mirror of
https://github.com/aljazceru/kata-containers.git
synced 2026-01-31 12:14:27 +01:00
runtime: Add online-kbs to kernel params
In online-kbs attestation the guest is given the location of the keybroker server to connect after launch. This patch appends the IP:Port of the online-kbs to the kernel params of the guest. Patch also simplifies the kbs config into "mode" = offline/online, and updates SEV config variable names and default values Fixes: #5661 #5715 Signed-off-by: Jim Cadden <jcadden@ibm.com>
This commit is contained in:
Jim Cadden
@@ -96,10 +96,9 @@ const defaultDisableGuestSeLinux = true
|
||||
const defaultVfioMode = "guest-kernel"
|
||||
const defaultLegacySerial = false
|
||||
const defaultGuestPreAttestation = false
|
||||
const defaultGuestPreAttestationProxy string = ""
|
||||
const defaultGuestPreAttestationURI string = ""
|
||||
const defaultGuestPreAttestationMode string = ""
|
||||
const defaultGuestPreAttestationKeyset string = ""
|
||||
const defaultGuestPreAttestationSecretGuid string = ""
|
||||
const defaultGuestPreAttestationSecretType string = ""
|
||||
const defaultSEVCertChainPath string = ""
|
||||
const defaultSEVGuestPolicy uint32 = 0
|
||||
const defaultSNPGuestPolicy uint64 = 0x30000
|
||||
|
||||
@@ -101,10 +101,9 @@ type hypervisor struct {
|
||||
GuestHookPath string `toml:"guest_hook_path"`
|
||||
GuestMemoryDumpPath string `toml:"guest_memory_dump_path"`
|
||||
SeccompSandbox string `toml:"seccompsandbox"`
|
||||
GuestPreAttestationProxy string `toml:"guest_pre_attestation_proxy"`
|
||||
GuestPreAttestationURI string `toml:"guest_pre_attestation_kbs_uri"`
|
||||
GuestPreAttestationMode string `toml:"guest_pre_attestation_kbs_mode"`
|
||||
GuestPreAttestationKeyset string `toml:"guest_pre_attestation_keyset"`
|
||||
GuestPreAttestationSecretGuid string `toml:"guest_pre_attestation_secret_guid"`
|
||||
GuestPreAttestationSecretType string `toml:"guest_pre_attestation_secret_type"`
|
||||
SEVCertChainPath string `toml:"sev_cert_chain"`
|
||||
BlockDeviceAIO string `toml:"block_device_aio"`
|
||||
RemoteHypervisorSocket string `toml:"remote_hypervisor_socket"`
|
||||
@@ -815,81 +814,80 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
|
||||
txRateLimiterMaxRate := h.getTxRateLimiterCfg()
|
||||
|
||||
return vc.HypervisorConfig{
|
||||
HypervisorPath: hypervisor,
|
||||
HypervisorPathList: h.HypervisorPathList,
|
||||
KernelPath: kernel,
|
||||
InitrdPath: initrd,
|
||||
ImagePath: image,
|
||||
FirmwarePath: firmware,
|
||||
FirmwareVolumePath: firmwareVolume,
|
||||
PFlash: pflashes,
|
||||
MachineAccelerators: machineAccelerators,
|
||||
CPUFeatures: cpuFeatures,
|
||||
KernelParams: vc.DeserializeParams(strings.Fields(kernelParams)),
