Run functional tests in CI (#102)

wojciechozga · lgaeher · web-flow · commit 9322cae89823 · 2025-05-28T18:36:25.000+02:00
* add a functional test that retrieves secret via local attestation
* optimize tests for the limited resources available in CI
* add a functional test that runs a confidential VM with multiple vCPUs

---------

Signed-off-by: Wojciech Ozga &lt;woz@zurich.ibm.com&gt;
Co-authored-by: Lennard Gäher &lt;l.gaeher@posteo.de&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,4 +1,4 @@
-name: ACE Build
+name: Functional tests
 
 on:
   push:
@@ -10,7 +10,7 @@ jobs:
   build:
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         submodules: 'true'
     - name: install build dependencies
@@ -32,14 +32,18 @@ jobs:
     - name: install rust nightly
       run: rustup component add rustfmt
     - name: build riscv toolchain
-      run: ACE_DIR=$(pwd)/build/ MAKEFLAGS="--silent -j4" make devtools
+      run: ACE_DIR=$(pwd)/build/ make --silent -j8 devtools
     - name: build emulator
-      run: ACE_DIR=$(pwd)/build/ MAKEFLAGS="--silent -j4" make emulator
+      run: ACE_DIR=$(pwd)/build/ make --silent -j8 emulator
     - name: build tools
-      run: ACE_DIR=$(pwd)/build/ MAKEFLAGS="--silent -j4" make tools
+      run: ACE_DIR=$(pwd)/build/ make --silent -j8 tools
     - name: build hypervisor
-      run: ACE_DIR=$(pwd)/build/ MAKEFLAGS="--silent -j4" make hypervisor
+      run: ACE_DIR=$(pwd)/build/ make --silent -j8 hypervisor
     - name: build firmware
-      run: ACE_DIR=$(pwd)/build/ MAKEFLAGS="--silent -j4" make firmware
-    - name: build confidential_vms
-      run: ACE_DIR=$(pwd)/build/ MAKEFLAGS="--silent -j4" make confidential_vms
+      run: ACE_DIR=$(pwd)/build/ make --silent -j8 firmware
+    - name: build confidential vms
+      run: ACE_DIR=$(pwd)/build/ make --silent -j8 confidential_vms
+    - name: rebuild all to include changes to cvm disk
+      run: ACE_DIR=$(pwd)/build/ make --silent -j8
+    - name: run tests on confidential vms
+      run: ACE_DIR=$(pwd)/build/ PATH=$PATH:$(pwd)/build/tools ace test
diff --git a/confidential-vms/linux_vm/hypervisor_rootfs/run_linux_vm_qemu.sh b/confidential-vms/linux_vm/hypervisor_rootfs/run_linux_vm_qemu.sh
@@ -3,16 +3,11 @@
 # SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
 # SPDX-License-Identifier: Apache-2.0
 
-QEMU_CMD=qemu-system-riscv64
-KERNEL=/root/linux_vm/Image
-DRIVE=/root/linux_vm/rootfs.ext2
-INITRAMFS=/root/linux_vm/rootfs.cpio
-TAP=/root/linux_vm/cove_tap_qemu
-
 HOST_PORT="$((3000 + RANDOM % 3000))"
 INTERACTIVE="-nographic"
 SMP=2
 MEMORY=1G
+ID=""
 
 for i in "$@"; do
   case $i in
@@ -34,6 +29,10 @@ for i in "$@"; do
       MEMORY="${i#*=}"
       shift
       ;;
+    -i=*|--id=*)
+      ID="${i#*=}"
+      shift
+      ;;
     --daemonize*)
       INTERACTIVE="-daemonize"
       shift
@@ -47,8 +46,19 @@ for i in "$@"; do
   esac
 done
 
+if [ ! -f "/root/linux_vm${ID}" ]; then
+  cp -rf /root/linux_vm /root/linux_vm${ID}
+fi
+
+QEMU_CMD=qemu-system-riscv64
+KERNEL=/root/linux_vm${ID}/Image
+DRIVE=/root/linux_vm${ID}/rootfs.ext2
+INITRAMFS=/root/linux_vm${ID}/rootfs.cpio
+TAP=/root/linux_vm${ID}/cove_tap_qemu
+
 echo "SSH port: ${HOST_PORT}"
 echo "Number of cores assigned to the guest: ${SMP}"
+echo "${INTERACTIVE}"
 
