Add CI for system disk encryption test

.github/actions/run-aa-as/action.yml

@@ -0,0 +1,34 @@
+name: 'Run Attestation Agent and Attestation Service'
+runs:
+  using: "composite"
+  steps:
+    - name: Prepare attestation-agent
+      shell: bash
+      run: |
+        set -e
+        set -x
+
+        yum install -y attestation-agent
+        RUST_LOG=debug attestation-agent --attestation_sock unix:///run/confidential-containers/attestation-agent/attestation-agent.sock &
+
+    - name: Prepare attestation-service
+      shell: bash
+      run: |
+        set -e
+        set -x
+
+        yum install -y trustee
+
+        # Launch trustee
+        (/usr/bin/rvps --config /etc/trustee/rvps.json --address 127.0.0.1:50003 &) && sleep 1
+        (/usr/bin/grpc-as --socket 0.0.0.0:50004 --config-file /etc/trustee/as-config.json &) && sleep 1
+        (/usr/bin/kbs --config-file /etc/trustee/kbs-config.toml &) && sleep 1
+        (/usr/bin/trustee-gateway --config /etc/trustee/gateway.yml > /tmp/trustee-gateway.log 2>&1 &) && sleep 1
+
+        # Register passphrases
+        mkdir -p /opt/trustee/kbs/repository/default/local-resources/
+        echo -n "AAAaaawewe111" > /opt/trustee/kbs/repository/default/local-resources/volume
+        echo -n "AAAaaawewe222" > /opt/trustee/kbs/repository/default/local-resources/rootfs
+        echo -n "AAAaaawewe333" > /opt/trustee/kbs/repository/default/local-resources/data
+
+

.github/workflows/build-rpm.yml

@@ -57,7 +57,7 @@ jobs:
             ./rpmbuild/SRPMS/*.src.rpm
             ./rpmbuild/RPMS/*/*.rpm
 
-  test:
+  unit-test:
     strategy:
       fail-fast: false
       matrix:
@@ -114,10 +114,154 @@ jobs:
       - name: Run test script from repo
         run: make run-test
 