|
||||
HypervisorMachineType: machineType,
|
||||
NumVCPUs: h.defaultVCPUs(),
|
||||
DefaultMaxVCPUs: h.defaultMaxVCPUs(),
|
||||
MemorySize: h.defaultMemSz(),
|
||||
MemSlots: h.defaultMemSlots(),
|
||||
MemOffset: h.defaultMemOffset(),
|
||||
DefaultMaxMemorySize: h.defaultMaxMemSz(),
|
||||
VirtioMem: h.VirtioMem,
|
||||
EntropySource: h.GetEntropySource(),
|
||||
EntropySourceList: h.EntropySourceList,
|
||||
DefaultBridges: h.defaultBridges(),
|
||||
DisableBlockDeviceUse: h.DisableBlockDeviceUse,
|
||||
SharedFS: sharedFS,
|
||||
VirtioFSDaemon: h.VirtioFSDaemon,
|
||||
VirtioFSDaemonList: h.VirtioFSDaemonList,
|
||||
VirtioFSCacheSize: h.VirtioFSCacheSize,
|
||||
VirtioFSCache: h.defaultVirtioFSCache(),
|
||||
VirtioFSQueueSize: h.VirtioFSQueueSize,
|
||||
VirtioFSExtraArgs: h.VirtioFSExtraArgs,
|
||||
MemPrealloc: h.MemPrealloc,
|
||||
HugePages: h.HugePages,
|
||||
IOMMU: h.IOMMU,
|
||||
IOMMUPlatform: h.getIOMMUPlatform(),
|
||||
FileBackedMemRootDir: h.FileBackedMemRootDir,
|
||||
FileBackedMemRootList: h.FileBackedMemRootList,
|
||||
Debug: h.Debug,
|
||||
DisableNestingChecks: h.DisableNestingChecks,
|
||||
BlockDeviceDriver: blockDriver,
|
||||
BlockDeviceAIO: blockAIO,
|
||||
BlockDeviceCacheSet: h.BlockDeviceCacheSet,
|
||||
BlockDeviceCacheDirect: h.BlockDeviceCacheDirect,
|
||||
BlockDeviceCacheNoflush: h.BlockDeviceCacheNoflush,
|
||||
EnableIOThreads: h.EnableIOThreads,
|
||||
Msize9p: h.msize9p(),
|
||||
DisableImageNvdimm: h.DisableImageNvdimm,
|
||||
HotplugVFIOOnRootBus: h.HotplugVFIOOnRootBus,
|
||||
PCIeRootPort: h.PCIeRootPort,
|
||||
DisableVhostNet: h.DisableVhostNet,
|
||||
EnableVhostUserStore: h.EnableVhostUserStore,
|
||||
VhostUserStorePath: h.vhostUserStorePath(),
|
||||
VhostUserStorePathList: h.VhostUserStorePathList,
|
||||
SeccompSandbox: h.SeccompSandbox,
|
||||
GuestHookPath: h.guestHookPath(),
|
||||
RxRateLimiterMaxRate: rxRateLimiterMaxRate,
|
||||
TxRateLimiterMaxRate: txRateLimiterMaxRate,
|
||||
EnableAnnotations: h.EnableAnnotations,
|
||||
GuestMemoryDumpPath: h.GuestMemoryDumpPath,
|
||||
GuestMemoryDumpPaging: h.GuestMemoryDumpPaging,
|
||||
ConfidentialGuest: h.ConfidentialGuest,
|
||||
SevSnpGuest: h.SevSnpGuest,
|
||||
GuestSwap: h.GuestSwap,
|
||||
Rootless: h.Rootless,
|
||||
LegacySerial: h.LegacySerial,
|
||||
DisableSeLinux: h.DisableSeLinux,
|
||||
GuestPreAttestation: h.GuestPreAttestation,
|
||||
GuestPreAttestationProxy: h.GuestPreAttestationProxy,
|
||||
GuestPreAttestationKeyset: h.GuestPreAttestationKeyset,
|
||||
GuestPreAttestationSecretGuid: h.GuestPreAttestationSecretGuid,
|
||||
GuestPreAttestationSecretType: h.GuestPreAttestationSecretType,
|
||||
