snp.sh: Added guest MSR check to verify SNP bit status

Added MSR 0xC0010010 check to validate if guest SEV, SEV-ES and SNP are enabled by reading SEV, SEV-ES and SNP bits from MSR 0xC0010010 instruction set Bit #0 corresponds to the SEV bit status Bit amd#1 corresponds to SEV-ES bit status Bit amd#2 corresponds to SNP bit status Signed-off-by: Harika Nittala <[email protected]>
LakshmiSaiHarika · Jan 24, 2025 · b45c727 · b45c727
1 parent da8d8fe
commit b45c727
Showing 1 changed file with 51 additions and 0 deletions.
diff --git a/tools/snp.sh b/tools/snp.sh
@@ -1154,6 +1154,55 @@ setup_guest_attestation() {
   echo "true" > "${guest_setup_file}"
 }
 
+install_guest_rdmsr_dependencies() {
+  wait_and_retry_command "ssh_guest_command "uname -r""
+
+  # Retrieve guest linux distribution
+  local guest_linux_distro=$(ssh_guest_command "lsb_release -is")
+  guest_linux_distro=$(echo "${guest_linux_distro}" | tr -d '\r')
+  guest_linux_distro="${guest_linux_distro,,}"
+
+  case ${guest_linux_distro} in
+    ubuntu)
+      ssh_guest_command "sudo DEBIAN_FRONTEND=noninteractive sudo apt install -y msr-tools > /dev/null 2>&1" > /dev/null 2>&1
+      ;;
+    *)
+      >&2 echo -e "ERROR is: ${guest_linux_distro}"
+      return 1
+      ;;
+  esac
+}
+
+verify_guest_snp_bit_status() {
+  if [ ! -f "${GUEST_SSH_KEY_PATH}" ]; then
+    >&2 echo -e "Guest SSH key not present [${GUEST_SSH_KEY_PATH}], so cannot verify guest SNP enabled"
+    return 1
+  fi
+
+  # Install guest rdmsr package dependencies & insert guest msr module
+  install_guest_rdmsr_dependencies
+  ssh_guest_command "sudo modprobe msr" > /dev/null 2>&1
+
+  # Read the guest (MSR_AMD64_SEV) value
+  local guest_msr_read=$(ssh_guest_command "sudo rdmsr -p 0 0xc0010131")
+  guest_msr_read=$(echo "${guest_msr_read}" | tr -d '\r' | bc)
+
+  # Map all the sev features in a single associative array for all guest SEV features
+  declare -A security_bit_values=(
+    [SEV]=$(( ( ${guest_msr_read} >> 0) & 1))
+    [SEV-ES]=$(( (${guest_msr_read} >> 1) & 1))
+    [SNP]=$(( (${guest_msr_read} >> 2) & 1))
+  )
+
+  local feature_error=$(verify_all_security_bits "${security_bit_values[@]}")
+
+  if [[ -n "${feature_error}" ]]; then
+    >&2 echo -e "ERROR: SEV/SEV-ES/SNP is not active in the guest"
+    >&2 echo -e "${feature_error}"
+    return 1
+  fi
+}
+
 # Pass a function and a register to collect its value
 get_cpuid() {
   local function=$1
@@ -1450,6 +1499,7 @@ main() {
       install_dependencies
 
       setup_and_launch_guest
+      verify_guest_snp_bit_status
       wait_and_retry_command verify_snp_guest
 
       echo -e "Guest SSH port forwarded to host port: ${HOST_SSH_PORT}"
@@ -1461,6 +1511,7 @@ main() {
       install_rust
       install_sev_snp_measure
       install_dependencies
+      verify_guest_snp_bit_status
       wait_and_retry_command verify_snp_guest
       setup_guest_attestation
       attest_guest