Add a vmm test for TDX with Guest VSM, Credential Guard, and HVCI #1305
+214
−74
This PR adds a vmm test for TDX with Guest VSM, Credential Guard, and HVCI. As we don't currently have a way to execute commands in the guest, no verification that the guest sees these as enabled is performed yet.
This necessitated some refactoring around how we handle IMC, as we need to enable VSM in the guest's registry. Ideally we would have a way to dynamically construct registry hives for IMC during test execution. This would allow us to mix and match the pieces we need. Unfortunately, no cross-platform crate exists for doing this. Instead, this PR creates a second hive file with the VSM keys set, and switches between this hive and the pipette startup hive depending on what is asked for. Once we have the ability to run pipette in isolated guests, this second hive file can be easily updated to include the pipette startup keys as well.
This PR also includes the bits necessary for running such a test on OpenVMM someday; however, today attempting to do so will always fail, since we don't have proper isolation support.
Fixes #1310