From 133528a63cfdf8b8ca2c50cb897c7523d75db990 Mon Sep 17 00:00:00 2001
From: Pavel Mores
Date: Thu, 30 Jan 2025 13:57:29 +0100
Subject: [PATCH] runtime-rs: remove snp_certs_path support

SNP certs were apparently obsoleted by AMD.

Signed-off-by: Pavel Mores
---
 .../kata-types/src/config/hypervisor/mod.rs | 4 ----
 .../src/device/driver/protection_device.rs | 1 -
 .../hypervisor/src/qemu/cmdline_generator.rs | 20 ++-----------------
 .../crates/hypervisor/src/qemu/inner.rs | 1 -
 .../runtimes/virt_container/src/sandbox.rs | 8 --------
 5 files changed, 2 insertions(+), 32 deletions(-)

diff --git a/src/libs/kata-types/src/config/hypervisor/mod.rs b/src/libs/kata-types/src/config/hypervisor/mod.rs
index e4f0006b22..288481575f 100644
--- a/src/libs/kata-types/src/config/hypervisor/mod.rs
+++ b/src/libs/kata-types/src/config/hypervisor/mod.rs
@@ -829,10 +829,6 @@ pub struct SecurityInfo {
 #[serde(default)]
 pub sev_snp_guest: bool,
 
- /// Path to SNP certificates
- #[serde(default)]
- pub snp_certs_path: String,
-
 /// Path to OCI hook binaries in the *guest rootfs*.
 ///
 /// This does not affect host-side hooks which must instead be added to the OCI spec passed to
diff --git a/src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs b/src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs
index d183cf477c..33fa82c38b 100644
--- a/src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs
+++ b/src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs
@@ -21,7 +21,6 @@ pub struct SevSnpConfig {
 pub is_snp: bool,
 pub cbitpos: u32,
 pub firmware: String,
- pub certs_path: String,
 }
 
 #[derive(Debug, Clone)]
diff --git a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
index 1f3747f5d8..985d1ce876 100644
--- a/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
+++ b/src/runtime-rs/crates/hypervisor/src/qemu/cmdline_generator.rs
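Review bot: Dropping `pub snp_certs_path` from `SecurityInfo` changes what existing configuration files mean without any signal to the operator: a TOML that still sets `snp_certs_path` will either be rejected outright, if `SecurityInfo` carries `deny_unknown_fields` (not visible in this hunk), or be accepted with the key silently ignored, and in the second case a deployment that presumably relied on host-supplied certificates for guest attestation keeps running with the setting doing nothing. Consider keeping the field for one release as a deprecated no-op — `/// Deprecated and ignored: SNP certificates are no longer passed to QEMU.` over the existing `#[serde(default)] pub snp_certs_path: String,` — and logging a warning at config-load time when it is non-empty, or at minimum recording the removal in the configuration template and release notes so the behaviour change is discoverable. The `SecurityInfo` struct starts before this hunk.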
@@ -1785,7 +1785,6 @@ struct ObjectSevSnpGuest {
 kernel_hashes: bool,
 is_snp: bool,
- certs_path: String,
 }
 
 impl ObjectSevSnpGuest {
@@ -1796,14 +1795,8 @@ impl ObjectSevSnpGuest {
 reduced_phys_bits: 1,
 kernel_hashes: true,
 is_snp,
- certs_path: "".to_owned(),
 }
 }
-
- fn set_certs_path(&mut self, certs_path: &str) -> &mut Self {
- self.certs_path = certs_path.to_owned();
- self
- }
 }
 
 #[async_trait]
@@ -1826,9 +1819,6 @@ impl ToQemuParams for ObjectSevSnpGuest {
 "kernel-hashes={}",
 if self.kernel_hashes { "on" } else { "off" }
 ));
- if !self.certs_path.is_empty() {
- params.push(format!("certs-path={}", self.certs_path));
- }
 }
 Ok(vec!["-object".to_owned(), params.join(",")])
 }
@@ -2189,14 +2179,8 @@ impl<'a> QemuCmdLine<'a> {
 .set_nvdimm(false);
 }
 
- pub fn add_sev_snp_protection_device(
- &mut self,
- cbitpos: u32,
- firmware: &str,
- certs_path: &str,
- ) {
- let mut sev_snp_object = ObjectSevSnpGuest::new(true, cbitpos);
- sev_snp_object.set_certs_path(certs_path);
+ pub fn add_sev_snp_protection_device(&mut self, cbitpos: u32, firmware: &str) {
+ let sev_snp_object = ObjectSevSnpGuest::new(true, cbitpos);
 self.devices.push(Box::new(sev_snp_object));
 self.devices.push(Box::new(Bios::new(firmware.to_owned())));
diff --git a/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs b/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs
index 511b79d86f..8a861bdf2b 100644
--- a/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs
+++ b/src/runtime-rs/crates/hypervisor/src/qemu/inner.rs
@@ -132,7 +132,6 @@ impl QemuInner {
 cmdline.add_sev_snp_protection_device(
 sev_snp_cfg.cbitpos,
 &sev_snp_cfg.firmware,
- &sev_snp_cfg.certs_path,
 )
 } else {
 cmdline.add_sev_protection_device(
diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
index 08d6ed2a86..ee32d45adf 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
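Review bot: With `certs_path` gone, `ObjectSevSnpGuest` still has no doc comment recording why the `certs-path=` property is no longer emitted, so the next reader of `ToQemuParams for ObjectSevSnpGuest` (hunk at 1826) has only the commit message's hedged "apparently obsoleted" to go on. A short comment on the struct (hunk at 1785), e.g. `/// QEMU sev-snp-guest object. The certs-path property is intentionally not emitted; see the commit that removed snp_certs_path for the upstream reason.` — with the actual reason filled in once confirmed — keeps the rationale next to the code rather than in git history. In `add_sev_snp_protection_device` (hunk at 2189) the `is_snp` argument to `ObjectSevSnpGuest::new` remains the literal `true`; that looks correct because the SEV fallback is selected by the caller in `inner.rs`, but a one-line comment saying so would spare the reader the cross-file check. Both the `impl ToQemuParams` body and `add_sev_snp_protection_device` extend past the hunk boundaries.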
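Review bot: The call in `QemuInner` now spans three lines for two short arguments; with rustfmt's default width settings it would most likely be folded into `cmdline.add_sev_snp_protection_device(sev_snp_cfg.cbitpos, &sev_snp_cfg.firmware)`, so the hunk as posted is probably not `cargo fmt`-clean and is worth re-running before merge. The enclosing if/else continues outside the hunk.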
@@ -343,7 +343,6 @@ impl VirtSandbox {
 is_snp: false,
 cbitpos: details.cbitpos,
 firmware: hypervisor_config.boot_info.firmware.clone(),
- certs_path: "".to_owned(),
 })))
 }
 GuestProtection::Snp(details) => {
@@ -359,17 +358,10 @@ impl VirtSandbox {
 info!(sl!(), "reverting to SEV even though SEV-SNP is available as requested by 'sev_snp_guest'");
 }
 
- let certs_path = if is_snp {
- hypervisor_config.security_info.snp_certs_path.clone()
- } else {
- "".to_owned()
- };
-
 Ok(Some(ProtectionDeviceConfig::SevSnp(SevSnpConfig {
 is_snp,
 cbitpos: details.cbitpos,
 firmware: hypervisor_config.boot_info.firmware.clone(),
- certs_path,
 })))
 }
 GuestProtection::Se => {
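Review bot: After the removal, the `Sev` arm (hunk at 343) and the `Snp` arm (hunk at 358) build the same `SevSnpConfig { is_snp, cbitpos: details.cbitpos, firmware: hypervisor_config.boot_info.firmware.clone() }` literal and differ only in the `is_snp` value, so the now-obvious duplication could be folded into one constructor, e.g. `SevSnpConfig::new(is_snp, details.cbitpos, &hypervisor_config.boot_info.firmware)` next to the struct in `protection_device.rs`, or a local closure in this method. That would also make the three-field shape the single place to update the next time a field is added or dropped. Both arms belong to a `match` whose start and end lie outside the hunks.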