diff --git a/mantle/cmd/kola/options.go b/mantle/cmd/kola/options.go
index 00e37bd579..26863dc4da 100644
--- a/mantle/cmd/kola/options.go
+++ b/mantle/cmd/kola/options.go
@@ -168,8 +168,6 @@ func init() {
 bv(&kola.QEMUOptions.SecureExecution, "qemu-secex", false, "Run IBM Secure Execution Image")
 sv(&kola.QEMUOptions.SecureExecutionIgnitionPubKey, "qemu-secex-ignition-pubkey", "", "Path to Ignition GPG Public Key")
 sv(&kola.QEMUOptions.SecureExecutionHostKey, "qemu-secex-hostkey", "", "Path to Secure Execution HKD certificate")
- // s390x CEX-specific options
- bv(&kola.QEMUOptions.Cex, "qemu-cex", false, "Attach CEX device to guest")
 }
 // Sync up the command line options if there is dependency
diff --git a/mantle/cmd/kola/qemuexec.go b/mantle/cmd/kola/qemuexec.go
index 7b5143a78a..49d088a98d 100644
--- a/mantle/cmd/kola/qemuexec.go
+++ b/mantle/cmd/kola/qemuexec.go
@@ -391,14 +391,6 @@ func runQemuExec(cmd *cobra.Command, args []string) error {
 }
 }
- // IBM Cex based luks encryption.
- if kola.QEMUOptions.Cex {
- err := builder.AddCexDevice()
- if err != nil {
- return err
- }
- }
-
-
 if devshell && !devshellConsole {
 return runDevShellSSH(ctx, builder, config, sshCommand)
 }
diff --git a/mantle/kola/tests/ignition/luks.go b/mantle/kola/tests/ignition/luks.go
index ff920d16bb..13cd20ed54 100644
--- a/mantle/kola/tests/ignition/luks.go
+++ b/mantle/kola/tests/ignition/luks.go
@@ -2,7 +2,6 @@ package ignition
 import (
 "fmt"
- "os"
 "time"
 coreosarch "github.com/coreos/stream-metadata-go/arch"
@@ -10,7 +9,6 @@ import (
 "github.com/coreos/coreos-assembler/mantle/kola"
 "github.com/coreos/coreos-assembler/mantle/kola/cluster"
 "github.com/coreos/coreos-assembler/mantle/kola/register"
- "github.com/coreos/coreos-assembler/mantle/kola/tests/coretest"
 ut "github.com/coreos/coreos-assembler/mantle/kola/tests/util"
 "github.com/coreos/coreos-assembler/mantle/platform"
 "github.com/coreos/coreos-assembler/mantle/platform/conf"
@@ -52,20 +50,6 @@ func init() {
 ExcludeArchitectures: []string{"s390x"}, // no TPM backend support for s390x
 Tags: []string{"luks", "tpm", "tang", "sss", kola.NeedsInternetTag, "reprovision"},
 })
- register.RegisterTest(®ister.Test{
- Run: runCexTest,
- ClusterSize: 0,
- Name: `luks.cex`,
- Description: "Verify that CEX-based rootfs encryption works.",
- Flags: []register.Flag{},
- Platforms: []string{"qemu"},
- Architectures: []string{"s390x"},
- Tags: []string{"luks", "cex", "reprovision"},
- NativeFuncs: map[string]register.NativeFuncWrap{
- "RHCOSGrowpart": register.CreateNativeFuncWrap(coretest.TestRHCOSGrowfs, []string{"fcos"}...),
- "FCOSGrowpart": register.CreateNativeFuncWrap(coretest.TestFCOSGrowfs, []string{"rhcos"}...),
- },
- })
 }
 func setupTangMachine(c cluster.TestCluster) ut.TangServer {
@@ -192,74 +176,6 @@ func runTest(c cluster.TestCluster, tpm2 bool, threshold int, killTangAfterFirst
 ut.LUKSSanityTest(c, tangd, m, tpm2, killTangAfterFirstBoot, rootPart)
 }
-func runCexTest(c cluster.TestCluster) {
- var err error
- var m platform.Machine
-
- // To prevent the test to fail the whole run on s390x machine that does not have Cex Device
- cex_uuid := os.Getenv("KOLA_CEX_UUID")
- if cex_uuid == "" {
- c.Skip("No CEX device found in KOLA_CEX_UUID env var")
- }
-
- ignition := conf.Ignition(`{
- "ignition": {
- "version": "3.5.0-experimental"
- },
- "kernelArguments": {
- "shouldExist": [
- "rd.luks.key=/etc/luks/cex.key"
- ]
- },
- "storage": {
- "luks": [
- {
- "name": "root",
- "device": "/dev/disk/by-label/root",
- "cex": {
- "enabled": true
- },
- "label": "root",
- "wipeVolume": true
- }
- ],
- "filesystems": [
