
Added e2e test for CoCo-AS using SNP evidence #264

Merged 1 commit into main from as-e2e on Jan 3, 2024

Conversation


@Xynnn007 Xynnn007 commented Dec 21, 2023

Depends on #262

Use fixed SGX SNP evidence to test gRPC and RESTful CoCoAS to get a token.

@Xynnn007 Xynnn007 force-pushed the as-e2e branch 5 times, most recently from 192cad5 to cdd8194 Compare December 21, 2023 04:57

Xynnn007 commented Dec 21, 2023

The error https://github.com/confidential-containers/kbs/actions/runs/7284163707/job/19849143732?pr=264 here is because PCCS cannot be connected (0xe019). I am not sure whether there is an accessible PCCS that is compatible with the DCAP lib provided by Intel on the GH Runner. Or should we use a self-hosted machine to run this test?


mkulke commented Dec 21, 2023

There should be a PCCS available in azure, but I doubt that works ootb on github runners. If that's the case, I would suggest a self-hosted runner. There is already an open issue for that. We could use the coco azure subscription to spawn ephemeral self-hosted runners that have access to the PCCS. Maybe we can look into that sometime early next year. We should be able to reuse the existing Garm setup from the infra repo.

https://learn.microsoft.com/en-us/azure/security/fundamentals/trusted-hardware-identity-management#how-do-i-use-intel-qpl-with-trusted-hardware-identity-management

@Xynnn007

@mkulke Ok. I think the original aim of #223 is to generate the evidence in a real TEE and do the verification.
This PR only works for the second part, s.t. verifying the evidence as a basic test case.

Let me try to change this PR into another platform test case like SNP which does not rely on the GH Runner env.

After this we can keep working on #223.

@Xynnn007 Xynnn007 changed the title Added e2e test for CoCo-AS using SGX evidence Added e2e test for CoCo-AS using SNP evidence Dec 21, 2023
@Xynnn007 Xynnn007 marked this pull request as ready for review December 30, 2023 16:53
@Xynnn007 Xynnn007 requested a review from sameo as a code owner December 30, 2023 16:53
In the e2e test, we use given SNP evidence to request the CoCoAS in
both grpc and restful, and try to get the result token.

But still, the evidence is not generated at runtime.

Fixes: confidential-containers#232

Signed-off-by: Xynnn007 <[email protected]>

Xynnn007 commented Jan 2, 2024

Updated the code to easily support a real TEE in the future.


@fitzthum fitzthum left a comment


LGTM.

In the future maybe we can extend it to evaluate some policy as well.

Also, if we use a self-hosted runner it shouldn't be too difficult to get some real evidence to use.

@Xynnn007 Xynnn007 merged commit 4f64ec7 into confidential-containers:main Jan 3, 2024
7 checks passed
@Xynnn007 Xynnn007 deleted the as-e2e branch January 3, 2024 01:44