
Extend virtctl to Support Interactive SEV Attestation #7595

Draft. Wants to merge 2 commits into base: main

Conversation

@Fuzzy-Math (Contributor) commented Apr 19, 2022

What this PR does / why we need it:

This PR extends virtctl to support interactive attestation of SEV enabled workloads.

The following subcommands have been added:

  • virtctl sev fetch-cert-chain
  • virtctl sev setup-session
  • virtctl sev query-measurement
  • virtctl sev inject-secret

Special notes for your reviewer:

Release note:

Extending virtctl to support interactive attestation of AMD SEV enabled workloads

@kubevirt-bot kubevirt-bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Apr 19, 2022
@kubevirt-bot (Contributor):

Hi @Fuzzy-Math. Thanks for your PR.

I'm waiting for a kubevirt member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kubevirt-bot kubevirt-bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 19, 2022
@Fuzzy-Math (Contributor, Author):

/hold

@kubevirt-bot kubevirt-bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 19, 2022
@Fuzzy-Math Fuzzy-Math changed the title from "[WIP]Extend virtctl to Support Interactive SEV Attestation" to "Extend virtctl to Support Interactive SEV Attestation" Apr 19, 2022
@kubevirt-bot kubevirt-bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 19, 2022
@kubevirt-bot kubevirt-bot added dco-signoff: no Indicates the PR's author has not DCO signed all their commits. and removed dco-signoff: yes Indicates the PR's author has DCO signed all their commits. labels Apr 20, 2022
@kubevirt-bot kubevirt-bot added dco-signoff: yes Indicates the PR's author has DCO signed all their commits. and removed dco-signoff: no Indicates the PR's author has not DCO signed all their commits. labels Apr 20, 2022
@vasiliy-ul vasiliy-ul mentioned this pull request Apr 20, 2022
@vasiliy-ul (Contributor) left a comment:

Looks good. Just added a few minor comments.

Comment on lines 229 to 230
if pathProvided {
if _, err := file.Write(data); err != nil {
log.Log.Errorf("[SEV] Failed to write certificate chain to %s", outpath)
return fmt.Errorf("Error %s/%s: %v", namespace, vmiName, err)
}
log.Log.Infof("[SEV]Writing platform certificate chain to %s", outpath)
} else {
fmt.Printf("%s\n", string(data))
}
@vasiliy-ul (Contributor):

I think the code can be simplified by using https://pkg.go.dev/io/ioutil#WriteFile . That way you will not need the file, err = os.OpenFile(...) part above. The same applies to the COMMAND_QUERY_MEASUREMENT case.

@Fuzzy-Math (Contributor, Author):

Using WriteFile() would overwrite the file if it already existed. As designed, I don't allow overwriting existing files, and it's a failure condition if the file exists.

@kubevirt-bot kubevirt-bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 23, 2022
@kubevirt-bot kubevirt-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 25, 2022
@fabiand (Member) commented May 6, 2022

@alicefr thoughts?

@vladikr (Member) commented May 6, 2022

@jean-edouard @iholder-redhat

@iholder101 (Contributor):

@jean-edouard @iholder-redhat

Thanks for the FYI!
/assign @iholder-redhat

}
defer file.Close()

if sevPlatformInfo, err := virtClient.VirtualMachineInstance(namespace).SEVFetchCertChain(vmiName); err != nil {
Member:

I'd rewrite this as:

sevPlatformInfo, err := virtClient.VirtualMachineInstance(namespace).SEVFetchCertChain(vmiName)
if err != nil {
    return fmt.Errorf("Error %s/%s: %v", namespace, vmiName, err)
}

It can avoid one level of indentation.


case COMMAND_FETCH_CERT_CHAIN:
var file *os.File
pathProvided := outpath != ""
Member:

Can you evaluate this statement before the switch, as you are repeating it 3 times there?

return fmt.Errorf("Error %s/%s: %v", namespace, vmiName, err)
}
}
defer file.Close()
Member:

Should this be placed inside the if pathProvided, as otherwise you don't open the file? Just wondering if you don't get a nil pointer?

@alicefr (Member), May 9, 2022:

Generally, for the open and write of the file you could create a function, since you are repeating it. It could also help improve the readability of the code.
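The three review threads above turn on one helper: write the fetched attestation data to stdout when no path is given, otherwise create the file without ever clobbering an existing one, and open it only inside the branch that needs it so no defer runs against a nil handle. The following is an added example written for this page, not code from the PR or from KubeVirt. It puts the O_EXCL write the author describes beside the os.WriteFile variant suggested in review (the successor of the deprecated ioutil.WriteFile) so the behavioural difference is visible; the names writeExclusive, writeOverwrite, alreadyExists and the 0600 value of outputPerm are assumptions, and the certificate-chain bytes are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
)

// outputPerm stands in for the PR's output_perm; the value is an assumption
// for this example. Attestation artifacts are written owner-readable only.
const outputPerm fs.FileMode = 0o600

// writeExclusive prints data to stdout when no path is given. Otherwise it
// creates outpath with O_EXCL, so a pre-existing file makes the call fail
// instead of being silently replaced. The file handle only exists inside the
// branch that opened it, so there is no defer on a possibly nil *os.File.
func writeExclusive(outpath string, data []byte, stdout io.Writer) error {
	if outpath == "" {
		_, err := fmt.Fprintf(stdout, "%s\n", data)
		return err
	}
	f, err := os.OpenFile(outpath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, outputPerm)
	if err != nil {
		// For an existing file this wraps fs.ErrExist (see alreadyExists).
		return fmt.Errorf("writing %s: %w", outpath, err)
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return fmt.Errorf("writing %s: %w", outpath, err)
	}
	// A failed Close can mean lost data; report it rather than deferring it away.
	if err := f.Close(); err != nil {
		return fmt.Errorf("closing %s: %w", outpath, err)
	}
	return nil
}

// writeOverwrite is the os.WriteFile variant suggested in review
// (ioutil.WriteFile is deprecated in favour of it). It truncates, so an
// existing file is replaced without any error.
func writeOverwrite(outpath string, data []byte) error {
	return os.WriteFile(outpath, data, outputPerm)
}

// alreadyExists reports whether err is the O_EXCL refusal from writeExclusive.
func alreadyExists(err error) bool {
	return errors.Is(err, fs.ErrExist)
}

func main() {
	dir, err := os.MkdirTemp("", "sev-out")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "cert-chain.bin")

	// Constructed stand-in for a fetched platform certificate chain.
	chain := []byte("constructed sample certificate chain")

	fmt.Println("first write:", writeExclusive(path, chain, os.Stdout))
	err = writeExclusive(path, []byte("second run"), os.Stdout)
	fmt.Println("second write refused:", alreadyExists(err))
	fmt.Println("WriteFile variant:", writeOverwrite(path, []byte("replaced")))
	got, _ := os.ReadFile(path)
	fmt.Printf("file now holds %q\n", got)
}
```

Callers that want to distinguish "file already there" from I/O failure can test the returned error with alreadyExists; the O_EXCL check is done by the kernel at open time, so there is no window between a separate existence check and the create.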

@kubevirt-bot (Contributor):

@dhiller: Reopened this PR.

In response to this:

/reopen
/remove-lifecycle rotten

/test pull-kubevirt-e2e-k8s-1.26-sev

@Fuzzy-Math @alicefr @iholder101 @xpivarc IIUC we now have a manual test lane for AMD SEV testing in place.

Up to you folks whether you want to continue pushing this one.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kubevirt-bot kubevirt-bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jul 7, 2023
@kubevirt-bot (Contributor):

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from iholder101. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@vasiliy-ul (Contributor) commented Jul 7, 2023

/reopen /remove-lifecycle rotten

/test pull-kubevirt-e2e-k8s-1.26-sev

@Fuzzy-Math @alicefr @iholder101 @xpivarc IIUC we now have a manual test lane for AMD SEV testing in place.

Up to you folks whether you want to continue pushing this one.

#7197 is now merged. I think this PR is also good to go in (after rebase and another review round).

* See the License for the specific language governing permissions and
* limitations under the License.
*
* Copyright 2022
Member:

This probably can be updated

Comment on lines +209 to +223
if outpath != "" {
file, err := os.OpenFile(outpath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, output_perm)
if err != nil {
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err)
}
defer file.Close()

_, err = file.Write(data)
if err != nil {
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err)
}
log.Log.Infof(logFmt, outpath)
} else {
fmt.Printf("%s\n", string(data))
}
Member:

Suggested change. Current lines:
if outpath != "" {
file, err := os.OpenFile(outpath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, output_perm)
if err != nil {
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err)
}
defer file.Close()
_, err = file.Write(data)
if err != nil {
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err)
}
log.Log.Infof(logFmt, outpath)
} else {
fmt.Printf("%s\n", string(data))
}
Proposed replacement:
if output == "" {
fmt.Printf("%s\n", string(data))
return nil
}
file, err := os.OpenFile(outpath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, output_perm)
if err != nil {
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err)
}
defer file.Close()
_, err = file.Write(data)
if err != nil {
return fmt.Errorf(errFmt, namespace, vmiName, outpath, err)
}
log.Log.Infof(logFmt, outpath)
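Review bot: the proposed replacement guards on output == "" while every following line uses outpath (os.OpenFile(outpath, ...), log.Log.Infof(logFmt, outpath)); unless output is a separate variable already in scope this will not compile, and if it is, the early-return check and the path actually written can disagree. The guard should read if outpath == "" { so that the stdout case and the O_EXCL file case stay mutually exclusive, which preserves the no-overwrite behaviour the author described while removing the nesting level.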


Describe("The 'setup-session' command", func() {
Context("Creation", func() {
It("should succeed", func() {
Member:

Do we need this test?

Expect(cmd).ToNot(BeNil())
})
})
Context("With no argument", func() {
Member:

What about grouping this and the next 3 tests into a table?

})
})
Context("With no argument", func() {
It("should fail", func() {
@alicefr (Member), Jul 7, 2023:

Again, as above, try to group tests that have very similar code into a table.

@alicefr (Member) commented Jul 7, 2023

@vasiliy-ul @Fuzzy-Math do we plan to also add functional tests for this?

@alicefr (Member) commented Jul 7, 2023

/ok-to-test

@kubevirt-bot kubevirt-bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 7, 2023
@vasiliy-ul (Contributor):

@vasiliy-ul @Fuzzy-Math do we plan to also add functional tests for this?

I think yes, now it makes sense since the API is in place.

@dhiller (Contributor) commented Jul 7, 2023

@kubevirt-bot (Contributor):

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@kubevirt-bot kubevirt-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 5, 2023
@kubevirt-bot (Contributor):

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

/lifecycle rotten

@kubevirt-bot kubevirt-bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 4, 2023
@kubevirt-bot (Contributor):

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

@kubevirt-bot (Contributor):

@kubevirt-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@dhiller (Contributor) commented Dec 11, 2023

There's CI support on a periodic basis for this here: https://testgrid.k8s.io/kubevirt-periodics#periodic-kubevirt-e2e-k8s-1.26-sev

/reopen
/remove-lifecycle rotten

@kubevirt-bot kubevirt-bot reopened this Dec 11, 2023
@kubevirt-bot (Contributor):

@dhiller: Reopened this PR.

In response to this:

There's CI support on a periodic basis for this here: https://testgrid.k8s.io/kubevirt-periodics#periodic-kubevirt-e2e-k8s-1.26-sev

/reopen
/remove-lifecycle rotten

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@kubevirt-bot kubevirt-bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Dec 11, 2023
@dhiller (Contributor) commented Dec 11, 2023

/test pull-kubevirt-e2e-k8s-1.26-sev

Let's see how the presubmit goes

@dhiller (Contributor) commented Dec 11, 2023

Hey @vasiliy-ul @Fuzzy-Math, are you folks up to picking this up again?

@vasiliy-ul (Contributor):

Hey @vasiliy-ul @Fuzzy-Math, are you folks up to picking this up again?

Hi @dhiller. Thank you for the ping. The PR probably needs a rebase and also some updates to address the comments. Yes, definitely, we will look at it.

@dhiller dhiller marked this pull request as draft December 11, 2023 10:05
@kubevirt-bot kubevirt-bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 11, 2023
@dhiller (Contributor) commented Dec 11, 2023

@vasiliy-ul I've converted it back to draft, just to reduce spent CI resources. Reconvert any time when it's ready.

@kubevirt-bot (Contributor):

@Fuzzy-Math: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                                           Commit   Required  Rerun command
pull-kubevirt-unit-test-arm64                       34e5ce0  false     /test pull-kubevirt-unit-test-arm64
pull-kubevirt-goveralls                             34e5ce0  false     /test pull-kubevirt-goveralls
pull-kubevirt-unit-test                             34e5ce0  true      /test pull-kubevirt-unit-test
pull-kubevirt-build-arm64                           34e5ce0  true      /test pull-kubevirt-build-arm64
pull-kubevirt-build                                 34e5ce0  true      /test pull-kubevirt-build
pull-kubevirt-generate                              34e5ce0  true      /test pull-kubevirt-generate
pull-kubevirt-e2e-k8s-1.29-sig-compute-migrations   34e5ce0  true      /test pull-kubevirt-e2e-k8s-1.29-sig-compute-migrations
pull-kubevirt-e2e-k8s-1.30-sig-compute-serial       34e5ce0  true      /test pull-kubevirt-e2e-k8s-1.30-sig-compute-serial

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

Labels
dco-signoff: yes Indicates the PR's author has DCO signed all their commits. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL