CI setup for SEV-SNP enabled ACI
Once #4068 is complete, we should create an ACI setup to test the SEV-SNP variant of CCF in the CI.
- [x] 1. Add SEV-SNP ACI CI agent (https://github.com/microsoft/CCF/pull/4171)
- [ ] 2. Set up single node performance job, to be compared with equivalent SGX
- [ ] 3. Identify and fix tests that are currently stubbed on SEV-SNP
- [ ] 4. Add ability to spin up SEV-SNP ACI container from CI Python infra (see https://docs.microsoft.com/en-us/python/api/overview/azure/container-instance?view=azure-python)
- [ ] 5. Pass `SECURITY_POLICY` envvar to all nodes on startup
Risk: We may want to de-risk this early to make sure it is possible to spin up a SEV-SNP enabled ACI container with the existing version of the azure-mgmt-containerinstance.
Basic CI running as of https://github.com/microsoft/CCF/pull/4171
Additional tests for functionality should probably wait for/be done as part of changes to the attestation verification in https://github.com/microsoft/CCF/issues/4188 and https://github.com/microsoft/CCF/issues/4193
@DomAyre the pool/jobs are only in the Daily build, but not in the CI, is that correct?
Yeah, sorry for missing your message but it is on the daily
We need the following tests for security policy:
- Node being created with a raw/digested policy which don't match
- Primary populates the KV with a valid policy, we change it and then try to join with a new node (node joining with a different policy)
@DomAyre can we close this, and roll the remaining items into a freshly named ticket?