 ${QEMU_CMD} ${DEBUG_OPTIONS} \
     ${INTERACTIVE} \
@@ -61,5 +71,4 @@ ${QEMU_CMD} ${DEBUG_OPTIONS} \
     -device virtio-blk-pci,drive=hd0,iommu_platform=on,disable-legacy=on,disable-modern=off \
     -drive if=none,format=raw,file=${DRIVE},id=hd0 \
     -device virtio-net-pci,netdev=net0,iommu_platform=on,disable-legacy=on,disable-modern=off \
-    -netdev user,id=net0,net=192.168.100.1/24,dhcpstart=192.168.100.128,hostfwd=tcp::${HOST_PORT}-:22 \
-    -nographic
+    -netdev user,id=net0,net=192.168.100.1/24,dhcpstart=192.168.100.128,hostfwd=tcp::${HOST_PORT}-:22
diff --git a/confidential-vms/linux_vm/hypervisor_rootfs/run_linux_vm_qemu2.sh b/confidential-vms/linux_vm/hypervisor_rootfs/run_linux_vm_qemu2.sh
diff --git a/confidential-vms/linux_vm/overlay/root/this_is_confidential_vm_filesystem b/confidential-vms/linux_vm/overlay/root/this_is_confidential_vm_filesystem
@@ -1 +1 @@
-hello from confidential VM's filesystem
+hello from confidential VM filesystem
diff --git a/confidential-vms/linux_vm/overlay/this_is_confidential_vm_filesystem b/confidential-vms/linux_vm/overlay/this_is_confidential_vm_filesystem
@@ -1 +1 @@
-hello from confidential VM's filesystem
+hello from confidential VM filesystem
diff --git a/hypervisor/configurations/qemu_riscv64_virt_defconfig b/hypervisor/configurations/qemu_riscv64_virt_defconfig
@@ -56,6 +56,8 @@ BR2_GLOBAL_PATCH_DIR=""
 
 # Packages
 BR2_PACKAGE_DROPBEAR=y
+BR2_PACKAGE_OPENSSH_CLIENT=y
+BR2_PACKAGE_SSHPASS=y
 
 # Qemu
 BR2_PACKAGE_QEMU=y
diff --git a/hypervisor/rootfs/common.sh b/hypervisor/rootfs/common.sh
@@ -2,28 +2,21 @@
 # SPDX-FileCopyrightText: 2023 IBM Corporation
 # SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
 # SPDX-License-Identifier: Apache-2.0
-
-function run_confidential_vm() {
-    fallocate -l 128M hdd.dsk
-
-    KERNEL_IMAGE=$1
-    NUMBER_OF_CORES=$2
-    MEMORY_SIZE=$3
-    DRIVE="hdd.dsk"
-
-    qemu-system-riscv64 -machine virt -cpu rv64 -smp $NUMBER_OF_CORES -m $MEMORY_SIZE \
-        --enable-kvm \
-        -global virtio-mmio.force-legacy=false \
-        -append "console=ttyS0 ro root=/dev/vda swiotlb=mmnn,force nosplash debug promote_to_tvm" \
-        -device virtio-blk-pci,drive=hd0,iommu_platform=on,disable-legacy=on,disable-modern=off \
-        -drive if=none,format=raw,file=${DRIVE},id=hd0 \
-        -nographic -bios none \
-        -kernel $KERNEL_IMAGE &
-}
+export TVM_TEST_PASSWD="passwd"
+export SSH_CMD="sshpass -p ${TVM_TEST_PASSWD} ssh -y -q"
 
 function kill_confidential_vm() {
     PID="$(pidof qemu-system-riscv64)"
     kill -9 $PID
     wait $PID 2>/dev/null
 }
 
+function wait_for_ssh () {
+    for i in $(seq 1 30); do
+        if [ "$( $SSH_CMD -p$3 $1@$2 'whoami' )" == "root" ]; then
+            break
+        fi
+        echo "Waiting for the TVM's SSH ..."
+        sleep 1
+    done
+}
diff --git a/hypervisor/rootfs/selftest.sh b/hypervisor/rootfs/selftest.sh
@@ -5,15 +5,17 @@
 
