diff --git a/tests/conftest.py b/tests/conftest.py
index 7a33048ff043..f283ae7e9588 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -293,6 +293,18 @@ def custom_cpu_template(request, record_property):
     return request.param
 
 
+@pytest.fixture(
+    params=list(static_cpu_templates_params()) + list(custom_cpu_templates_params())
+)
+def cpu_template_any(request, record_property):
+    """This fixture combines static and custom CPU templates"""
+    if "name" in request.param:
+        record_property("custom_cpu_template", request.param["name"])
+    else:
+        record_property("static_cpu_template", request.param)
+    return request.param
+
+
 @pytest.fixture(params=["Sync", "Async"])
 def io_engine(request):
     """All supported io_engines"""
diff --git a/tests/integration_tests/security/test_nv.py b/tests/integration_tests/security/test_nv.py
new file mode 100644
index 000000000000..ce848c6a789d
--- /dev/null
+++ b/tests/integration_tests/security/test_nv.py
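Review bot: `if "name" in request.param:` in the new cpu_template_any fixture is a substring test whenever the param is a string, which the `isinstance(cpu_template_any, str)` branch in test_nv.py suggests static templates are; a static template whose name happens to contain "name" would take the custom branch and then fail on `request.param["name"]` with a TypeError. Dispatch on the param's type instead: `if isinstance(request.param, dict):`. That custom params are dicts is inferred from the `["name"]` and `["template"]` subscripts in this and the next hunk, so confirm against custom_cpu_templates_params() before changing it.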
@@ -0,0 +1,48 @@
+# Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+"""Tests ensuring nested virtualization is not present when using CPU templates.
+
+We have tests that ensure CPU templates provide a consistent set of features in
+the guest:
+
+- file:../functional/test_cpu_features.py
+- file:../functional/test_feat_parity.py
+- Commit: 681e781f999e3390b6d46422a3c7b1a7e36e1b24
+
+These already include the absence of VMX/SVM in the guest.
+
+This test is a safety-net to make the test explicit and catch cases where we
+start providing the feature by mistake.
+"""
+
+import pytest
+
+
+@pytest.fixture
+def uvm_with_cpu_template(
+    microvm_factory, guest_kernel, rootfs_ubuntu_22, cpu_template_any
+):
+    """A microvm fixture parametrized with all possible templates"""
+    vm = microvm_factory.build(guest_kernel, rootfs_ubuntu_22)
+    vm.spawn()
+    cpu_template = None
+    if isinstance(cpu_template_any, str):
+        cpu_template = cpu_template_any
+    vm.basic_config(cpu_template=cpu_template)
+    if cpu_template is None:
+        vm.api.cpu_config.put(**cpu_template_any["template"])
+    vm.add_net_iface()
+    vm.start()
+    yield vm
+
+
+def test_no_nv_when_using_cpu_templates(uvm_with_cpu_template):
+    """
+    Double-check that guests using CPU templates don't have Nested Virtualization
+    enabled.
+    """
+
+    vm = uvm_with_cpu_template
+    rc, _, _ = vm.ssh.run("[ ! -e /dev/kvm ]")
+    assert rc == 0, "/dev/kvm exists"
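Review bot: The only assertion in test_no_nv_when_using_cpu_templates is that no /dev/kvm node exists in the guest, which is equally true whenever the guest kernel simply lacks the kvm_intel/kvm_amd modules, so the test can pass without the CPU template hiding anything. Since the module docstring states the intent is to catch VMX/SVM leaking into the guest, also check the flags the guest actually sees, e.g. `rc, _, _ = vm.ssh.run("! grep -qwE 'vmx|svm' /proc/cpuinfo")` followed by `assert rc == 0, "vmx/svm flag visible in guest /proc/cpuinfo"`. I am inferring from the unpack on the existing line that `vm.ssh.run` returns an (rc, stdout, stderr) triple. On aarch64 those flag names never appear in /proc/cpuinfo, so the extra check is a harmless no-op there and only adds coverage on x86.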