From f9a6b32f6a30524ed5644f153074862b8174986b Mon Sep 17 00:00:00 2001
From: Caleb Crane
Date: Fri, 13 May 2022 12:21:36 -0400
Subject: [PATCH] Add SEV-ES functional tests

Signed-off-by: Caleb Crane
---
 tests/framework/checks/checks.go | 4 +--
 tests/framework/checks/skips.go | 16 ++++++++++-
 tests/launchsecurity/sev.go | 47 +++++++++++++++++++-------------
 tests/libvmi/vmi.go | 11 +++++---
 4 files changed, 52 insertions(+), 26 deletions(-)

diff --git a/tests/framework/checks/checks.go b/tests/framework/checks/checks.go
index 2334fc80dca1..fdc18f5143c0 100644
--- a/tests/framework/checks/checks.go
+++ b/tests/framework/checks/checks.go
@@ -66,10 +66,10 @@ func HasFeature(feature string) bool {
 return false
 }
 
-func IsSEVCapable(node *v1.Node) bool {
+func IsSEVCapable(node *v1.Node, sevLabel string) bool {
 gomega.Expect(node).ToNot(gomega.BeNil())
 for label, _ := range node.Labels {
- if label == v12.SEVLabel {
+ if label == sevLabel {
 return true
 }
 }
diff --git a/tests/framework/checks/skips.go b/tests/framework/checks/skips.go
index 2847df78fa4c..7706d55144b3 100644
--- a/tests/framework/checks/skips.go
+++ b/tests/framework/checks/skips.go
@@ -16,6 +16,7 @@ import (
 "github.com/onsi/ginkgo/v2"
+ kubev1 "kubevirt.io/api/core/v1"
 "kubevirt.io/client-go/kubecli"
 virtconfig "kubevirt.io/kubevirt/pkg/virt-config"
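Review bot: The new `if label == sevLabel` line still sits inside a loop over every node label to test for a single key; a direct map lookup says the same thing in two lines and also removes the `label, _` form that vet and staticcheck flag: `_, found := node.Labels[sevLabel]` then `return found`, replacing the whole `for` block and the `return false` that follows it outside this hunk. With the label now a parameter the name IsSEVCapable promises more than the body checks, so a doc comment is worth adding, for instance `// IsSEVCapable reports whether node carries sevLabel, expected to be kubevirt's SEVLabel or SEVESLabel (v12 in this file).` Presence of that label is a scheduling hint advertised on the node object, not proof the guest runs with memory encryption; the dmesg check in sev.go is what covers the latter, so the two are complementary rather than redundant.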
@@ -118,13 +119,26 @@ func SkipTestIfNotSEVCapable() {
 nodes := libnode.GetAllSchedulableNodes(virtClient)
 
 for _, node := range nodes.Items {
- if IsSEVCapable(&node) {
+ if IsSEVCapable(&node, kubev1.SEVLabel) {
 return
 }
 }
 ginkgo.Skip("no node capable of running SEV workloads detected", 1)
 }
 
+func SkipTestIfNotSEVESCapable() {
+ virtClient, err := kubecli.GetKubevirtClient()
+ util.PanicOnError(err)
+ nodes := libnode.GetAllSchedulableNodes(virtClient)
+
+ for _, node := range nodes.Items {
+ if IsSEVCapable(&node, kubev1.SEVESLabel) {
+ return
+ }
+ }
+ ginkgo.Skip("no node capable of running SEV-ES workloads detected", 1)
+}
+
 func SkipIfNonRoot(feature string) {
 if HasFeature(virtconfig.NonRoot) {
 ginkgo.Skip(fmt.Sprintf("NonRoot implementation doesn't support %s", feature))
diff --git a/tests/launchsecurity/sev.go b/tests/launchsecurity/sev.go
index aefcaf1faa55..b4d6d0675754 100644
--- a/tests/launchsecurity/sev.go
+++ b/tests/launchsecurity/sev.go
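Review bot: SkipTestIfNotSEVESCapable is a line-for-line copy of SkipTestIfNotSEVCapable with only the label and the skip message changed, so the next change to how nodes are listed or how the client error is handled has to be made twice; a private helper taking the label and the message keeps the two in step. The existing functions pass a callerSkip of 1 to `ginkgo.Skip` so the reported location is the spec that called them; a helper adds one stack frame, so that offset becomes 2 — worth confirming in the spec report after the change. SkipTestIfNotSEVCapable begins outside this hunk and could be collapsed to the same one-line call with `kubev1.SEVLabel` and its current message.
```go
// skipTestIfNoNodeHasLabel skips the calling spec unless at least one
// schedulable node carries label; skipMsg is the reason ginkgo reports.
func skipTestIfNoNodeHasLabel(label, skipMsg string) {
	virtClient, err := kubecli.GetKubevirtClient()
	util.PanicOnError(err)
	nodes := libnode.GetAllSchedulableNodes(virtClient)

	for _, node := range nodes.Items {
		if IsSEVCapable(&node, label) {
			return
		}
	}
	// callerSkip 2: attribute the skip to the spec that called the exported wrapper.
	ginkgo.Skip(skipMsg, 2)
}

func SkipTestIfNotSEVESCapable() {
	skipTestIfNoNodeHasLabel(kubev1.SEVESLabel, "no node capable of running SEV-ES workloads detected")
}
```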
@@ -88,24 +88,33 @@ var _ = Describe("[sig-compute]AMD Secure Encrypted Virtualization (SEV)", decor
 checks.SkipTestIfNotSEVCapable()
 })
 
- It("should start a SEV VM", func() {
- const secureBoot = false
- vmi := libvmi.NewFedora(libvmi.WithUefi(secureBoot), libvmi.WithSEV())
- vmi = tests.RunVMIAndExpectLaunch(vmi, 240)
-
- By("Expecting the VirtualMachineInstance console")
- Expect(console.LoginToFedora(vmi)).To(Succeed())
-
- By("Verifying that SEV is enabled in the guest")
- err := console.SafeExpectBatch(vmi, []expect.Batcher{
- &expect.BSnd{S: "\n"},
- &expect.BExp{R: console.PromptExpression},
- &expect.BSnd{S: "dmesg | grep --color=never SEV\n"},
- &expect.BExp{R: "AMD Memory Encryption Features active: SEV"},
- &expect.BSnd{S: "\n"},
- &expect.BExp{R: console.PromptExpression},
- }, 30)
- Expect(err).ToNot(HaveOccurred())
- })
+ DescribeTable("should start a SEV or SEV-ES VM",
+ func(withES bool, sevstr string) {
+ if withES {
+ checks.SkipTestIfNotSEVESCapable()
+ }
+ const secureBoot = false
+ vmi := libvmi.NewFedora(libvmi.WithUefi(secureBoot), libvmi.WithSEV(withES))
+ vmi = tests.RunVMIAndExpectLaunch(vmi, 240)
+
+ By("Expecting the VirtualMachineInstance console")
+ Expect(console.LoginToFedora(vmi)).To(Succeed())
+
+ By("Verifying that SEV is enabled in the guest")
+ err := console.SafeExpectBatch(vmi, []expect.Batcher{
+ &expect.BSnd{S: "\n"},
+ &expect.BExp{R: console.PromptExpression},
+ &expect.BSnd{S: "dmesg | grep --color=never SEV\n"},
+ &expect.BExp{R: "AMD Memory Encryption Features active: " + sevstr},
+ &expect.BSnd{S: "\n"},
+ &expect.BExp{R: console.PromptExpression},
+ }, 30)
+ Expect(err).ToNot(HaveOccurred())
+ },
+ // SEV-ES disabled, SEV enabled
+ Entry("It should launch with base SEV features enabled", false, "SEV"),
+ // SEV-ES enabled
+ Entry("It should launch with SEV-ES features enabled", true, "SEV SEV-ES"),
+ )
 })
 })
diff --git a/tests/libvmi/vmi.go b/tests/libvmi/vmi.go
index 554c3ad3c24c..57b75de07209 100644
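Review bot: The `BExp` pattern `"AMD Memory Encryption Features active: " + sevstr` is a regexp matched anywhere in the console output, so the base-SEV entry with `"SEV"` also accepts a guest that prints `SEV SEV-ES`; the table therefore proves that encrypted state is on for the `true` row but cannot detect it being on unexpectedly for the `false` row, which is the case the new `EncryptedState` policy is meant to distinguish. Anchoring the pattern to the end of that dmesg line (a trailing `\r` or `(\r|\n)`, depending on what the console actually emits — confirm before relying on it) would make both rows exact. The Entry descriptions starting with `It should` read doubled under the table title `should start a SEV or SEV-ES VM` in the ginkgo report, and the comments above each Entry repeat what the description already says; `Entry("with base SEV features", false, "SEV")` style names would be enough. The enclosing Context and its BeforeEach that calls `checks.SkipTestIfNotSEVCapable()` begin outside this hunk.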
--- a/tests/libvmi/vmi.go
+++ b/tests/libvmi/vmi.go
@@ -169,12 +169,15 @@ func WithUefi(secureBoot bool) Option {
 }
 
 // WithSEV adds `launchSecurity` with `sev`.
-func WithSEV() Option {
+func WithSEV(isESEnabled bool) Option {
 return func(vmi *v1.VirtualMachineInstance) {
- if vmi.Spec.Domain.LaunchSecurity == nil {
- vmi.Spec.Domain.LaunchSecurity = &v1.LaunchSecurity{}
+ vmi.Spec.Domain.LaunchSecurity = &v1.LaunchSecurity{
+ SEV: &v1.SEV{
+ Policy: &v1.SEVPolicy{
+ EncryptedState: &isESEnabled,
+ },
+ },
 }
- vmi.Spec.Domain.LaunchSecurity.SEV = &v1.SEV{}
 }
 }
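Review bot: WithSEV now assigns a fresh `&v1.LaunchSecurity{...}` unconditionally, so the nil-check the commit removes no longer preserves anything another option may already have placed in `Spec.Domain.LaunchSecurity`; nothing visible here sets that field besides WithSEV, so this is harmless today, but the old merge-into-existing form costs three lines and keeps the option composable. The doc comment above the signature was not updated for the new parameter; suggested wording: `// WithSEV adds `launchSecurity` with `sev`; isESEnabled sets policy.encryptedState, which requests SEV-ES for the guest.` Note also that the `false` case changes meaning: the old code sent no policy at all, the new one sends an explicit `encryptedState: false` — fine if the API treats nil and false alike, but worth confirming since the SEV-only table row in sev.go now exercises this shape.
```go
	return func(vmi *v1.VirtualMachineInstance) {
		if vmi.Spec.Domain.LaunchSecurity == nil {
			vmi.Spec.Domain.LaunchSecurity = &v1.LaunchSecurity{}
		}
		vmi.Spec.Domain.LaunchSecurity.SEV = &v1.SEV{
			Policy: &v1.SEVPolicy{EncryptedState: &isESEnabled},
		}
	}
```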