 # This script runs all tests in harness
 
-declare -a TESTS=("test_esm")
+declare -a TESTS=("test_attestation" "test_smp")
 
 for i in "${TESTS[@]}"; do
-    ./$i.sh 2>&1 > $i.log 
+    ./$i.sh 2>&1 > $i.log
     RESULT=$?
     if [ $RESULT -eq 0 ]; then
         echo "$i: success"
     else
         echo "$i: failed"
-        cat $i.log  
+        echo ""
+        echo "======= Logs: ======="
+        cat $i.log
     fi
-done
+done
diff --git a/hypervisor/rootfs/test_attestation.sh b/hypervisor/rootfs/test_attestation.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2025 IBM Corporation
+# SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
+# SPDX-License-Identifier: Apache-2.0
+. common.sh
+
+/root/run_linux_vm_qemu.sh -s=1 -m=256M --daemonize 2>&1 > tmp_run_vm.log &
+sleep 5
+
+TVM_USER="root"
+TVM_HOST="localhost"
+TVM_PORT="$(grep 'SSH port' tmp_run_vm.log | awk -F': ' '{ print $2 }' )"
+echo "TVM's SSH is listening on port: $TVM_PORT"
+
+wait_for_ssh $TVM_USER $TVM_HOST $TVM_PORT
+
+$SSH_CMD -p${TVM_PORT} ${TVM_USER}@${TVM_HOST} 'insmod /root/ace_module/ace.ko'
+$SSH_CMD -p${TVM_PORT} ${TVM_USER}@${TVM_HOST} 'dmesg | grep Secret' > tmp_dmesg.log
+
+ATTESTATION_RESULT="$(grep 'Secret=0xc0ffee' tmp_dmesg.log | wc -l)"
+
+kill_confidential_vm
+sleep 5
+
+if [[ "x$ATTESTATION_RESULT" == "x1" ]]; then
+    echo "Attestation test succeeded"
+    exit 0
+else
+    echo "Attestation test failed"
+    exit 1
+fi
diff --git a/hypervisor/rootfs/test_smp.sh b/hypervisor/rootfs/test_smp.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+# SPDX-FileCopyrightText: 2025 IBM Corporation
+# SPDX-FileContributor: Wojciech Ozga <woz@zurich.ibm.com>, IBM Research - Zurich
+# SPDX-License-Identifier: Apache-2.0
+. common.sh
+
+/root/run_linux_vm_qemu.sh -s=2 -m=256M --daemonize 2>&1 > tmp_run_smp.log &
+sleep 5
+
+TVM_USER="root"
+TVM_HOST="localhost"
+TVM_PORT="$(grep 'SSH port' tmp_run_smp.log | awk -F': ' '{ print $2 }' )"
+echo "TVM's SSH is listening on port: $TVM_PORT"
+
+wait_for_ssh $TVM_USER $TVM_HOST $TVM_PORT
+
+$SSH_CMD -p${TVM_PORT} ${TVM_USER}@${TVM_HOST} 'cat /root/this_is_confidential_vm_filesystem' > tmp_smp_dmesg.log
+RESULT="$(grep 'hello from confidential VM filesystem' tmp_smp_dmesg.log | wc -l)"
+
+kill_confidential_vm
+sleep 5
+
+if [[ "x$RESULT" == "x1" ]]; then
+    echo "SMP test succeeded"
+    exit 0
+else
+    echo "SMP test failed"
+    exit 1
+fi
diff --git a/security-monitor/Cargo.lock b/security-monitor/Cargo.lock
diff --git a/security-monitor/Cargo.toml b/security-monitor/Cargo.toml
@@ -25,7 +25,7 @@ pointers_utility = {path = "rust-crates/pointers_utility"}
 riscv-decode = "0.2"
 
 # The `spin` crate provides synchronization primitives (Mutexes etc) using spinlocks
-spin = {version="0.9", default-features = false, features = ["once", "rwlock", "spin_mutex"]}
+spin = {version="0.10", default-features = false, features = ["once", "rwlock", "spin_mutex"]}
 
 # This crates provides functionality to parse TVM attestation payload (TAP).
 riscv_cove_tap = {path = "rust-crates/riscv_cove_tap", features = ["parser"]}
diff --git a/tools/ace_test.sh b/tools/ace_test.sh
@@ -21,37 +21,16 @@ echo "Hypervisor's SSH is listening on port: $HYPERVISOR_TEST_PORT"
 # wait until the VM is up and running
 wait_for_ssh ${HYPERVISOR_TEST_LOGIN} ${HYPERVISOR_TEST_HOSTNAME} ${HYPERVISOR_TEST_PORT}
 
-# test confidential memory protections
-QEMU_MEMORY_SIZE_MB=2048
-
-# Verify that the hypervisor has no access to the confidential memory
-MEMORY_ACCESS_EXEC="insmod ace-kernel-module/ace.ko"
-MEMORY_BASE_ADDRESS="$(hex2dec 80000000 10 16)"
-let MEMORY_SIZE=${QEMU_MEMORY_SIZE_MB}*1024*1024
-let NONSECURE_MEMORY_BASE_ADDRESS=${MEMORY_BASE_ADDRESS}+2048*1024 # after OpenSBI reserved memory
-let SECURE_MEMORY_BASE_ADDRESS=${MEMORY_BASE_ADDRESS}+${MEMORY_SIZE}/2
-let SECURE_MEMORY_END_ADDRESS=${SECURE_MEMORY_BASE_ADDRESS}+${MEMORY_SIZE}/2-1
-
-declare -A EXPECTED_MEMORY_ACCESS=([$NONSECURE_MEMORY_BASE_ADDRESS]=0 [$MEMORY_BASE_ADDRESS]=1 [$SECURE_MEMORY_BASE_ADDRESS]=1 [$SECURE_MEMORY_END_ADDRESS]=1)
-
-for i in "${!EXPECTED_MEMORY_ACCESS[@]}"; do
-    ADDRESS=$(hex2dec $i 16 10)
-    EXPECTED_RESULT=${EXPECTED_MEMORY_ACCESS[$i]}
-    RESULT=$(${SSH_CMD} -p${HYPERVISOR_TEST_PORT} ${HYPERVISOR_TEST_LOGIN}@${HYPERVISOR_TEST_HOSTNAME} ./test_secure_memory.sh 0x$ADDRESS 2>&1)
-    ACCESS_FAILED="$(echo $RESULT | grep 'Segmentation fault' | wc -l)"
-    if [ $ACCESS_FAILED -ne $EXPECTED_RESULT ]; then
-        echo "incorrect access rights to $ADDRESS: FAIL"
-    else
-        echo "correct access rights to $ADDRESS: succeess"
-    fi
-    kill_qemu ${HYPERVISOR_TEST_PORT}
-    ${ACE_DIR}/tools/ace_run_hypervisor.sh --daemonize > .run_tests.log
-    HYPERVISOR_TEST_PORT="$(grep 'SSH port' .run_tests.log | awk -F': ' '{ print $2 }' )"
-    wait_for_ssh ${HYPERVISOR_TEST_LOGIN} ${HYPERVISOR_TEST_HOSTNAME} ${HYPERVISOR_TEST_PORT}    
-done
-
 # execute tests remotely over ssh
-${SSH_CMD} -p${HYPERVISOR_TEST_PORT} ${HYPERVISOR_TEST_LOGIN}@${HYPERVISOR_TEST_HOSTNAME} './selftest.sh'
+${SSH_CMD} -p${HYPERVISOR_TEST_PORT} ${HYPERVISOR_TEST_LOGIN}@${HYPERVISOR_TEST_HOSTNAME} './selftest.sh' > ace_test_results
 
 # kill the VM
 kill_qemu ${HYPERVISOR_TEST_PORT}
+
+FAILED="$( grep ': failed' ace_test_results | wc -l)"
+cat ace_test_results
+
+if [[ $FAILED -gt 0 ]]; then
+    exit 1
+fi
+exit 0
diff --git a/tools/common.sh b/tools/common.sh
diff --git a/tools/cove_tap_tool/Cargo.lock b/tools/cove_tap_tool/Cargo.lock
diff --git a/tools/cove_tap_tool/Cargo.toml b/tools/cove_tap_tool/Cargo.toml

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-hello from confidential VM's filesystem`
	`1`	`+hello from confidential VM filesystem`