
Commit ad4d405

committed
Further changes required for SEV SNP enablement
1 parent 56a0348 commit ad4d405

3 files changed

+24
-10
lines changed


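--- a/src/runtime/config/configuration-clh-snp.toml.in
+++ b/src/runtime/config/configuration-clh-snp.toml.in
@@ -84,8 +84,8 @@ enable_annotations = @DEFENABLEANNOTATIONS@
 # List of valid annotations values for the hypervisor
 # Each member of the list is a path pattern as described by glob(3).
 # The default if not set is empty (all annotations rejected.)
-# Your distribution recommends: @CLHVALIDHYPERVISORPATHS@
-valid_hypervisor_paths = @CLHVALIDHYPERVISORPATHS@
+# Your distribution recommends: @CLHSNPVALIDHYPERVISORPATHS@
+valid_hypervisor_paths = @CLHSNPVALIDHYPERVISORPATHS@
 
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
@@ -190,7 +190,8 @@ block_device_driver = "virtio-blk"
 #enable_hugepages = true
 
 # Disable the 'seccomp' feature from Cloud Hypervisor, default false
-# disable_seccomp = true
+# TODO - to be re-enabled with next CH-SNP release. This is fixed but the fix is not yet released
+disable_seccomp = true
 
 # This option changes the default hypervisor and kernel parameters
 # to enable debug output where available.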
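Review bot: The new `disable_seccomp = true` on line 194 switches off the Cloud Hypervisor seccomp filter for every guest launched from this SNP template, which removes a containment layer around the VMM process, while the TODO on line 193 names neither the release nor a tracking reference that would tell a maintainer when it may be reverted. The old line 193 shipped this setting commented out, i.e. seccomp on by default, so the template now ships the weaker state silently. I would make the relaxation time-bounded and auditable by extending the comment, e.g. `# TODO: revert to the default (seccomp enabled) once Cloud Hypervisor <VERSION-PLACEHOLDER> with the SNP seccomp fix is the minimum supported release; tracking: <ISSUE-PLACEHOLDER>`, with the placeholders filled in from the actual upstream fix.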

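--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -1113,6 +1113,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 EnableAnnotations: h.EnableAnnotations,
 DisableSeccomp: h.DisableSeccomp,
 ConfidentialGuest: h.ConfidentialGuest,
+SevSnpGuest: h.SevSnpGuest,
 Rootless: h.Rootless,
 DisableSeLinux: h.DisableSeLinux,
 DisableGuestSeLinux: h.DisableGuestSeLinux,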

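--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
@@ -73,7 +73,7 @@ const (
 // Values based on:
 clhTimeout = 10
 clhAPITimeout = 1
-clhAPITimeoutConfidentialGuest = 40
+clhAPITimeoutConfidentialGuest = 60
 // Timeout for hot-plug - hotplug devices can take more time, than usual API calls
 // Use longer time timeout for it.
 clhHotPlugAPITimeout = 5
@@ -406,9 +406,21 @@ func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) {
 }
 
 func (clh *cloudHypervisor) enableProtection() error {
-protection, err := availableGuestProtection()
-if err != nil {
-return err
+
+protection := noneProtection
+
+// SNP protection explicitly requested by config
+if clh.config.SevSnpGuest {
+clh.Logger().WithField("function", "enableProtection").Info("SEVSNPGUEST")
+protection = snpProtection
+} else {
+clh.Logger().WithField("function", "enableProtection").Info("NOSEVSNPGUEST")
+// protection method not explicitly requested, using available method
+availableProtection, err := availableGuestProtection()
+if err != nil {
+return err
+}
+protection = availableProtection
 }
 
 switch protection {
@@ -431,6 +443,9 @@ func (clh *cloudHypervisor) enableProtection() error {
 
 return nil
 
+case sevProtection:
+return errors.New("SEV protection is not supported by Cloud Hypervisor")
+
 case snpProtection:
 if clh.vmconfig.Platform == nil {
 clh.vmconfig.Platform = chclient.NewPlatformConfig()
@@ -441,9 +456,6 @@ func (clh *cloudHypervisor) enableProtection() error {
 
 return nil
 
-case sevProtection:
-return errors.New("SEV protection is not supported by Cloud Hypervisor")
-
 default:
 return nil
 //return errors.New("This system doesn't support Confidential Computing (Guest Protection)")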
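Review bot: When `clh.config.SevSnpGuest` is set, the new branch on lines 413-415 assigns `snpProtection` without consulting `availableGuestProtection()`, so a host that cannot actually provide SNP is only discovered later, presumably when Cloud Hypervisor rejects the platform config, instead of failing here with a clear message; I would still call the probe in that branch, e.g. `if avail, err := availableGuestProtection(); err != nil || avail != snpProtection { return errors.New("SEV-SNP guest requested but host does not provide SNP protection") }`, hedged since the probe's contract is not visible in the hunk. The `Info("SEVSNPGUEST")` and `Info("NOSEVSNPGUEST")` calls on lines 414 and 417 read as debugging leftovers and belong at debug level with a readable message such as `.Debug("SEV-SNP guest protection requested by configuration")`. The initial `protection := noneProtection` on line 410 is dead since both branches assign `protection`, and the 40-to-60 bump of `clhAPITimeoutConfidentialGuest` in the first hunk carries no comment on why SNP launches need the extra time. enableProtection continues past the end of this hunk.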
