From e2438d8dfcf4ced81caea7f70352f4138224c9f2 Mon Sep 17 00:00:00 2001
From: Alex Carter <alex.carter@ibm.com>
Date: Mon, 23 Jan 2023 18:36:18 +0000
Subject: [PATCH] CC: Add image signature tests for SEV Inserts resource
 information to  kbs for signing adds example cosign and policy files to be
 used along with signing tests

Add currently one test for:
signed imagage with no required measurement

Fixes: #5412
---
 .../confidential/fixtures/cosign.pub          |   4 +
 .../confidential/fixtures/cosignWrong.pub     |   4 +
 .../confidential/fixtures/policy.json         |  30 +++++
 integration/kubernetes/confidential/sev.bats  | 121 +++++++++++++++++-
 versions.yaml                                 |   2 +-
 5 files changed, 158 insertions(+), 3 deletions(-)
 create mode 100644 integration/kubernetes/confidential/fixtures/cosign.pub
 create mode 100644 integration/kubernetes/confidential/fixtures/cosignWrong.pub
 create mode 100644 integration/kubernetes/confidential/fixtures/policy.json

diff --git a/integration/kubernetes/confidential/fixtures/cosign.pub b/integration/kubernetes/confidential/fixtures/cosign.pub
new file mode 100644
index 000000000..9920c37c0
--- /dev/null
+++ b/integration/kubernetes/confidential/fixtures/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1gHGbfk1AqOweLEM8HfT0bmfQE3b
+9fcp/LU75FMfxVZXmNVtUprsHM1thuuiBKOofv8KV7TrFl4p8NJCiXUkhA==
+-----END PUBLIC KEY-----
diff --git a/integration/kubernetes/confidential/fixtures/cosignWrong.pub b/integration/kubernetes/confidential/fixtures/cosignWrong.pub
new file mode 100644
index 000000000..cc8da380f
--- /dev/null
+++ b/integration/kubernetes/confidential/fixtures/cosignWrong.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwkHKoZIzj0CAQYIKoZIzj0DAkcDQgAE1gHGbfk1AqOweoEM8HfT0bmf2E3b
+9fcp/LU75FMfxVZXmNVtUprsHM1thuuiBKOofv8KV7TrFl4p8NJCiXUkhA==
+-----END PUBLIC KEY-----
diff --git a/integration/kubernetes/confidential/fixtures/policy.json b/integration/kubernetes/confidential/fixtures/policy.json
new file mode 100644
index 000000000..c2bc471cd
--- /dev/null
+++ b/integration/kubernetes/confidential/fixtures/policy.json
@@ -0,0 +1,30 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports": {
+        "docker": {
+            "quay.io/kata-containers/confidential-containers": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "/run/image-security/simple_signing/pubkey.gpg"
+                }
+            ],
+            "quay.io/kata-containers/confidential-containers:cosign-signed": [
+                {
+                    "type": "sigstoreSigned",
+                    "keyPath": "/run/image-security/cosign/cosign.pub"
+                }
+            ],
+            "quay.io/kata-containers/confidential-containers:cosign-signed-key2": [
+                {
+                    "type": "sigstoreSigned",
+                    "keyPath": "/run/image-security/cosign/cosign.pub"
+                }
+            ]
+        }
+    }
+}
\ No newline at end of file
diff --git a/integration/kubernetes/confidential/sev.bats b/integration/kubernetes/confidential/sev.bats
index 2c63bfa39..43e7811bf 100644
--- a/integration/kubernetes/confidential/sev.bats
+++ b/integration/kubernetes/confidential/sev.bats
@@ -150,18 +150,22 @@ delete_pods() {
   local encrypted_pod_name=$(esudo kubectl get pod -o wide | grep encrypted-image-tests | awk '{print $1;}' || true)
   local unencrypted_pod_name=$(esudo kubectl get pod -o wide | grep unencrypted-image-tests | awk '{print $1;}' || true)
   local encrypted_pod_name_es=$(esudo kubectl get pod -o wide | grep encrypted-image-tests-es | awk '{print $1;}' || true)
+  local signed_pod_name=$(esudo kubectl get pod -o wide | grep signed-image-tests | awk '{print $1;}' || true)
 
