test: add functional tests for booting secret free VMs

roypat · roypat · commit 604e3d7236f9 · 2025-04-25T14:19:55.000+01:00
Add a test that we can boot VMs and initrds with secret freedom
enabled.

Signed-off-by: Patrick Roy &lt;roypat@amazon.co.uk&gt;
diff --git a/tests/integration_tests/functional/test_secret_freedom.py b/tests/integration_tests/functional/test_secret_freedom.py
@@ -0,0 +1,80 @@
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+"""Test secret-freedom related functionality."""
+
+import pytest
+
+from framework import defs
+from framework.microvm import Serial
+from framework.properties import global_props
+from integration_tests.performance.test_initrd import INITRD_FILESYSTEM
+
+pytestmark = [
+    pytest.mark.skipif(
+        global_props.host_linux_version_metrics != "next",
+        reason="Secret Freedom is only supported on the in-dev upstream kernels for now",
+    ),
+    pytest.mark.skipif(
+        global_props.instance == "m6g.metal",
+        reason="Secret Freedom currently only works on ARM hardware conforming to at least ARMv8.4 as absense of ARM64_HAS_STAGE2_FWB causes kernel panics because of dcache flushing during stage2 page table entry installation",
+    ),
+]
+
+
+def test_secret_free_boot(microvm_factory, guest_kernel, rootfs):
+    """Tests that a VM can boot if all virtio devices are bound to a swiotlb region, and
+    that this swiotlb region is actually discovered by the guest."""
+    vm = microvm_factory.build(guest_kernel, rootfs)
+    vm.spawn()
+    vm.memory_monitor = None
+    vm.basic_config(
+        memory_config={"secret_free": True},
+    )
+    vm.add_net_iface()
+    vm.start()
+
+
+def test_secret_free_initrd(microvm_factory, guest_kernel):
+    """
+    Test that we can boot a secret hidden initrd (e.g. a VM with no I/O devices)
+    """
+    fs = defs.ARTIFACT_DIR / "initramfs.cpio"
+    uvm = microvm_factory.build(guest_kernel)
+    uvm.initrd_file = fs
+    uvm.help.enable_console()
+    uvm.spawn()
+    uvm.memory_monitor = None
+
+    uvm.basic_config(
+        add_root_device=False,
+        vcpu_count=1,
+        boot_args="console=ttyS0 reboot=k panic=1 pci=off",
+        use_initrd=True,
+        memory_config={"secret_free": True},
+    )
+
+    uvm.start()
+    serial = Serial(uvm)
+    serial.open()
+    serial.rx(token="# ")
+    serial.tx("mount |grep rootfs")
+    serial.rx(token=f"rootfs on / type {INITRD_FILESYSTEM}")
+
+
+def test_secret_free_snapshot_creation(microvm_factory, guest_kernel, rootfs):
+    """Test that snapshot creation works for secret hidden VMs"""
+    vm = microvm_factory.build(guest_kernel, rootfs)
+    vm.spawn()
+    vm.memory_monitor = None
+    vm.basic_config(
+        memory_config={"secret_free": True},
+    )
+    vm.add_net_iface()
+    vm.start()
+
+    snapshot = vm.snapshot_full()
+
+    # After restoration, the VM will not be secret hidden anymore, as that's not supported yet.
+    # But we can at least test that in principle, the snapshot creation worked.
+    vm = microvm_factory.build_from_snapshot(snapshot)
+    vm.ssh.check_output("true")
diff --git a/tests/integration_tests/performance/test_block_ab.py b/tests/integration_tests/performance/test_block_ab.py
@@ -169,13 +169,22 @@ def test_block_performance(
     """
     Execute block device emulation benchmarking scenarios.
     """
-    if memory_config is not None and "6.1" not in guest_kernel_acpi.name:
+    if (
+        memory_config is not None
+        and memory_config["initial_swiotlb_size"] != 0
+        and "6.1" not in guest_kernel_acpi.name
+    ):
         pytest.skip("swiotlb only supported on aarch64/6.1")
 
