Test Oak Functions in SEV-SNP

[Jdkhnjggf]

Hi,

I'm trying to test the wasm runtime with oak_functions_containers_launcher

Is there any guidance available for testing with SEV-SNP? The current one under /oak_functions_containers_launcher/ seems to be outdated.

Thanks

[conradgrobler]

Hi,

You should be able to test with SEV-SNP by adding another command-linne argument to the launcher: --vm-type=sev-snp

Also, please note that full SEV-SNP support might require some OS and software updates. If you are running the latest stable version of Debian (bookworm) it also requires the latest upstream Linux kernel (6.12) and QEMU 9.1.1.

[Jdkhnjggf]

Thank you for the information!

It works with the command:

cargo run --bin=oak_containers_launcher -- \
 --system-image=../artifacts/oak_containers_system_image.tar.xz \
    --container-bundle=../bazel-bin/cc/containers/hello_world_enclave_app/bundle.tar \
    --vmm-binary=../../AMDSEV/usr/local/bin/qemu-system-x86_64 \
    --stage0-binary=../artifacts/stage0_bin \
    --kernel=../bazel-bin/oak_containers/kernel/bzImage \
    --initrd=../bazel-bin/oak_containers/stage1_bin/stage1.cpio \
    --ramdrive-size=5000000 \
    --memory-size=10G \
    --vm-type=sev-snp

Do you know how to test the WASM lookup inside the container? I use run_oak_functions_containers_launcher but get Error: couldn't create untrusted launcher

[conradgrobler]

The run_oak_functions_containers_launcher just rule needs some additional parameters.

I will update the readme in /oak_functions_containers_launcher to reflect the correct commands.

In the meantime you should be able to run it with the following set of commands:

just all_oak_functions_containers_binaries

just stage1_cpio

just all_wasm_test_crates

artifacts/oak_functions_containers_launcher \
    --vmm-binary=$(which qemu-system-x86_64) \
    --stage0-binary=artifacts/stage0_bin \
    --kernel=artifacts/oak_containers_kernel \
    --initrd=artifacts/stage1.cpio \
    --system-image=artifacts/oak_containers_system_image.tar.xz \
    --container-bundle=bazel-bin/oak_functions_containers_app/bundle.tar \
    --ramdrive-size=1000000 \
    --memory-size=10G \
    --wasm=target/wasm32-unknown-unknown/release/key_value_lookup.wasm \
    --lookup-data=oak_functions_launcher/mock_lookup_data \
    --vm-type=sev-snp

While the server is running you can use the following command in a separate shell to test the lookup functionality:

bazel run //cc/client:cli -- --address=127.0.0.1:8080 --request=test_key

[Jdkhnjggf]

@conradgrobler Thanks! I can run it after patching dingelish/qemu@876e262.

But the cli command failed to connect the remote host

grpc_streaming_transport.cc:100] couldn't stop gRPC stream: failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:8080: Failed to connect to remote host: Connection refused
E0000 00:00:1736347559.967288   85664 grpc_client_cli.cc:72] couldn't create Oak client: UNAVAILABLE: while writing request: failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:8080: Failed to connect to remote host: Connection refused

[conradgrobler]

That is weird if it happens while the launcher is running. I have two suggestions to try:

• try IPv6 (use [::1] instead or 127.0.0.1)
• or use a different port by specifying the --port command-line argument when starting the launcher.