SEVGuestPolicy: h.SEVGuestPolicy,
|
||||
SNPGuestPolicy: h.getSnpGuestPolicy(),
|
||||
SEVCertChainPath: h.SEVCertChainPath,
|
||||
DisableGuestSeLinux: h.DisableGuestSeLinux,
|
||||
RootfsType: rootfsType,
|
||||
HypervisorPath: hypervisor,
|
||||
HypervisorPathList: h.HypervisorPathList,
|
||||
KernelPath: kernel,
|
||||
InitrdPath: initrd,
|
||||
ImagePath: image,
|
||||
FirmwarePath: firmware,
|
||||
FirmwareVolumePath: firmwareVolume,
|
||||
PFlash: pflashes,
|
||||
MachineAccelerators: machineAccelerators,
|
||||
CPUFeatures: cpuFeatures,
|
||||
KernelParams: vc.DeserializeParams(strings.Fields(kernelParams)),
|
||||
HypervisorMachineType: machineType,
|
||||
NumVCPUs: h.defaultVCPUs(),
|
||||
DefaultMaxVCPUs: h.defaultMaxVCPUs(),
|
||||
MemorySize: h.defaultMemSz(),
|
||||
MemSlots: h.defaultMemSlots(),
|
||||
MemOffset: h.defaultMemOffset(),
|
||||
DefaultMaxMemorySize: h.defaultMaxMemSz(),
|
||||
VirtioMem: h.VirtioMem,
|
||||
EntropySource: h.GetEntropySource(),
|
||||
EntropySourceList: h.EntropySourceList,
|
||||
DefaultBridges: h.defaultBridges(),
|
||||
DisableBlockDeviceUse: h.DisableBlockDeviceUse,
|
||||
SharedFS: sharedFS,
|
||||
VirtioFSDaemon: h.VirtioFSDaemon,
|
||||
VirtioFSDaemonList: h.VirtioFSDaemonList,
|
||||
VirtioFSCacheSize: h.VirtioFSCacheSize,
|
||||
VirtioFSCache: h.defaultVirtioFSCache(),
|
||||
VirtioFSQueueSize: h.VirtioFSQueueSize,
|
||||
VirtioFSExtraArgs: h.VirtioFSExtraArgs,
|
||||
MemPrealloc: h.MemPrealloc,
|
||||
HugePages: h.HugePages,
|
||||
IOMMU: h.IOMMU,
|
||||
IOMMUPlatform: h.getIOMMUPlatform(),
|
||||
FileBackedMemRootDir: h.FileBackedMemRootDir,
|
||||
FileBackedMemRootList: h.FileBackedMemRootList,
|
||||
Debug: h.Debug,
|
||||
DisableNestingChecks: h.DisableNestingChecks,
|
||||
BlockDeviceDriver: blockDriver,
|
||||
BlockDeviceAIO: blockAIO,
|
||||
BlockDeviceCacheSet: h.BlockDeviceCacheSet,
|
||||
BlockDeviceCacheDirect: h.BlockDeviceCacheDirect,
|
||||
BlockDeviceCacheNoflush: h.BlockDeviceCacheNoflush,
|
||||
EnableIOThreads: h.EnableIOThreads,
|
||||
Msize9p: h.msize9p(),
|
||||
DisableImageNvdimm: h.DisableImageNvdimm,
|
||||
HotplugVFIOOnRootBus: h.HotplugVFIOOnRootBus,
|
||||
PCIeRootPort: h.PCIeRootPort,
|
||||
DisableVhostNet: h.DisableVhostNet,
|
||||
EnableVhostUserStore: h.EnableVhostUserStore,
|
||||
VhostUserStorePath: h.vhostUserStorePath(),
|
||||
VhostUserStorePathList: h.VhostUserStorePathList,
|
||||
SeccompSandbox: h.SeccompSandbox,
|
||||
GuestHookPath: h.guestHookPath(),
|
||||
RxRateLimiterMaxRate: rxRateLimiterMaxRate,
|
||||
TxRateLimiterMaxRate: txRateLimiterMaxRate,
|
||||
EnableAnnotations: h.EnableAnnotations,
|
||||
GuestMemoryDumpPath: h.GuestMemoryDumpPath,
|
||||
