

ci: add az-tdx-vtpm workflow for e2e tests
This adds a target for the az-tdx-vtpm TEE. TDX verifiers need an SGX
quoting environment; for this we need to set up the DCAP
configuration.

Signed-off-by: Magnus Kulke <[email protected]>
mkulke committed Feb 15, 2024
1 parent edc416e commit bdc9738
Showing 3 changed files with 76 additions and 1 deletion.
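--- a/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml
+++ b/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml
@@ -0,0 +1,63 @@
+name: KBS e2e with az-tdx-vtpm TEE
+
+on:
+  push:
+    branches:
+      - main
+  # Note on repository checkout: pull_request_target sets `GITHUB_SHA` to the
+  # "last commit on the PR base branch", meaning that by default `actions/checkout`
+  # is going to checkout the repository main branch. In order to pick up the pull
+  # request code, this workflow uses the `github.event.pull_request.head.sha`
+  # property to get the last commit on the HEAD branch. One limitation of this approach
+  # is that, unlike the `pull_request` event, the checked pull request isn't necessarily
+  # rebased to main (so it is up to the workflow to ensure the pull request is rebased
+  # **before* the workflow is triggering)
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      # This workflow will be run if the pull request is labeled 'test_e2e'
+      - labeled
+    branches:
+      - 'main'
+
+jobs:
+  authorize:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test_e2e')
+    steps:
+      - run: "true"
+
+  checkout-and-rebase:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          # fetch main on push, otherwise the head of the PR
+          ref: ${{ github.event_name == 'push' && 'main' || github.event.pull_request.head.sha }}
+
+      - name: Rebase the source
+        if: github.event_name != 'push'
+        run: |
+          git config --global user.name "GH Actions Workflow"
+          git config --global user.email "<rebase@gh-actions-workflow>"
+          ./kbs/hack/ci-helper.sh rebase-atop-of-the-latest-target-branch
+      - name: Archive source
+        run: git archive -o kbs.tar.gz HEAD
+
+      - uses: actions/upload-artifact@v4
+        with:
+          path: ./kbs.tar.gz
+
+  e2e-test:
+    needs:
+      - authorize
+      - checkout-and-rebase
+    uses: ./.github/workflows/kbs-e2e.yaml
+    with:
+      runs-on: '["self-hosted","azure-cvm-tdx"]'
+      tarball: kbs.tar.gz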
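Review bot: The `checkout-and-rebase` job carries neither `needs: authorize` nor an `if:`, so on every `pull_request_target` event — labelled or not, fork or not — it checks out `github.event.pull_request.head.sha` and executes `./kbs/hack/ci-helper.sh` from that unreviewed head under the `pull_request_target` token with the repository's default permissions; the `test_e2e` label gate in `authorize` only reaches `e2e-test`, the one job that lists it in `needs`. Adding `needs: authorize` directly under `checkout-and-rebase:` extends the label gate to the rebase step, and a workflow-level `permissions:` block with `contents: read` bounds what that token can do before any PR-controlled script runs. Since `e2e-test` then runs the archived PR code on the self-hosted `azure-cvm-tdx` runner, a short comment above `authorize` stating that the label is the only approval step for fork PRs would make the trust boundary explicit to maintainers who apply it. The header reports 63 added lines but only 62 are visible on the page, so one line (likely a blank separator after the rebase step) appears to have been dropped in rendering.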
6 changes: 6 additions & 0 deletions .github/workflows/kbs-e2e.yaml
Expand Up @@ -49,6 +49,12 @@ jobs:
target/
key: rust-${{ hashFiles('./Cargo.lock') }}

- name: Set up SGX/TDX certificates cache
uses: actions/cache@v4
with:
path: /root/.dcap-qcnl
key: ${{ runner.os }}-dcap-qcnl

- name: Install dependencies
working-directory: kbs/test
run: |
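Review bot: The cache key `${{ runner.os }}-dcap-qcnl` is static, and `actions/cache` never overwrites an entry once it has been saved under a key, so whatever collateral the first run fetched into `/root/.dcap-qcnl` is what every later run restores, unless the QCNL library itself expires entries in that directory (worth confirming); TCB info and CRLs do change over time, so verification could presumably end up running against stale collateral. A rotating key with a prefix fallback keeps the reuse while letting the entry refresh, e.g. `key: ${{ runner.os }}-dcap-qcnl-${{ github.run_id }}` with `restore-keys: ${{ runner.os }}-dcap-qcnl-`. The path also assumes the job runs as root; a comment stating which user the QCNL cache is written for on this runner would help the next reader. The enclosing job starts and ends outside the hunk.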
8 changes: 7 additions & 1 deletion kbs/test/Makefile
@@ -1,6 +1,8 @@
OS := $(shell lsb_release -si)
RELEASE := $(shell lsb_release -sr)
SGX_REPO_URL := https://download.01.org/intel-sgx/sgx_repo/ubuntu
SGX_COLLATERAL_URL := https://api.trustedservices.intel.com/sgx/certification/v4/
SGX_QCNL_CONFIG := /etc/sgx_default_qcnl.conf
KBS_REPO_PATH := ./data/repository
KBS_CONFIG_PATH := ./data/e2e
MAKEFILE_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
Expand All @@ -26,13 +28,17 @@ install-dependencies:
build-essential \
clang \
libsgx-dcap-default-qpl \
libsgx-dcap-quote-verify \
libsgx-dcap-quote-verify-dev \
libsgx-urts \
libssl-dev \
libtdx-attest \
libtdx-attest-dev \
libtss2-dev \
openssl \
pkg-config \
protobuf-compiler
protobuf-compiler && \
echo '{"collateral_service": "$(SGX_COLLATERAL_URL)"}' | sudo tee $(SGX_QCNL_CONFIG)

kbs:
cd $(PROJECT_DIR) && \
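Review bot: The `echo '{"collateral_service": ...}' | sudo tee $(SGX_QCNL_CONFIG)` line replaces the whole of `/etc/sgx_default_qcnl.conf`, which `libsgx-dcap-default-qpl` (installed in the same recipe) presumably ships with further settings such as the TLS/certificate options for the collateral endpoint — confirm against the packaged file; after this change those fall back to whatever the library defaults to, and nothing on the page records that this is intended. A one-line comment above the recipe such as `# Point the QCNL at Intel PCS directly; the packaged default config is replaced wholesale` would document the decision. `tee` also echoes the JSON into the build log; `| sudo tee $(SGX_QCNL_CONFIG) > /dev/null` keeps it quiet without changing behaviour. The `install-dependencies` recipe starts outside the hunk.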
