Merge "Provide HW_CPU_X86_AMD_SEV trait when SEV is supported"

Author: Zuul

nova/tests/functional/libvirt/test_report_cpu_traits.py

@@ -13,14 +13,25 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import mock
+
+import os_traits as ost
+
 from nova import conf
+from nova import test
 from nova.tests.functional.libvirt import integrated_helpers
+from nova.tests.unit.virt.libvirt import fakelibvirt
+from nova.virt.libvirt.host import SEV_KERNEL_PARAM_FILE
 
 CONF = conf.CONF
 
 
-class LibvirtReportTraitsTests(
+class LibvirtReportTraitsTestBase(
         integrated_helpers.LibvirtProviderUsageBaseTestCase):
+    pass
+
+
+class LibvirtReportTraitsTests(LibvirtReportTraitsTestBase):
     def test_report_cpu_traits(self):
         self.assertEqual([], self._get_all_providers())
         self.start_compute()
@@ -46,3 +57,123 @@ def test_report_cpu_traits(self):
             [u'HW_CPU_X86_VMX', u'HW_CPU_X86_AESNI', u'CUSTOM_TRAITS']
         )
         self.assertItemsEqual(expected_traits, traits)
+
+
+class LibvirtReportNoSevTraitsTests(LibvirtReportTraitsTestBase):
+    STUB_INIT_HOST = False
+
+    @test.patch_exists(SEV_KERNEL_PARAM_FILE, False)
+    def setUp(self):
+        super(LibvirtReportNoSevTraitsTests, self).setUp()
+        self.start_compute()
+
+    def test_sev_trait_off_on(self):
+        """Test that the compute service reports the SEV trait in the list of
+        global traits, but doesn't immediately register it on the
+        compute host resource provider in the placement API, due to
+        the kvm-amd kernel module's sev parameter file being (mocked
+        as) absent.
+
+        Then test that if the SEV capability appears (again via
+        mocking), after a restart of the compute service, the trait
+        gets registered on the compute host.
+        """
+        self.assertFalse(self.compute.driver._host.supports_amd_sev)
+
+        sev_trait = ost.HW_CPU_X86_AMD_SEV
+
+        global_traits = self._get_all_traits()
+        self.assertIn(sev_trait, global_traits)
+
+        traits = self._get_provider_traits(self.host_uuid)
+        self.assertNotIn(sev_trait, traits)
+
+        # Now simulate the host gaining SEV functionality.  Here we
+        # simulate a kernel update or reconfiguration which causes the
+        # kvm-amd kernel module's "sev" parameter to become available
+        # and set to 1, however it could also happen via a libvirt
+        # upgrade, for instance.
+        sev_features = \
+            fakelibvirt.virConnect._domain_capability_features_with_SEV
+        with test.nested(
+                self.patch_exists(SEV_KERNEL_PARAM_FILE, True),
+                self.patch_open(SEV_KERNEL_PARAM_FILE, "1\n"),
+                mock.patch.object(fakelibvirt.virConnect,
+                                  '_domain_capability_features',
+                                  new=sev_features)
+        ) as (mock_exists, mock_open, mock_features):
+            # Retrigger the detection code.  In the real world this
+            # would be a restart of the compute service.
+            self.compute.driver._host._set_amd_sev_support()
+            self.assertTrue(self.compute.driver._host.supports_amd_sev)
+
+            mock_exists.assert_has_calls([mock.call(SEV_KERNEL_PARAM_FILE)])
+            mock_open.assert_has_calls([mock.call(SEV_KERNEL_PARAM_FILE)])
+
+            # However it won't disappear in the provider tree and get synced
+            # back to placement until we force a reinventory:
+            self.compute.manager.reset()
+            self._run_periodics()
+
+            traits = self._get_provider_traits(self.host_uuid)
+            self.assertIn(sev_trait, traits)
+
+            # Sanity check that we've still got the trait globally.
+            self.assertIn(sev_trait, self._get_all_traits())
+
+
+class LibvirtReportSevTraitsTests(LibvirtReportTraitsTestBase):
+    STUB_INIT_HOST = False
+
+    @test.patch_exists(SEV_KERNEL_PARAM_FILE, True)
+    @test.patch_open(SEV_KERNEL_PARAM_FILE, "1\n")
+    @mock.patch.object(
+        fakelibvirt.virConnect, '_domain_capability_features',
+        new=fakelibvirt.virConnect._domain_capability_features_with_SEV)
+    def setUp(self):
+        super(LibvirtReportSevTraitsTests, self).setUp()
+        self.start_compute()
+
+    def test_sev_trait_on_off(self):
+        """Test that the compute service reports the SEV trait in the list of
+        global traits, and immediately registers it on the compute
+        host resource provider in the placement API, due to the SEV
+        capability being (mocked as) present.
+
+        Then test that if the SEV capability disappears (again via
+        mocking), after a restart of the compute service, the trait
+        gets removed from the compute host.
+        """
+        self.assertTrue(self.compute.driver._host.supports_amd_sev)
+
+        sev_trait = ost.HW_CPU_X86_AMD_SEV
+
+        global_traits = self._get_all_traits()
+        self.assertIn(sev_trait, global_traits)
+
+        traits = self._get_provider_traits(self.host_uuid)
+        self.assertIn(sev_trait, traits)
+
+        # Now simulate the host losing SEV functionality.  Here we
+        # simulate a kernel downgrade or reconfiguration which causes
+        # the kvm-amd kernel module's "sev" parameter to become
+        # unavailable, however it could also happen via a libvirt
+        # downgrade, for instance.
+        with self.patch_exists(SEV_KERNEL_PARAM_FILE, False) as mock_exists:
+            # Retrigger the detection code.  In the real world this
+            # would be a restart of the compute service.
+            self.compute.driver._host._set_amd_sev_support()
+            self.assertFalse(self.compute.driver._host.supports_amd_sev)
+
+            mock_exists.assert_has_calls([mock.call(SEV_KERNEL_PARAM_FILE)])
+
+            # However it won't disappear in the provider tree and get synced
+            # back to placement until we force a reinventory:
+            self.compute.manager.reset()
+            self._run_periodics()
+
+            traits = self._get_provider_traits(self.host_uuid)
+            self.assertNotIn(sev_trait, traits)
+
+            # Sanity check that we've still got the trait globally.
+            self.assertIn(sev_trait, self._get_all_traits())

