windows_update_perf: support VBS

[xiagao]

Create a test case about windows updatete performance, and complete the first scenario of vbs support.
ID: 3338

Summary by CodeRabbit

• New Features

  • Added a Windows virtualization performance test validating Secure Boot, Device Guard/VBS readiness, nested virtualization, Hyper‑V/IOMMU behavior, and WSL2 setup with a RHEL distribution.

• Tests

  • Introduced configurable IOMMU variants (enabled/disabled) including an Intel‑only path with advanced virtio/IOMMU settings.
  • Automated setup, reboots, verification steps, and improved logging for clearer failure reporting.

[coderabbitai]

Walkthrough

Adds a new Windows-oriented QEMU performance test: a test configuration file qemu/tests/cfg/win_virtio_perf_test.cfg and a Python test module qemu/tests/win_virtio_perf_test.py. The config defines a win_virtio_perf_test job constrained to q35/OVMF, configures runtime controls, nested virtualization markers, Device Guard (DG) readiness tooling paths/commands, VBS/secure-boot checks, WSL2 and RHEL-in-WSL setup, and two IOMMU variants (no_iommu, iommu_enable). The Python module implements run(test, params, env) with helpers to set PowerShell execution policy, check secure boot/VBS, copy and run the DG Readiness Tool, install/configure WSL2 and a RHEL WSL distro, orchestrate reboots/sessions, and perform cleanup and failure handling.

Changes

Cohort / File(s)	Summary of Changes
QEMU test configuration qemu/tests/cfg/win_virtio_perf_test.cfg	New Windows performance test config: defines win_virtio_perf_test job restricted to q35 + OVMF, excludes certain guest OSes (RHEL/Windows 10/11), sets runtime controls (login timeout, image cloning, CPU model), marks nested virtualization support (HostCpuVendor.intel/amd), supplies DG Readiness Tool paths and PowerShell command sequences, includes secure-boot/VBS checks, and defines WSL2 setup steps and two IOMMU variants (no_iommu, iommu_enable with Intel-only IOMMU and virtio device IOMMU options).
Windows virtio perf test module qemu/tests/win_virtio_perf_test.py	New test module adding run(test, params, env). Implements flow to prepare VM, open guest sessions, enforce PowerShell execution policy, verify Secure Boot, copy and execute DG Readiness Tool, query VBS status and reboot if needed, install/enable WSL2 and a RHEL WSL distro and validate it, toggle Device Guard settings, and ensure proper shutdown and session cleanup. Contains multiple helper functions and explicit logging and failure paths.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Tester as Avocado/Test Runner
  participant QEMU as QEMU VM
  participant Guest as Windows Guest
  participant PS as PowerShell/Tools
  participant WSL as WSL2/RHEL Distro

  Tester->>QEMU: Boot VM (params: CPU/IOMMU/nesting)
  QEMU->>Guest: Start guest OS
  Tester->>Guest: Open session
  Note over Guest,PS: Set execution policy, prepare paths
  Tester->>PS: Check Secure Boot / VBS readiness
  Tester->>Guest: Copy DG Readiness Tool
  Tester->>PS: Run DG commands (dg_command)
  alt VBS enabled/required
    Tester->>QEMU: Reboot VM (sync)
    QEMU->>Guest: Guest up
    Tester->>Guest: Reconnect session
  end
  Tester->>PS: Enable WSL + VM Platform, set default v2
  Tester->>WSL: Install RHEL distro
  Note right of WSL: Validate distro availability
  Tester-->>QEMU: Optional VBS disable and reboot
  Tester->>Guest: Final checks and cleanup
  Tester-->>Tester: Report result (pass/fail)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Potential focus areas:

• PowerShell command sequences and escaping in the config and Python copy/execute paths.
• Robustness of session handling and reboot/reconnect logic in run.
• DG Readiness Tool output parsing and expected-string checks.
• IOMMU variant parameters and device option correctness (Intel-only constraints).

Poem

I tapped my paws on the hypervisor’s door,
Spun up a VM—then a warren of more.
Device Guard nodded, WSL2 cheered,
RHEL hopped in, exactly as geared.
With IOMMU trails and VBS bright,
This bun benchmarks through the night. 🐇⚙️

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title 'windows_update_perf: support VBS' is partially related to the changeset but does not accurately reflect the main change. The changes add a new Windows performance test configuration and implementation focused on Device Guard/VBS validation, not Windows update performance.	Revise the title to better reflect the actual changes, such as 'Add Windows Device Guard/VBS validation test' or 'Add win_virtio_perf_test for VBS support' to accurately describe the test configuration and implementation being added.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a65f937 and 7bde06f.

📒 Files selected for processing (2)

• qemu/tests/cfg/win_virtio_perf_test.cfg (1 hunks)
• qemu/tests/win_virtio_perf_test.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• qemu/tests/cfg/win_virtio_perf_test.cfg

🧰 Additional context used

🧬 Code graph analysis (1)

qemu/tests/win_virtio_perf_test.py (1)

provider/storage_benchmark.py (1)

• session (83-90)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

qemu/tests/cfg/win_virtio_perf_test.cfg (1)

21-23: Keep the ExecutionPolicy relaxation scoped to the session

Set-ExecutionPolicy without -Scope defaults to LocalMachine, permanently dropping the host’s PowerShell policy to Unrestricted. That weakens security for subsequent scenarios on the same worker. Please either scope it to the current process (-Scope Process -ExecutionPolicy Bypass) or restore the original policy once the readiness script finishes so the machine isn’t left wide open.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 870c1ea and a65f937.

📒 Files selected for processing (2)

• qemu/tests/cfg/win_virtio_perf_test.cfg (1 hunks)
• qemu/tests/win_virtio_perf_test.py (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

qemu/tests/win_virtio_perf_test.py (1)

qemu/deps/win_driver_install/win_driver_install.py (1)

• cmd_output (12-28)

[coderabbitai]

⚠️ Potential issue

Fix PowerShell policy helper to use the active session

After the WSL reboot we create new_session, but set_powershell_execute_policy() still dereferences the old session captured from the outer scope. That handle is already invalid once the guest reboots, so the execution-policy command either fails outright or silently never updates the new session, breaking the rest of the workflow. Pass the live session object into the helper so that every call (including the one right after the reboot) runs against the correct connection.

@@
-    def set_powershell_execute_policy():
-        """
-        Set PowerShell execution policy using the provided session.
-        It is used when creating a new session.
-
-        :param cmd: The PowerShell command to set execution policy.
-        """
+    def set_powershell_execute_policy(current_session):
+        """
+        Set PowerShell execution policy on the given session.
+        """
@@
-        status, output = session.cmd_status_output(executionPolicy_command)
+        status, output = current_session.cmd_status_output(executionPolicy_command)
@@
-        set_powershell_execute_policy()
+        set_powershell_execute_policy(session)
@@
-            set_powershell_execute_policy()
+            set_powershell_execute_policy(session)
@@
-        set_powershell_execute_policy()
+        set_powershell_execute_policy(new_session)

Also applies to: 111-114, 174-183

🤖 Prompt for AI Agents

In qemu/tests/win_virtio_perf_test.py around lines 24-35 (also apply same change
at 111-114 and 174-183), the helper set_powershell_execute_policy() closes over
the old session variable so after WSL reboot it uses a stale/invalid session;
change the helper signature to accept a session parameter and use that passed-in
session for session.cmd_status_output(executionPolicy_command) (and update all
callers to pass the current/live session, including immediately after creating
new_session) so the execution policy runs against the active connection.