diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs index 3c90002c59..94ee975f67 100644 --- a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs +++ b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs @@ -561,23 +561,14 @@ impl VirtSandbox { hypervisor_config: &HypervisorConfig, init_data: Option, ) -> Result> { - let available_protection = available_guest_protection()?; - // We need to cover the following case: - // - Required to run Kata containers in TEE environment - // E.g., available_guest_protection() returns Se, but confidential_guest is not set. - // Unless the configuration is skipped, the VM will fail to start - // due to lack of a secure boot image for IBM SEL - if available_protection != GuestProtection::NoProtection - && !hypervisor_config.security_info.confidential_guest - { - info!( - sl!(), - "confidential_guest is not set while {:?} protection is detected, \ - skipping protection device config", - available_protection - ); + // No guest protection requested: skip host detection and run without + // a protection device (also avoids failing on hosts that advertise a + // protection they cannot use, e.g. SEV without SEV-SNP). + if !hypervisor_config.security_info.confidential_guest { return Ok(None); } + + let available_protection = available_guest_protection()?; info!( sl!(), "sandbox: available protection: {:?}", available_protection