Merge pull request #11640 from rafsal-rahim/bm-initdata-s390x

Feat | Implement initdata for bare-metal/qemu for s390x

src/runtime/virtcontainers/qemu.go

@@ -397,23 +397,6 @@ func (q *qemu) createQmpSocket() ([]govmmQemu.QMPSocket, error) {
 	return sockets, nil
 }
 
-func (q *qemu) buildInitdataDevice(devices []govmmQemu.Device, InitdataImage string) []govmmQemu.Device {
-	device := govmmQemu.BlockDevice{
-		Driver:    govmmQemu.VirtioBlock,
-		Transport: govmmQemu.TransportPCI,
-		ID:        "initdata",
-		File:      InitdataImage,
-		SCSI:      false,
-		WCE:       false,
-		AIO:       govmmQemu.Threads,
-		Interface: "none",
-		Format:    "raw",
-	}
-
-	devices = append(devices, device)
-	return devices
-}
-
 func (q *qemu) buildDevices(ctx context.Context, kernelPath string) ([]govmmQemu.Device, *govmmQemu.IOThread, *govmmQemu.Kernel, error) {
 	var devices []govmmQemu.Device
 
@@ -763,7 +746,7 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
 	}
 
 	if len(hypervisorConfig.Initdata) > 0 {
-		devices = q.buildInitdataDevice(devices, hypervisorConfig.InitdataImage)
+		devices = q.arch.buildInitdataDevice(ctx, devices, hypervisorConfig.InitdataImage)
 	}
 
 	// some devices configuration may also change kernel params, make sure this is called afterwards

src/runtime/virtcontainers/qemu_arch_base.go

@@ -176,6 +176,9 @@ type qemuArch interface {
 
 	// Query QMP to find the PCI slot of a device, given its QOM path or ID
 	qomGetSlot(qomPath string, qmpCh *qmpChannel) (types.PciSlot, error)
+
+	// buildInitdataDevice creates an initdata device for the given architecture.
+	buildInitdataDevice(ctx context.Context, devices []govmmQemu.Device, initdataImage string) []govmmQemu.Device
 }
 
 type qemuArchBase struct {
@@ -949,6 +952,24 @@ func (q *qemuArchBase) qomGetSlot(qomPath string, qmpCh *qmpChannel) (types.PciS
 	return types.PciSlotFromInt(slotNum)
 }
 
+// build initdata device
+func (q *qemuArchBase) buildInitdataDevice(ctx context.Context, devices []govmmQemu.Device, initdataImage string) []govmmQemu.Device {
+	device := govmmQemu.BlockDevice{
+		Driver:    govmmQemu.VirtioBlock,
+		Transport: govmmQemu.TransportPCI,
+		ID:        "initdata",
+		File:      initdataImage,
+		SCSI:      false,
+		WCE:       false,
+		AIO:       govmmQemu.Threads,
+		Interface: "none",
+		Format:    "raw",
+	}
+
+	devices = append(devices, device)
+	return devices
+}
+
 // Query QMP to find a device's PCI path given its QOM path or ID
 func (q *qemuArchBase) qomGetPciPath(qemuID string, qmpCh *qmpChannel) (types.PciPath, error) {
 

src/runtime/virtcontainers/qemu_arm64.go

@@ -154,6 +154,11 @@ func (q *qemuArm64) enableProtection() error {
 	return nil
 }
 
+func (q *qemuArm64) buildInitdataDevice(ctx context.Context, devices []govmmQemu.Device, initdataImage string) []govmmQemu.Device {
+	hvLogger.Warnf("buildInitdataDevice not implemented for arm64; ignoring initdata image: %s", initdataImage)
+	return devices
+}
+
 func (q *qemuArm64) appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string, initdataDigest []byte) ([]govmmQemu.Device, string, error) {
 	err := q.enableProtection()
 	if err != nil {

src/runtime/virtcontainers/qemu_ppc64le.go

@@ -8,6 +8,7 @@
 package virtcontainers
 
 import (
+	"context"
 	"fmt"
 	"time"
 