nova/tests/unit/virt/libvirt/test_driver.py

@@ -42,6 +42,7 @@
 from os_brick import exception as brick_exception
 from os_brick.initiator import connector
 import os_resource_classes as orc
+import os_traits as ot
 import os_vif
 from oslo_concurrency import lockutils
 from oslo_concurrency import processutils
@@ -18617,7 +18618,8 @@ def _get_inventory(self):
             },
         }
 
-    @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_cpu_traits',
+    @mock.patch('nova.virt.libvirt.driver.LibvirtDriver.'
+                '_get_cpu_feature_traits',
                 new=mock.Mock(return_value=cpu_traits))
     @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_gpu_inventories')
     @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_local_gb_info',
@@ -18751,7 +18753,8 @@ def test_update_provider_tree_with_cpu_traits(self):
         self.assertEqual(set(['HW_CPU_X86_AVX512F', 'HW_CPU_X86_BMI']),
                          self.pt.data(self.cn_rp['uuid']).traits)
 
-    @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_cpu_traits',
+    @mock.patch('nova.virt.libvirt.driver.LibvirtDriver.'
+                '_get_cpu_feature_traits',
                 new=mock.Mock(return_value=cpu_traits))
     @mock.patch('nova.virt.libvirt.driver.LibvirtDriver.'
                 '_get_mediated_device_information')
@@ -18883,7 +18886,8 @@ def test_update_provider_tree_for_vgpu_reshape(
         self.assertEqual(original_allocations[uuids.consumer2],
                          allocations[uuids.consumer2])
 
-    @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_cpu_traits',
+    @mock.patch('nova.virt.libvirt.driver.LibvirtDriver.'
+                '_get_cpu_feature_traits',
                 new=mock.Mock(return_value=cpu_traits))
     @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_gpu_inventories')
     @mock.patch('nova.virt.libvirt.driver.LibvirtDriver._get_local_gb_info',
@@ -21678,6 +21682,10 @@ def test_recreate_mediated_device_on_init_host(
 
         # Fake the fact that mdev1 is existing but mdev2 not
         def _exists(path):
+            # Keep the AMD SEV support check happy
+            if path == '/sys/module/kvm_amd/parameters/sev':
+                return False
+
             # Just verify what we ask
             self.assertIn('/sys/bus/mdev/devices/', path)
             return True if uuids.mdev1 in path else False
@@ -21750,13 +21758,21 @@ def test_detach_mediated_devices_raises_exc(self):
         self.assertRaises(test.TestingException,
                           self._test_detach_mediated_devices, exc)
 