GuestMemoryDumpPaging: h.GuestMemoryDumpPaging,
|
||||
ConfidentialGuest: h.ConfidentialGuest,
|
||||
SevSnpGuest: h.SevSnpGuest,
|
||||
GuestSwap: h.GuestSwap,
|
||||
Rootless: h.Rootless,
|
||||
LegacySerial: h.LegacySerial,
|
||||
DisableSeLinux: h.DisableSeLinux,
|
||||
GuestPreAttestation: h.GuestPreAttestation,
|
||||
GuestPreAttestationURI: h.GuestPreAttestationURI,
|
||||
GuestPreAttestationMode: h.GuestPreAttestationMode,
|
||||
GuestPreAttestationKeyset: h.GuestPreAttestationKeyset,
|
||||
SEVGuestPolicy: h.SEVGuestPolicy,
|
||||
SNPGuestPolicy: h.getSnpGuestPolicy(),
|
||||
SEVCertChainPath: h.SEVCertChainPath,
|
||||
DisableGuestSeLinux: h.DisableGuestSeLinux,
|
||||
RootfsType: rootfsType,
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -1276,63 +1274,62 @@ func updateRuntimeConfig(configPath string, tomlConf tomlConfig, config *oci.Run
|
||||
|
||||
func GetDefaultHypervisorConfig() vc.HypervisorConfig {
|
||||
return vc.HypervisorConfig{
|
||||
HypervisorPath: defaultHypervisorPath,
|
||||
JailerPath: defaultJailerPath,
|
||||
KernelPath: defaultKernelPath,
|
||||
ImagePath: defaultImagePath,
|
||||
InitrdPath: defaultInitrdPath,
|
||||
FirmwarePath: defaultFirmwarePath,
|
||||
FirmwareVolumePath: defaultFirmwareVolumePath,
|
||||
MachineAccelerators: defaultMachineAccelerators,
|
||||
CPUFeatures: defaultCPUFeatures,
|
||||
HypervisorMachineType: defaultMachineType,
|
||||
NumVCPUs: defaultVCPUCount,
|
||||
DefaultMaxVCPUs: defaultMaxVCPUCount,
|
||||
MemorySize: defaultMemSize,
|
||||
MemOffset: defaultMemOffset,
|
||||
VirtioMem: defaultVirtioMem,
|
||||
DisableBlockDeviceUse: defaultDisableBlockDeviceUse,
|
||||
DefaultBridges: defaultBridgesCount,
|
||||
MemPrealloc: defaultEnableMemPrealloc,
|
||||
HugePages: defaultEnableHugePages,
|
||||
IOMMU: defaultEnableIOMMU,
|
||||
IOMMUPlatform: defaultEnableIOMMUPlatform,
|
||||
FileBackedMemRootDir: defaultFileBackedMemRootDir,
|
||||
Debug: defaultEnableDebug,
|
||||
DisableNestingChecks: defaultDisableNestingChecks,
|
||||
BlockDeviceDriver: defaultBlockDeviceDriver,
|
||||
BlockDeviceAIO: defaultBlockDeviceAIO,
|
||||
BlockDeviceCacheSet: defaultBlockDeviceCacheSet,
|
||||
BlockDeviceCacheDirect: defaultBlockDeviceCacheDirect,
|
||||
BlockDeviceCacheNoflush: defaultBlockDeviceCacheNoflush,
|
||||
EnableIOThreads: defaultEnableIOThreads,
|
||||
Msize9p: defaultMsize9p,
|
||||
HotplugVFIOOnRootBus: defaultHotplugVFIOOnRootBus,
|
||||
PCIeRootPort: defaultPCIeRootPort,
|
||||
GuestHookPath: defaultGuestHookPath,
|
||||
VhostUserStorePath: defaultVhostUserStorePath,
|
||||
VirtioFSCache: defaultVirtioFSCacheMode,
|
||||
DisableImageNvdimm: defaultDisableImageNvdimm,
|
||||
