mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-07-01 14:38:33 +00:00
Merge pull request #13128 from nikolasgkou/fix/guest-protection-fallback
runtime-rs: don't fail VM start when guest protection detection errors
This commit is contained in:
@@ -561,23 +561,14 @@ impl VirtSandbox {
|
||||
hypervisor_config: &HypervisorConfig,
|
||||
init_data: Option<String>,
|
||||
) -> Result<Option<ProtectionDeviceConfig>> {
|
||||
let available_protection = available_guest_protection()?;
|
||||
// We need to cover the following case:
|
||||
// - Required to run Kata containers in TEE environment
|
||||
// E.g., available_guest_protection() returns Se, but confidential_guest is not set.
|
||||
// Unless the configuration is skipped, the VM will fail to start
|
||||
// due to lack of a secure boot image for IBM SEL
|
||||
if available_protection != GuestProtection::NoProtection
|
||||
&& !hypervisor_config.security_info.confidential_guest
|
||||
{
|
||||
info!(
|
||||
sl!(),
|
||||
"confidential_guest is not set while {:?} protection is detected, \
|
||||
skipping protection device config",
|
||||
available_protection
|
||||
);
|
||||
// No guest protection requested: skip host detection and run without
|
||||
// a protection device (also avoids failing on hosts that advertise a
|
||||
// protection they cannot use, e.g. SEV without SEV-SNP).
|
||||
if !hypervisor_config.security_info.confidential_guest {
|
||||
return Ok(None);
|
||||
}
|
||||
|
||||
let available_protection = available_guest_protection()?;
|
||||
info!(
|
||||
sl!(),
|
||||
"sandbox: available protection: {:?}", available_protection
|
||||
|
||||
Reference in New Issue
Block a user