+    @mock.patch.object(libvirt_driver.LibvirtDriver, '_get_cpu_feature_traits',
+                       new=mock.Mock(return_value=None))
+    def test_cpu_traits_sev_no_feature_traits(self):
+        for support in (False, True):
+            self.drvr._host._supports_amd_sev = support
+            self.assertEqual({ot.HW_CPU_X86_AMD_SEV: support},
+                             self.drvr._get_cpu_traits())
+
     def test_cpu_traits_with_passthrough_mode(self):
         """Test getting CPU traits when cpu_mmode is 'host-passthrough', traits
         are calculated from fakelibvirt's baseline CPU features.
         """
         self.flags(cpu_mode='host-passthrough', group='libvirt')
         self.assertTraitsEqual(['HW_CPU_X86_AESNI', 'HW_CPU_X86_VMX'],
-                               self.drvr._get_cpu_traits())
+                               self.drvr._get_cpu_feature_traits())
 
     @mock.patch('nova.virt.libvirt.host.libvirt.Connection.baselineCPU')
     def test_cpu_traits_with_mode_none(self, mock_baseline):
@@ -21767,7 +21783,7 @@ def test_cpu_traits_with_mode_none(self, mock_baseline):
         mock_baseline.return_value = _fake_qemu64_cpu_feature
         self.assertTraitsEqual(['HW_CPU_X86_SSE', 'HW_CPU_X86_SVM',
                                 'HW_CPU_X86_MMX', 'HW_CPU_X86_SSE2'],
-                               self.drvr._get_cpu_traits())
+                               self.drvr._get_cpu_feature_traits())
 
         mock_baseline.assert_called_with([u'''<cpu>
   <arch>x86_64</arch>
@@ -21803,7 +21819,7 @@ def test_cpu_traits_with_mode_custom(self, mock_baseline):
                 'HW_CPU_X86_SSE2',
                 'HW_CPU_X86_SSE',
                 'HW_CPU_X86_MMX'
-            ], self.drvr._get_cpu_traits()
+            ], self.drvr._get_cpu_feature_traits()
         )
         mock_baseline.assert_called_with([u'''<cpu>
   <arch>x86_64</arch>
@@ -21822,7 +21838,7 @@ def test_cpu_traits_with_no_baseline_support(self, mock_baseline):
             'this function is not supported by the connection driver',
             error_code=fakelibvirt.VIR_ERR_NO_SUPPORT)
         mock_baseline.side_effect = not_supported_exc
-        self.assertTraitsEqual([], self.drvr._get_cpu_traits())
+        self.assertTraitsEqual([], self.drvr._get_cpu_feature_traits())
 
     @mock.patch('nova.virt.libvirt.host.libvirt.Connection.getCapabilities')
     @mock.patch('nova.virt.libvirt.host.libvirt.Connection.baselineCPU')
@@ -21865,7 +21881,7 @@ def mocked_baseline(cpu_xml, *args):
                 raise missing_model_exc
         mock_baseline.side_effect = mocked_baseline
 
-        self.assertTraitsEqual([], self.drvr._get_cpu_traits())
+        self.assertTraitsEqual([], self.drvr._get_cpu_feature_traits())
 
     def test_cpu_traits_with_invalid_virt_type(self):
         """Test getting CPU traits when using a virt_type that doesn't support
@@ -21876,7 +21892,7 @@ def test_cpu_traits_with_invalid_virt_type(self):
                    virt_type='lxc',
                    group='libvirt'
                    )
-        self.assertRaises(exception.Invalid, self.drvr._get_cpu_traits)
+        self.assertRaises(exception.Invalid, self.drvr._get_cpu_feature_traits)
 
     @mock.patch('nova.virt.libvirt.host.libvirt.Connection.getCapabilities')
     @mock.patch('nova.virt.libvirt.utils.cpu_features_to_traits')
@@ -21902,7 +21918,7 @@ def test_cpu_traits_with_mode_passthrough_and_extra_flags(
                 </host>
             </capabilities>
             """
-        self.drvr._get_cpu_traits()
+        self.drvr._get_cpu_feature_traits()
         self.assertItemsEqual(['pcid', 'erms'], mock_to_traits.call_args[0][0])
 
     @mock.patch('nova.virt.libvirt.host.libvirt.Connection.baselineCPU')
@@ -21924,7 +21940,7 @@ def test_cpu_traits_with_mode_custom_and_extra_flags(self, mock_to_traits,
                 <feature policy='require' name='pcid'/>
             </cpu>
             """
-        self.drvr._get_cpu_traits()
+        self.drvr._get_cpu_feature_traits()
         mock_baseline.assert_called_with([u'''<cpu>
   <arch>x86_64</arch>
   <model>IvyBridge</model>
@@ -21952,7 +21968,7 @@ def test_cpu_traits_with_mode_not_set_and_extra_flags(self, mock_to_traits,
                 <feature policy='require' name='erms'/>
             </cpu>
             """
-        self.drvr._get_cpu_traits()
+        self.drvr._get_cpu_feature_traits()
         self.assertItemsEqual(['pcid', 'erms'], mock_to_traits.call_args[0][0])
 
     def test_cpu_traits_with_mode_none_and_invalid_virt_type(self):
@@ -21962,7 +21978,7 @@ def test_cpu_traits_with_mode_none_and_invalid_virt_type(self):
         self.flags(cpu_mode='none',
                    virt_type='lxc',
                    group='libvirt')
-        self.assertIsNone(self.drvr._get_cpu_traits())
+        self.assertIsNone(self.drvr._get_cpu_feature_traits())
 