-  # Delete both encrypted and unencrypted pods
+  # Delete encrypted, unencrypted, and signed pods
   esudo kubectl delete -f \
     "${TEST_DIR}/unencrypted-image-tests.yaml" 2>/dev/null || true
   esudo kubectl delete -f \
     "${TEST_DIR}/encrypted-image-tests.yaml" 2>/dev/null || true
   esudo kubectl delete -f \
     "${TEST_DIR}/encrypted-image-tests-es.yaml" 2>/dev/null || true
-  
+  esudo kubectl delete -f \
+    "${TEST_DIR}/signed-image-tests.yaml" 2>/dev/null || true
+
   [ -z "${encrypted_pod_name}" ] || (kubernetes_wait_for_pod_delete_state "${encrypted_pod_name}" || true)
   [ -z "${unencrypted_pod_name}" ] || (kubernetes_wait_for_pod_delete_state "${unencrypted_pod_name}" || true)
   [ -z "${encrypted_pod_name_es}" ] || (kubernetes_wait_for_pod_delete_state "${encrypted_pod_name_es}" || true)
+  [ -z "${signed_pod_name}" ] || (kubernetes_wait_for_pod_delete_state "${signed_pod_name}" || true)
 }
 
 run_kbs() {
@@ -177,6 +181,12 @@ run_kbs() {
 
   pushd simple-kbs
   git checkout -b "branch_${simple_kbs_tag}" "${simple_kbs_tag}"
+
+  #copy resources
+  cp ${TESTS_REPO_DIR}/integration/kubernetes/confidential/fixtures/policy.json resources/
+  cp ${TESTS_REPO_DIR}/integration/kubernetes/confidential/fixtures/cosign.pub resources/
+  cp ${TESTS_REPO_DIR}/integration/kubernetes/confidential/fixtures/cosignWrong.pub resources/
+  
   esudo docker-compose build
 
   esudo docker-compose up -d
@@ -315,6 +325,7 @@ setup_file() {
 
   generate_service_yaml "unencrypted-image-tests" "${IMAGE_REPO}:unencrypted"
   generate_service_yaml "encrypted-image-tests" "${IMAGE_REPO}:encrypted"
+  generate_service_yaml "signed-image-tests" "quay.io/kata-containers/confidential-containers:cosign-signed"
 
   # SEV-ES policy is 7:
   # - NODBG (1): Debugging of the guest is disallowed when set
@@ -339,10 +350,26 @@ setup() {
 EOF
 }
 
+setup_cosign_signatures_files() {
+    local key_file="${1:cosign.pub}"
+
+    mysql -u${KBS_DB_USER} -p${KBS_DB_PW} -h ${KBS_DB_HOST} -D ${KBS_DB} <<EOF
+      INSERT INTO secrets VALUES (10, 'key_id1', '${ENCRYPTION_KEY}', 10);
+      INSERT INTO keysets VALUES (10, 'KEYSET-1', '["key_id1"]', 10);
+      # see https://github.com/confidential-containers/simple-kbs/blob/8507253e9060fb081fd1eac7bf2841ebf02c0847/db/db-mysql.sql#L140
+      # INSERT INTO resources VALUES (10, 0, resource_type, resource_path, 10);
+      INSERT INTO resources SET resource_type="Policy", resource_path="policy.json";
+      INSERT INTO resources SET resource_type="Cosign Key", resource_path="${key_file}";
+EOF
+}
+
 @test "$test_tag Test SEV unencrypted container launch success" {
   # Turn off pre-attestation. It is not necessary for an unencrypted image.
   esudo sed -i 's/guest_pre_attestation = true/guest_pre_attestation = false/g' ${SEV_CONFIG}
   
+  # Turn off signature verification
+  esudo sed -i 's/agent.enable_signature_verification=true/agent.enable_signature_verification=false/g' ${SEV_CONFIG}
+  
   # Start the service/deployment/pod
   esudo kubectl apply -f "${TEST_DIR}/unencrypted-image-tests.yaml"
   
