diff --git a/qemu/deps/sev-snp/regular_attestation_workflow.sh b/qemu/deps/sev-snp/regular_attestation_workflow.sh new file mode 100644 index 0000000000..649930c86c --- /dev/null +++ b/qemu/deps/sev-snp/regular_attestation_workflow.sh @@ -0,0 +1,48 @@ +#!/bin/bash +set -e + +fetch_retry() { + local command=$1 + local max_retries=3 + local retry_count=0 + + while (( retry_count < max_retries )); do + eval "$command" + if [[ $? -eq 0 ]]; then + return 0 + fi + retry_count=$((retry_count + 1)) + echo "Command '$command' failed. Retry $retry_count/$max_retries in 20s..." + sleep 20 + done + echo "Command '$command' failed after $max_retries attempts." + return 1 +} + +# Verify regular attestation workflow on snp guest +snpguest report attestation-report.bin request-data.txt --random +snpguest display report attestation-report.bin + +# Get cpu model +cpu_familly_id=$(cat /proc/cpuinfo | grep 'cpu family' | head -1 | cut -d ":" -f 2 | tr -d " ") +model_id=$(cat /proc/cpuinfo | grep 'model' | head -1 | cut -d ":" -f 2 | tr -d " ") +dict_cpu=([251]="milan" [2517]="genoa" [2617]="turin") +cpu_model=${dict_cpu[${cpu_familly_id}${model_id}]} + +# Fetch cert +set +e +fetch_retry "snpguest fetch ca pem ${cpu_model} ./ -e vcek" +if [[ $? -ne 0 ]]; then + echo "ok" + exit 1 +fi + +fetch_retry "snpguest fetch vcek pem ${cpu_model} ./ attestation-report.bin" +if [[ $? -ne 0 ]]; then + exit 1 +fi + +# Verify certs +set -e +snpguest verify certs ./ +snpguest verify attestation ./ attestation-report.bin diff --git a/qemu/tests/cfg/snp_basic_config.cfg b/qemu/tests/cfg/snp_basic_config.cfg new file mode 100644 index 0000000000..98b72aee7e --- /dev/null +++ b/qemu/tests/cfg/snp_basic_config.cfg @@ -0,0 +1,33 @@ +- snp_basic_config: + type = snp_basic_config + only Linux + kill_vm = yes + login_timeout = 240 + start_vm = no + image_snapshot = yes + mem = 8192 + smp = 8 + vm_secure_guest_type = snp + vm_sev_reduced_phys_bits = 1 + vm_sev_cbitpos = 51 + virtio_dev_disable_legacy = on + bios_path = /usr/share/edk2/ovmf/OVMF.amdsev.fd + snp_module_path = "/sys/module/kvm_amd/parameters/sev_snp" + module_status = Y y 1 + snp_guest_check = "journalctl|grep -i -w snp" + guest_tool_install = "dnf install -y snpguest" + attestation_script = regular_attestation_workflow.sh + guest_dir = /home + guest_cmd = ${guest_dir}/${attestation_script} + host_script = sev-snp/${attestation_script} + variants: + - policy_default: + snp_policy = 196608 + vm_secure_guest_object_options = "policy=${snp_policy}" + - policy_debug: + snp_policy = 720896 + vm_secure_guest_object_options = "policy=${snp_policy}" + - policy_singlesocket: + socket_count_cmd = 'lscpu |grep Socket|head -1 | cut -d ":" -f 2 | tr -d " "' + snp_policy = 77824 + vm_secure_guest_object_options = "policy=${snp_policy}" diff --git a/qemu/tests/snp_basic_config.py b/qemu/tests/snp_basic_config.py new file mode 100644 index 0000000000..b2177e19e7 --- /dev/null +++ b/qemu/tests/snp_basic_config.py @@ -0,0 +1,73 @@ +import os + +from avocado.utils import process +from virttest import data_dir as virttest_data_dir +from virttest import error_context +from virttest.utils_misc import verify_dmesg + + +@error_context.context_aware +def run(test, params, env): + """ + Qemu snp basic test on Milan and above host: + 1. Check host snp capability + 2. Boot snp VM + 3. Verify snp enabled in guest + 4. Check snp qmp cmd and policy + + :param test: QEMU test object + :param params: Dictionary with the test parameters + :param env: Dictionary with test environment. + """ + + error_context.context("Start sev-snp test", test.log.info) + timeout = params.get_numeric("login_timeout", 240) + + snp_module_path = params["snp_module_path"] + if os.path.exists(snp_module_path): + with open(snp_module_path) as f: + output = f.read().strip() + if output not in params.objects("module_status"): + test.cancel("Host sev-snp support check fail.") + else: + test.cancel("Host sev-snp support check fail.") + socket_count_cmd = params.get("socket_count_cmd") + if socket_count_cmd: + if int(process.getoutput(socket_count_cmd, shell=True)) != 1: + test.cancel("Host cpu has more than 1 socket, skip the case.") + + vm_name = params["main_vm"] + vm = env.get_vm(vm_name) + vm.create() + vm.verify_alive() + session = vm.wait_for_login(timeout=timeout) + verify_dmesg() + vm_policy = vm.params.get_numeric("snp_policy") + guest_check_cmd = params["snp_guest_check"] + sev_guest_info = vm.monitor.query_sev() + if sev_guest_info["snp-policy"] != vm_policy: + test.fail("QMP snp policy doesn't match %s." % vm_policy) + try: + session.cmd_output(guest_check_cmd, timeout=240) + except Exception as e: + test.fail("Guest snp verify fail: %s" % str(e)) + else: + # Verify attestation + error_context.context("Start to do attestation", test.log.info) + guest_dir = params["guest_dir"] + host_script = params["host_script"] + guest_cmd = params["guest_cmd"] + deps_dir = virttest_data_dir.get_deps_dir() + host_file = os.path.join(deps_dir, host_script) + try: + vm.copy_files_to(host_file, guest_dir) + session.cmd_output(params["guest_tool_install"], timeout=240) + session.cmd_output("chmod 755 %s" % guest_cmd) + except Exception as e: + test.fail("Guest test preperation fail: %s" % str(e)) + s = session.cmd_status(guest_cmd, timeout=360) + if s: + test.fail("Guest script error") + finally: + session.close() + vm.destroy()