Merge pull request #13128 from nikolasgkou/fix/guest-protection-fallback

runtime-rs: don't fail VM start when guest protection detection errors
This commit is contained in:
Fabiano Fidêncio
2026-06-13 08:56:56 +02:00
committed by GitHub

View File

@@ -561,23 +561,14 @@ impl VirtSandbox {
hypervisor_config: &HypervisorConfig,
init_data: Option<String>,
) -> Result<Option<ProtectionDeviceConfig>> {
let available_protection = available_guest_protection()?;
// We need to cover the following case:
// - Required to run Kata containers in TEE environment
// E.g., available_guest_protection() returns Se, but confidential_guest is not set.
// Unless the configuration is skipped, the VM will fail to start
// due to lack of a secure boot image for IBM SEL
if available_protection != GuestProtection::NoProtection
&& !hypervisor_config.security_info.confidential_guest
{
info!(
sl!(),
"confidential_guest is not set while {:?} protection is detected, \
skipping protection device config",
available_protection
);
// No guest protection requested: skip host detection and run without
// a protection device (also avoids failing on hosts that advertise a
// protection they cannot use, e.g. SEV without SEV-SNP).
if !hypervisor_config.security_info.confidential_guest {
return Ok(None);
}
let available_protection = available_guest_protection()?;
info!(
sl!(),
"sandbox: available protection: {:?}", available_protection