From 5a95b669ecb6f462243ed0732f49fe48843c3723 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Barb=C3=A1chano?=
Date: Mon, 21 Aug 2023 11:04:01 +0200
Subject: [PATCH] test: add a test to check for nested virtualization
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Check that nested virtualization is disabled in all our CPU templates. Other tests already check for CPU features explicitly, but this test just checks that virtualization is not available to the guest, however the means.

Signed-off-by: Pablo Barbáchano
---
 tests/conftest.py | 12 ++++++
 tests/integration_tests/security/test_nv.py | 48 +++++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 tests/integration_tests/security/test_nv.py

diff --git a/tests/conftest.py b/tests/conftest.py
index 7a33048ff043..f283ae7e9588 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -293,6 +293,18 @@ def custom_cpu_template(request, record_property):
 return request.param
+@pytest.fixture(
+ params=list(static_cpu_templates_params()) + list(custom_cpu_templates_params())
+)
+def cpu_template_any(request, record_property):
+ """This fixture combines static and custom CPU templates"""
+ if "name" in request.param:
+ record_property("custom_cpu_template", request.param["name"])
+ else:
+ record_property("static_cpu_template", request.param)
+ return request.param
+
+
 @pytest.fixture(params=["Sync", "Async"])
 def io_engine(request):
 """All supported io_engines"""
diff --git a/tests/integration_tests/security/test_nv.py b/tests/integration_tests/security/test_nv.py
new file mode 100644
index 000000000000..ce848c6a789d
--- /dev/null
+++ b/tests/integration_tests/security/test_nv.py
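Review bot: The branch test `if "name" in request.param:` in cpu_template_any is a substring match when the parameter is a static template name (a str), so any static template whose name contained "name" would be treated as a custom template and `request.param["name"]` would raise TypeError. The fixture added in tests/integration_tests/security/test_nv.py discriminates the very same value with `isinstance(cpu_template_any, str)`; using the same kind of check here, `if isinstance(request.param, dict):`, keeps both fixtures in step and states the intent directly. The docstring could also say what callers receive, e.g. `"""Static CPU template (str name) or custom CPU template (dict with "name" and "template" keys)."""` — the "template" key is inferred from how test_nv.py consumes the value, since the two helper functions that build the params list are outside this diff. A parametrised list of dicts also yields opaque test IDs (`cpu_template_any0`, ...) unless `ids=` is supplied, which is worth considering for readability of failures.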
@@ -0,0 +1,48 @@
+# Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+"""Tests ensuring nested virtualization is not present when using CPU templates.
+
+We have tests that ensure CPU templates provide a consistent set of features in
+the guest:
+
+- file:../functional/test_cpu_features.py
+- file:../functional/test_feat_parity.py
+- Commit: 681e781f999e3390b6d46422a3c7b1a7e36e1b24
+
+These already include the absence of VMX/SVM in the guest.
+
+This test is a safety-net to make the test explicit and catch cases where we
+start providing the feature by mistake.
+"""
+
+import pytest
+
+
+@pytest.fixture
+def uvm_with_cpu_template(
+ microvm_factory, guest_kernel, rootfs_ubuntu_22, cpu_template_any
+):
+ """A microvm fixture parametrized with all possible templates"""
+ vm = microvm_factory.build(guest_kernel, rootfs_ubuntu_22)
+ vm.spawn()
+ cpu_template = None
+ if isinstance(cpu_template_any, str):
+ cpu_template = cpu_template_any
+ vm.basic_config(cpu_template=cpu_template)
+ if cpu_template is None:
+ vm.api.cpu_config.put(**cpu_template_any["template"])
+ vm.add_net_iface()
+ vm.start()
+ yield vm
+
+
+def test_no_nv_when_using_cpu_templates(uvm_with_cpu_template):
+ """
+ Double-check that guests using CPU templates don't have Nested Virtualization
+ enabled.
+ """
+
+ vm = uvm_with_cpu_template
+ rc, _, _ = vm.ssh.run("[ ! -e /dev/kvm ]")
+ assert rc == 0, "/dev/kvm exists"
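Review bot: The single assertion `[ ! -e /dev/kvm ]` in test_no_nv_when_using_cpu_templates only shows that the guest kernel did not create the KVM device node, which is also the outcome when the guest kernel has no KVM support compiled in or its KVM module is simply not loaded, so the test can pass without verifying that VMX/SVM is actually hidden from the guest. A complementary check that does not depend on the guest kernel configuration is the CPU flag itself: `rc, _, _ = vm.ssh.run("grep -qwE 'vmx|svm' /proc/cpuinfo")` followed by `assert rc != 0, "vmx/svm flag visible in guest"`, kept alongside the existing /dev/kvm assertion so a regression in either layer is caught. The docstring should also state this dependency, e.g. `/dev/kvm is only created when the guest kernel's KVM driver finds VMX/SVM, so its absence is meaningful only for guest kernels that carry KVM` — I am inferring from the test's own premise, not from the guest kernel configs, which are outside this diff. Separately, the copyright header reads 2024 while the commit is dated August 2023; worth confirming which is intended.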