test: verify FCOS runs on TDX_CAPABLE instances in GCP

See coreos/fedora-coreos-tracker#1814 Use type `c3-standard-4` with only 1 disk that uses the NVMe interface, as Intel TDX `c3-standard-4-lssd` is not supported yet. (Refer to https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#limitations)
coreos · Feb 14, 2025 · 1dc0db3 · 1dc0db3
1 parent dab2ed4
commit 1dc0db3
Show file tree

Hide file tree

Showing 5 changed files with 123 additions and 81 deletions.
diff --git a/tests/kola/data/commonlib.sh b/tests/kola/data/commonlib.sh
@@ -137,3 +137,10 @@ vergt() {
 vergte() {
     vereq "$1" "$2" || vergt "$1" "$2"
 }
+
+# Verify the instance is Confidential VM type that matches expected
+assert_confidential_type_match() {
+    local cvm_type=$(systemd-detect-virt --cvm)
+    local expected=$1
+    [ "${cvm_type}" == "${expected}" ]
+}
diff --git a/tests/kola/platforms/gcp/confidential-vm-nvme-symlink b/tests/kola/platforms/gcp/confidential-vm-nvme-symlink
diff --git a/tests/kola/platforms/gcp/confidential-vm-snp-nvme-symlink b/tests/kola/platforms/gcp/confidential-vm-snp-nvme-symlink
@@ -0,0 +1,37 @@
+#!/bin/bash
+## kola:
+##   description: Verify new GCP udev rules work well on confidential instance.
+##   # Note: each local SSD is 375 GB in size, refer to https://cloud.google.com/compute/docs/disks/local-ssd
+##   additionalDisks: ["375G:channel=nvme"]
+##   platforms: gcp
+##   requiredTag: confidential-snp
+
+# See https://issues.redhat.com/browse/OCPBUGS-7582
+# https://github.com/coreos/fedora-coreos-tracker/issues/1457
+# https://github.com/coreos/coreos-assembler/issues/3556
+#
+# Force this test to not run by default unless named specifically
+# or `--tag confidential-snp` is passed to `kola run`, also requires
+# `--gcp-confidential-type sev_snp`. (By default using
+# `--gcp-machinetype n2d-standard-2`)
+#
+# It will create confidential instance on GCP with 1 nvme persistent disk
+# and 1 local ssd disk, then check the new udev rules make effect.
+
+set -xeuo pipefail
+
+# shellcheck disable=SC1091
+. "$KOLA_EXT_DATA/commonlib.sh"
+. $KOLA_EXT_DATA/gcp-lib.sh
+
+# Set global variable with NVME json info
+NVME_INFO=$(nvme list-subsys -o json)
+
+assert_confidential_type_match "sev-snp"
+assert_nvme_disk_count "${NVME_INFO}" "2"
+
+for disk in nvme0 nvme1; do
+    assert_nvme_disk_accessible $disk "${NVME_INFO}"
+    assert_expected_symlink_exists "/dev/${disk}n1"
+    ok "Found /dev/${disk}n1 symlink"
+done
diff --git a/tests/kola/platforms/gcp/confidential-vm-tdx-nvme-symlink b/tests/kola/platforms/gcp/confidential-vm-tdx-nvme-symlink
@@ -0,0 +1,38 @@
+#!/bin/bash
+## kola:
+##   description: Verify new GCP udev rules work well on confidential instance
+##     with Intel TDX type.
+##   platforms: gcp
+##   requiredTag: confidential-tdx
+
+# See https://issues.redhat.com/browse/OCPBUGS-7582
+# https://github.com/coreos/fedora-coreos-tracker/issues/1814
+# https://github.com/bgartzi/coreos-assembler/commit/5f659ed43979f752accf53d44d45681a0d5accd3
+#
+# Intel TDX `c3-standard-4-lssd` is not supported.
+# https://cloud.google.com/confidential-computing/confidential-vm/docs/supported-configurations#limitations
+#
+# Force this test to not run by default unless named specifically
+# or `--tag confidential-tdx` is passed to `kola run`, also requires
+# `--gcp-confidential-type tdx`. (By default using
+# `--gcp-machinetype c3-standard-4`)
+#
+# It will create confidential instance on GCP with 1 nvme persistent disk,
+# then check the new udev rules make effect.
+
+set -xeuo pipefail
+
+# shellcheck disable=SC1091
+. "$KOLA_EXT_DATA/commonlib.sh"
+. $KOLA_EXT_DATA/gcp-lib.sh
+
+# Set global variable with NVME json info
+NVME_INFO=$(nvme list-subsys -o json)
+
+assert_confidential_type_match "tdx"
+assert_nvme_disk_count "${NVME_INFO}" "1"
+
+disk=nvme0
+assert_nvme_disk_accessible $disk "${NVME_INFO}"
+assert_expected_symlink_exists "/dev/${disk}n1"
+ok "Found /dev/${disk}n1 symlink"
diff --git a/tests/kola/platforms/gcp/data/gcp-lib.sh b/tests/kola/platforms/gcp/data/gcp-lib.sh
@@ -0,0 +1,41 @@
+# This is a library created for our gcp tests
+
+# shellcheck disable=SC1091
+. "$KOLA_EXT_DATA/commonlib.sh"
+
+# check instance has nvme disks count that matches expected
+assert_nvme_disk_count() {
+    local nvme_info="$1"
+    local expected="$2"
+    local nvme_count=$(jq -r ".[].Subsystems | length" <<< "${nvme_info}")
+    [ "${nvme_count}" == "${expected}" ]
+}
+
+# check nvme device
+assert_nvme_disk_accessible() {
+    local disk=$1
+    local nvme_info="$2"
+    local nvme_disk=$(jq -r ".[].Subsystems[].Paths[] | select(.Name == \"${disk}\").Name" <<< "${nvme_info}")
+    if [ -n "${nvme_disk}" ]; then
+        if [ ! -e "/dev/${disk}n1" ]; then
+            fatal "instance has nvme device but no ${disk} accessible"
+        fi
+    else
+        fatal "can not find ${disk} on the instance"
+    fi
+}
+
+# check symlink
+assert_expected_symlink_exists() {
+    local device=$1
+    # Run google_nvme_id to populate ID_SERIAL_SHORT env var
+    eval $(/usr/lib/udev/google_nvme_id -d "${device}")
+    if [ ! -n "${ID_SERIAL_SHORT:-}" ]; then
+        fatal "can not get nvme ${device} ID_SERIAL_SHORT"
+    fi
+
+    local link="/dev/disk/by-id/google-${ID_SERIAL_SHORT}"
+    if ! ls -l "${link}"; then
+        fatal "can not find ${device} symlink ${link}"
+    fi
+}