runtime-rs: Enable initdata spec for IBM SEL

Add support for the `InitData` resource config on IBM SEL, so that a corresponding block device is created and the initdata is passed to the guest through this device. Note that we skip passing the initdata hash via QEMU’s object, since the hypervisor does not yet support this mechanism for IBM SEL. It will be introduced separately once QEMU adds the feature. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-08-22 01:43:04 +00:00 · 2025-08-18 12:47:09 +02:00 · 2025-08-18 12:47:09 +02:00 · 2ec70bc8e2
commit 2ec70bc8e2
parent 014ab2fce6
2 changed files with 11 additions and 1 deletions
--- a/src/libs/kata-types/src/initdata.rs
+++ b/src/libs/kata-types/src/initdata.rs
@ -3,12 +3,12 @@
 // SPDX-License-Identifier: Apache-2.0
 //

+use crate::sl;
 use anyhow::{anyhow, Context, Result};
 use flate2::read::GzDecoder;
 use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256, Sha384, Sha512};
 use std::{collections::HashMap, io::Read};
-use crate::sl;

 /// Currently, initdata only supports version 0.1.0.
 const INITDATA_VERSION: &str = "0.1.0";
@ -24,6 +24,8 @@ pub enum ProtectedPlatform {
    Snp,
    /// Cca platform for ARM CCA
    Cca,
+    /// Se platform for IBM SEL
+    Se,
    /// Default with no protection
    #[default]
    NoProtection,
@ -155,6 +157,7 @@ fn adjust_digest(digest: &[u8], platform: ProtectedPlatform) -> Vec<u8> {
        ProtectedPlatform::Tdx => 48,
        ProtectedPlatform::Snp => 32,
        ProtectedPlatform::Cca => 64,
+        ProtectedPlatform::Se => 256,
        ProtectedPlatform::NoProtection => digest.len(),
    };

@ -432,6 +435,12 @@ key = "value"
        assert_eq!(cca_result.len(), 64);
        assert_eq!(&cca_result[..32], &short_digest[..]);
        assert_eq!(&cca_result[32..], vec![0u8; 32]);
+
+        // Test SE platform (requires 256 bytes)
+        let long_digest = vec![0xAA; 256];
+        let se_result = adjust_digest(&long_digest, ProtectedPlatform::Se);
+        assert_eq!(se_result.len(), 256);
+        assert_eq!(&se_result[..256], &long_digest[..256]);
    }

    /// Test hypervisor initdata processing with compression
--- a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
@ -452,6 +452,7 @@ impl VirtSandbox {
            GuestProtection::Snp(_details) => {
                calculate_initdata_digest(&initdata, ProtectedPlatform::Snp)?
            }
+            GuestProtection::Se => calculate_initdata_digest(&initdata, ProtectedPlatform::Se)?,
            // TODO: there's more `GuestProtection` types to be supported.
            _ => return Ok(None),
        };