Add isolated AMDSEV initrd tests (#439)

Adds an isolated AMDSEV initrd test script for archive validation and plain QEMU boot smoke checks.

Author: kariy

.github/workflows/amdsev-initrd-test.yml

@@ -0,0 +1,102 @@
+name: amdsev-initrd-test
+
+on:
+    push:
+        branches:
+            - main
+        paths:
+            - "misc/AMDSEV/**"
+            - "scripts/build-musl.sh"
+            - ".github/workflows/amdsev-initrd-test.yml"
+
+    pull_request:
+        types: [opened, synchronize, ready_for_review]
+        paths:
+            - "misc/AMDSEV/**"
+            - "scripts/build-musl.sh"
+            - ".github/workflows/amdsev-initrd-test.yml"
+
+concurrency:
+    group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+    cancel-in-progress: true
+
+env:
+    CARGO_TERM_COLOR: always
+
+jobs:
+    amdsev-initrd-test:
+        runs-on: ubuntu-latest
+        timeout-minutes: 90
+        if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.draft == false)
+        container:
+            image: ghcr.io/dojoengine/katana-dev:latest
+
+        steps:
+            - uses: actions/checkout@v4
+              with:
+                  submodules: recursive
+
+            # Workaround for https://github.com/actions/runner-images/issues/6775
+            - run: git config --global --add safe.directory "*"
+
+            - name: Install dependencies
+              run: |
+                  export DEBIAN_FRONTEND=noninteractive
+                  apt-get update
+                  apt-get install -y \
+                      qemu-system-x86 \
+                      cpio \
+                      zstd \
+                      e2fsprogs \
+                      curl \
+                      socat \
+                      musl-tools \
+                      clang \
+                      file
+
+            - name: Add Ubuntu package repo for AMDSEV artifacts
+              run: |
+                  cat >/etc/apt/sources.list.d/ubuntu-noble.list <<'EOF'
+                  deb [trusted=yes] http://archive.ubuntu.com/ubuntu noble main universe
+                  deb [trusted=yes] http://archive.ubuntu.com/ubuntu noble-updates main universe
+                  deb [trusted=yes] http://security.ubuntu.com/ubuntu noble-security main universe
+                  EOF
+                  apt-get update
+
+            - uses: Swatinem/rust-cache@v2
+              with:
+                  key: ci-${{ github.job }}
+                  shared-key: katana-ci-cache-musl
+
+            - name: Build contract artifacts
+              run: make contracts
+
+            - name: Build required VM components
+              shell: bash
+              run: |
+                  set -euo pipefail
+                  set -a
+                  source misc/AMDSEV/build-config
+                  set +a
+                  export SOURCE_DATE_EPOCH="$(git log -1 --format=%ct)"
+
+                  ./scripts/build-musl.sh
+                  KATANA_BINARY="./target/x86_64-unknown-linux-musl/performance/katana"
+
+                  ./misc/AMDSEV/build-kernel.sh ./misc/AMDSEV/output/qemu
+                  ./misc/AMDSEV/build-initrd.sh "$KATANA_BINARY" ./misc/AMDSEV/output/qemu/initrd.img "$KERNEL_VERSION"
+
+                  cp "$KATANA_BINARY" ./misc/AMDSEV/output/qemu/katana
+
+            - name: Run isolated initrd tests
+              run: |
+                  ./misc/AMDSEV/test-initrd.sh --output-dir ./misc/AMDSEV/output/qemu --timeout 300
+
+            - name: Upload AMDSEV build output on failure
+              if: failure()
+              uses: actions/upload-artifact@v4
+              with:
+                  name: amdsev-initrd-output-${{ github.run_id }}
+                  if-no-files-found: ignore
+                  path: |
+                      misc/AMDSEV/output/qemu

misc/AMDSEV/README.md

@@ -39,6 +39,7 @@ If `--katana` is not provided, `build.sh` prompts for confirmation (`y/N`) befor
 | `build-ovmf.sh` | Builds OVMF firmware from AMD's fork with SEV-SNP support |
 | `build-kernel.sh` | Downloads and extracts Ubuntu kernel (`vmlinuz`) |
 | `build-initrd.sh` | Creates minimal initrd with busybox, SEV-SNP modules, and katana |
+| `test-initrd.sh` | Runs isolated initrd boot smoke test in plain QEMU |
 | `build-config` | Pinned versions and checksums for reproducible builds |
 | `start-vm.sh` | Starts a TEE VM with SEV-SNP and launches Katana asynchronously |
 
@@ -155,6 +156,18 @@ The script:
 - Forwards RPC port 5050 to host port 15051
 - Outputs serial log to a temp file and follows it
 
+## Isolated Initrd Testing
+
+Use `test-initrd.sh` for focused initrd boot validation without the full SEV-SNP launch path:
+
+```sh
+# Run plain-QEMU boot smoke test
+./misc/AMDSEV/test-initrd.sh
+
+# Custom timeout/output directory
+./misc/AMDSEV/test-initrd.sh --output-dir ./misc/AMDSEV/output/qemu --timeout 300
+```
+
 ### Launch Measurement Verification
 
 To verify a TEE VM's integrity, compute the expected launch measurement using `snp-digest`:

misc/AMDSEV/build-initrd.sh

@@ -84,8 +84,17 @@ if [[ $# -lt 2 ]] || [[ "${1:-}" == "-h" ]] || [[ "${1:-}" == "--help" ]]; then
     usage
 fi
 
-KATANA_BINARY="$1"
-OUTPUT_INITRD="$2"
+to_abs_path() {
+    local path="$1"
+    if [[ "$path" = /* ]]; then
+        printf '%s\n' "$path"
+    else
+        printf '%s/%s\n' "$(pwd -P)" "$path"
+    fi
+}
+
+KATANA_BINARY="$(to_abs_path "$1")"
+OUTPUT_INITRD="$(to_abs_path "$2")"
 KERNEL_VERSION="${3:-${KERNEL_VERSION:?KERNEL_VERSION must be set or passed as third argument}}"
 OUTPUT_DIR="$(dirname "$OUTPUT_INITRD")"
 

misc/AMDSEV/build-kernel.sh

@@ -51,7 +51,16 @@ if [[ $# -lt 1 ]] || [[ "${1:-}" == "-h" ]] || [[ "${1:-}" == "--help" ]]; then
     usage
 fi
 
-DEST="$1"
+to_abs_path() {
+    local path="$1"
+    if [[ "$path" = /* ]]; then
+        printf '%s\n' "$path"
+    else
+        printf '%s/%s\n' "$(pwd -P)" "$path"
+    fi
+}
+
+DEST="$(to_abs_path "$1")"
 
 # Validate required environment variables
 KERNEL_VER="${KERNEL_VERSION:?KERNEL_VERSION not set - source build-config first}"