From 0a31b5c76f7b32f5ab8c3beda71a17a1c7b66393 Mon Sep 17 00:00:00 2001 From: Zixi Chen Date: Mon, 2 Dec 2024 16:55:27 +0800 Subject: [PATCH 1/2] snp_basic_config: Add snp basic config test case Signed-off-by: Zixi Chen --- qemu/tests/cfg/sev_basic_config.cfg | 1 + qemu/tests/cfg/snp_basic_config.cfg | 32 +++++++++++++ qemu/tests/snp_basic_config.py | 73 +++++++++++++++++++++++++++++ 3 files changed, 106 insertions(+) create mode 100644 qemu/tests/cfg/snp_basic_config.cfg create mode 100644 qemu/tests/snp_basic_config.py diff --git a/qemu/tests/cfg/sev_basic_config.cfg b/qemu/tests/cfg/sev_basic_config.cfg index 8f21091c5d..0a04a5b31c 100644 --- a/qemu/tests/cfg/sev_basic_config.cfg +++ b/qemu/tests/cfg/sev_basic_config.cfg @@ -1,5 +1,6 @@ - sev_basic_config: type = sev_basic_config + only Linux kill_vm = yes login_timeout = 240 image_snapshot = yes diff --git a/qemu/tests/cfg/snp_basic_config.cfg b/qemu/tests/cfg/snp_basic_config.cfg new file mode 100644 index 0000000000..cfe2ad71ff --- /dev/null +++ b/qemu/tests/cfg/snp_basic_config.cfg @@ -0,0 +1,32 @@ +- snp_basic_config: + type = snp_basic_config + kill_vm = yes + login_timeout = 240 + start_vm = no + image_snapshot = yes + mem = 8192 + smp = 8 + vm_secure_guest_type = snp + vm_sev_reduced_phys_bits = 1 + vm_sev_cbitpos = 51 + virtio_dev_disable_legacy = on + bios_path = /usr/share/edk2/ovmf/OVMF.amdsev.fd + snp_module_path = "/sys/module/kvm_amd/parameters/sev_snp" + module_status = Y y 1 + snp_guest_check = "journalctl|grep -i -w snp" + guest_tool_install = "dnf install -y snpguest" + attestation_script = regular_attestation_workflow.sh + guest_dir = /home + guest_cmd = ${guest_dir}/${attestation_script} + host_script = sev-snp/${attestation_script} + variants: + - policy_default: + snp_policy = 196608 + vm_secure_guest_object_options = "policy=${snp_policy}" + - policy_debug: + snp_policy = 720896 + vm_secure_guest_object_options = "policy=${snp_policy}" + - policy_singlesocket: + socket_count_cmd = 'lscpu |grep Socket|head -1 | cut -d ":" -f 2 | tr -d " "' + snp_policy = 77824 + vm_secure_guest_object_options = "policy=${snp_policy}" diff --git a/qemu/tests/snp_basic_config.py b/qemu/tests/snp_basic_config.py new file mode 100644 index 0000000000..b2177e19e7 --- /dev/null +++ b/qemu/tests/snp_basic_config.py @@ -0,0 +1,73 @@ +import os + +from avocado.utils import process +from virttest import data_dir as virttest_data_dir +from virttest import error_context +from virttest.utils_misc import verify_dmesg + + +@error_context.context_aware +def run(test, params, env): + """ + Qemu snp basic test on Milan and above host: + 1. Check host snp capability + 2. Boot snp VM + 3. Verify snp enabled in guest + 4. Check snp qmp cmd and policy + + :param test: QEMU test object + :param params: Dictionary with the test parameters + :param env: Dictionary with test environment. + """ + + error_context.context("Start sev-snp test", test.log.info) + timeout = params.get_numeric("login_timeout", 240) + + snp_module_path = params["snp_module_path"] + if os.path.exists(snp_module_path): + with open(snp_module_path) as f: + output = f.read().strip() + if output not in params.objects("module_status"): + test.cancel("Host sev-snp support check fail.") + else: + test.cancel("Host sev-snp support check fail.") + socket_count_cmd = params.get("socket_count_cmd") + if socket_count_cmd: + if int(process.getoutput(socket_count_cmd, shell=True)) != 1: + test.cancel("Host cpu has more than 1 socket, skip the case.") + + vm_name = params["main_vm"] + vm = env.get_vm(vm_name) + vm.create() + vm.verify_alive() + session = vm.wait_for_login(timeout=timeout) + verify_dmesg() + vm_policy = vm.params.get_numeric("snp_policy") + guest_check_cmd = params["snp_guest_check"] + sev_guest_info = vm.monitor.query_sev() + if sev_guest_info["snp-policy"] != vm_policy: + test.fail("QMP snp policy doesn't match %s." % vm_policy) + try: + session.cmd_output(guest_check_cmd, timeout=240) + except Exception as e: + test.fail("Guest snp verify fail: %s" % str(e)) + else: + # Verify attestation + error_context.context("Start to do attestation", test.log.info) + guest_dir = params["guest_dir"] + host_script = params["host_script"] + guest_cmd = params["guest_cmd"] + deps_dir = virttest_data_dir.get_deps_dir() + host_file = os.path.join(deps_dir, host_script) + try: + vm.copy_files_to(host_file, guest_dir) + session.cmd_output(params["guest_tool_install"], timeout=240) + session.cmd_output("chmod 755 %s" % guest_cmd) + except Exception as e: + test.fail("Guest test preperation fail: %s" % str(e)) + s = session.cmd_status(guest_cmd, timeout=360) + if s: + test.fail("Guest script error") + finally: + session.close() + vm.destroy() From 19f5023849bee5e127019f96d88912430892b1b7 Mon Sep 17 00:00:00 2001 From: Zixi Chen Date: Tue, 3 Dec 2024 17:22:45 +0800 Subject: [PATCH 2/2] Add snp attestation guest test script Signed-off-by: Zixi Chen --- .../sev-snp/regular_attestation_workflow.sh | 48 +++++++++++++++++++ qemu/tests/cfg/sev_basic_config.cfg | 1 - qemu/tests/cfg/snp_basic_config.cfg | 1 + 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 qemu/deps/sev-snp/regular_attestation_workflow.sh diff --git a/qemu/deps/sev-snp/regular_attestation_workflow.sh b/qemu/deps/sev-snp/regular_attestation_workflow.sh new file mode 100644 index 0000000000..649930c86c --- /dev/null +++ b/qemu/deps/sev-snp/regular_attestation_workflow.sh @@ -0,0 +1,48 @@ +#!/bin/bash +set -e + +fetch_retry() { + local command=$1 + local max_retries=3 + local retry_count=0 + + while (( retry_count < max_retries )); do + eval "$command" + if [[ $? -eq 0 ]]; then + return 0 + fi + retry_count=$((retry_count + 1)) + echo "Command '$command' failed. Retry $retry_count/$max_retries in 20s..." + sleep 20 + done + echo "Command '$command' failed after $max_retries attempts." + return 1 +} + +# Verify regular attestation workflow on snp guest +snpguest report attestation-report.bin request-data.txt --random +snpguest display report attestation-report.bin + +# Get cpu model +cpu_familly_id=$(cat /proc/cpuinfo | grep 'cpu family' | head -1 | cut -d ":" -f 2 | tr -d " ") +model_id=$(cat /proc/cpuinfo | grep 'model' | head -1 | cut -d ":" -f 2 | tr -d " ") +dict_cpu=([251]="milan" [2517]="genoa" [2617]="turin") +cpu_model=${dict_cpu[${cpu_familly_id}${model_id}]} + +# Fetch cert +set +e +fetch_retry "snpguest fetch ca pem ${cpu_model} ./ -e vcek" +if [[ $? -ne 0 ]]; then + echo "ok" + exit 1 +fi + +fetch_retry "snpguest fetch vcek pem ${cpu_model} ./ attestation-report.bin" +if [[ $? -ne 0 ]]; then + exit 1 +fi + +# Verify certs +set -e +snpguest verify certs ./ +snpguest verify attestation ./ attestation-report.bin diff --git a/qemu/tests/cfg/sev_basic_config.cfg b/qemu/tests/cfg/sev_basic_config.cfg index 0a04a5b31c..8f21091c5d 100644 --- a/qemu/tests/cfg/sev_basic_config.cfg +++ b/qemu/tests/cfg/sev_basic_config.cfg @@ -1,6 +1,5 @@ - sev_basic_config: type = sev_basic_config - only Linux kill_vm = yes login_timeout = 240 image_snapshot = yes diff --git a/qemu/tests/cfg/snp_basic_config.cfg b/qemu/tests/cfg/snp_basic_config.cfg index cfe2ad71ff..98b72aee7e 100644 --- a/qemu/tests/cfg/snp_basic_config.cfg +++ b/qemu/tests/cfg/snp_basic_config.cfg @@ -1,5 +1,6 @@ - snp_basic_config: type = snp_basic_config + only Linux kill_vm = yes login_timeout = 240 start_vm = no