runtime: Adds annotations for SEV/kbs controls at the pod level

Note: only for online-kbs configuration Fixes #5782 Signed-off-by: Jim Cadden <jcadden@ibm.com>
2026-01-15 20:34:19 +01:00 · 2022-11-30 12:03:35 -05:00
parent 4eb88d6a74
commit 4510aeaa91
5 changed files with 60 additions and 5 deletions
--- a/src/runtime/pkg/oci/utils.go
+++ b/src/runtime/pkg/oci/utils.go
@@ -456,6 +456,10 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 		return err
 	}

+	if err := addConfidentialComputingOverrides(ocispec, config); err != nil {
+		return err
+	}
+
 	if value, ok := ocispec.Annotations[vcAnnotations.MachineType]; ok {
 		if value != "" {
 			config.HypervisorConfig.HypervisorMachineType = value
@@ -912,6 +916,29 @@ func addAgentConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig) error
 	return nil
 }

+func addConfidentialComputingOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig) error {
+
+	if err := newAnnotationConfiguration(ocispec, vcAnnotations.GuestPreAttestation).setBool(func(guestPreAttestation bool) {
+		sbConfig.HypervisorConfig.GuestPreAttestation = guestPreAttestation
+	}); err != nil {
+		return err
+	}
+
+	if value, ok := ocispec.Annotations[vcAnnotations.GuestPreAttestationURI]; ok {
+		if value != "" {
+			sbConfig.HypervisorConfig.GuestPreAttestationURI = value
+		}
+	}
+
+	if err := newAnnotationConfiguration(ocispec, vcAnnotations.SEVGuestPolicy).setUint(func(sevGuestPolicy uint64) {
+		sbConfig.HypervisorConfig.SEVGuestPolicy = uint32(sevGuestPolicy)
+	}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // SandboxConfig converts an OCI compatible runtime configuration file
 // to a virtcontainers sandbox configuration structure.
 func SandboxConfig(ocispec specs.Spec, runtime RuntimeConfig, bundlePath, cid string, detach, systemdCgroup bool) (vc.SandboxConfig, error) {