diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
index 7c16064e1..fa307bbbb 100644
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@@ -747,6 +747,12 @@ func (conf *HypervisorConfig) ImageOrInitrdAssetPath() (string, types.AssetType,
 return initrd, types.InitrdAsset, nil
 }
 
+ // Even if neither image nor initrd are set, we still need to return
+ // if we are running a confidential guest on QemuCCWVirtio. (IBM Z Secure Execution)
+ if conf.ConfidentialGuest && conf.HypervisorMachineType == QemuCCWVirtio {
+ return "", types.SecureBootAsset, nil
+ }
+
 return "", types.UnkownAsset, fmt.Errorf("one of image and initrd must be set")
 }
 
diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go
index 57c529058..96b004533 100644
--- a/src/runtime/virtcontainers/qemu.go
+++ b/src/runtime/virtcontainers/qemu.go
@@ -422,9 +422,13 @@ func (q *qemu) buildDevices(ctx context.Context, kernelPath string) ([]govmmQemu
 if err != nil {
 return nil, nil, nil, err
 }
- } else {
+ } else if assetType == types.InitrdAsset {
 // InitrdAsset, need to set kernel initrd path
 kernel.InitrdPath = assetPath
+ } else if assetType == types.SecureBootAsset {
+ // SecureBootAsset, no need to set image or initrd path
+ q.Logger().Info("For IBM Z Secure Execution, initrd path should not be set")
+ kernel.InitrdPath = ""
 }
 
 if q.config.IOMMU {
diff --git a/src/runtime/virtcontainers/types/asset.go b/src/runtime/virtcontainers/types/asset.go
index 6cad7dd33..8aae9785b 100644
--- a/src/runtime/virtcontainers/types/asset.go
+++ b/src/runtime/virtcontainers/types/asset.go
@@ -28,6 +28,10 @@ const (
 // InitrdAsset is an initrd asset.
 InitrdAsset AssetType = "initrd"
 
+ // SecureBootAsset is a secure boot asset.
+ // (IBM Z Secure Execution only)
+ SecureBootAsset AssetType = "secure_boot"
+
 // HypervisorAsset is an hypervisor asset.
 HypervisorAsset AssetType = "hypervisor"
 
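Review bot: The new Secure Execution branch is only reached once the image and initrd checks above have both failed, so a configuration that sets ConfidentialGuest with QemuCCWVirtio and also an initrd silently takes the `return initrd, types.InitrdAsset, nil` path and never yields SecureBootAsset; if that combination is not meant to be supported it should be rejected here with an error, since a confidential guest quietly booting through the ordinary initrd path is the wrong failure mode. The function name and, presumably, its doc comment (outside the hunk) still describe only image/initrd results; add `// A confidential guest on QemuCCWVirtio (IBM Z Secure Execution) yields SecureBootAsset with an empty path.` to that comment. The start of ImageOrInitrdAssetPath lies outside the hunk.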
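Review bot: Turning the final `else` into `else if assetType == types.InitrdAsset` leaves no branch for any other asset type, so an unexpected value now falls through without touching kernel.InitrdPath and without any error, whereas before every non-image type was at least handled; a guest-boot path should fail closed instead. Close the chain with `} else { return nil, nil, nil, fmt.Errorf("unsupported kernel asset type %q", assetType) }` (assuming fmt is imported in qemu.go, which the hunk does not show). The Info-level `q.Logger().Info(...)` fires on every Secure Execution boot for a condition that is expected rather than notable; Debug level, or the comment alone, is enough. buildDevices starts and ends outside the hunk.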
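Review bot: The doc comment on SecureBootAsset only restates its name, and what distinguishes this asset type from the others in the block is that it carries no file path (ImageOrInitrdAssetPath returns it with an empty string), which a consumer switching on AssetType needs to know. Replace the two comment lines with `// SecureBootAsset marks a guest booted via IBM Z Secure Execution; it carries no asset path, so callers must not treat the accompanying path as a file.`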