-
Notifications
You must be signed in to change notification settings - Fork 39
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added new SEV CI PR test for SNP host and guest on self-hosted runner
Performs SEV cargo tests on the SNP host and SNP guest Signed-off-by: Harika Nittala <[email protected]>
- Loading branch information
1 parent
d4ff5fa
commit 34ba405
Showing
1 changed file
with
150 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,150 @@ | ||
| name: SEV CI PR test | ||
|
|
||
| on: | ||
| pull_request_target: | ||
| types: | ||
| - reopened | ||
| - opened | ||
| - edited | ||
| - synchronize | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| snp_host_tests: | ||
| runs-on: self-hosted | ||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Verify if SNP is enabled on the host | ||
| run: | | ||
| verify_snp_host() { | ||
| if ! sudo dmesg | grep -i "SEV-SNP enabled" 2>&1 >/dev/null; then | ||
| echo -e "SEV-SNP not enabled on the host. Please follow these steps to enable:\n\ | ||
| $(echo "${AMDSEV_URL}" | sed 's|\.git$||g')/tree/${AMDSEV_DEFAULT_BRANCH}#prepare-host" | ||
| return 1 | ||
| fi | ||
| } | ||
| verify_snp_host | ||
| - name: SEV CI PR test on the host | ||
| run: | | ||
| echo "Event name = ${{ github.event_name }}" | ||
| # Give user access to /dev/sev to run cargo tests w/o permission issues | ||
| sudo usermod -a -G kvm $USER | ||
| sudo setfacl -m g:kvm:rw /dev/sev | ||
| # Fetch and checkout SEV PR on the host | ||
| rm -rf ~/sev | ||
| git clone https://github.com/virtee/sev.git | ||
| cd sev | ||
| # Checkout PR branch | ||
| if [ ${{ github.event_name }} == "pull_request_target" ]; then | ||
| git fetch origin pull/${{ github.event.pull_request.number }}/head:${{ github.head_ref }} | ||
| git switch ${{ github.head_ref }} | ||
| fi | ||
| # Install Rust on the host | ||
| source "${HOME}/.cargo/env" 2>/dev/null || true | ||
| if ! command -v rustc &> /dev/null; then | ||
| echo "Installing Rust..." | ||
| curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -sSf | sh -s -- -y | ||
| source "${HOME}/.cargo/env" 2>/dev/null | ||
| fi | ||
| # Cargo SEV PR test on the host | ||
| cargo test | ||
| snp_guest_tests: | ||
| runs-on: self-hosted | ||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Launch SNP enabled guest | ||
| run: | | ||
| rm -rf ~/snp.sh | ||
| wget https://raw.githubusercontent.com/LakshmiSaiHarika/sev-utils/Fedora-Latest-SNP-kernel-Upstream/tools/snp.sh | ||
| chmod +x snp.sh | ||
| # rm -rf ~/snp/launch | ||
| ./snp.sh launch-guest | ||
| - name: Verify SNP on the guest via MSR | ||
| run: | | ||
| ssh_guest_command() { | ||
| GUEST_SSH_KEY_PATH="${HOME}/snp/launch/snp-guest-key" | ||
| if [ ! -f "${GUEST_SSH_KEY_PATH}" ]; then | ||
| echo "SSH key not present, cannot verify guest SNP enabled." | ||
| exit 1 | ||
| fi | ||
| command="$1" | ||
| ssh -p 10022 -i "${GUEST_SSH_KEY_PATH}" -o "StrictHostKeyChecking no" -o "PasswordAuthentication=no" -o ConnectTimeout=1 amd@localhost "${command}" | ||
| } | ||
| verify_snp_guest_msr(){ | ||
| # Install guest rdmsr package dependencies to insert guest msr module | ||
| ssh_guest_command "sudo dnf install -y msr-tools > /dev/null 2>&1" > /dev/null 2>&1 | ||
| ssh_guest_command "sudo modprobe msr" > /dev/null 2>&1 | ||
| local guest_msr_read=$(ssh_guest_command "sudo rdmsr -p 0 0xc0010131") | ||
| guest_msr_read=$(echo "${guest_msr_read}" | tr -d '\r' | bc) | ||
| # Map all the sev features in a single associative array for all guest SEV features | ||
| declare -A actual_sev_snp_bit_status=( | ||
| [SEV]=$(( ( guest_msr_read >> 0) & 1)) | ||
| [SEV-ES]=$(( (guest_msr_read >> 1) & 1)) | ||
| [SNP]=$(( (guest_msr_read >> 2) & 1)) | ||
| ) | ||
| local sev_snp_error="" | ||
| for sev_snp_key in "${!actual_sev_snp_bit_status[@]}"; | ||
| do | ||
| if [[ ${actual_sev_snp_bit_status[$sev_snp_key]} != 1 ]]; then | ||
| # Capture the guest SEV/SNP bit value mismatch | ||
| sev_snp_error+=$(echo "$sev_snp_key feature is not active on the guest.\n"); | ||
| fi | ||
| done | ||
| if [[ ! -z "${sev_snp_error}" ]]; then | ||
| >&2 echo -e "ERROR: ${sev_snp_error}" | ||
| return 1 | ||
| fi | ||
| } | ||
| verify_snp_guest_msr | ||
| - name: SEV CI PR test on the guest | ||
| run: | | ||
| ssh_guest_command() { | ||
| # SSH guest commands | ||
| GUEST_SSH_KEY_PATH="${HOME}/snp/launch/snp-guest-key" | ||
| if [ ! -f "${GUEST_SSH_KEY_PATH}" ]; then | ||
| echo "SSH key not present, cannot verify guest SNP enabled." | ||
| exit 1 | ||
| fi | ||
| command="$1" | ||
| ssh -p 10022 -i "${GUEST_SSH_KEY_PATH}" -o "StrictHostKeyChecking no" -o "PasswordAuthentication=no" -o ConnectTimeout=1 amd@localhost "${command}" | ||
| } | ||
| # Install sev dependencies as a root user | ||
| ssh_guest_command "sudo su - <<EOF | ||
| curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -sSf | sh -s -- -y | ||
| source "${HOME}/.cargo/env" 2>/dev/null | ||
| sudo dnf install -y git gcc | ||
| EOF" | ||
| # Clean up and perform PR test on sev library as root user to fix OS permission denied issues | ||
| ssh_guest_command "sudo su - <<EOF | ||
| rm -rf ~/sev | ||
| git clone https://github.com/virtee/sev.git | ||
| cd ~/sev | ||
| # Checkout PR branch | ||
| if [ ${{ github.event_name }} == "pull_request_target" ]; then | ||
| git fetch origin pull/${{ github.event.pull_request.number }}/head:${{ github.head_ref }} | ||
| git switch ${{ github.head_ref }} | ||
| fi | ||
| cargo test | ||
| EOF" |