tests: Add IBM SE to the basic confidential test #8914

Merged
merged 1 commit into from Jan 26, 2024

Member

@BbolroC BbolroC commented Jan 25, 2024

The existing confidential basic test titled `Test unencrypted confidential container launch success and verify that we are running in a secure enclave` has been updated to incorporate IBM Secure Execution (`qemu-se`).
Previously, a secure image was absent from kata-deploy, hindering the inclusion of IBM SE in the test.
Thanks to the #6755 update, it is now possible to test the TEE.

This modification extends the existing test by introducing qemu-se. The specific changes are outlined below:

  • Add an additional test cc-se-e2e-tests to s390x nightly
  • Expansion of REMOTE_COMMAND_PER_HYPERVISOR for qemu-se
  • Temporary exclusion of two test cases currently incompatible with IBM SE (cpu-ns is a common issue across all TEEs, while inotify will be addressed in a subsequent pull request for Pod stuck in StartError for k8s-inotify.bats on IBM Z16 LPAR #8906).

Reviewers, please note that the test has already been verified on Jenkins at http://jenkins.katacontainers.io/job/kata-containers-CCv0-ubuntu-20.04-s390x-SE-daily/374/. It can only be verified internally due to limitations in computing resources (SE capable). To address this, the test is triggered by the nightly GHA workflow. The test log fetched during the workflow will be the same as the one verified on Jenkins.

Fixes: #8913

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>

@katacontainersbot katacontainersbot added the size/small Small and simple task label Jan 25, 2024
Member

@stevenhorsman stevenhorsman left a comment

The code LGTM and I can see that it passed in the daily run:

ok 1 Test unencrypted confidential container launch success and verify that we are running in a secure enclave.

Do you know if there are any plans for Marist to have an LPAR with SE available, or any other options for us to add an SE self-hosted runner in the future?

@hbrueckner
Contributor

Hi @stevenhorsman

> Do you know if there are any plans for Marist to have an LPAR with SE available, or any other options for us to add an SE self-hosted runner in the future?

I have to ask the Marist team about their plans. For other options, I will contact you offline and then let's circle back if there are options.

cc: @magowan

@BbolroC
Member Author

BbolroC commented Jan 26, 2024

/test

The existing confidential basic test titled `Test unencrypted
confidential container launch success and verify that we are
running in a secure enclave` has been updated to incorporate
IBM Secure Execution (`qemu-se`).
Previously, a secure image was absent from kata-deploy, hindering
the inclusion of IBM SE in the test.
Thanks to the kata-containers#6755 update, it is now possible to test the TEE.

This modification extends the existing test by introducing
`qemu-se`. The specific changes are outlined below:

- Add an additional test `cc-se-e2e-tests` to s390x nightly
- Expansion of `REMOTE_COMMAND_PER_HYPERVISOR` for `qemu-se`
- Temporary exclusion of two test cases currently incompatible with IBM SE
(`cpu-ns` is a common issue across all TEEs, while `inotify`
will be addressed in a subsequent pull request).

Fixes: kata-containers#8913

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
@BbolroC
Member Author

BbolroC commented Jan 26, 2024

/test

@BbolroC
Member Author

BbolroC commented Jan 26, 2024

The CI jobs `kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset kernel-nvidia-gpu-{snp,tdx-experimental}` do not exist on main and in this PR, but are marked as required and not triggered. Those jobs are blockers atm. @stevenhorsman @gkurz

Member

@gkurz gkurz left a comment

LGTM. Thanks @BbolroC !

@gkurz gkurz merged commit f41fa75 into kata-containers:main Jan 26, 2024
279 of 288 checks passed
@BbolroC BbolroC deleted the basic-e2e-ibm-se branch January 26, 2024 11:38
Labels
ok-to-test size/small Small and simple task
Development

Successfully merging this pull request may close these issues.

Add confidential containers test for IBM Secure Execution
6 participants