forked from qemu/qemu
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
tests/functional/aarch64: add tests for FEAT_RME
This boot an OP-TEE environment, and launch a nested guest VM inside it using the Realms feature. We do it for virt and sbsa-ref platforms. Signed-off-by: Pierrick Bouvier <[email protected]> ----- v2: - move test to its own file - add sbsa test - check output of `cca-workload-attestation report` Signed-off-by: Pierrick Bouvier <[email protected]>
- Loading branch information
1 parent
7844769
commit ca63923
Showing
3 changed files
with
198 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,96 @@ | ||
#!/usr/bin/env python3 | ||
# | ||
# Functional test that boots a Realms environment on sbsa-ref machine and a | ||
# nested guest VM using it. | ||
# | ||
# Copyright (c) 2024 Linaro Ltd. | ||
# | ||
# Author: Pierrick Bouvier <[email protected]> | ||
# | ||
# SPDX-License-Identifier: GPL-2.0-or-later | ||
|
||
import time | ||
import os | ||
import logging | ||
|
||
from qemu_test import QemuSystemTest, Asset | ||
from qemu_test import exec_command, wait_for_console_pattern | ||
from qemu_test import exec_command_and_wait_for_pattern | ||
from qemu_test.utils import archive_extract | ||
|
||
|
||
class Aarch64RMESbsaRefMachine(QemuSystemTest): | ||
def wait_for_console_pattern(self, success_message, vm=None): | ||
wait_for_console_pattern(self, success_message, | ||
failure_message='Kernel panic - not syncing', | ||
vm=vm) | ||
|
||
# Stack is built with OP-TEE build environment from those instructions: | ||
# https://linaro.atlassian.net/wiki/spaces/QEMU/pages/29051027459/ | ||
# https://github.com/pbo-linaro/qemu-rme-stack | ||
ASSET_RME_STACK_SBSA = Asset( | ||
('https://fileserver.linaro.org/s/pBCeJktME2T5ikj/' | ||
'download/rme-stack-op-tee-4.2.0-cca-v3-sbsa.tar.gz'), | ||
'67542c80e5cfa84494f757bbee80b3535946c74666b8b82681f8eceb0e91d4ef') | ||
|
||
# This tests the FEAT_RME cpu implementation, by booting a VM supporting it, | ||
# and launching a nested VM using it. | ||
def test_aarch64_rme_sbsaref(self): | ||
stack_path_tar_gz = self.ASSET_RME_STACK_SBSA.fetch() | ||
archive_extract(stack_path_tar_gz, self.workdir) | ||
|
||
self.set_machine('sbsa-ref') | ||
self.vm.set_console() | ||
self.require_accelerator('tcg') | ||
|
||
rme_stack = os.path.join(self.workdir, | ||
'rme-stack-op-tee-4.2.0-cca-v3-sbsa') | ||
pflash0 = os.path.join(rme_stack, 'images', 'SBSA_FLASH0.fd') | ||
pflash1 = os.path.join(rme_stack, 'images', 'SBSA_FLASH1.fd') | ||
virtual = os.path.join(rme_stack, 'images', 'disks', 'virtual') | ||
drive = os.path.join(rme_stack, 'out-br', 'images', 'rootfs.ext4') | ||
|
||
self.vm.add_args('-accel', 'tcg') | ||
self.vm.add_args('-cpu', 'max,x-rme=on') | ||
self.vm.add_args('-m', '2G') | ||
self.vm.add_args('-M', 'sbsa-ref') | ||
self.vm.add_args('-drive', f'file={pflash0},format=raw,if=pflash') | ||
self.vm.add_args('-drive', f'file={pflash1},format=raw,if=pflash') | ||
self.vm.add_args('-drive', f'file=fat:rw:{virtual},format=raw') | ||
self.vm.add_args('-drive', f'format=raw,if=none,file={drive},id=hd0') | ||
self.vm.add_args('-device', 'virtio-blk-pci,drive=hd0') | ||
self.vm.add_args('-device', 'virtio-9p-pci,fsdev=shr0,mount_tag=shr0') | ||
self.vm.add_args('-fsdev', f'local,security_model=none,path={rme_stack},id=shr0') | ||
self.vm.add_args('-device', 'virtio-net-pci,netdev=net0') | ||
self.vm.add_args('-netdev', 'user,id=net0') | ||
|
||
self.vm.launch() | ||
# Wait for host VM boot to complete. | ||
self.wait_for_console_pattern('Welcome to Buildroot') | ||
exec_command_and_wait_for_pattern(self, 'root', '#') | ||
|
||
# We now boot the (nested) guest VM | ||
exec_command(self, | ||
'qemu-system-aarch64 -M virt,gic-version=3 ' | ||
'-cpu host -enable-kvm -m 512M ' | ||
'-M confidential-guest-support=rme0 ' | ||
'-object rme-guest,id=rme0,measurement-algo=sha256 ' | ||
'-device virtio-net-pci,netdev=net0,romfile= ' | ||
'-netdev user,id=net0 ' | ||
'-kernel /mnt/out/bin/Image ' | ||
'-initrd /mnt/out-br/images/rootfs.cpio ' | ||
'-serial stdio') | ||
# Detect Realm activation during (nested) guest boot. | ||
self.wait_for_console_pattern('SMC_RMI_REALM_ACTIVATE') | ||
# Wait for (nested) guest boot to complete. | ||
self.wait_for_console_pattern('Welcome to Buildroot') | ||
exec_command_and_wait_for_pattern(self, 'root', '#') | ||
|
||
# query (nested) guest cca report | ||
exec_command(self, 'cca-workload-attestation report') | ||
