runtime-rs: Enables block device and disables virtio-fs via capabilities

Kata runtime employs a CapabilityBits mechanism for VMM capability
governance. Fundamentally, this mechanism utilizes predefined feature
flags to manage the VMM's operational boundaries.

To meet demands for storage performance and security, it's necessary
to explicitly enable capability flags such as `BlockDeviceSupport`
(basic block device support) and `BlockDeviceHotplugSupport` (block
device hotplug), which ensures the VMM provides the expected caps.

In CoCo scenarios, due to the potential risks of sensitive data leaks
or side-channel attacks introduced by virtio-fs through shared file
systems, the `FsSharingSupport` flag must be forcibly disabled. This
disables the virtio-fs feature at the capability set level, blocking
insecure data channels.

Fixes #11341

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
alex.lyn
2025-05-30 17:34:46 +08:00
parent 23340b6b5f
commit 2e9d27c500


@@ -379,7 +379,17 @@ impl QemuInner {
pub(crate) async fn capabilities(&self) -> Result<Capabilities> {
let mut caps = Capabilities::default();
caps.set(CapabilityBits::FsSharingSupport);
// Confidential Guest doesn't permit virtio-fs.
let flags = if self.hypervisor_config().security_info.confidential_guest {
CapabilityBits::BlockDeviceSupport | CapabilityBits::BlockDeviceHotplugSupport
} else {
CapabilityBits::BlockDeviceSupport
| CapabilityBits::BlockDeviceHotplugSupport
| CapabilityBits::FsSharingSupport
};
caps.set(flags);
Ok(caps)
}
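Review bot: The two branches of the `if` both repeat `CapabilityBits::BlockDeviceSupport | CapabilityBits::BlockDeviceHotplugSupport`, so the only thing that actually depends on `confidential_guest` is whether `FsSharingSupport` is added; it would read more clearly, and be harder to drift apart later, as a single unconditional `caps.set(CapabilityBits::BlockDeviceSupport | CapabilityBits::BlockDeviceHotplugSupport);` followed by `if !self.hypervisor_config().security_info.confidential_guest { caps.set(CapabilityBits::FsSharingSupport); }`, keeping the `// Confidential Guest doesn't permit virtio-fs.` comment on that conditional. Since the commit message says the flag is "forcibly disabled" for CoCo, it is also worth confirming in the same change that `Capabilities::default()` does not already carry `FsSharingSupport` (the hunk relies on it being absent) and that the shared-fs setup path actually consults this capability bit rather than only the config, otherwise the capability change alone does not block the virtio-fs channel; a small unit test asserting the two resulting capability sets for `confidential_guest` true and false would document that contract.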