Add a derived keys test #242
See the last paragraph for more on ordering the new keys test. See README.md in modules/test/guest/key-derivation for more about the derived keys test, in general. Old TCB components (e.g., PSP FW, microcode) can cause some guest tests to fail. In general, I don't think this should be the case, but if the TCB components are very old, then maybe it makes sense. By putting the derived keys test first, this test's contributions to the certificates should be present regardless of how old the TCB components are. Note that preserving the derived keys test contributions could also be achieved by using Wants= instead of Requires= for the services corresponding to the tests that fail due to the old TCB components.
Pull request overview
Adds an SNP guest “derived keys” test module to the guest image and wires its results into the host-side reporting so derived-key behavior is exercised and summarized alongside existing attestation tests.
Changes:
- Introduce a new guest test module (key-derivation) implemented as a Python script invoked by a systemd oneshot service.
- Integrate the new service into the guest test stage ordering and into host-side log display / certificate summary generation.
- Ensure the guest image includes Python 3 to run the new test.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| modules/test/guest/test-done/mkosi.extra/usr/local/lib/systemd/system/test-done.service | Adds key-derivation.service as a dependency of the test barrier. |
| modules/test/guest/mkosi.conf | Includes the new key-derivation guest test module in the guest test build. |
| modules/test/guest/key-derivation/README.md | Documents the new derived-keys test module and how to run/interpret it. |
| modules/test/guest/key-derivation/mkosi.extra/usr/local/lib/systemd/system/key-derivation.service | Adds a systemd oneshot service to run the derived-keys test script. |
| modules/test/guest/key-derivation/mkosi.extra/usr/local/lib/scripts/snpguest_key_derivation.py | Implements key derivation tests (determinism, VMPL isolation, root key selection, parameter sensitivity). |
| modules/report/host/sev-certificate-generator/.../sev_certificate_version_3_0_0_0.py | Extends guest summary generation to include step-by-step key-derivation results and inferred status fallback. |
| modules/report/host/display-guest-logs/.../display-guest-logs.sh | Includes key-derivation.service in the host’s guest-log display output. |
| modules/build/guest/mkosi.conf | Adds python3 to the guest image package set to support the new test script. |
```python
    if not derive_key(key_vmpl1_file, root_key="vcek", vmpl=1):
        print(" Note: VMPL1 derivation failed (expected if not running at VMPL0)")
        print("✓ PASS: N/A")
        return True


def test_root_key_difference() -> bool:
    """Test that different root keys (VCEK vs VMRK) produce different keys."""
    key_vck_file = KEY_DERIVATION_DIR / "vck_key.bin"
```
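Review bot: the `return True` after the failed VMPL1 derivation reports "✓ PASS: N/A" and counts as success, so a VMPL1 derivation that fails while the guest actually runs at VMPL0 (where it should succeed) is indistinguishable from a real pass in the certificate summary; consider checking the current VMPL first, or returning a distinct not-applicable result instead of `True`. Separately, `key_vck_file` / `"vck_key.bin"` in `test_root_key_difference` reads like a misspelling of the `vcek` root key name used in `root_key="vcek"`; renaming to `key_vcek_file` / `"vcek_key.bin"` would keep the artifacts consistent with the root key they come from.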
```python
    for step, status_code in key_derivation_data.items():
        key_derivation_data[step] = "passed" if int(status_code) == 0 else "failed"
```
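Review bot: `int(status_code)` raises `ValueError` on any non-numeric value (an empty string, a missing or truncated status), which would abort summary generation for the whole certificate rather than just this step; wrap the conversion and map unparseable values to "failed" (or a separate "unknown"), e.g. `try: ok = int(status_code) == 0 except (TypeError, ValueError): ok = False`. Assigning back into `key_derivation_data` while iterating `.items()` is safe here because no keys are added, but building a new dict with a comprehension makes that intent explicit.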
@markg-github I had added some certificate versioning logic in #241 (it still needs to get reviewed), but I think it might be good to discuss what we want to keep and how we'll merge both. For that one I was intending the next few tests to be under v3.0.0-1. Do you have some passing certificate examples you can link here? It should have a milestone assigned if it reaches some certificate level. I looked at your recent ones in your repository and they appear to have issues. One of the issues looked familiar; I had a fix for snpguest ok running too early sometimes. But not sure if the others were expected. Note that you'll need to create the milestone in your fork for it to be assigned if you haven't yet (c3.0.0-0, and later when we enable it, c3.0.0-1).
The test invokes snpguest repeatedly, especially the key subcommand, to test the SEV-SNP derived keys feature. The test mostly verifies that the derived keys are different when they're supposed to be.
More complete testing could be achieved by including an ID block. Including an ID block is completely independent and I plan a PR for it soon.
I think AI did a decent job at maintaining "certificate consistency", but I'm not sure about the versioning.
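The reply above says the test mostly checks that derived keys differ when they are supposed to, and the file summary lists the four checks (determinism, VMPL isolation, root key selection, parameter sensitivity). The block below is an added example, not the PR's `snpguest_key_derivation.py`, showing how those four checks can be written against a pluggable derivation function so the logic runs offline: `fake_deriver` is a constructed HMAC stand-in for the PSP, `vmpl_blind_deriver` is a deliberately broken variant that ignores the VMPL so the isolation check is seen to fail, and `snpguest_deriver` is the real-hardware hook. The `KeyRequest` field names and the `snpguest key <file> <root-key> --vmpl N` command line in `snpguest_deriver` are this example's assumptions about the CLI, not taken from the PR.

```python
import hashlib
import hmac
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable


@dataclass(frozen=True)
class KeyRequest:
    """Inputs to one derivation. Field names are this example's own (assumption)."""
    root_key: str            # "vcek" or "vmrk"
    vmpl: int = 0
    guest_field_select: int = 0
    guest_svn: int = 0
    tcb_version: int = 0


Deriver = Callable[[KeyRequest], bytes]


def fake_deriver(req: KeyRequest) -> bytes:
    """Constructed stand-in for the firmware: HMAC of every request field under a
    per-root-key secret. It only exists so the checks below run without an SNP guest."""
    secret = {"vcek": b"constructed-vcek-root", "vmrk": b"constructed-vmrk-root"}[req.root_key]
    msg = f"{req.vmpl}|{req.guest_field_select}|{req.guest_svn}|{req.tcb_version}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def vmpl_blind_deriver(req: KeyRequest) -> bytes:
    """Deliberately broken deriver that drops the VMPL; VMPL isolation must catch it."""
    return fake_deriver(KeyRequest(req.root_key, 0, req.guest_field_select,
                                   req.guest_svn, req.tcb_version))


def snpguest_deriver(req: KeyRequest) -> bytes:
    """Real-hardware hook: ask snpguest for the key and read the file it writes.
    Assumed command line: snpguest key <key-file> <root-key-select> --vmpl <n>.
    Extra selectors (guest_field_select, guest_svn, tcb_version) would be appended
    here using snpguest's own flag names; they are left out of this example."""
    with tempfile.TemporaryDirectory() as tmp:
        key_file = Path(tmp) / "derived_key.bin"
        subprocess.run(["snpguest", "key", str(key_file), req.root_key, "--vmpl", str(req.vmpl)],
                       check=True, capture_output=True)
        return key_file.read_bytes()


def run_checks(derive: Deriver) -> dict[str, bool]:
    """The four checks from the PR's file summary, each reduced to a bool."""
    base = KeyRequest(root_key="vcek")
    results: dict[str, bool] = {}
    # Determinism: the same request twice yields the same key.
    results["determinism"] = derive(base) == derive(base)
    # Root key selection: VCEK- and VMRK-rooted keys differ for identical parameters.
    results["root_key_selection"] = derive(base) != derive(KeyRequest(root_key="vmrk"))
    # VMPL isolation: a VMPL1 key must not equal the VMPL0 key.
    results["vmpl_isolation"] = derive(base) != derive(KeyRequest(root_key="vcek", vmpl=1))
    # Parameter sensitivity: flipping any single selector changes the key.
    variants = [KeyRequest("vcek", guest_field_select=1),
                KeyRequest("vcek", guest_svn=1),
                KeyRequest("vcek", tcb_version=1)]
    results["parameter_sensitivity"] = all(derive(v) != derive(base) for v in variants)
    return results


def summarize(results: dict[str, bool]) -> dict[str, str]:
    """Map each step to the "passed"/"failed" wording used by the certificate summary."""
    return {step: ("passed" if ok else "failed") for step, ok in results.items()}


if __name__ == "__main__":
    for name, deriver in (("fake", fake_deriver), ("vmpl-blind", vmpl_blind_deriver)):
        print(name, summarize(run_checks(deriver)))
```

Swapping `fake_deriver` for `snpguest_deriver` inside an SNP guest runs the same four checks against the PSP; the check logic never changes, only the source of the key bytes, which is what makes the offline run a meaningful rehearsal of the in-guest test.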