@@ -156,6 +157,11 @@ func (q *qemuPPC64le) enableProtection() error {
 	}
 }
 
+func (q *qemuPPC64le) buildInitdataDevice(ctx context.Context, devices []govmmQemu.Device, initdataImage string) []govmmQemu.Device {
+	hvLogger.Warnf("buildInitdataDevice not implemented for PPC64le; ignoring initdata image: %s", initdataImage)
+	return devices
+}
+
 // append protection device
 func (q *qemuPPC64le) appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string, initdataDigest []byte) ([]govmmQemu.Device, string, error) {
 	switch q.protection {

src/runtime/virtcontainers/qemu_s390x.go

@@ -351,6 +351,7 @@ func (q *qemuS390x) appendProtectionDevice(devices []govmmQemu.Device, firmware,
 			govmmQemu.Object{
 				Type:           govmmQemu.SecExecGuest,
 				ID:             secExecID,
+				InitdataDigest: initdataDigest,
 			}), firmware, nil
 	case noneProtection:
 		return devices, firmware, nil
@@ -382,6 +383,42 @@ func (q *qemuS390x) appendVFIODevice(devices []govmmQemu.Device, vfioDev config.
 	return devices
 }
 
+func (q *qemuS390x) buildInitdataDevice(ctx context.Context, devices []govmmQemu.Device, initdataImage string) []govmmQemu.Device {
+
+	var transport govmmQemu.VirtioTransport
+	var devNo string
+
+	transport = govmmQemu.TransportCCW
+	id := "initdata"
+	addr, bridge, err := q.addDeviceToBridge(ctx, id, types.CCW)
+	if err != nil {
+		hvLogger.WithError(err).Error("Failed to allocate CCW address for initdata")
+		return nil
+	}
+	devNo, err = bridge.AddressFormatCCW(addr)
+	if err != nil {
+		hvLogger.WithError(err).Error("Failed to format CCW address for initdata")
+		return nil
+	}
+	hvLogger.WithField("devno", devNo).Info("Using dynamic CCW DevNo for initdata")
+
+	device := govmmQemu.BlockDevice{
+		Driver:    govmmQemu.VirtioBlock,
+		Transport: transport,
+		ID:        id,
+		File:      initdataImage,
+		SCSI:      false,
+		WCE:       false,
+		AIO:       govmmQemu.Threads,
+		Interface: "none",
+		Format:    "raw",
+		DevNo:     devNo,
+	}
+
+	devices = append(devices, device)
+	return devices
+}
+
 // Query QMP to find a device's PCI path given its QOM path or ID
 func (q *qemuS390x) qomGetPciPath(qemuID string, qmpCh *qmpChannel) (types.PciPath, error) {
 	hvLogger.Warnf("qomGetPciPath not implemented for s390x")

src/runtime/virtcontainers/qemu_s390x_test.go

@@ -144,7 +144,7 @@ func TestQemuS390xAppendProtectionDevice(t *testing.T) {
 	// Secure Execution protection
 	s390x.(*qemuS390x).protection = seProtection
 
-	devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "", []byte(nil))
+	devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "", []byte(""))
 	assert.NoError(err)
 	assert.Empty(bios)
 
@@ -152,6 +152,7 @@ func TestQemuS390xAppendProtectionDevice(t *testing.T) {
 		govmmQemu.Object{
 			Type:           govmmQemu.SecExecGuest,
 			ID:             secExecID,
+			InitdataDigest: []byte(""),
 		},
 	}
 	assert.Equal(expectedOut, devices)

tests/integration/kubernetes/k8s-initdata.bats

@@ -45,13 +45,16 @@ function setup_kbs_image_policy_for_initdata() {
     fi
 
     export CURRENT_ARCH=$(uname -m)
-    if [ "${CURRENT_ARCH}" != "x86_64" ]; then
+    case "${CURRENT_ARCH}" in
-        skip "Test skipped as only x86-64 supports, while current platform is ${CURRENT_ARCH}"
+        "x86_64"|"s390x")
-    fi
+            ;;
+        *)
+            skip "Test skipped as only x86-64 & s390x is supported, while current platform is ${CURRENT_ARCH}"
+            ;;
+    esac
 
-    # TODO: Enable for more archs
     case "$KATA_HYPERVISOR" in
-        "qemu-tdx"|"qemu-coco-dev"|"qemu-snp")
+        "qemu-tdx"|"qemu-coco-dev"|"qemu-snp"|"qemu-se")
             ;;
         *)
             skip "Test not supported for ${KATA_HYPERVISOR}."