github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-22 01:43:04 +00:00
Code Issues Projects Releases Wiki Activity

runtime-rs: Enable initdata spec for IBM SEL

Browse Source 
Add support for the `InitData` resource config on IBM SEL,
so that a corresponding block device is created and the
initdata is passed to the guest through this device.

Note that we skip passing the initdata hash via QEMU’s
object, since the hypervisor does not yet support this
mechanism for IBM SEL. It will be introduced separately
once QEMU adds the feature.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This commit is contained in:
Hyounggyu Choi 2025-08-18 12:47:09 +02:00
parent 014ab2fce6
commit 2ec70bc8e2
2 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/libs/kata-types/src/initdata.rs
View File

@ -3,12 +3,12 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// //
use crate::sl;
use anyhow::{anyhow, Context, Result}; use anyhow::{anyhow, Context, Result};
use flate2::read::GzDecoder; use flate2::read::GzDecoder;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256, Sha384, Sha512}; use sha2::{Digest, Sha256, Sha384, Sha512};
use std::{collections::HashMap, io::Read}; use std::{collections::HashMap, io::Read};
use crate::sl;
/// Currently, initdata only supports version 0.1.0. /// Currently, initdata only supports version 0.1.0.
const INITDATA_VERSION: &str = "0.1.0"; const INITDATA_VERSION: &str = "0.1.0";
@ -24,6 +24,8 @@ pub enum ProtectedPlatform {
Snp, Snp,
/// Cca platform for ARM CCA /// Cca platform for ARM CCA
Cca, Cca,
/// Se platform for IBM SEL
Se,
/// Default with no protection /// Default with no protection
#[default] #[default]
NoProtection, NoProtection,
@ -155,6 +157,7 @@ fn adjust_digest(digest: &[u8], platform: ProtectedPlatform) -> Vec<u8> {
ProtectedPlatform::Tdx => 48, ProtectedPlatform::Tdx => 48,
ProtectedPlatform::Snp => 32, ProtectedPlatform::Snp => 32,
ProtectedPlatform::Cca => 64, ProtectedPlatform::Cca => 64,
ProtectedPlatform::Se => 256,
ProtectedPlatform::NoProtection => digest.len(), ProtectedPlatform::NoProtection => digest.len(),
}; };
@ -432,6 +435,12 @@ key = "value"
assert_eq!(cca_result.len(), 64); assert_eq!(cca_result.len(), 64);
assert_eq!(&cca_result[..32], &short_digest[..]); assert_eq!(&cca_result[..32], &short_digest[..]);
assert_eq!(&cca_result[32..], vec![0u8; 32]); assert_eq!(&cca_result[32..], vec![0u8; 32]);
// Test SE platform (requires 256 bytes)
let long_digest = vec![0xAA; 256];
let se_result = adjust_digest(&long_digest, ProtectedPlatform::Se);
assert_eq!(se_result.len(), 256);
assert_eq!(&se_result[..256], &long_digest[..256]);
} }
/// Test hypervisor initdata processing with compression /// Test hypervisor initdata processing with compression

1
src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
View File

@ -452,6 +452,7 @@ impl VirtSandbox {
GuestProtection::Snp(_details) => { GuestProtection::Snp(_details) => {
calculate_initdata_digest(&initdata, ProtectedPlatform::Snp)? calculate_initdata_digest(&initdata, ProtectedPlatform::Snp)?
} }
GuestProtection::Se => calculate_initdata_digest(&initdata, ProtectedPlatform::Se)?,
// TODO: there's more `GuestProtection` types to be supported. // TODO: there's more `GuestProtection` types to be supported.
_ => return Ok(None), _ => return Ok(None),
}; };