Add SEV-ES functional tests

Signed-off-by: Caleb Crane <[email protected]>

tests/framework/checks/checks.go

@@ -66,10 +66,10 @@ func HasFeature(feature string) bool {
 	return false
 }
 
-func IsSEVCapable(node *v1.Node) bool {
+func IsSEVCapable(node *v1.Node, sevLabel string) bool {
 	gomega.Expect(node).ToNot(gomega.BeNil())
 	for label, _ := range node.Labels {
-		if label == v12.SEVLabel {
+		if label == sevLabel {
 			return true
 		}
 	}

tests/framework/checks/skips.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/onsi/ginkgo/v2"
 
+	kubev1 "kubevirt.io/api/core/v1"
 	"kubevirt.io/client-go/kubecli"
 
 	virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
@@ -118,13 +119,26 @@ func SkipTestIfNotSEVCapable() {
 	nodes := libnode.GetAllSchedulableNodes(virtClient)
 
 	for _, node := range nodes.Items {
-		if IsSEVCapable(&node) {
+		if IsSEVCapable(&node, kubev1.SEVLabel) {
 			return
 		}
 	}
 	ginkgo.Skip("no node capable of running SEV workloads detected", 1)
 }
 
+func SkipTestIfNotSEVESCapable() {
+	virtClient, err := kubecli.GetKubevirtClient()
+	util.PanicOnError(err)
+	nodes := libnode.GetAllSchedulableNodes(virtClient)
+
+	for _, node := range nodes.Items {
+		if IsSEVCapable(&node, kubev1.SEVESLabel) {
+			return
+		}
+	}
+	ginkgo.Skip("no node capable of running SEV-ES workloads detected", 1)
+}
+
 func SkipIfNonRoot(feature string) {
 	if HasFeature(virtconfig.NonRoot) {
 		ginkgo.Skip(fmt.Sprintf("NonRoot implementation doesn't support %s", feature))

tests/launchsecurity/sev.go

@@ -88,24 +88,33 @@ var _ = Describe("[sig-compute]AMD Secure Encrypted Virtualization (SEV)", decor
 			checks.SkipTestIfNotSEVCapable()
 		})
 
-		It("should start a SEV VM", func() {
-			const secureBoot = false
-			vmi := libvmi.NewFedora(libvmi.WithUefi(secureBoot), libvmi.WithSEV())
-			vmi = tests.RunVMIAndExpectLaunch(vmi, 240)
-
-			By("Expecting the VirtualMachineInstance console")
-			Expect(console.LoginToFedora(vmi)).To(Succeed())
-
-			By("Verifying that SEV is enabled in the guest")
-			err := console.SafeExpectBatch(vmi, []expect.Batcher{
-				&expect.BSnd{S: "\n"},
-				&expect.BExp{R: console.PromptExpression},
-				&expect.BSnd{S: "dmesg | grep --color=never SEV\n"},
-				&expect.BExp{R: "AMD Memory Encryption Features active: SEV"},
-				&expect.BSnd{S: "\n"},
-				&expect.BExp{R: console.PromptExpression},
-			}, 30)
-			Expect(err).ToNot(HaveOccurred())
-		})
+		DescribeTable("should start a SEV or SEV-ES VM",
+			func(withES bool, sevstr string) {
+				if withES {
+					checks.SkipTestIfNotSEVESCapable()
+				}
+				const secureBoot = false
+				vmi := libvmi.NewFedora(libvmi.WithUefi(secureBoot), libvmi.WithSEV(withES))
+				vmi = tests.RunVMIAndExpectLaunch(vmi, 240)
+
+				By("Expecting the VirtualMachineInstance console")
+				Expect(console.LoginToFedora(vmi)).To(Succeed())
+
+				By("Verifying that SEV is enabled in the guest")
+				err := console.SafeExpectBatch(vmi, []expect.Batcher{
+					&expect.BSnd{S: "\n"},
+					&expect.BExp{R: console.PromptExpression},
+					&expect.BSnd{S: "dmesg | grep --color=never SEV\n"},
+					&expect.BExp{R: "AMD Memory Encryption Features active: " + sevstr},
+					&expect.BSnd{S: "\n"},
+					&expect.BExp{R: console.PromptExpression},
+				}, 30)
+				Expect(err).ToNot(HaveOccurred())
+			},
+			// SEV-ES disabled, SEV enabled
+			Entry("It should launch with base SEV features enabled", false, "SEV"),
+			// SEV-ES enabled
+			Entry("It should launch with SEV-ES features enabled", true, "SEV SEV-ES"),
+		)
 	})
 })

tests/libvmi/vmi.go

@@ -169,12 +169,15 @@ func WithUefi(secureBoot bool) Option {
 }
 
 // WithSEV adds `launchSecurity` with `sev`.
-func WithSEV() Option {
+func WithSEV(isESEnabled bool) Option {
 	return func(vmi *v1.VirtualMachineInstance) {
-		if vmi.Spec.Domain.LaunchSecurity == nil {
-			vmi.Spec.Domain.LaunchSecurity = &v1.LaunchSecurity{}
+		vmi.Spec.Domain.LaunchSecurity = &v1.LaunchSecurity{
+			SEV: &v1.SEV{
+				Policy: &v1.SEVPolicy{
+					EncryptedState: &isESEnabled,
+				},
+			},
 		}
-		vmi.Spec.Domain.LaunchSecurity.SEV = &v1.SEV{}
 	}
 }