+  test-volume-encryption:
+    strategy:
+      fail-fast: false
+      matrix:
+        distro: ["alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest"]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    needs: build
+    container:
+      image: ${{ matrix.distro }}
+      volumes:
+        - /run/udev/control:/run/udev/control
+        - /dev:/dev
+      options: --privileged --ipc=host
+    steps:
+      - name: Update yum mirror
+        run: |
+          set -e
+          set -x
+
+          # replace the mirror
+          sed -i -E 's|https?://mirrors.openanolis.cn/anolis/|https://mirrors.aliyun.com/anolis/|g' /etc/yum.repos.d/*.repo
+          sed -i -E 's|https?://mirrors.cloud.aliyuncs.com/|https://mirrors.aliyun.com/|g' /etc/yum.repos.d/*.repo
+
+          # install rpmdevtools
+          yum install -y git yum-utils
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: ./
+          merge-multiple: false
+
+      - name: Install RPM packages
+        run: |
+          set -e
+          set -x
+
+          # test rpm package install
+          yum install -y ./rpm-packages/RPMS/*/cryptpilot-*.rpm
+          cryptpilot --version
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: 'true'
+
+      - uses: ./.github/actions/run-aa-as
+
+      - name: Run volume encryption test
+        run: |
+          bash ./scripts/test/test-volume-encryption.sh
+
+  test-system-encryption:
+    strategy:
+      fail-fast: false
+      matrix:
+        distro: ["alibaba-cloud-linux-3-registry.cn-hangzhou.cr.aliyuncs.com/alinux3/alinux3:latest"]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+    needs: build
+    container:
+      image: ${{ matrix.distro }}
+      volumes:
+        - /run/udev/control:/run/udev/control
+        - /dev:/dev
+        - /lib/modules/:/lib/modules/ # for kernel modules
+      options: --privileged --ipc=host
+    steps:
+      - name: Update yum mirror
+        run: |
+          set -e
+          set -x
+
+          # replace the mirror
+          sed -i -E 's|https?://mirrors.openanolis.cn/anolis/|https://mirrors.aliyun.com/anolis/|g' /etc/yum.repos.d/*.repo
+          sed -i -E 's|https?://mirrors.cloud.aliyuncs.com/|https://mirrors.aliyun.com/|g' /etc/yum.repos.d/*.repo
+
+          # install rpmdevtools
+          yum install -y git yum-utils
+
+          # install requirements
+          yum install -y libguestfs-tools
+
+      - name: Load nbd kernel module
+        run: |
+          yum install -y kmod zstd
+
+          MODULE_DIR="/lib/modules/$(uname -r)"
+          MODULE_FILE=$(find "$MODULE_DIR" -name "nbd.ko*" -type f | head -1)
+
+          if [ -z "$MODULE_FILE" ]; then
+              echo "No module file found in $MODULE_DIR"
+              exit 1
+          fi
+          echo "Found module file: $MODULE_FILE"
+
+          if [[ "$MODULE_FILE" == *.ko.zst ]]; then
+              echo "Found zstd compressed module file, decompressing..."
+
+              zstd -d "$MODULE_FILE" -o "/tmp/nbd.ko"
+              if [ $? -ne 0 ]; then
+                  echo "Failed to decompress module file"
+                  exit 1
+              fi
+
+              echo "Loading the decompressed module..."
+              insmod "/tmp/nbd.ko" || exit 1
+          else
+              echo "Loading the module with modprobe ..."
+              modprobe nbd
+          fi
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/
+          merge-multiple: false
+
+      - name: Install RPM packages
+        run: |
+          set -e
+          set -x
+
+          # test rpm package install
+          yum install -y /tmp/rpm-packages/RPMS/*/cryptpilot-*.rpm
+          cryptpilot --version
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: 'true'
+
+      - uses: ./.github/actions/run-aa-as
+
+      - name: Run system encryption test
+        run: |
+          export LIBGUESTFS_BACKEND=appliance # set this for virt-customize
+          timeout 1200s bash ./scripts/test/test-system-encryption.sh --ci --package /tmp/rpm-packages/RPMS/*/cryptpilot-*.rpm --trustee-url "http://10.0.2.2:8081/api/"
+
   release:
     if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
-    needs: test
+    needs: [unit-test, test-volume-encryption, test-system-encryption]
     steps:
       - name: Download artifacts
         uses: actions/download-artifact@v4

Makefile

@@ -115,7 +115,7 @@ shellcheck:
 	@command -v shellcheck >&- || { \
 		echo "shellcheck not found, please installing it from https://github.com/koalaman/shellcheck/releases/download/stable/shellcheck-stable.linux.x86_64.tar.xz" ; \
 	}
-	find . -name '*.sh' -exec shellcheck {} \;
+	@{ find . -name '*.sh' -printf '%P\0' | xargs -0 shellcheck ; } || { echo ; echo "Shellcheck finished. You can fix with:" ; echo "    find . -name '*.sh' -printf '%P\0' | xargs -0 shellcheck -f diff | patch -p1" ; echo ; exit 1 ; }
 
 .PHONE: clippy
 clippy:

README.md

@@ -230,6 +230,22 @@ Now you can read and write files in the mounted directory.
 systemctl enable --now cryptpilot.service
 ```
 
+## CI Tests
+
+This project includes CI tests for various encryption scenarios:
+
+1. System disk encryption test (test-system-encryption.sh) - Tests full disk encryption with exec provider
+2. KBS volume encryption test (test-kbs-volume.sh) - Tests data volume encryption with KBS-like provider
+
+You can run these tests locally:
+```sh
+# Run system encryption test
+sudo ./test-system-encryption.sh
+
+# Run KBS volume test
+sudo ./test-kbs-volume.sh
+```
+
 # Supported Distrubutions
 
 CryptPilot has been tested on the following distributions, and it may not work on other distributions.