kinvolk · mkulke · Nov 18, 2024 · Oct 24, 2024
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -22,29 +22,26 @@ jobs:
     - name: Install deps
       run: sudo apt-get update && sudo apt-get install -y libtss2-dev
 
-    - uses: actions-rs/toolchain@v1
+    - uses: actions-rust-lang/setup-rust-toolchain@v1
       with:
-        profile: minimal
         toolchain: stable
+        components: rustfmt, clippy
         override: true
 
-    - name: Install additional components
-      shell: bash
-      run: |
-        rustup component add rustfmt
-        rustup component add clippy
-
     - name: Build
-      run: cargo build --verbose --all
+      run: cargo build --all
 
     - name: Check verifier-only
-      run: cargo check --verbose --no-default-features --features=verifier
+      run: cargo check --no-default-features --features=verifier
 
     - name: Check attester-only
-      run: cargo check --verbose --no-default-features --features=attester
+      run: cargo check --no-default-features --features=attester
 
     - name: Run tests
-      run: cargo test --verbose --all
+      run: cargo test --all
+
+    - name: Compile integration tests
+      run: cargo test --all --features integration_test --no-run
 
     - name: Format
       run: cargo fmt --all -- --check

diff --git a/az-cvm-vtpm/Cargo.toml b/az-cvm-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-cvm-vtpm"
-version = "0.7.0"
+version = "0.7.1"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -48,3 +48,4 @@ thiserror = "1.0.38"
 sev = "4.0.0"
 ureq = { version = "2.6.2", default-features = false, features = ["json"] }
 zerocopy = { version = "0.7.26", features = ["derive"] }
+hex = "0.4"
diff --git a/az-cvm-vtpm/az-snp-vtpm/Cargo.toml b/az-cvm-vtpm/az-snp-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-snp-vtpm"
-version = "0.7.0"
+version = "0.7.1"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -17,7 +17,7 @@ path = "src/main.rs"
 required-features = ["attester", "verifier"]
 
 [dependencies]
-az-cvm-vtpm = { path = "..", version = "0.7.0" }
+az-cvm-vtpm = { path = "..", version = "0.7.1" }
 bincode.workspace = true
 clap.workspace = true
 openssl = { workspace = true, optional = true }
@@ -26,7 +26,12 @@ sev.workspace = true
 thiserror.workspace = true
 ureq.workspace = true
 