RxRateLimiterMaxRate: defaultRxRateLimiterMaxRate,
|
||||
TxRateLimiterMaxRate: defaultTxRateLimiterMaxRate,
|
||||
SGXEPCSize: defaultSGXEPCSize,
|
||||
ConfidentialGuest: defaultConfidentialGuest,
|
||||
SevSnpGuest: defaultSevSnpGuest,
|
||||
GuestSwap: defaultGuestSwap,
|
||||
Rootless: defaultRootlessHypervisor,
|
||||
DisableSeccomp: defaultDisableSeccomp,
|
||||
DisableGuestSeLinux: defaultDisableGuestSeLinux,
|
||||
LegacySerial: defaultLegacySerial,
|
||||
GuestPreAttestation: defaultGuestPreAttestation,
|
||||
GuestPreAttestationProxy: defaultGuestPreAttestationProxy,
|
||||
GuestPreAttestationKeyset: defaultGuestPreAttestationKeyset,
|
||||
GuestPreAttestationSecretGuid: defaultGuestPreAttestationSecretGuid,
|
||||
GuestPreAttestationSecretType: defaultGuestPreAttestationSecretType,
|
||||
SEVGuestPolicy: defaultSEVGuestPolicy,
|
||||
SNPGuestPolicy: defaultSNPGuestPolicy,
|
||||
SEVCertChainPath: defaultSEVCertChainPath,
|
||||
VhostUserDeviceReconnect: defaultVhostUserDeviceReconnect,
|
||||
RootfsType: defaultRootfsType,
|
||||
HypervisorPath: defaultHypervisorPath,
|
||||
JailerPath: defaultJailerPath,
|
||||
KernelPath: defaultKernelPath,
|
||||
ImagePath: defaultImagePath,
|
||||
InitrdPath: defaultInitrdPath,
|
||||
FirmwarePath: defaultFirmwarePath,
|
||||
FirmwareVolumePath: defaultFirmwareVolumePath,
|
||||
MachineAccelerators: defaultMachineAccelerators,
|
||||
CPUFeatures: defaultCPUFeatures,
|
||||
HypervisorMachineType: defaultMachineType,
|
||||
NumVCPUs: defaultVCPUCount,
|
||||
DefaultMaxVCPUs: defaultMaxVCPUCount,
|
||||
MemorySize: defaultMemSize,
|
||||
MemOffset: defaultMemOffset,
|
||||
VirtioMem: defaultVirtioMem,
|
||||
DisableBlockDeviceUse: defaultDisableBlockDeviceUse,
|
||||
DefaultBridges: defaultBridgesCount,
|
||||
MemPrealloc: defaultEnableMemPrealloc,
|
||||
HugePages: defaultEnableHugePages,
|
||||
IOMMU: defaultEnableIOMMU,
|
||||
IOMMUPlatform: defaultEnableIOMMUPlatform,
|
||||
FileBackedMemRootDir: defaultFileBackedMemRootDir,
|
||||
Debug: defaultEnableDebug,
|
||||
DisableNestingChecks: defaultDisableNestingChecks,
|
||||
BlockDeviceDriver: defaultBlockDeviceDriver,
|
||||
BlockDeviceAIO: defaultBlockDeviceAIO,
|
||||
BlockDeviceCacheSet: defaultBlockDeviceCacheSet,
|
||||
BlockDeviceCacheDirect: defaultBlockDeviceCacheDirect,
|
||||
BlockDeviceCacheNoflush: defaultBlockDeviceCacheNoflush,
|
||||
EnableIOThreads: defaultEnableIOThreads,
|
||||
Msize9p: defaultMsize9p,
|
||||
HotplugVFIOOnRootBus: defaultHotplugVFIOOnRootBus,
|
||||
PCIeRootPort: defaultPCIeRootPort,
|
||||
GuestHookPath: defaultGuestHookPath,
|
||||
VhostUserStorePath: defaultVhostUserStorePath,
|
||||
VirtioFSCache: defaultVirtioFSCacheMode,
|
