Add function for secure capability verification

Introduces a function to verify Secure (SEV/SEV-ES/SNP/TDX)
capability enablement on the host as well as in a VM:
1. Validates host support for secure feature.
2. Queries SEV status via QMP and verifies policy.
3. Executes guest command to confirm secure guest enablement.

Signed-off-by: Srikanth Aithal <srikanth.aithal@amd.com>

Author: bssrikanth

virttest/utils_linux_modules.py

@@ -3,6 +3,7 @@
 """
 
 import logging
+import os
 
 from avocado.utils import linux_modules
 
@@ -111,3 +112,30 @@ def kconfig_is_not_set(config_name, session=None):
     return (
         check_kernel_config(config_name, session) is linux_modules.ModuleConfig.NOT_SET
     )
+
+
+def get_module_parameter(module_name, param_name, session=None):
+    """
+    Get the value of a specific kernel module parameter
+
+    :param module_name: Name of the kernel module (e.g., 'kvm_amd', 'kvm_intel')
+    :param param_name: Name of the parameter to check (e.g., 'sev', 'tdx')
+    :param session: Guest session, command is run on host if None
+    :return: Parameter value as string, or None if not found
+    :rtype: str or None
+    """
+    param_path = f"/sys/module/{module_name}/parameters/{param_name}"
+
+    try:
+        if session is None:
+            if os.path.exists(param_path):
+                with open(param_path, "r") as f:
+                    return f.read().strip()
+        else:
+            status, output = session.cmd_status_output(f"cat {param_path}")
+            if status == 0:
+                return output.strip()
+    except (IOError, OSError) as e:
+        LOG.debug("Failed to read module parameter %s: %s", param_path, e)
+
+    return None

virttest/utils_misc.py

@@ -86,6 +86,7 @@
     kernel_interface,
     logging_manager,
     utils_disk,
+    utils_linux_modules,
     utils_logfile,
     utils_selinux,
 )
@@ -4705,3 +4706,97 @@ def _md5(fd):
         if _md5(fd_a) == _md5(fd_b):
             return True
     return False
+
+
+def verify_secure_host(secure_guest_type, module_name, param_name, expected_values):
+    """
+    Verify if specific cvm feature is enabled on the host
+
+    :param secure_guest_type: Type of secure guest (e.g., 'sev', 'snp', 'tdx')
+    :param module_name: Name of the kernel module (e.g., 'kvm_amd', 'kvm_intel')
+    :param param_name: Name of the module parameter to check (e.g., 'sev', 'tdx')
+    :param expected_values: List of acceptable parameter values (e.g., ['Y', '1'])
+    """
+    LOG.info(f"Verifying cvm {secure_guest_type} capability enablement on host")
+
+    param_value = utils_linux_modules.get_module_parameter(module_name, param_name)
+
+    if param_value is None:
+        raise exceptions.TestCancel(
+            f"Host support for {secure_guest_type} capability: "
+            f"module parameter {module_name}/{param_name} not found."
+        )
+
+    if param_value not in expected_values:
+        raise exceptions.TestCancel(
+            f"Host support for {secure_guest_type} capability check failed: "
+            f"{module_name}/{param_name}={param_value}, expected one of {expected_values}"
+        )
+
+
+def verify_secure_guest(
+    session, vm, secure_guest_type, guest_check_cmd, expected_policy=None
+):
+    """
+    Verify if specific cvm feature is enabled inside the VM
+
+    :param session: session object to vm
+    :param vm: virtual machine object
+    :param secure_guest_type: Type of secure guest (e.g., 'sev', 'snp', 'tdx')
+    :param guest_check_cmd: Command to run in guest to verify CVM capability
+    :param expected_policy: Expected policy value (can be hex string or int), optional for AMD CVM
+    """
+    amd_cvm_secureguest = ["sev", "snp"]
+    if secure_guest_type in amd_cvm_secureguest:
+        try:
+            cvm_guest_info = vm.monitor.query_sev()
+            if not cvm_guest_info:
+                raise exceptions.TestFail("QMP query-sev returned empty response.")
+            LOG.info(f"QMP cvm info: {cvm_guest_info}")
+        except Exception as e:
+            raise exceptions.TestFail(f"QMP query-sev failed: {str(e)}")
+
+        if expected_policy is not None:
+            if isinstance(expected_policy, str):
+                policy_value = int(expected_policy, 0)
+            else:
+                policy_value = expected_policy
+
+            if secure_guest_type == "snp":
+                if "snp-policy" not in cvm_guest_info:
+                    raise exceptions.TestFail(
+                        "QMP snp-policy not found in query-sev response."
+                    )
+                actual_policy = cvm_guest_info["snp-policy"]
+            else:
+                if "policy" not in cvm_guest_info:
+                    raise exceptions.TestFail(
+                        "QMP policy not found in query-sev response."
+                    )
+                actual_policy = cvm_guest_info["policy"]
+
+            if actual_policy != policy_value:
+                raise exceptions.TestFail(
+                    f"QMP cvm policy mismatch: expected {policy_value}, "
+                    f"got {actual_policy}"
+                )
+
+        guest_state = cvm_guest_info.get("state")
+        if guest_state != "running":
+            raise exceptions.TestFail(
+                f"CVM state is {guest_state or 'missing'}, expected 'running'"
+            )
+
+    LOG.info(f"Verifying cvm {secure_guest_type} capability enablement in guest")
+    try:
+        return_code, output = session.cmd_status_output(guest_check_cmd, timeout=240)
+        if return_code != 0:
+            raise exceptions.TestFail(
+                f"Guest cvm {secure_guest_type} capability check failed with "
+                f"return code {return_code}: {output}"
+            )
+        LOG.info(f"Guest cvm {secure_guest_type} capability check output: {output}")
+    except Exception as e:
+        raise exceptions.TestFail(
+            f"Guest cvm {secure_guest_type} capability verify fail: {str(e)}"
+        )