Merge pull request #4224 from zixi-chen/snp_basic

snp_basic_config: Add snp basic config test case
autotest · Jan 9, 2025 · d0cbb78 · d0cbb78
2 parents fc98779 + 19f5023
commit d0cbb78
Show file tree

Hide file tree

Showing 3 changed files with 154 additions and 0 deletions.
diff --git a/qemu/deps/sev-snp/regular_attestation_workflow.sh b/qemu/deps/sev-snp/regular_attestation_workflow.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+set -e
+
+fetch_retry() {
+    local command=$1
+    local max_retries=3
+    local retry_count=0
+
+    while (( retry_count < max_retries )); do
+        eval "$command"
+        if [[ $? -eq 0 ]]; then
+            return 0
+        fi
+        retry_count=$((retry_count + 1))
+        echo "Command '$command' failed. Retry $retry_count/$max_retries in 20s..."
+        sleep 20
+    done
+    echo "Command '$command' failed after $max_retries attempts."
+    return 1
+}
+
+# Verify regular attestation workflow on snp guest
+snpguest report attestation-report.bin request-data.txt --random
+snpguest display report attestation-report.bin
+
+# Get cpu model
+cpu_familly_id=$(cat /proc/cpuinfo | grep 'cpu family' | head -1 | cut -d ":" -f 2 | tr -d " ")
+model_id=$(cat /proc/cpuinfo | grep 'model' | head -1 | cut -d ":" -f 2 | tr -d " ")
+dict_cpu=([251]="milan" [2517]="genoa" [2617]="turin")
+cpu_model=${dict_cpu[${cpu_familly_id}${model_id}]}
+
+# Fetch cert
+set +e
+fetch_retry "snpguest fetch ca pem ${cpu_model} ./ -e vcek"
+if [[ $? -ne 0 ]]; then
+   echo "ok"
+   exit 1
+fi
+
+fetch_retry "snpguest fetch vcek pem ${cpu_model} ./ attestation-report.bin"
+if [[ $? -ne 0 ]]; then
+    exit 1
+fi
+
+# Verify certs
+set -e
+snpguest verify certs ./
+snpguest verify attestation ./ attestation-report.bin
diff --git a/qemu/tests/cfg/snp_basic_config.cfg b/qemu/tests/cfg/snp_basic_config.cfg
@@ -0,0 +1,33 @@
+- snp_basic_config:
+    type = snp_basic_config
+    only Linux
+    kill_vm = yes
+    login_timeout = 240
+    start_vm = no
+    image_snapshot = yes
+    mem = 8192
+    smp = 8
+    vm_secure_guest_type = snp
+    vm_sev_reduced_phys_bits = 1
+    vm_sev_cbitpos = 51
+    virtio_dev_disable_legacy = on
+    bios_path =  /usr/share/edk2/ovmf/OVMF.amdsev.fd
+    snp_module_path = "/sys/module/kvm_amd/parameters/sev_snp"
+    module_status = Y y 1
+    snp_guest_check = "journalctl|grep -i -w snp"
+    guest_tool_install = "dnf install -y snpguest"
+    attestation_script = regular_attestation_workflow.sh
+    guest_dir = /home
+    guest_cmd = ${guest_dir}/${attestation_script}
+    host_script = sev-snp/${attestation_script}
+    variants:
+        - policy_default:
+            snp_policy = 196608
+            vm_secure_guest_object_options = "policy=${snp_policy}"
+        - policy_debug:
+            snp_policy = 720896
+            vm_secure_guest_object_options = "policy=${snp_policy}"
+        - policy_singlesocket:
+            socket_count_cmd = 'lscpu |grep Socket|head -1 | cut -d ":" -f 2 | tr -d " "'
+            snp_policy = 77824
+            vm_secure_guest_object_options = "policy=${snp_policy}"
diff --git a/qemu/tests/snp_basic_config.py b/qemu/tests/snp_basic_config.py
@@ -0,0 +1,73 @@
+import os
+
+from avocado.utils import process
+from virttest import data_dir as virttest_data_dir
+from virttest import error_context
+from virttest.utils_misc import verify_dmesg
+
+
+@error_context.context_aware
+def run(test, params, env):
+    """
+    Qemu snp basic test on Milan and above host:
+    1. Check host snp capability
+    2. Boot snp VM
+    3. Verify snp enabled in guest
+    4. Check snp qmp cmd and policy
+
+    :param test: QEMU test object
+    :param params: Dictionary with the test parameters
+    :param env: Dictionary with test environment.
+    """
+
+    error_context.context("Start sev-snp test", test.log.info)
+    timeout = params.get_numeric("login_timeout", 240)
+
+    snp_module_path = params["snp_module_path"]
+    if os.path.exists(snp_module_path):
+        with open(snp_module_path) as f:
+            output = f.read().strip()
+        if output not in params.objects("module_status"):
+            test.cancel("Host sev-snp support check fail.")
+    else:
+        test.cancel("Host sev-snp support check fail.")
+    socket_count_cmd = params.get("socket_count_cmd")
+    if socket_count_cmd:
+        if int(process.getoutput(socket_count_cmd, shell=True)) != 1:
+            test.cancel("Host cpu has more than 1 socket, skip the case.")
+
+    vm_name = params["main_vm"]
+    vm = env.get_vm(vm_name)
+    vm.create()
+    vm.verify_alive()
+    session = vm.wait_for_login(timeout=timeout)
+    verify_dmesg()
+    vm_policy = vm.params.get_numeric("snp_policy")
+    guest_check_cmd = params["snp_guest_check"]
+    sev_guest_info = vm.monitor.query_sev()
+    if sev_guest_info["snp-policy"] != vm_policy:
+        test.fail("QMP snp policy doesn't match %s." % vm_policy)
+    try:
+        session.cmd_output(guest_check_cmd, timeout=240)
+    except Exception as e:
+        test.fail("Guest snp verify fail: %s" % str(e))
+    else:
+        # Verify attestation
+        error_context.context("Start to do attestation", test.log.info)
+        guest_dir = params["guest_dir"]
+        host_script = params["host_script"]
+        guest_cmd = params["guest_cmd"]
+        deps_dir = virttest_data_dir.get_deps_dir()
+        host_file = os.path.join(deps_dir, host_script)
+        try:
+            vm.copy_files_to(host_file, guest_dir)
+            session.cmd_output(params["guest_tool_install"], timeout=240)
+            session.cmd_output("chmod 755 %s" % guest_cmd)
+        except Exception as e:
+            test.fail("Guest test preperation fail: %s" % str(e))
+        s = session.cmd_status(guest_cmd, timeout=360)
+        if s:
+            test.fail("Guest script error")
+    finally:
+        session.close()
+        vm.destroy()