@@ -514,7 +541,97 @@ EOF
   fi
 }
 
+@test "$test_tag Test signed image with no required measurement" {
+  # Add resource files to 
+  setup_cosign_signatures_files
+
+  #change kernel command line for signature validation
+  esudo sed -i 's/agent.enable_signature_verification=false/agent.enable_signature_verification=true/g' ${SEV_CONFIG}
+
+  # Start the service/deployment/pod
+  esudo kubectl apply -f "${TEST_DIR}/signed-image-tests.yaml"
+
+  # Retrieve pod name, wait for it to come up, retrieve pod ip
+  pod_name=$(esudo kubectl get pod -o wide | grep signed-image-tests | awk '{print $1;}')
+  kubernetes_wait_for_pod_ready_state "$pod_name" 20
+  pod_ip=$(esudo kubectl get pod -o wide | grep signed-image-tests | awk '{print $6;}')
+
+  print_service_info
+}
+
+@test "$test_tag Test signed image with no required measurement, but wrong key (failure)" {
+  # Add resource files to 
+  setup_cosign_signatures_files "cosignWrong.pub"
+
+  #change kernel command line for signature validation
+  esudo sed -i 's/agent.enable_signature_verification=false/agent.enable_signature_verification=true/g' ${SEV_CONFIG}
+
+  # Start the service/deployment/pod
+  esudo kubectl apply -f "${TEST_DIR}/signed-image-tests.yaml"
+
+  # Retrieve pod name, wait for it to come up, retrieve pod ip
+  pod_name=$(esudo kubectl get pod -o wide | grep signed-image-tests | awk '{print $1;}')
+  kubernetes_wait_for_pod_ready_state "$pod_name" 20
+  pod_ip=$(esudo kubectl get pod -o wide | grep signed-image-tests | awk '{print $6;}')
+
+  print_service_info
+}
+
+@test "$test_tag Test signed image with required measurement" {
+  # Generate firmware measurement
+  local append=$(cat ${TEST_DIR}/guest-kernel-append)
+  echo "Kernel Append: ${append}"
+  measurement=$(generate_firmware_measurement_with_append "${append}")
+  echo "Firmware Measurement: ${measurement}"
+
+  # Add resource files to 
+  setup_cosign_signatures_files
+
+  # Add key to KBS with policy measurement
+  add_key_to_kbs_db ${measurement}
+
+  #change kernel command line for signature validation
+  esudo sed -i 's/agent.enable_signature_verification=false/agent.enable_signature_verification=true/g' ${SEV_CONFIG}
+
+  # Start the service/deployment/pod
+  esudo kubectl apply -f "${TEST_DIR}/signed-image-tests.yaml"
+
+  # Retrieve pod name, wait for it to come up, retrieve pod ip
+  pod_name=$(esudo kubectl get pod -o wide | grep signed-image-tests | awk '{print $1;}')
+  kubernetes_wait_for_pod_ready_state "$pod_name" 20
+  pod_ip=$(esudo kubectl get pod -o wide | grep signed-image-tests | awk '{print $6;}')
+
+  print_service_info
+}
+
+@test "$test_tag Test signed image with INVALID measurement" {
+  # Generate firmware measurement
+  local append="INVALID-INPUT"
+  measurement=$(generate_firmware_measurement_with_append ${append})
+  echo "Firmware Measurement: ${measurement}"
+
+  # Add resource files to 
+  setup_cosign_signatures_files
 
+  # Add key to KBS with policy measurement
+  add_key_to_kbs_db ${measurement}
+
+  #change kernel command line for signature validation
+  esudo sed -i 's/agent.enable_signature_verification=false/agent.enable_signature_verification=true/g' ${SEV_CONFIG}
+
+  # Make sure pre-attestation is enabled. 
+  esudo sed -i 's/guest_pre_attestation = false/guest_pre_attestation = true/g' ${SEV_CONFIG}
+
+  # Start the service/deployment/pod
+  esudo kubectl apply -f "${TEST_DIR}/signed-image-tests.yaml"
+
+  # Retrieve pod name, wait for it to come up, retrieve pod ip
+  pod_name=$(esudo kubectl get pod -o wide | grep signed-image-tests | awk '{print $1;}')
+  kubernetes_wait_for_pod_ready_state "$pod_name" 20
+  pod_ip=$(esudo kubectl get pod -o wide | grep signed-image-tests | awk '{print $6;}')
+
+  print_service_info
+}
 
 teardown_file() {
   echo "###############################################################################"
diff --git a/versions.yaml b/versions.yaml
index 120a0e40c..21a18a56c 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -72,7 +72,7 @@ externals:
   simple-kbs:
     description: "Simple KBS that hosts key storage with release policies"
     url: "https://github.com/confidential-containers/simple-kbs.git"
-    tag: "0.1.1"
+    tag: "v0.1.2"
 
   sonobuoy:
     description: "Tool to run kubernetes e2e conformance tests"