||||
DisableImageNvdimm: defaultDisableImageNvdimm,
|
||||
RxRateLimiterMaxRate: defaultRxRateLimiterMaxRate,
|
||||
TxRateLimiterMaxRate: defaultTxRateLimiterMaxRate,
|
||||
SGXEPCSize: defaultSGXEPCSize,
|
||||
ConfidentialGuest: defaultConfidentialGuest,
|
||||
SevSnpGuest: defaultSevSnpGuest,
|
||||
GuestSwap: defaultGuestSwap,
|
||||
Rootless: defaultRootlessHypervisor,
|
||||
DisableSeccomp: defaultDisableSeccomp,
|
||||
DisableGuestSeLinux: defaultDisableGuestSeLinux,
|
||||
LegacySerial: defaultLegacySerial,
|
||||
GuestPreAttestation: defaultGuestPreAttestation,
|
||||
GuestPreAttestationURI: defaultGuestPreAttestationURI,
|
||||
GuestPreAttestationMode: defaultGuestPreAttestationMode,
|
||||
GuestPreAttestationKeyset: defaultGuestPreAttestationKeyset,
|
||||
SEVGuestPolicy: defaultSEVGuestPolicy,
|
||||
SNPGuestPolicy: defaultSNPGuestPolicy,
|
||||
SEVCertChainPath: defaultSEVCertChainPath,
|
||||
VhostUserDeviceReconnect: defaultVhostUserDeviceReconnect,
|
||||
RootfsType: defaultRootfsType,
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
33
src/runtime/pkg/sev/kbs/kbs.go
Normal file
33
src/runtime/pkg/sev/kbs/kbs.go
Normal file
@@ -0,0 +1,33 @@
|
||||
// Copyright contributors to AMD SEV/-ES in Go
|
||||
//
|
||||
// SPDX-License-Identifier: Apache-2.0
|
||||
//
|
||||
|
||||
// Package kbs can be used interact with simple-kbs, the key broker
|
||||
// server for SEV and SEV-ES pre-attestation
|
||||
|
||||
package kbs
|
||||
|
||||
const (
|
||||
Offline = "offline"
|
||||
OfflineSecretType = "bundle"
|
||||
OfflineSecretGuid = "e6f5a162-d67f-4750-a67c-5d065f2a9910"
|
||||
Online = "online"
|
||||
OnlineBootParam = "online_sev_kbc"
|
||||
OnlineSecretType = "connection"
|
||||
OnlineSecretGuid = "1ee27366-0c87-43a6-af48-28543eaf7cb0"
|
||||
)
|
||||
|
||||
type GuestPreAttestationConfig struct {
|
||||
Proxy string
|
||||
Keyset string
|
||||
LaunchId string
|
||||
KernelPath string
|
||||
InitrdPath string
|
||||
FwPath string
|
||||
KernelParameters string
|
||||
CertChainPath string
|
||||
SecretType string
|
||||
SecretGuid string
|
||||
Policy uint32
|
||||
}
|
||||
@@ -15,20 +15,6 @@ import (
|
||||
"os"
|
||||
)
|
||||
|
||||
type GuestPreAttestationConfig struct {
|
||||
Proxy string
|
||||
Keyset string
|
||||
LaunchId string
|
||||
KernelPath string
|
||||
InitrdPath string
|
||||
FwPath string
|
||||
KernelParameters string
|
||||
CertChainPath string
|
||||
KeyBrokerSecretType string
|
||||
KeyBrokerSecretGuid string
|
||||
Policy uint32
|
||||
}
|
||||
|
||||
type guidLE [16]byte
|
||||
|
||||
// The following definitions must be identical to those in QEMU target/i386/sev.c
|
||||
|
||||
Reference in New Issue
Block a user