+[dev-dependencies]
+serde_json.workspace = true
+hex.workspace = true
+
 [features]
 default = ["attester", "verifier"]
 attester = []
 verifier = ["az-cvm-vtpm/openssl", "openssl", "ureq/tls"]
+integration_test = []
diff --git a/az-cvm-vtpm/az-snp-vtpm/README.md b/az-cvm-vtpm/az-snp-vtpm/README.md
@@ -71,3 +71,11 @@ signs ┌─  ┌─┴────────────┐ │  │ │
       └─  └─┬────────────┘ │
             └──────────────┘
 ```
+
+## Integration Tests
+
+The integration test suite can run on an SNP CVM. It needs to be executed as root and the tests have to run sequentially.
+
+```bash
+sudo -E env "PATH=$PATH" cargo t --features integration_test -- --test-threads 1
+```
diff --git a/az-cvm-vtpm/az-snp-vtpm/tests/integration_tests.rs b/az-cvm-vtpm/az-snp-vtpm/tests/integration_tests.rs
@@ -0,0 +1,49 @@
+#[cfg(feature = "integration_test")]
+mod tests {
+    use az_snp_vtpm::{hcl, report, vtpm};
+    use serde::Deserialize;
+
+    #[test]
+    fn get_report_with_varying_report_data_len() {
+        let mut report_data = "test".as_bytes();
+        vtpm::get_report_with_report_data(report_data).unwrap();
+        report_data = "test_test".as_bytes();
+        vtpm::get_report_with_report_data(report_data).unwrap();
+    }
+
+    #[derive(Deserialize, Debug)]
+    struct VarDataUserData {
+        #[serde(rename = "user-data")]
+        user_data: String,
+    }
+
+    #[test]
+    fn get_report_with_report_data() {
+        let mut report_data: [u8; 64] = [0; 64];
+        report_data[42] = 42;
+        let bytes = vtpm::get_report_with_report_data(&report_data).unwrap();
+        let hcl_report = hcl::HclReport::new(bytes).unwrap();
+        let var_data = hcl_report.var_data();
+        let VarDataUserData { user_data } = serde_json::from_slice(var_data).unwrap();
+        assert_eq!(user_data.to_lowercase(), hex::encode(report_data));
+
+        let var_data_hash = hcl_report.var_data_sha256();
+        let snp_report: report::AttestationReport = hcl_report.try_into().unwrap();
+        assert_eq!(var_data_hash, snp_report.report_data[..32]);
+    }
+
+    #[test]
+    fn get_report() {
+        let bytes = vtpm::get_report().unwrap();
+        let hcl_report = hcl::HclReport::new(bytes).unwrap();
+
+        let var_data_hash = hcl_report.var_data_sha256();
+        let snp_report: report::AttestationReport = hcl_report.try_into().unwrap();
+        assert_eq!(var_data_hash, snp_report.report_data[..32]);
+    }
+
+    #[test]
+    fn ak_pub() {
+        let _ = vtpm::get_ak_pub().unwrap();
+    }
+}
diff --git a/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml b/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-tdx-vtpm"
-version = "0.7.0"
+version = "0.7.1"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -16,7 +16,7 @@ name = "tdx-vtpm"
 path = "src/main.rs"
 
 [dependencies]
-az-cvm-vtpm = { path = "..", version = "0.7.0" }
+az-cvm-vtpm = { path = "..", version = "0.7.1" }
 base64-url = "3.0.0"
 bincode.workspace = true
 serde.workspace = true
@@ -27,8 +27,10 @@ zerocopy.workspace = true
 
 [dev-dependencies]
 openssl.workspace = true
+hex.workspace = true
 
 [features]
 default = ["attester", "verifier"]
 attester = []
 verifier = ["az-cvm-vtpm/verifier"]
+integration_test =[]
diff --git a/az-cvm-vtpm/az-tdx-vtpm/README.md b/az-cvm-vtpm/az-tdx-vtpm/README.md
@@ -20,3 +20,12 @@ On the TDX CVM, retrieve a TD Quote and write it to disk:
 ```bash
 sudo ./tdx-vtpm
 ```
+
+## Integration Tests
+
+The integration test suite can run on a TDX CVM. It needs to be executed as root and the tests have to run sequentially.
+
+```bash
+sudo -E env "PATH=$PATH" cargo t --features integration_test -- --test-threads 1
+```
+
diff --git a/az-cvm-vtpm/az-tdx-vtpm/tests/integration_tests.rs b/az-cvm-vtpm/az-tdx-vtpm/tests/integration_tests.rs
@@ -0,0 +1,49 @@
+#[cfg(feature = "integration_test")]
+mod tests {
+    use az_tdx_vtpm::{hcl, tdx, vtpm};
+    use serde::Deserialize;
+
+    #[test]
+    fn get_report_with_varying_report_data_len() {
+        let mut report_data = "test".as_bytes();
+        vtpm::get_report_with_report_data(report_data).unwrap();
+        report_data = "test_test".as_bytes();
+        vtpm::get_report_with_report_data(report_data).unwrap();
+    }
+
+    #[derive(Deserialize, Debug)]
+    struct VarDataUserData {
+        #[serde(rename = "user-data")]
+        user_data: String,
+    }
+
+    #[test]
+    fn get_report_with_report_data() {
+        let mut report_data: [u8; 64] = [0; 64];
+        report_data[42] = 42;
+        let bytes = vtpm::get_report_with_report_data(&report_data).unwrap();
+        let hcl_report = hcl::HclReport::new(bytes).unwrap();
+        let var_data = hcl_report.var_data();
+        let VarDataUserData { user_data } = serde_json::from_slice(var_data).unwrap();
+        assert_eq!(user_data.to_lowercase(), hex::encode(report_data));
+
+        let var_data_hash = hcl_report.var_data_sha256();
+        let td_report: tdx::TdReport = hcl_report.try_into().unwrap();
+        assert_eq!(var_data_hash, td_report.report_mac.reportdata[..32]);
+    }
+
+    #[test]
+    fn get_report() {
+        let bytes = vtpm::get_report().unwrap();
+        let hcl_report = hcl::HclReport::new(bytes).unwrap();
+
+        let var_data_hash = hcl_report.var_data_sha256();
+        let td_report: tdx::TdReport = hcl_report.try_into().unwrap();
+        assert_eq!(var_data_hash, td_report.report_mac.reportdata[..32]);
+    }
+
+    #[test]
+    fn ak_pub() {
+        let _ = vtpm::get_ak_pub().unwrap();
+    }
+}