snp_basic_config: Add snp basic config test case

Signed-off-by: Zixi Chen <zixchen@redhat.com>
autotest · Dec 2, 2024 · c184836 · c184836
1 parent 74b8d3f
commit c184836
Show file tree

Hide file tree

Showing 3 changed files with 123 additions and 0 deletions.
diff --git a/qemu/deps/sev-snp/regular_attestation_workflow.sh b/qemu/deps/sev-snp/regular_attestation_workflow.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+# Verify regular attestation workflow on snp guest
+snpguest report attestation-report.bin request-data.txt --random
+snpguest display report attestation-report.bin
+# get cpu model
+cpu_familly_id=$(cat /proc/cpuinfo | grep 'cpu family' | head -1 | cut -d ":" -f 2 | tr -d " ")
+model_id=$(cat /proc/cpuinfo | grep 'model' | head -1 | cut -d ":" -f 2 | tr -d " ")
+dict_cpu=([251]="milan" [2517]="genoa")
+cpu_model=${dict_cpu[${cpu_familly_id}${model_id}]}
+snpguest fetch ca pem ${cpu_model} ./ -e vcek
+snpguest fetch vcek pem ${cpu_model} ./ attestation-report.bin
+snpguest verify certs ./
+snpguest verify attestation ./ attestation-report.bin
diff --git a/qemu/tests/cfg/snp_basic_config.cfg b/qemu/tests/cfg/snp_basic_config.cfg
@@ -0,0 +1,34 @@
+- snp_basic_config:
+    type = snp_basic_config
+    kill_vm = yes
+    login_timeout = 240
+    start_vm = no
+    image_snapshot = yes
+    mem = 8192
+    smp = 8
+    vm_secure_guest_type = snp
+    vm_sev_reduced_phys_bits = 1
+    vm_sev_cbitpos = 51
+    virtio_dev_disable_legacy = on
+    bios_path =  /usr/share/edk2/ovmf/OVMF.amdsev.fd
+    snp_module_path = "/sys/module/kvm_amd/parameters/sev_snp"
+    module_status = Y y 1
+    snp_guest_check = "journalctl|grep -i -w snp"
+    guest_tool_install = "dnf install -y snpguest"
+    attestation_script = regular_attestation_workflow.sh
+    guest_dir = /home
+    guest_cmd = ${guest_dir}/${attestation_script}
+    host_script = sev-snp/${attestation_script}
+    singlesocket_host_check = no
+    variants:
+        - policy_default:
+            snp_policy = 196608
+            vm_secure_guest_object_options = "policy=${snp_policy}"
+        - policy_debug:
+            snp_policy = 720896
+            vm_secure_guest_object_options = "policy=${snp_policy}"
+        - policy_singlesocket:
+            singlesocket_host_check = yes
+            singlesocket_check_cmd = 'lscpu |grep Socket|head -1 | cut -d ":" -f 2 | tr -d " "'
+            snp_policy = 77824
+            vm_secure_guest_object_options = "policy=${snp_policy}"
diff --git a/qemu/tests/snp_basic_config.py b/qemu/tests/snp_basic_config.py
@@ -0,0 +1,75 @@
+import os
+
+from avocado.utils import process
+from virttest import data_dir as virttest_data_dir
+from virttest import env_process, error_context
+from virttest.utils_misc import verify_dmesg
+
+
+@error_context.context_aware
+def run(test, params, env):
+    """
+    Qemu snp basic test on Milan and above host:
+    1. Check host snp capability
+    2. Boot snp VM
+    3. Verify snp enabled in guest
+    4. Check snp qmp cmd and policy
+
+    :param test: QEMU test object
+    :param params: Dictionary with the test parameters
+    :param env: Dictionary with test environment.
+    """
+
+    error_context.context("Start sev-snp test", test.log.info)
+    timeout = params.get_numeric("login_timeout", 240)
+
+    snp_module_path = params["snp_module_path"]
+    if os.path.exists(snp_module_path):
+        f = open(snp_module_path, "r")
+        output = f.read().strip()
+        f.close()
+        if output not in params.objects("module_status"):
+            test.cancel("Host sev-snp support check fail.")
+    else:
+        test.cancel("Host sev-snp support check fail.")
+    if params.get("singlesocket_host_check") == "yes":
+        s, o = process.getstatusoutput(params.get("singlesocket_check_cmd"), shell=True)
+        if s != 1:
+            test.cancel("Host cpu has more than 1 socket, skip the case.")
+
+    vm_name = params["main_vm"]
+    env_process.preprocess_vm(test, params, env, vm_name)
+    vm = env.get_vm(vm_name)
+    vm.create()
+    vm.verify_alive()
+    session = vm.wait_for_login(timeout=timeout)
+    verify_dmesg()
+    vm_policy = vm.params.get_numeric("snp_policy")
+    guest_check_cmd = params["snp_guest_check"]
+    sev_guest_info = vm.monitor.query_sev()
+    if sev_guest_info["snp-policy"] != vm_policy:
+        test.fail("QMP snp policy doesn't match %s." % vm_policy)
+    try:
+        session.cmd_output(guest_check_cmd, timeout=240)
+    except Exception as e:
+        test.fail("Guest snp verify fail: %s" % str(e))
+    else:
+        # Verify attestation
+        error_context.context("Start to do attestation", test.log.info)
+        guest_dir = params["guest_dir"]
+        host_script = params["host_script"]
+        guest_cmd = params["guest_cmd"]
+        deps_dir = virttest_data_dir.get_deps_dir()
+        host_file = os.path.join(deps_dir, host_script)
+        try:
+            vm.copy_files_to(host_file, guest_dir)
+            session.cmd_output(params["guest_tool_install"], timeout=240)
+            session.cmd_output("chmod 755 %s" % guest_cmd)
+        except Exception as e:
+            test.fail("Guest test preperation fail: %s" % str(e))
+        status, output = session.cmd_status_output(guest_cmd, timeout=360)
+        if status:
+            test.fail("Guest script error")
+    finally:
+        session.close()
+        vm.destroy()