ci: add az-tdx-vtpm workflow for e2e tests

This adds a target for the az-tdx-vtpm TEE. TDX verifiers need an SGX
quoting environment, for this we need to configure the dcap
configuration.

Signed-off-by: Magnus Kulke <[email protected]>

.github/workflows/kbs-e2e-az-snp-vtpm.yaml

@@ -31,6 +31,7 @@ jobs:
 
   checkout-and-rebase:
     runs-on: ubuntu-latest
+    needs: authorize
     steps:
     - name: Checkout Code
       uses: actions/checkout@v4

.github/workflows/kbs-e2e-az-tdx-vtpm.yaml

@@ -0,0 +1,64 @@
+name: KBS e2e with az-tdx-vtpm TEE
+
+on:
+  push:
+    branches:
+    - main
+  # Note on repository checkout: pull_request_target sets `GITHUB_SHA` to the
+  # "last commit on the PR base branch", meaning that by default `actions/checkout`
+  # is going to checkout the repository main branch. In order to pick up the pull
+  # request code, this workflow uses the `github.event.pull_request.head.sha`
+  # property to get the last commit on the HEAD branch. One limitation of this approach
+  # is that, unlike the `pull_request` event, the checked pull request isn't necessarily
+  # rebased to main (so it is up to the workflow to ensure the pull request is rebased
+  # **before* the workflow is triggering)
+  pull_request_target:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    # This workflow will be run if the pull request is labeled 'test_e2e'
+    - labeled
+    branches:
+    - 'main'
+
+jobs:
+  authorize:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test_e2e')
+    steps:
+    - run: "true"
+
+  checkout-and-rebase:
+    runs-on: ubuntu-latest
+    needs: authorize
+    steps:
+    - name: Checkout Code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        # fetch main on push, otherwise the head of the PR
+        ref: ${{ github.event_name == 'push' && 'main' || github.event.pull_request.head.sha }}
+
+    - name: Rebase the source
+      if: github.event_name != 'push'
+      run: |
+        git config --global user.name "GH Actions Workflow"
+        git config --global user.email "<rebase@gh-actions-workflow>"
+        ./kbs/hack/ci-helper.sh rebase-atop-of-the-latest-target-branch
+
+    - name: Archive source
+      run: git archive -o kbs.tar.gz HEAD
+
+    - uses: actions/upload-artifact@v4
+      with:
+        path: ./kbs.tar.gz
+
+  e2e-test:
+    needs:
+    - authorize
+    - checkout-and-rebase
+    uses: ./.github/workflows/kbs-e2e.yaml
+    with:
+      runs-on: '["self-hosted","azure-cvm-tdx"]'
+      tarball: kbs.tar.gz

.github/workflows/kbs-e2e.yaml

@@ -49,6 +49,12 @@ jobs:
           target/
         key: rust-${{ hashFiles('./Cargo.lock') }}
 
+    - name: Set up SGX/TDX certificates cache
+      uses: actions/cache@v4
+      with:
+        path: /root/.dcap-qcnl
+        key: ${{ runner.os }}-dcap-qcnl
+
     - name: Install dependencies
       working-directory: kbs/test
       run: |

kbs/test/Makefile

@@ -1,6 +1,8 @@
 OS := $(shell lsb_release -si)
 RELEASE := $(shell lsb_release -sr)
 SGX_REPO_URL := https://download.01.org/intel-sgx/sgx_repo/ubuntu
+SGX_COLLATERAL_URL := https://api.trustedservices.intel.com/sgx/certification/v4/
+SGX_QCNL_CONFIG := /etc/sgx_default_qcnl.conf
 KBS_REPO_PATH := ./data/repository
 KBS_CONFIG_PATH := ./data/e2e
 MAKEFILE_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
@@ -26,13 +28,17 @@ install-dependencies:
 		build-essential \
 		clang \
 		libsgx-dcap-default-qpl \
+		libsgx-dcap-quote-verify \
 		libsgx-dcap-quote-verify-dev \
+		libsgx-urts \
 		libssl-dev \
+		libtdx-attest \
 		libtdx-attest-dev \
 		libtss2-dev \
 		openssl \
 		pkg-config \
-		protobuf-compiler
+		protobuf-compiler && \
+	echo '{"collateral_service": "$(SGX_COLLATERAL_URL)"}' | sudo tee $(SGX_QCNL_CONFIG)
 
 kbs:
 	cd $(PROJECT_DIR) && \