Add test to check the pre-calculated launch measurement #392
Conversation
stefano-garzarella
force-pushed
the
test-launch-measurement
branch
from
6306c51
to
79b4ae6
Compare
|
Just taking a look at this. At the moment I'm getting a test failure due to an incorrect measurement - probably due to my environment. |
stefano-garzarella
force-pushed
the
test-launch-measurement
branch
from
79b4ae6
to
a9469ea
Compare
|
Pushed by mistake (I had to test the code on the SEV-SNP machine) and there is something wrong with the serial port locks by moving them to |
|
Strage, if I rebase on previous commit (126400b) it works, but on current main (fa92efc), the test are not executed and the output is just the Stage2: This happen only with the last patch of this PR applied. Any idea? |
|
On current main, this PR works only if I revert commit 683ce95 and 79c18d6 , but I'm not sure if they are related. Without reverting them, SVSM is not starting and all the tests are not executed. |
|
Interesting, when I run in-SVSM tests on your branch I get the following: The output is very similar in release mode. |
|
@00xc just to be sure, commit a9469ea ? Now that you mention I tried to run the in-SVSM tests in release mode, and it worked (all tests passed included the new one), while in debug I still have #392 (comment) |
|
BTW the mismatch could be related to the host kernel, (e.g. |
|
Yep.
It works for me in both modes. However, I noticed that we do the following when booting with IGVM: Line 77 in fa92efc The important part being Note that using qemu's fw_cfg instead uses port 0x3f8 (COM1). |
|
I just did And now it's working also here, but now I'm not sure if we have some hidden issue. |
ehm, why we are setting
Without this PR, in Should I use COM4? |
|
Oh wait, |
Yes, that's what I meant :) |
Yes, please try using a different port for tests. |
Okay, I'll do. About the test failure in your env, can you check this:
|
stefano-garzarella
force-pushed
the
test-launch-measurement
branch
from
a9469ea
to
db4b8d5
Compare
|
v3:
v2:
|
There is no such parameter in the cmdline. I'm not sure which host version we have, as it is an internal machine on which I did not install the kernel. |
|
Apologies for the delay in joining this thread - I was away.
I've just checked on that same machine - the 6.8.1-1-coco kernel has DEBUG_SWAP disabled which should match the IGVM file that is generated but I also see a mismatch in the attestation report. I can confirm however that your latest branch works on my SEV-SNP system for both debug and release builds and the attestation measurement matches. |
stefano-garzarella
force-pushed
the
test-launch-measurement
branch
from
db4b8d5
to
071f1ad
Compare
|
v4:
|
|
I am also running in a measurement mismatch error, |
|
This works for me. Tested on EPYC Milan. I'm using the latest KVM and QEMU patches mentioned in the docs. |
|
@stefano-garzarella Can you please downgrade a measurement mismatch from a fatal error to a warning? With that the PR is ready to merge and we can move on fixing the causes of the mismatches. |
Provide a method to obtain the measurement from the SNP attestation report. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
The first test calling the svsm_test_io() function will initialize the serial port (COM4) and use it exclusively, since it will be protected by LockGuard. This serial port can be used in tests running in SVSM to communicate with the host. The protocol is simple, guest writes 1 byte identifying the request (IORequest), subsequent in/out depends on each request. Next commit will extend scripts/test-in-svsm.sh to handle the requests in the host side. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
stefano-garzarella
force-pushed
the
test-launch-measurement
branch
from
071f1ad
to
d0e38d4
Compare
|
v5:
|
What kernel is running your host?
@joergroedel done ;-) |
It is similar to the assert_eq!() macro, but instead of panicking, it prints a warning message with the same format. This new macro is useful for those tests that might fail and need to be fixed. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
In QEMU the order of the `-serial` parameters defines the I/O port to be used (COM*), so let's add variables to keep track of them and set them with `null` backend when not used to preserve the order regardless of the script parameters. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Use a serial port (COM4) with QEMU when we run unit tests in SVSM. This way we can use it to communicate with tests running in the guest. The serial port is connected to 2 pipes used for IN and OUT. Pipes are created in a temporary folder and destroyed when testing is completed. The guest sends a request (1 byte) and the host responds according to the type of the request. See the next commit for an example. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Ask the host for the pre-calculated launch measurement, and ask for a VMPL0 attestation report and compare them. This way we can avoid regressions in our tools for calculating the expected launch measurement. Since we still have some cases where the precalculated value does not match, for now we just issue a warning until we fix the problem. `scripts/test-in-svsm.sh` is now using `bin/igvmmeasure`, so let's add `$(IGVMMEASUREBIN)` dependency to `test-in-svsm` target in the Makefile. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
stefano-garzarella
force-pushed
the
test-launch-measurement
branch
from
d0e38d4
to
980e346
Compare
This PR introduces a test to check that the launch measurement pre-calculated by
igvmmeasureis the same as that returned by the VMPL0 attestation report at runtime.To support that, this PR also adds a serial port (COM3) to allow the host to communicate with the test running in the VM. This could be used in the future for other tests as well.
Tested locally with: