|
| 1 | +# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved. |
| 2 | +# SPDX-License-Identifier: Apache-2.0 |
| 3 | +"""Test secret-freedom related functionality.""" |
| 4 | + |
| 5 | +import pytest |
| 6 | + |
| 7 | +from framework import defs |
| 8 | +from framework.microvm import Serial |
| 9 | +from framework.properties import global_props |
| 10 | +from integration_tests.performance.test_initrd import INITRD_FILESYSTEM |
| 11 | + |
| 12 | +pytestmark = [ |
| 13 | + pytest.mark.skipif( |
| 14 | + global_props.host_linux_version_metrics != "next", |
| 15 | + reason="Secret Freedom is only supported on the in-dev upstream kernels for now", |
| 16 | + ), |
| 17 | + pytest.mark.skipif( |
| 18 | + global_props.instance == "m6g.metal", |
| 19 | + reason="Secret Freedom currently only works on ARM hardware conforming to at least ARMv8.4 as absense of ARM64_HAS_STAGE2_FWB causes kernel panics because of dcache flushing during stage2 page table entry installation", |
| 20 | + ), |
| 21 | +] |
| 22 | + |
| 23 | + |
| 24 | +def test_secret_free_boot(microvm_factory, guest_kernel, rootfs): |
| 25 | + """Tests that a VM can boot if all virtio devices are bound to a swiotlb region, and |
| 26 | + that this swiotlb region is actually discovered by the guest.""" |
| 27 | + vm = microvm_factory.build(guest_kernel, rootfs) |
| 28 | + vm.spawn() |
| 29 | + vm.memory_monitor = None |
| 30 | + vm.basic_config(secret_free=True) |
| 31 | + vm.add_net_iface() |
| 32 | + vm.start() |
| 33 | + |
| 34 | + |
| 35 | +def test_secret_free_initrd(microvm_factory, guest_kernel): |
| 36 | + """ |
| 37 | + Test that we can boot a secret hidden initrd (e.g. a VM with no I/O devices) |
| 38 | + """ |
| 39 | + fs = defs.ARTIFACT_DIR / "initramfs.cpio" |
| 40 | + uvm = microvm_factory.build(guest_kernel) |
| 41 | + uvm.initrd_file = fs |
| 42 | + uvm.help.enable_console() |
| 43 | + uvm.spawn() |
| 44 | + uvm.memory_monitor = None |
| 45 | + |
| 46 | + uvm.basic_config( |
| 47 | + add_root_device=False, |
| 48 | + vcpu_count=1, |
| 49 | + boot_args="console=ttyS0 reboot=k panic=1 pci=off", |
| 50 | + use_initrd=True, |
| 51 | + secret_free=True, |
| 52 | + ) |
| 53 | + |
| 54 | + uvm.start() |
| 55 | + serial = Serial(uvm) |
| 56 | + serial.open() |
| 57 | + serial.rx(token="# ") |
| 58 | + serial.tx("mount |grep rootfs") |
| 59 | + serial.rx(token=f"rootfs on / type {INITRD_FILESYSTEM}") |
| 60 | + |
| 61 | + |
| 62 | +def test_secret_free_snapshot_creation(microvm_factory, guest_kernel, rootfs): |
| 63 | + """Test that snapshot creation works for secret hidden VMs""" |
| 64 | + vm = microvm_factory.build(guest_kernel, rootfs) |
| 65 | + vm.spawn() |
| 66 | + vm.memory_monitor = None |
| 67 | + vm.basic_config(secret_free=True) |
| 68 | + vm.add_net_iface() |
| 69 | + vm.start() |
| 70 | + |
| 71 | + snapshot = vm.snapshot_full() |
| 72 | + |
| 73 | + # After restoration, the VM will not be secret hidden anymore, as that's not supported yet. |
| 74 | + # But we can at least test that in principle, the snapshot creation worked. |
| 75 | + vm = microvm_factory.build_from_snapshot(snapshot) |
| 76 | + vm.ssh.check_output("true") |
0 commit comments