2017 Baseline Release Test Criteria
Indication about requirements that could be added to Release Test list for 7.0.0
Functional Tests
Platform Installation
- Installation with an optical disk drive
- Installation with a USB optical disk drive
- Installation with a USB flash drive
Platform Upgrade
- OTA upgrade
Guest installation
- Installation with an existing vhd
- Installation from a virtual iso
- Installation from an optical disk drive
- PXE installation
Guest OS with Tools
Windows 7 sp1 64-bit install and basic use
Windows 10 (1511) 64-bit install and basic use
Windows 10 (1607) 64-bit install and basic use
Windows 10 (1703) 64-bit install and basic use
Windows 7 to Windows 10 (1607) upgrade
Windows 7 to Windows 10 (1703) upgrade
Windows 10 (1511) to Windows 10 (1607) upgrade
Windows 10 (1607) to Windows 10 (1703) upgrade
RedHat Enterprise Linux 7 64-bit install and basic use
Windows basic use
- Burn a CD
Guest OS without Tools
Windows 7 64-bit install and basic use
Windows 10 64-bit install and basic use
PCI Passthrough
Passthrough of PCIe NIC to NDVM
Passthough of PCIe NIC to generic guest
Passthrough of USB controller to generic guest
Passthrough of PCIe audio controller to generic guest
Passthrough of supported NVidia graphics card to generic guest
Passthrough of supported AMD graphics card to generic guest
Virtual USB
Assignment of policy-allowed USB device to guest (e.g. smart card reader)
Intentional failure to assign policy-disallowed USB device to guest
Ejection of assigned USB device from guest (no longer present, accessible, addressable)
Re-assignment of ejected USB device to a guest
Add USB policy to disallow previously-assignable device, then attempt to assign
Add USB policy to automatically assign a specific USB device by {vendorID, productID, serial}
Assign friendly name to USB device, verify consistency across reboot and device hotplug
Devices:
Smart card reader
Mass storage device
Webcam
Audio headset
Touchscreen
Optical drive
Devices and Hardware
USB optical drive as assignable optical drive
SATA optical drive assignment
Unplug and re-plug monitor
Audio playback using speakers/headphones
SATA hard disk for base system
PCIe/NVMe hard disk for base system
Guest
Verify virtual USB quality (e.g. writing large data blocks to mass storage)
Verify audio playback quality
Verify audio recording quality
Run CPU stress tests
Run disk I/O stress tests
Run GPU stress test (3D VM only)
Validate virtual network throughput and packet loss
UIVM
Create VM
Start VM
Shutdown VM
Reboot VM
Destroy VM instance
Delete VM
Switch running VM focus
Shut down system
View NDVM network connection status {link state, Address information}
Connect NDVM to wireless network
Change input device sensitivity
Change wallpaper
{ Change VM settings }
ServiceVM
Notice
With nilfvm template removed, there is not currently an example/reference ServiceVM outside of the always present NDVM and UIVM. Testing of this may not be able to occur until a new example/reference ServiceVM can be made available.
- Create a Service VM
- Configure guest to utilize a ServiceVM
Security Tests
Hypervisor and Tools
Scrub guest RAM prior to launch
EPT mapping isolation
VT-d/AMD-Vi isolation
Separate stubdom instance per guest
Verify adding/removing V4V firewall rules (and ability to bind/use V4V sockets)
Verify VMs will not start if insufficient memory for the instance
Virtual Storage
Virtual disk encryption is truly AES-128/AES-256
Data changes in encrypted differential disk not reflected in unencrypted base disk
Cannot write to read-only virtual disk
Measured Launch
Seal the platform
TPM 1.2
TPM 2.0 using SHA-256
PCR Usage
Firmware
Verify sane PCRs (e.g. different values in [0], [1], [2])
Verify PCRs appropriately change per what they should measure (e.g. PCI devices, BIOS executable code)
TXT
PCRs 17, 18, and 19 populated
PCR value change triggers admin unlock/reseal
hardware/BIOS change
bootloader/kernel change
Xen hypervisor change
Dom0 initramfs change
Dom0 measured rootfs change
Media-based upgrade (cd/usb/pxe) requires admin reseal
OTA-based upgrade should forward seal
Hypervisor Access Control (XSM)
Default operational status is for XSM to be enforced
Dom0, UIVM, NDVM, stubdom, SyncVM instances each have appropriate XSM label
{ Need OpenXT-specific policy tests, success and intentional failure }
Dom0
SELinux in enforcing mode by default
{ Need OpenXT-specific Dom0 policy tests, success and intentional failure }
{For privileged commands, must be run as sysadm_r}
/config partition is encrypted with AES-256-XTS, using keys sealed to TPM
Rootfs (/) mounted read-only by default
Change Dom0 root password
Verify rpc-proxy rules for dbus-over-V4V (and ability to make calls/receive signals)
UIVM
Policy to enable/disable UIVM->Dom0 sshv4v
Policy to enable/disable end-user VM creation
Policy to enable/disable end-user VM deletion
Policy to show/hide Settings tab
Policy to show/hide Services tab
Policy to enable/disable changing VM settings
Devices and Hardware
Relay of keyboard input only to in-focus guest
Relay of mouse input only to in-focus guest
Keyboard and mouse focus not split among different guests
Guest
Verify cannot write to read-only dom-store
Verify cannot read no-access dom-store
Verify can only record optical media if policy allows
Verify can only see allowed and assigned USB devices
VM sleep (S3) and resume
VM hibernate (S4) and resume
Verify can only record audio if policy allows
Verify can only playback audio if policy allows
Verify control-platform-power-state (e.g. VM shutdown shuts system down)
Verify start-on-boot