     @mock.patch('nova.virt.libvirt.host.libvirt.Connection.getCapabilities')
     @mock.patch('nova.virt.libvirt.host.libvirt.Connection.baselineCPU')
@@ -21989,7 +22005,7 @@ def test_cpu_traits_with_mode_none_on_power(self, mock_baseline, mock_cap):
            <vendor>IBM</vendor>
         </cpu>
         '''
-        self.drvr._get_cpu_traits()
+        self.drvr._get_cpu_feature_traits()
         mock_baseline.assert_called_with([u'''<cpu>
   <arch>ppc64le</arch>
   <model>POWER8</model>

nova/tests/unit/virt/libvirt/test_host.py

@@ -14,12 +14,15 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import os
+
 import eventlet
 from eventlet import greenthread
 import mock
 from oslo_utils.fixture import uuidsentinel as uuids
 from oslo_utils import uuidutils
 import six
+from six.moves import builtins
 import testtools
 
 
@@ -1163,3 +1166,61 @@ def test_is_cpu_control_policy_capable_ko(self):
     @mock.patch('six.moves.builtins.open', side_effect=IOError)
     def test_is_cpu_control_policy_capable_ioerror(self, mock_open):
         self.assertFalse(self.host.is_cpu_control_policy_capable())
+
+
+vc = fakelibvirt.virConnect
+
+
+class TestLibvirtSEV(test.NoDBTestCase):
+    """Libvirt host tests for AMD SEV support."""
+
+    def setUp(self):
+        super(TestLibvirtSEV, self).setUp()
+
+        self.useFixture(fakelibvirt.FakeLibvirtFixture())
+        self.host = host.Host("qemu:///system")
+
+
+class TestLibvirtSEVUnsupported(TestLibvirtSEV):
+    @mock.patch.object(os.path, 'exists', return_value=False)
+    def test_kernel_parameter_missing(self, fake_exists):
+        self.assertFalse(self.host._kernel_supports_amd_sev())
+        fake_exists.assert_called_once_with(
+            '/sys/module/kvm_amd/parameters/sev')
+
+    @mock.patch.object(os.path, 'exists', return_value=True)
+    @mock.patch.object(builtins, 'open', mock.mock_open(read_data="0\n"))
+    def test_kernel_parameter_zero(self, fake_exists):
+        self.assertFalse(self.host._kernel_supports_amd_sev())
+        fake_exists.assert_called_once_with(
+            '/sys/module/kvm_amd/parameters/sev')
+
+    @mock.patch.object(os.path, 'exists', return_value=True)
+    @mock.patch.object(builtins, 'open', mock.mock_open(read_data="1\n"))
+    def test_kernel_parameter_one(self, fake_exists):
+        self.assertTrue(self.host._kernel_supports_amd_sev())
+        fake_exists.assert_called_once_with(
+            '/sys/module/kvm_amd/parameters/sev')
+
+    @mock.patch.object(os.path, 'exists', return_value=True)
+    @mock.patch.object(builtins, 'open', mock.mock_open(read_data="1\n"))
+    def test_unsupported_without_feature(self, fake_exists):
+        self.assertFalse(self.host.supports_amd_sev)
+
+    @mock.patch.object(os.path, 'exists', return_value=True)
+    @mock.patch.object(builtins, 'open', mock.mock_open(read_data="1\n"))
+    @mock.patch.object(vc, '_domain_capability_features',
+        new=vc._domain_capability_features_with_SEV_unsupported)
+    def test_unsupported_with_feature(self, fake_exists):
+        self.assertFalse(self.host.supports_amd_sev)
+
+
+class TestLibvirtSEVSupported(TestLibvirtSEV):
+    """Libvirt driver tests for when AMD SEV support is present."""
+
+    @mock.patch.object(os.path, 'exists', return_value=True)
+    @mock.patch.object(builtins, 'open', mock.mock_open(read_data="1\n"))
+    @mock.patch.object(vc, '_domain_capability_features',
+                       new=vc._domain_capability_features_with_SEV)
+    def test_supported_with_feature(self, fake_exists):
+        self.assertTrue(self.host.supports_amd_sev)