feat: add SEV-SNP und SEV-ES tests

Signed-off-by: Christian Walter <christian.walter@9elements.com>

Author: walterchris

cmd/core/amd-suite/TESTPLAN.md

@@ -18,10 +18,12 @@ Id | Group | Test | Implemented | Reference | Notes
 24 | SME | Verify SME Functionality | :white_check_mark: | - | Check if Memory Pages are marked for encryption
 25 | SME | TSME Support | :white_check_mark: | - | Test checks CPUID.0x8000001F[EAX].bit[13]
 26 | SME | TSME Enabled | :white_check_mark: | - | Test checks MSR 0xC0010010[18]
-30 | SEV | SEV Support | :x: | - | Test checks `0x8000001f`
-31 | SEV | SEV Enabled | :x: | - | Test checks `MSR_AMD64_SEV`
+30 | SEV | SEV Support | :white_check_mark: | - | Test checks `0x8000001f`
+31 | SEV | SEV Enabled | :white_check_mark: | - | Test checks `MSR_AMD64_SEV`
 32 | SEV | SEV Firmware Version Validation | :x: | - | Verify the SEV Firmware Version
 33 | SEV | SEV Guest Configuration Validation | :x: | - | Verify the Guest Configuration for a VM
+34 | SEV | SEV-ES Support | :white_check_mark: | - | Test checks CPUID.0x8000001F[EAX].bit[3]
+35 | SEV | SEV-ES Enabled | :white_check_mark: | - | Test checks MSR 0xC0010131[1]
 40 | SEV-SNP| SEV-SNP Support | :white_check_mark: | - | -
 41 | SEV-SNP| SEV-SNP Enabled | :x: | - | -
 42 | SEV-SNP| SEV-SNP Debug Registers disabled | :x: | - | CPU Debug Registers can be enabled / disabled through `SEV_FEATURES`

pkg/test/amd_tests.go

@@ -48,6 +48,25 @@ const (
 )
 
 var (
+	testSEVESupport = Test{
+		Name:                 "SEV-ES Support",
+		Required:             true,
+		function:             SEVESupport,
+		Status:               Implemented,
+		SpecificationChapter: "",
+		SpecificiationTitle:  "AMD Secure Encrypted Virtualization - Encrypted State",
+		dependencies:         []*Test{&testAMDFamilyModel},
+	}
+
+	testSEVESEnabled = Test{
+		Name:                 "SEV-ES Enabled",
+		Required:             true,
+		function:             SEVESEnabled,
+		Status:               Implemented,
+		SpecificationChapter: "",
+		SpecificiationTitle:  "AMD Secure Encrypted Virtualization - Encrypted State",
+		dependencies:         []*Test{&testAMDFamilyModel},
+	}
 	testAMDFamilyModel = Test{
 		Name:                 "Detect AMD Family and Model",
 		Required:             true,
@@ -397,12 +416,16 @@ var (
 	TestsAMDSEV = []*Test{
 		&testSEVSupport,
 		&testSEVEnabled,
+		&testSEVESupport,
+		&testSEVESEnabled,
 		&testSEVFirmwareVersion,
 		&testSEVGuestConfig,
 	}
 	TestsAMDSEVSNP = []*Test{
 		&testSEVSNPSupport,
 		&testSEVSNPEnabled,
+		&testSEVESupport,
+		&testSEVESEnabled,
 		&testSEVSNPDebugRegisters,
 		&testSEVSNPSideChannelProtection,
 		&testSEVSNPFirmwareVersion,
@@ -540,16 +563,43 @@ func SMEFunctionality(hw hwapi.LowLevelHardwareInterfaces, p *PreSet) (bool, err
 
 // SEV Tests
 
-// SEVSupport checks if SEV is supported
+// SEVSupport checks if SEV is supported by checking CPUID[0x8000001f].EAX[1]
 func SEVSupport(hw hwapi.LowLevelHardwareInterfaces, p *PreSet) (bool, error, error) {
-	log.Info("SEV Support check is not implemented")
+	eax, _, _, _ := hw.CPUID(CPUID_SEV_SNP, 0)
+	if eax&(1<<1) == 0 {
+		return false, fmt.Errorf("SEV is not supported on this CPU (CPUID.0x8000001F[EAX].bit[1] = 0)"), nil
+	}
+	log.Debugf("SEV is supported (CPUID.0x8000001F[EAX].bit[1] = 1)")
 	return true, nil, nil
 }
 