+    if memory_config is not None and io_engine == "Async":
+        pytest.skip("userspace bounce buffers not supported with async block engine")
+
     vm = microvm_factory.build(guest_kernel_acpi, rootfs, monitor_memory=False)
     vm.spawn(log_level="Info", emit_metrics=True)
     vm.basic_config(
-        vcpu_count=vcpus, mem_size_mib=GUEST_MEM_MIB, memory_config=memory_config
+        vcpu_count=vcpus,
+        mem_size_mib=GUEST_MEM_MIB,
+        memory_config=memory_config,
     )
     vm.add_net_iface()
     # Add a secondary block device for benchmark tests.
diff --git a/tests/integration_tests/performance/test_boottime.py b/tests/integration_tests/performance/test_boottime.py
@@ -75,7 +75,11 @@ def test_boottime(
 ):
     """Test boot time with different guest configurations"""
 
-    if memory_config is not None and "6.1" not in guest_kernel_acpi.name:
+    if (
+        memory_config is not None
+        and memory_config["initial_swiotlb_size"] != 0
+        and "6.1" not in guest_kernel_acpi.name
+    ):
         pytest.skip("swiotlb only supported on aarch64/6.1")
 
     for _ in range(10):
diff --git a/tests/integration_tests/performance/test_network_ab.py b/tests/integration_tests/performance/test_network_ab.py
@@ -40,7 +40,11 @@ def network_microvm(request, microvm_factory, guest_kernel_acpi, rootfs, memory_
     """Creates a microvm with the networking setup used by the performance tests in this file.
     This fixture receives its vcpu count via indirect parameterization"""
 
-    if memory_config is not None and "6.1" not in guest_kernel_acpi.name:
+    if (
+        memory_config is not None
+        and memory_config["initial_swiotlb_size"] != 0
+        and "6.1" not in guest_kernel_acpi.name
+    ):
         pytest.skip("swiotlb only supported on aarch64/6.1")
 
     guest_mem_mib = 1024
@@ -49,7 +53,9 @@ def network_microvm(request, microvm_factory, guest_kernel_acpi, rootfs, memory_
     vm = microvm_factory.build(guest_kernel_acpi, rootfs, monitor_memory=False)
     vm.spawn(log_level="Info", emit_metrics=True)
     vm.basic_config(
-        vcpu_count=guest_vcpus, mem_size_mib=guest_mem_mib, memory_config=memory_config
+        vcpu_count=guest_vcpus,
+        mem_size_mib=guest_mem_mib,
+        memory_config=memory_config,
     )
     vm.add_net_iface()
     vm.start()
diff --git a/tests/integration_tests/performance/test_vsock_ab.py b/tests/integration_tests/performance/test_vsock_ab.py
@@ -91,14 +91,20 @@ def test_vsock_throughput(
     if mode == "bd" and vcpus < 2:
         pytest.skip("bidrectional test only done with at least 2 vcpus")
 
-    if memory_config is not None and "6.1" not in guest_kernel_acpi.name:
+    if (
+        memory_config is not None
+        and memory_config["initial_swiotlb_size"] != 0
+        and "6.1" not in guest_kernel_acpi.name
+    ):
         pytest.skip("swiotlb only supported on aarch64/6.1")
 
     mem_size_mib = 1024
     vm = microvm_factory.build(guest_kernel_acpi, rootfs, monitor_memory=False)
     vm.spawn(log_level="Info", emit_metrics=True)
     vm.basic_config(
-        vcpu_count=vcpus, mem_size_mib=mem_size_mib, memory_config=memory_config
+        vcpu_count=vcpus,
+        mem_size_mib=mem_size_mib,
+        memory_config=memory_config,
     )
     vm.add_net_iface()
     # Create a vsock device