self.wait_for_console_pattern('"cca-platform-hash-algo-id": "sha-256"') | ||
self.wait_for_console_pattern('"cca-realm-hash-algo-id": "sha-256"') | ||
self.wait_for_console_pattern('"cca-realm-public-key-hash-algo-id": "sha-256"') | ||
|
||
if __name__ == '__main__': | ||
QemuSystemTest.main() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
#!/usr/bin/env python3 | ||
# | ||
# Functional test that boots a Realms environment on virt machine and a nested | ||
# guest VM using it. | ||
# | ||
# Copyright (c) 2024 Linaro Ltd. | ||
# | ||
# Author: Pierrick Bouvier <[email protected]> | ||
# | ||
# SPDX-License-Identifier: GPL-2.0-or-later | ||
|
||
import time | ||
import os | ||
import logging | ||
|
||
from qemu_test import QemuSystemTest, Asset | ||
from qemu_test import exec_command, wait_for_console_pattern | ||
from qemu_test import exec_command_and_wait_for_pattern | ||
from qemu_test.utils import archive_extract | ||
|
||
|
||
class Aarch64RMEVirtMachine(QemuSystemTest): | ||
def wait_for_console_pattern(self, success_message, vm=None): | ||
wait_for_console_pattern(self, success_message, | ||
failure_message='Kernel panic - not syncing', | ||
vm=vm) | ||
|
||
# Stack is built with OP-TEE build environment from those instructions: | ||
# https://linaro.atlassian.net/wiki/spaces/QEMU/pages/29051027459/ | ||
# https://github.com/pbo-linaro/qemu-rme-stack | ||
ASSET_RME_STACK_VIRT = Asset( | ||
('https://fileserver.linaro.org/s/7dsXdtbDfBZbCTC/' | ||
'download/rme-stack-op-tee-4.2.0-cca-v3-qemu_v8.tar.gz'), | ||
'0b49f2652a7201d100365b8ccc6c317f1f8f2f4de6feed084080f52fe1b5fadc') | ||
|
||
# This tests the FEAT_RME cpu implementation, by booting a VM supporting it, | ||
# and launching a nested VM using it. | ||
def test_aarch64_rme_virt(self): | ||
stack_path_tar_gz = self.ASSET_RME_STACK_VIRT.fetch() | ||
archive_extract(stack_path_tar_gz, self.workdir) | ||
|
||
self.set_machine('virt') | ||
self.vm.set_console() | ||
self.require_accelerator('tcg') | ||
|
||
rme_stack = os.path.join(self.workdir, | ||
'rme-stack-op-tee-4.2.0-cca-v3-qemu_v8') | ||
kernel = os.path.join(rme_stack, 'out', 'bin', 'Image') | ||
bios = os.path.join(rme_stack, 'out', 'bin', 'flash.bin') | ||
drive = os.path.join(rme_stack, 'out-br', 'images', 'rootfs.ext4') | ||
|
||
self.vm.add_args('-accel', 'tcg') | ||
self.vm.add_args('-cpu', 'max,x-rme=on') | ||
self.vm.add_args('-m', '2G') | ||
self.vm.add_args('-M', 'virt,acpi=off,' | ||
'virtualization=on,' | ||
'secure=on,' | ||
'gic-version=3') | ||
self.vm.add_args('-bios', bios) | ||
self.vm.add_args('-kernel', kernel) | ||
self.vm.add_args('-drive', f'format=raw,if=none,file={drive},id=hd0') | ||
self.vm.add_args('-device', 'virtio-blk-pci,drive=hd0') | ||
self.vm.add_args('-device', 'virtio-9p-device,fsdev=shr0,mount_tag=shr0') | ||
self.vm.add_args('-fsdev', f'local,security_model=none,path={rme_stack},id=shr0') | ||
self.vm.add_args('-device', 'virtio-net-pci,netdev=net0') | ||
self.vm.add_args('-netdev', 'user,id=net0') | ||
self.vm.add_args('-append', 'root=/dev/vda') | ||
|
||
self.vm.launch() | ||
# Wait for host VM boot to complete. | ||
self.wait_for_console_pattern('Welcome to Buildroot') | ||
exec_command_and_wait_for_pattern(self, 'root', '#') | ||
|
||
# We now boot the (nested) guest VM | ||
exec_command(self, | ||
'qemu-system-aarch64 -M virt,gic-version=3 ' | ||
'-cpu host -enable-kvm -m 512M ' | ||
'-M confidential-guest-support=rme0 ' | ||
'-object rme-guest,id=rme0,measurement-algo=sha512 ' | ||
'-device virtio-net-pci,netdev=net0,romfile= ' | ||
'-netdev user,id=net0 ' | ||
'-kernel /mnt/out/bin/Image ' | ||
'-initrd /mnt/out-br/images/rootfs.cpio ' | ||
'-serial stdio') | ||
# Detect Realm activation during (nested) guest boot. | ||
self.wait_for_console_pattern('SMC_RMI_REALM_ACTIVATE') | ||
# Wait for (nested) guest boot to complete. | ||
self.wait_for_console_pattern('Welcome to Buildroot') | ||
exec_command_and_wait_for_pattern(self, 'root', '#') | ||
|
||
# query (nested) guest cca report | ||
exec_command(self, 'cca-workload-attestation report') | ||
self.wait_for_console_pattern('"cca-platform-hash-algo-id": "sha-256"') | ||
self.wait_for_console_pattern('"cca-realm-hash-algo-id": "sha-512"') | ||
self.wait_for_console_pattern('"cca-realm-public-key-hash-algo-id": "sha-256"') | ||
|
||
if __name__ == '__main__': | ||
QemuSystemTest.main() |