- {
- "device": "/dev/mapper/root",
- "format": "xfs",
- "wipeFilesystem": true,
- "label": "root"
- }
- ]
- }
- }`)
-
- opts := platform.QemuMachineOptions{
- Cex: true,
- }
- opts.MinMemory = 8192
-
- switch pc := c.Cluster.(type) {
- case *qemu.Cluster:
- m, err = pc.NewMachineWithQemuOptions(ignition, opts)
- default:
- panic("Unsupported cluster type")
- }
-
- // copy over kolet into the machine
- if err := kola.ScpKolet([]platform.Machine{m}); err != nil {
- c.Fatal(err)
- }
- coretest.LocalTests(c)
-
- if err != nil {
- c.Fatalf("Unable to create test machine: %v", err)
- }
- rootPart := "/dev/disk/by-partlabel/root"
-
- ut.LUKSSanityCEXTest(c, m, rootPart)
-}
-
 // Verify that the rootfs is encrypted with Tang
 func luksTangTest(c cluster.TestCluster) {
 runTest(c, false, 1, false)
diff --git a/mantle/kola/tests/util/luks.go b/mantle/kola/tests/util/luks.go
index 42b66a8019..5fbd122ce7 100644
--- a/mantle/kola/tests/util/luks.go
+++ b/mantle/kola/tests/util/luks.go
@@ -79,21 +79,3 @@ func LUKSSanityTest(c cluster.TestCluster, tangd TangServer, m platform.Machine,
 luksDump = c.MustSSH(m, "sudo cryptsetup luksDump "+rootPart)
 mustMatch(c, "Cipher: *aes", luksDump)
 }
-
-// LUKSSanityCEXTest verifies that the rootfs is encrypted with Cex based LUKS
-func LUKSSanityCEXTest(c cluster.TestCluster, m platform.Machine, rootPart string) {
- var err error
- luksDump := c.MustSSH(m, "sudo cryptsetup luksDump "+rootPart)
- mustMatch(c, "cipher: paes-*", luksDump)
- mustNotMatch(c, "Cipher: *cipher_null-ecb", luksDump)
- mustMatch(c, "0: paes-verification-pattern", luksDump)
- mustNotMatch(c, "9: *coreos", luksDump)
-
- err = m.Reboot()
-
- if err != nil {
- c.Fatalf("Failed to reboot the machine: %v", err)
- }
- luksDump = c.MustSSH(m, "sudo cryptsetup luksDump "+rootPart)
- mustMatch(c, "cipher: paes-*", luksDump)
-}
diff --git a/mantle/platform/machine/qemu/cluster.go b/mantle/platform/machine/qemu/cluster.go
index c23c6ffef8..1598e95b7b 100644
--- a/mantle/platform/machine/qemu/cluster.go
+++ b/mantle/platform/machine/qemu/cluster.go
@@ -150,12 +150,6 @@ func (qc *Cluster) NewMachineWithQemuOptions(userdata *conf.UserData, options pl
 primaryDisk = *diskp
 }
- if qc.flight.opts.Cex || options.Cex {
- if err := builder.AddCexDevice(); err != nil {
- return nil, err
- }
- }
-
 if qc.flight.opts.Nvme || options.Nvme {
 primaryDisk.Channel = "nvme"
 }
diff --git a/mantle/platform/machine/qemu/flight.go b/mantle/platform/machine/qemu/flight.go
index 4a008b1a0a..e54f7cbdcc 100644
--- a/mantle/platform/machine/qemu/flight.go
+++ b/mantle/platform/machine/qemu/flight.go
@@ -55,9 +55,6 @@ type Options struct {
 SecureExecutionIgnitionPubKey string
 SecureExecutionHostKey string
- // Option to create IBM cex based luks encryption
- Cex bool
-
 *platform.Options
 }
diff --git a/mantle/platform/qemu.go b/mantle/platform/qemu.go
index 8d8d381b28..c97bbdf04a 100644
--- a/mantle/platform/qemu.go
+++ b/mantle/platform/qemu.go
@@ -74,7 +74,6 @@ type QemuMachineOptions struct {
 OverrideBackingFile string
 Firmware string
 Nvme bool
- Cex bool
 }
 // QEMUMachine represents a qemu instance.
@@ -2059,13 +2058,3 @@ func (builder *QemuBuilder) Close() {
 os.RemoveAll(builder.tempdir)
 }
 }
-
-// supports IBM Cex based LUKS encryption if it is s390x host (zKVM/LPAR)
-func (builder *QemuBuilder) AddCexDevice() error {
- cex_uuid := os.Getenv("KOLA_CEX_UUID")
- if cex_uuid == "" {
- return errors.New("cannot add CEX device: KOLA_CEX_UUID env var undefined")
- }
- builder.Append("-device", fmt.Sprintf("vfio-ap,sysfsdev=/sys/devices/vfio_ap/matrix/%s", cex_uuid))
- return nil
-}