Further changes required for SEV SNP enablement

Author: ms-mahuber

src/runtime/config/configuration-clh-snp.toml.in

@@ -84,8 +84,8 @@ enable_annotations = @DEFENABLEANNOTATIONS@
 # List of valid annotations values for the hypervisor
 # Each member of the list is a path pattern as described by glob(3).
 # The default if not set is empty (all annotations rejected.)
-# Your distribution recommends: @CLHVALIDHYPERVISORPATHS@
-valid_hypervisor_paths = @CLHVALIDHYPERVISORPATHS@
+# Your distribution recommends: @CLHSNPVALIDHYPERVISORPATHS@
+valid_hypervisor_paths = @CLHSNPVALIDHYPERVISORPATHS@
 
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
@@ -190,7 +190,8 @@ block_device_driver = "virtio-blk"
 #enable_hugepages = true
 
 # Disable the 'seccomp' feature from Cloud Hypervisor, default false
-# disable_seccomp = true
+# TODO - to be re-enabled with next CH-SNP release. This is fixed but the fix is not yet released
+disable_seccomp = true
 
 # This option changes the default hypervisor and kernel parameters
 # to enable debug output where available.

src/runtime/pkg/katautils/config.go

@@ -1113,6 +1113,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		EnableAnnotations:              h.EnableAnnotations,
 		DisableSeccomp:                 h.DisableSeccomp,
 		ConfidentialGuest:              h.ConfidentialGuest,
+		SevSnpGuest:                    h.SevSnpGuest,
 		Rootless:                       h.Rootless,
 		DisableSeLinux:                 h.DisableSeLinux,
 		DisableGuestSeLinux:            h.DisableGuestSeLinux,

src/runtime/virtcontainers/clh.go

@@ -73,7 +73,7 @@ const (
 	// Values based on:
 	clhTimeout                     = 10
 	clhAPITimeout                  = 1
-	clhAPITimeoutConfidentialGuest = 40
+	clhAPITimeoutConfidentialGuest = 60
 	// Timeout for hot-plug - hotplug devices can take more time, than usual API calls
 	// Use longer time timeout for it.
 	clhHotPlugAPITimeout                   = 5
@@ -406,9 +406,21 @@ func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) {
 }
 
 func (clh *cloudHypervisor) enableProtection() error {
-	protection, err := availableGuestProtection()
-	if err != nil {
-		return err
+
+	protection := noneProtection
+
+	// SNP protection explicitly requested by config
+	if clh.config.SevSnpGuest {
+		clh.Logger().WithField("function", "enableProtection").Info("SEVSNPGUEST")
+		protection = snpProtection
+	} else {
+		clh.Logger().WithField("function", "enableProtection").Info("NOSEVSNPGUEST")
+		// protection method not explicitly requested, using available method
+		availableProtection, err := availableGuestProtection()
+		if err != nil {
+			return err
+		}
+		protection = availableProtection
 	}
 
 	switch protection {
@@ -431,6 +443,9 @@ func (clh *cloudHypervisor) enableProtection() error {
 
 		return nil
 
+	case sevProtection:
+		return errors.New("SEV protection is not supported by Cloud Hypervisor")
+
 	case snpProtection:
 		if clh.vmconfig.Platform == nil {
 			clh.vmconfig.Platform = chclient.NewPlatformConfig()
@@ -441,9 +456,6 @@ func (clh *cloudHypervisor) enableProtection() error {
 
 		return nil
 
-	case sevProtection:
-		return errors.New("SEV protection is not supported by Cloud Hypervisor")
-
 	default:
 		return nil
 		//return errors.New("This system doesn't support Confidential Computing (Guest Protection)")