test: add a test to check for nested virtualization

Check that nested virtualization is disabled in all our CPU templates. Other tests already check for CPU features explicitly, but this test just checks that virtualization is not available to the guest, however the means. Signed-off-by: Pablo Barbáchano <[email protected]>
firecracker-microvm · Jan 24, 2024 · 5a95b66 · 5a95b66
1 parent 82d9ab1
commit 5a95b66
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 0 deletions.
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -293,6 +293,18 @@ def custom_cpu_template(request, record_property):
     return request.param
 
 
+@pytest.fixture(
+    params=list(static_cpu_templates_params()) + list(custom_cpu_templates_params())
+)
+def cpu_template_any(request, record_property):
+    """This fixture combines static and custom CPU templates"""
+    if "name" in request.param:
+        record_property("custom_cpu_template", request.param["name"])
+    else:
+        record_property("static_cpu_template", request.param)
+    return request.param
+
+
 @pytest.fixture(params=["Sync", "Async"])
 def io_engine(request):
     """All supported io_engines"""

diff --git a/tests/integration_tests/security/test_nv.py b/tests/integration_tests/security/test_nv.py
@@ -0,0 +1,48 @@
+# Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+"""Tests ensuring nested virtualization is not present when using CPU templates.
+
+We have tests that ensure CPU templates provide a consistent set of features in
+the guest:
+
+- file:../functional/test_cpu_features.py
+- file:../functional/test_feat_parity.py
+- Commit: 681e781f999e3390b6d46422a3c7b1a7e36e1b24
+
+These already include the absence of VMX/SVM in the guest.
+
+This test is a safety-net to make the test explicit and catch cases where we
+start providing the feature by mistake.
+"""
+
+import pytest
+
+
+@pytest.fixture
+def uvm_with_cpu_template(
+    microvm_factory, guest_kernel, rootfs_ubuntu_22, cpu_template_any
+):
+    """A microvm fixture parametrized with all possible templates"""
+    vm = microvm_factory.build(guest_kernel, rootfs_ubuntu_22)
+    vm.spawn()
+    cpu_template = None
+    if isinstance(cpu_template_any, str):
+        cpu_template = cpu_template_any
+    vm.basic_config(cpu_template=cpu_template)
+    if cpu_template is None:
+        vm.api.cpu_config.put(**cpu_template_any["template"])
+    vm.add_net_iface()
+    vm.start()
+    yield vm
+
+
+def test_no_nv_when_using_cpu_templates(uvm_with_cpu_template):
+    """
+    Double-check that guests using CPU templates don't have Nested Virtualization
+    enabled.
+    """
+
+    vm = uvm_with_cpu_template
+    rc, _, _ = vm.ssh.run("[ ! -e /dev/kvm ]")
+    assert rc == 0, "/dev/kvm exists"