.org/intel-sgx/sgx_repo/ubuntu
+SGX_QCNL_CONFIG := /etc/sgx_default_qcnl.conf
+SGX_PCCS_PATH := /opt/intel/sgx-dcap-pccs
+SGX_PCCS_CONFIG := $(SGX_PCCS_PATH)/config/default.json
 KBS_REPO_PATH := ./data/repository
 KBS_CONFIG_PATH := ./data/e2e
 MAKEFILE_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
@@ -16,6 +19,31 @@ else
     $(error "This Makefile requires Ubuntu")
 endif
 
+.PHONY: install-nodejs-lts
+install-nodejs-lts:
+	curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash - && \
+	sudo apt-get install -y nodejs
+
+.PHONY: install-sgx-pccs
+install-sgx-pccs: install-dependencies install-nodejs-lts
+	$(if $(SGX_PCCS_APIKEY),,$(error Must set SGX_PCCS_APIKEY))
+	sudo -E apt-get install -y \
+		cracklib-runtime \
+		jq \
+		moreutils \
+		python3 \
+		sgx-dcap-pccs && \
+	sudo npm install --prefix=$(SGX_PCCS_PATH) && \
+	openssl genrsa -out /tmp/pccs-key.pem 2048 && \
+	openssl req -new -key /tmp/pccs-key.pem -out /tmp/pccs-csr.pem -subj "/O=CNCF/OU=CoCo/CN=sgx-pccs-root" && \
+	openssl x509 -req -days 365 -in /tmp/pccs-csr.pem -signkey /tmp/pccs-key.pem -out /tmp/pccs.crt && \
+	sudo install -D -o pccs -g pccs --compare /tmp/pccs.crt $(SGX_PCCS_PATH)/ssl_key/file.crt && \
+	sudo install -D -o pccs -g pccs --compare /tmp/pccs-key.pem $(SGX_PCCS_PATH)/ssl_key/private.pem && \
+	sudo jq --arg apikey "$(SGX_PCCS_APIKEY)" '.ApiKey = $$apikey' $(SGX_PCCS_CONFIG) | sudo sponge $(SGX_PCCS_CONFIG) && \
+	sudo chown pccs:pccs $(SGX_PCCS_CONFIG) && \
+	sudo systemctl restart pccs && \
+	echo '{"pccs_url": "https://localhost:8081/sgx/certification/v4/", "use_secure_cert": false}' | sudo tee $(SGX_QCNL_CONFIG)
+
 .PHONY: install-dependencies
 install-dependencies:
 	curl -L "$(SGX_REPO_URL)/intel-sgx-deb.key" | sudo apt-key add - && \
@@ -26,8 +54,11 @@ install-dependencies:
 		build-essential \
 		clang \
 		libsgx-dcap-default-qpl \
+		libsgx-dcap-quote-verify \
 		libsgx-dcap-quote-verify-dev \
+		libsgx-urts \
 		libssl-dev \
+		libtdx-attest \
 		libtdx-attest-dev \
 		libtss2-dev \
 		openssl \