-// SEVEnabled checks if SEV is enabled
+// SEVEnabled checks if SEV is enabled by reading MSR 0xC0010131[0]
 func SEVEnabled(hw hwapi.LowLevelHardwareInterfaces, p *PreSet) (bool, error, error) {
-	log.Info("SEV Enabled check is not implemented")
-	return true, nil, nil
+	const MSR_AMD64_SEV = 0xC0010131
+	const MSR_AMD64_SEV_ENABLED = uint64(1) << 0 // Bit 0: SEV Enable
+	vals := hw.ReadMSR(MSR_AMD64_SEV)
+	msrEnabled := false
+	if len(vals) > 0 {
+		val := vals[0]
+		if val&MSR_AMD64_SEV_ENABLED != 0 {
+			msrEnabled = true
+		}
+	}
+
+	// Also check /sys/module/kvm_amd/parameters/sev if present
+	sysfsEnabled := false
+	if data, err := os.ReadFile("/sys/module/kvm_amd/parameters/sev"); err == nil {
+		if strings.TrimSpace(string(data)) == "Y" {
+			sysfsEnabled = true
+		}
+	}
+
+	if msrEnabled || sysfsEnabled {
+		log.Debugf("SEV is enabled (MSR 0xC0010131[0] = %v, /sys/module/kvm_amd/parameters/sev = %v)", msrEnabled, sysfsEnabled)
+		return true, nil, nil
+	}
+
+	return false, fmt.Errorf("SEV is not enabled (MSR 0xC0010131[0] = %v, /sys/module/kvm_amd/parameters/sev = %v)", msrEnabled, sysfsEnabled), nil
 }
 
 // SEVFirmwareVersion validates SEV firmware version
@@ -834,3 +884,40 @@ func TSMEEnabled(hw hwapi.LowLevelHardwareInterfaces, p *PreSet) (bool, error, e
 	log.Debugf("TSME is enabled (MSR 0xC0010010[18] = 1)")
 	return true, nil, nil
 }
+
+// SEV-ES Tests
+func SEVESupport(hw hwapi.LowLevelHardwareInterfaces, p *PreSet) (bool, error, error) {
+	// Check CPUID
+	eax, _, _, _ := hw.CPUID(CPUID_SEV_SNP, 0)
+	cpuidSupported := eax&(1<<3) != 0
+
+	// Also check /sys/module/kvm_amd/parameters/sev_es if present
+	sysfsSupported := false
+	if data, err := os.ReadFile("/sys/module/kvm_amd/parameters/sev_es"); err == nil {
+		if strings.TrimSpace(string(data)) == "Y" {
+			sysfsSupported = true
+		}
+	}
+
+	if cpuidSupported || sysfsSupported {
+		log.Debugf("SEV-ES is supported (CPUID.0x8000001F[EAX].bit[3] = %v, /sys/module/kvm_amd/parameters/sev_es = %v)", cpuidSupported, sysfsSupported)
+		return true, nil, nil
+	}
+	return false, fmt.Errorf("SEV-ES is not supported (CPUID.0x8000001F[EAX].bit[3] = %v, /sys/module/kvm_amd/parameters/sev_es = %v)", cpuidSupported, sysfsSupported), nil
+}
+
+// SEVESEnabled checks if SEV-ES is enabled by reading MSR 0xC0010131[1]
+func SEVESEnabled(hw hwapi.LowLevelHardwareInterfaces, p *PreSet) (bool, error, error) {
+	const MSR_AMD64_SEV = 0xC0010131
+	const MSR_AMD64_SEV_ES_ENABLED = uint64(1) << 1 // Bit 1: SEV-ES Enable
+	vals := hw.ReadMSR(MSR_AMD64_SEV)
+	if len(vals) == 0 {
+		return false, fmt.Errorf("ReadMSR returned no values for SEV MSR"), nil
+	}
+	val := vals[0]
+	if val&MSR_AMD64_SEV_ES_ENABLED == 0 {
+		return false, fmt.Errorf("SEV-ES is not enabled (MSR 0xC0010131[1] = 0)"), nil
+	}
+	log.Debugf("SEV-ES is enabled (MSR 0xC0010131[1] = 1)")
+	return true, nil, nil
+}