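#!/bin/bash
#
# Copyright (c) 2022 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
# Helpers for the Intel TDX functional tests. This file is meant to be
# sourced, so it deliberately does not change shell options (set -e,
# pipefail, ...) for its caller; failures are checked explicitly with the
# die/warn helpers from lib/common.bash instead.
#
# Required environment: FIRMWARE. Optional: FIRMWARE_VOLUME,
# KATA_HYPERVISOR (only "qemu" is accepted by setup_tdx).

# NOTE(review): $0 is the *sourcing* script, so the relative path below only
# resolves when the caller sits at the expected depth in the tree.
script_path=$(dirname "$0")
source "${script_path}/../../../lib/common.bash"

# Scratch directory for the private QMP socket and the QEMU wrapper; removed
# by the EXIT trap installed below. Stop here if it could not be created,
# otherwise the paths derived from it would resolve to "/qmp.sock" etc.
tdx_tmp_dir=$(mktemp -d) || die "failed to create a temporary directory"
container_qmp_socket="${tdx_tmp_dir}/qmp.sock"
qemu_tdx_wrapper_path="${tdx_tmp_dir}/qemu-tdx.sh"
# Cache for get_config_file (empty until the first lookup).
config_file=""
# Build artifacts are fetched from this Jenkins instance over plain HTTP and
# no signature or checksum is verified here: the installers below only guard
# against transport/HTTP errors, not against a tampered artifact.
jenkins_job_url="http://jenkins.katacontainers.io/job"
FIRMWARE="${FIRMWARE:-}"
FIRMWARE_VOLUME="${FIRMWARE_VOLUME:-}"
KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
kernel_tdx_path="/usr/share/kata-containers/vmlinuz-tdx.container"
qemu_tdx_path="/usr/local/bin/qemu-system-x86_64"

# Installing this trap replaces any EXIT trap the sourcing script had set.
trap remove_tdx_tmp_dir EXIT

#######################################
# Check the host can run the TDX tests, back up the runtime configuration
# and write the QEMU wrapper that adds a private QMP socket.
# Globals:  FIRMWARE, FIRMWARE_VOLUME, KATA_HYPERVISOR (read);
#           qemu_tdx_path, qemu_tdx_wrapper_path, container_qmp_socket (read)
# Exits:    via die when a precondition is not met
#######################################
setup_tdx() {
	[ "$(uname -m)" == "x86_64" ] || die "Only x86_64 is supported"
	[ -d "/sys/firmware/tdx_seam" ] || die "Intel TDX is not available in this system"

	[ -n "${FIRMWARE}" ] || die "FIRMWARE environment variable is not set"
	[ -n "${FIRMWARE_VOLUME}" ] || warn "FIRMWARE_VOLUME environment variable is not set"

	[ "${KATA_HYPERVISOR}" == "qemu" ] || die "This test only supports QEMU for now"

	# Keep a pristine copy of the configuration so a test can restore it.
	# Without the emptiness check a missing config turns into `cp "" .bak`.
	local conf_file
	conf_file="$(get_config_file)"
	[ -n "${conf_file}" ] || die "configuration file not found"
	sudo cp "${conf_file}" "${conf_file}.bak"

	# We need another QMP socket because the default one is used by the kata
	# shim. The wrapper is what the runtime will execute as QEMU (see
	# enable_confidential_computing): the hypervisor path and socket are
	# baked in at write time, "\$@" is left for the runtime's arguments.
	# NOTE(review): the wrapper is owned by whoever runs this script (sudo is
	# used elsewhere, so presumably not root) yet is executed by the root
	# shim; fine for a throw-away test host, not for a shared one.
	cat > "${qemu_tdx_wrapper_path}" <<EOF
#!/bin/bash
${qemu_tdx_path} -qmp unix:${container_qmp_socket},server=on,wait=off "\$@"
EOF
	chmod +x "${qemu_tdx_wrapper_path}"
}

#######################################
# Print the first existing file among the runtime's default config paths.
# The result is cached in the global config_file, but callers invoke this
# through "$(...)", so the cache only survives within that subshell.
# Outputs: the path on stdout (empty when none of the candidates exists)
#######################################
get_config_file() {
	local candidate
	if [ -z "${config_file}" ]; then
		for candidate in $(kata-runtime --show-default-config-paths); do
			if [ -f "${candidate}" ]; then
				config_file="${candidate}"
				break
			fi
		done
	fi
	echo "${config_file}"
}

#######################################
# Download the latest nightly TDX guest kernel and install it at
# kernel_tdx_path.
# Globals:  jenkins_job_url, kernel_tdx_path, tdx_tmp_dir (read)
# Exits:    via die when a download fails or returns nothing
#######################################
install_kernel_tdx() {
	local kernel_url="${jenkins_job_url}/kata-containers-2.0-kernel-tdx-x86_64-nightly/lastSuccessfulBuild/artifact/artifacts"
	local latest download_path
	# --fail makes curl return non-zero on an HTTP error instead of handing
	# back the error page, which would otherwise be installed as the kernel.
	latest=$(curl --fail --silent --show-error "${kernel_url}/latest") \
		|| die "failed to query the latest TDX kernel build"
	[ -n "${latest}" ] || die "empty kernel version returned by ${kernel_url}/latest"
	# Download into the scratch directory rather than the caller's cwd.
	download_path="${tdx_tmp_dir}/vmlinuz-tdx.container"
	curl --fail --silent --show-error --location \
		"${kernel_url}/vmlinuz-${latest}" -o "${download_path}" \
		|| die "failed to download vmlinuz-${latest}"
	# No checksum or signature is published with the artifact, so only the
	# transport outcome is verified before the kernel is installed as root.
	sudo mv -f "${download_path}" "${kernel_tdx_path}"
}

#######################################
# Download the TDX-enabled QEMU tarball and unpack it under /usr/local with
# its top-level directory stripped (presumably yielding qemu_tdx_path).
# Globals:  jenkins_job_url, tdx_tmp_dir (read)
# Exits:    via die when the download or the extraction fails
#######################################
install_qemu_tdx() {
	local qemu_url="${jenkins_job_url}/kata-containers-2.0-qemu-tdx-x86_64/lastSuccessfulBuild/artifact/artifacts/kata-static-qemu.tar.gz"
	local tarball="${tdx_tmp_dir}/kata-static-qemu.tar.gz"
	# Fetch to a file first: piping curl straight into tar discards curl's
	# exit status and lets a truncated or HTTP-error body reach tar as root.
	curl --fail --silent --show-error --location "${qemu_url}" -o "${tarball}" \
		|| die "failed to download ${qemu_url}"
	# Extraction runs as root into /usr/local; the archive is unsigned and
	# fetched over HTTP, so this step trusts the Jenkins instance entirely.
	sudo tar --strip-components=1 -C /usr/local/ -zxf "${tarball}" \
		|| die "failed to extract ${tarball}"
}

#######################################
# Point the runtime's [hypervisor.qemu] section at the TDX wrapper, kernel
# and firmware, and switch on confidential_guest.
# Globals:  qemu_tdx_wrapper_path, kernel_tdx_path, FIRMWARE,
#           FIRMWARE_VOLUME (read)
# Exits:    via die when no configuration file is found
#######################################
enable_confidential_computing() {
	local conf_file
	conf_file="$(get_config_file)"
	[ -n "${conf_file}" ] || die "configuration file not found"
	local section='hypervisor.qemu'
	# Values carry literal double quotes so the entries stay quoted strings
	# in the config file; the expansions are quoted so a path with spaces
	# is passed to crudini as one argument.
	sudo crudini --set "${conf_file}" "${section}" 'path' "\"${qemu_tdx_wrapper_path}\""
	sudo crudini --set "${conf_file}" "${section}" 'kernel' "\"${kernel_tdx_path}\""
	sudo crudini --set "${conf_file}" "${section}" 'kernel_params' '"force_tdx_guest tdx_disable_filter"'
	sudo crudini --set "${conf_file}" "${section}" 'firmware' "\"${FIRMWARE}\""
	# FIRMWARE_VOLUME may legitimately be empty (setup_tdx only warns); the
	# key is written regardless, as before.
	sudo crudini --set "${conf_file}" "${section}" 'firmware_volume' "\"${FIRMWARE_VOLUME}\""
	sudo crudini --set "${conf_file}" "${section}" 'cpu_features' '"pmu=off,-kvm-steal-time"'
	# The shipped config has this key commented out ("# confidential_guest"),
	# so it is uncommented in place with sed instead of set via crudini.
	sudo sed -i 's|^# confidential_guest.*|confidential_guest = true|' "${conf_file}"
}

#######################################
# EXIT trap: delete the scratch directory. sudo is used presumably because
# the QMP socket inside it is created by the root-run QEMU process. The :?
# guard aborts instead of expanding to an empty operand if the variable was
# never set.
#######################################
remove_tdx_tmp_dir() {
	sudo rm -rf -- "${tdx_tmp_dir:?}"
}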