Enable e2e tests for real TEEs #223
To achieve this goal, I have two stages in mind
If we use a pre-generated fixture as evidence, wouldn't this just be a unit test for a validator? What I had in mind was simply running https://github.com/confidential-containers/kbs/blob/main/.github/workflows/kbs-e2e.yaml on a TEE-capable runner. If the test runs e.g. on a TDX worker it should work ootb (
Well, I misunderstood the idea. I thought there were two different e2e test
My last comment is for 1. Anyway, we both think that the action of obtaining evidence needs to be dynamically executed on the real TEE.
Ah, I see. I was looking at #264. I saw fixtures in the To be able to register a self-hosted runner (ephemeral or a bare-metal box) we need the following token: For ephemeral runners, we also need to configure a webhook + secret which listens on
Agreed. For the runner setting, I think @fitzthum would help. For the self-hosted runner, we now have a CI machine in SGX (now working for
Yes, it can be shared. For non-ephemeral runners (like bare-metal machines) you have to pay attention not to pollute the node in your workflows, since there is no isolation and a side effect might break another workflow.
Finally, it needs to be restricted who can run those jobs: you don't want people executing arbitrary code on your runner because they opened a malicious PR. Triggering an e2e test on a real TEE on @wainersm can you confirm? 👆
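One way to put that restriction into the workflow itself, as an added example that is not part of this issue and not code from the kbs repository: gate the self-hosted TEE job so it only runs for pushes to `main`, for PRs from branches of the repository itself, or for fork PRs a maintainer has explicitly approved with a label, and clean the node afterwards so a non-ephemeral runner is not left polluted for the next run. The runner label `tdx`, the approval label `ok-to-test` and the `make e2e-test` invocation are assumptions for illustration, not the project's actual conventions.

```yaml
# Added example (not from the kbs repo): run the e2e job on a self-hosted TEE
# runner only for trusted triggers, and tidy the node afterwards.
# Assumed (not from the issue): runner label "tdx", approval label "ok-to-test",
# and a "make e2e-test" target as the e2e entry point.
name: kbs-e2e-tee

on:
  # 'pull_request' (not 'pull_request_target') so fork PRs get a read-only
  # GITHUB_TOKEN and no repository secrets.
  pull_request:
    types: [opened, synchronize, reopened, labeled]
  push:
    branches: [main]

# Never hand the runner's token more than the job needs.
permissions:
  contents: read

# One e2e run per ref at a time, so two runs of this workflow never overlap
# on the same bare-metal box.
concurrency:
  group: tee-e2e-${{ github.ref }}
  cancel-in-progress: true

jobs:
  e2e-tdx:
    # Gate: push to main, PR from a branch of this repo (author has write
    # access), or a fork PR a maintainer has labeled "ok-to-test".
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository ||
      contains(github.event.pull_request.labels.*.name, 'ok-to-test')
    runs-on: [self-hosted, tdx]
    timeout-minutes: 60
    steps:
      - uses: actions/checkout@v4
        with:
          # PR head for PRs, the pushed commit otherwise.
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          # Do not leave the token in .git/config on a shared machine.
          persist-credentials: false

      - name: Run e2e against the real TEE
        run: |
          set -euo pipefail
          make e2e-test TEE_TYPE=tdx   # assumed entry point

      - name: Clean up the non-ephemeral runner
        if: always()
        run: |
          # Undo side effects so the next workflow sees a clean node.
          docker system prune -af || true
          rm -rf "${{ runner.temp }}"/*
```

Caveat: the label gate approves the PR, not a specific commit, so a later push to an approved fork PR re-triggers the job on the `synchronize` event. Either remove the label on every new push (a small job with `pull-requests: write`) or rely on GitHub's repository setting that requires approval before fork PRs run workflows; ephemeral runners, as discussed above, additionally limit what a compromised job can leave behind.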
great, thx. I'll reach out. |
Is this error related? https://github.com/confidential-containers/kbs/actions/runs/7523718849 |
yes, it is. There is a problem with referencing the reusable workflow. |
PTAL #291 |
We would like to enable e2e tests on the repo for real TEEs. At the moment we only use the dummy TEE to test the integration of attester + verifier components in general. We'd like to extend the coverage to the integration with real TEEs.
To do this we need to run the workflows on self-hosted runners or external CI systems. For Azure-based TEEs (`az-{snp,tdx}-vtpm`) we can use GARM, which we use in other kata + coco circumstances already. To make this work we need to provide a token scoped to the repository to CoCo's GARM instance and register a webhook secret on the kbs repo.