| // Copyright 2020 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| package security |
| |
| import ( |
| "context" |
| "path/filepath" |
| "strings" |
| "time" |
| |
| "chromiumos/tast/ctxutil" |
| "chromiumos/tast/local/crostini" |
| "chromiumos/tast/testing" |
| ) |
| |
// init registers CPUVulnerabilitiesCrostini with the Tast framework, one
// parameterised variant per supported container image (buster, bullseye) and
// per hardware stability tier (stable, unstable).
func init() {
	testing.AddTest(&testing.Test{
		Func:         CPUVulnerabilitiesCrostini,
		LacrosStatus: testing.LacrosVariantUnknown,
		Desc:         "Confirm CPU vulnerabilities are mitigated in the guest kernel",
		Contacts: []string{
			"swboyd@chromium.org", // Tast port author
			"cros-containers-dev@google.com",
			"chromeos-security@google.com",
		},
		Attr: []string{"group:mainline", "informational"},
		Vars: []string{"keepState", "ui.gaiaPoolDefault"},
		// cpu_vuln_sysfs: the device must expose the kernel's per-vulnerability
		// sysfs files that the test body reads. no_qemu: presumably excludes
		// emulated boards, whose guest CPU reporting is not meaningful -- confirm
		// against the software-dependency definitions.
		SoftwareDeps: []string{"chrome", "vm_host", "cpu_vuln_sysfs", "no_qemu"},
		Params: []testing.Param{
			// Parameters generated by cpu_vulnerabilities_test.go. DO NOT EDIT.
			// The *_unstable variants differ from *_stable only in their
			// hardware dependency and the extra "informational" attribute.
			{
				Name:              "buster_stable",
				ExtraData:         []string{crostini.GetContainerMetadataArtifact("buster", false), crostini.GetContainerRootfsArtifact("buster", false)},
				ExtraSoftwareDeps: []string{"dlc"},
				ExtraHardwareDeps: crostini.CrostiniStable,
				Pre:               crostini.StartedByDlcBuster(),
				Timeout:           7 * time.Minute,
			}, {
				Name:              "buster_unstable",
				ExtraAttr:         []string{"informational"},
				ExtraData:         []string{crostini.GetContainerMetadataArtifact("buster", false), crostini.GetContainerRootfsArtifact("buster", false)},
				ExtraSoftwareDeps: []string{"dlc"},
				ExtraHardwareDeps: crostini.CrostiniUnstable,
				Pre:               crostini.StartedByDlcBuster(),
				Timeout:           7 * time.Minute,
			}, {
				Name:              "bullseye_stable",
				ExtraData:         []string{crostini.GetContainerMetadataArtifact("bullseye", false), crostini.GetContainerRootfsArtifact("bullseye", false)},
				ExtraSoftwareDeps: []string{"dlc"},
				ExtraHardwareDeps: crostini.CrostiniStable,
				Pre:               crostini.StartedByDlcBullseye(),
				Timeout:           7 * time.Minute,
			}, {
				Name:              "bullseye_unstable",
				ExtraAttr:         []string{"informational"},
				ExtraData:         []string{crostini.GetContainerMetadataArtifact("bullseye", false), crostini.GetContainerRootfsArtifact("bullseye", false)},
				ExtraSoftwareDeps: []string{"dlc"},
				ExtraHardwareDeps: crostini.CrostiniUnstable,
				Pre:               crostini.StartedByDlcBullseye(),
				Timeout:           7 * time.Minute,
			},
		},
	})
}
| |
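// CPUVulnerabilitiesCrostini reads every file under the guest kernel's
// /sys/devices/system/cpu/vulnerabilities/ directory and fails the test if any
// of them reports the CPU as vulnerable, i.e. affected and not mitigated.
//
// Each sysfs file holds a status string whose leading word is the verdict
// ("Not affected", "Mitigation: ...", "Vulnerable", "Vulnerable: <details>").
// Every status is logged so the mitigation in use is visible in the test
// output; only a leading "Vulnerable" verdict counts as a failure.
func CPUVulnerabilitiesCrostini(ctx context.Context, s *testing.State) {
	pre := s.PreValue().(crostini.PreData)
	cont := pre.Container
	// Cleanup deliberately runs with the full context captured here, before
	// it is shortened below.
	defer crostini.RunCrostiniPostTest(ctx, pre)

	// Use a shortened context for test operations to reserve time for cleanup.
	ctx, cancel := ctxutil.Shorten(ctx, 5*time.Second)
	defer cancel()

	const vulnDir = "/sys/devices/system/cpu/vulnerabilities/"
	fileList, err := cont.GetFileList(ctx, vulnDir)
	if err != nil {
		s.Fatal("Failed to list vulnerability files: ", err)
	}
	// An empty directory would otherwise let the test pass without having
	// checked anything; the cpu_vuln_sysfs software dependency indicates the
	// files are expected to exist.
	if len(fileList) == 0 {
		s.Fatalf("No vulnerability files found in %s", vulnDir)
	}
	for _, f := range fileList {
		contents, err := cont.ReadFile(ctx, filepath.Join(vulnDir, f))
		if err != nil {
			s.Fatal("Can't read vulnerability file: ", err)
		}
		contents = strings.TrimSpace(contents)
		s.Logf("%s: %s", f, contents)
		if isVulnerable(contents) {
			s.Errorf("File %q has CPU vulnerabilities", f)
		}
	}
}

// isVulnerable reports whether a sysfs vulnerability status string records the
// CPU as unmitigated. The kernel prefixes such entries with "Vulnerable" and
// may append details ("Vulnerable: No microcode", "Vulnerable; SMT
// vulnerable"), so an exact match on the bare word would miss them.
func isVulnerable(status string) bool {
	return strings.HasPrefix(strings.ToLower(status), "vulnerable")
}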