snp.sh: Add another guest snp check to verify if the guest SNP is active

This check reads the dedicated guest MSR(MSR_AMD64_SEV, MSR 0xc0010131) to determine if SNP is on and supported.

Signed-off-by: Harika Nittala <[email protected]>

tools/snp.sh

@@ -115,6 +115,7 @@ usage() {
   >&2 echo "    attest-guest          Use virtee/snpguest and sev-snp-measure to attest a SNP guest"
   >&2 echo "    stop-guests           Stop all SNP guests started by this script"
   >&2 echo "    check-host-snp-cpuid     Read the dedicated host MSR to determine if SNP is on and supported"
+  >&2 echo "    check-guest-snp-msr      Read the dedicated guest MSR to determine if SNP is on and supported"
   >&2 echo "  where OPTIONS are:"
   >&2 echo "    -n|--non-upm          Build AMDSEV non UPM kernel (sev-snp-devel)"
   >&2 echo "    -i|--image            Path to existing image file"
@@ -152,6 +153,9 @@ cleanup() {
       check-host-snp-cpuid)
         ;;
 
+      check-guest-snp-msr)
+        ;;
+
       *)
         >&2 echo -e "Unknown ERROR encountered"
       ;;
@@ -191,6 +195,35 @@ verify_platform_snp_bit_status() {
       )
   fi
 
+  if [ "$1" == "guest" ]; then
+    if [ ! -f "${GUEST_SSH_KEY_PATH}" ]; then
+      >&2 echo -e "Guest SSH key not present [${GUEST_SSH_KEY_PATH}], so cannot verify guest SNP enabled"
+      return 1
+    fi
+
+    # Install guest rdmsr package dependencies to insert & insert guest msr module
+    ssh_guest_command "sudo DEBIAN_FRONTEND=noninteractive sudo apt install -y msr-tools > /dev/null 2>&1" > /dev/null 2>&1
+    ssh_guest_command "sudo modprobe msr" > /dev/null 2>&1
+
+    # Read the guest (MSR_AMD64_SEV) value
+    local guest_msr_read
+    guest_msr_read=$(ssh_guest_command "sudo rdmsr -p 0 0xc0010131")
+    guest_msr_read=$(echo "${guest_msr_read}" | tr -d '\r' | bc)
+
+    # Map all the sev features in a single associative array for all guest SEV features
+    declare -A actual_sev_snp_bit_status=(
+      [SEV]=$((${guest_msr_read} & 1))
+      [SEV-ES]=$((${guest_msr_read} & 2))
+      [SNP]=$((${guest_msr_read} & 4))
+    )
+
+    declare -A expected_sev_snp_bit_value=(
+      [SEV]=1
+      [SEV-ES]=2
+      [SNP]=4
+    )
+  fi
+
   # Checks for the presence of all the security feature support in the platform
   local sev_snp_error
   sev_snp_error=""
@@ -203,6 +236,10 @@ verify_platform_snp_bit_status() {
           sev_snp_error+=$(echo "Swap of a processor that supports $sev_snp_key feature is required. \n");
           sev_snp_error+=$(echo "$sev_snp_key current bit value is: ${actual_sev_snp_bit_status[$sev_snp_key]} .\n")
         fi
+        # Capture the guest SEV/SNP bit value mismatch
+        if [ "$1" == "guest" ]; then
+          sev_snp_error+=$(echo "$sev_snp_key feature is not active on the guest.\n");
+        fi
       fi
   done
 
@@ -1222,6 +1259,11 @@ main() {
         shift
         ;;
 
+      check-guest-snp-msr)
+        COMMAND="check-guest-snp-msr"
+        shift
+        ;;
+
       -*|--*)
         >&2 echo -e "Unsupported Option: [${1}]\n"
         usage
@@ -1283,6 +1325,7 @@ main() {
 
       setup_and_launch_guest
       wait_and_retry_command verify_snp_guest
+      wait_and_retry_command verify_platform_snp_bit_status guest
 
       echo -e "Guest SSH port forwarded to host port: ${HOST_SSH_PORT}"
       echo -e "The guest is running in the background. Use the following command to access via SSH:"
@@ -1294,6 +1337,7 @@ main() {
       install_sev_snp_measure
       install_dependencies
       wait_and_retry_command verify_snp_guest
+      wait_and_retry_command verify_platform_snp_bit_status guest
       setup_guest_attestation
       attest_guest
       ;;
@@ -1306,6 +1350,10 @@ main() {
       verify_platform_snp_bit_status host
       ;;
 
+    check-guest-snp-msr)
+      verify_platform_snp_bit_status guest
+      ;;
+
     *)
       >&2 echo -e "Unsupported Command: [${1}]\n"
       usage