From 80b8f592a0c4c643117638b89c908369445023b5 Mon Sep 17 00:00:00 2001
From: nikolasgkou
Date: Fri, 29 May 2026 15:52:26 +0200
Subject: [PATCH] runtime-rs: skip guest protection detection for non-confidential guests
prepare_protection_device_config() called available_guest_protection() unconditionally and propagated any error before the "confidential_guest is not set" case was handled. On AMD hosts where the kvm_amd `sev` module parameter is "Y" but the CPU does not expose the SEV-SNP CPUID bit (8000_001f EAX[4]) -- e.g. consumer Ryzen -- available_guest_protection() returns Err("SEV not supported"), which blocked every non-confidential VM from booting even though no protection was requested. When confidential_guest is not set there is no reason to probe the host, so return Ok(None) before calling available_guest_protection(). Detection (and any error it produces) now runs only when a confidential guest is actually requested.
Signed-off-by: nikolasgkou
---
 .../runtimes/virt_container/src/sandbox.rs | 21 ++++++-------------
 1 file changed, 6 insertions(+), 15 deletions(-)
diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
index 3c90002c59..94ee975f67 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
@@ -561,23 +561,14 @@ impl VirtSandbox {
 hypervisor_config: &HypervisorConfig,
 init_data: Option,
 ) -> Result> {
- let available_protection = available_guest_protection()?;
- // We need to cover the following case:
- // - Required to run Kata containers in TEE environment
- // E.g., available_guest_protection() returns Se, but confidential_guest is not set.
- // Unless the configuration is skipped, the VM will fail to start
- // due to lack of a secure boot image for IBM SEL
- if available_protection != GuestProtection::NoProtection
- && !hypervisor_config.security_info.confidential_guest
- {
- info!(
- sl!(),
- "confidential_guest is not set while {:?} protection is detected, \
- skipping protection device config",
- available_protection
- );
+ // No guest protection requested: skip host detection and run without
+ // a protection device (also avoids failing on hosts that advertise a
+ // protection they cannot use, e.g. SEV without SEV-SNP).
+ if !hypervisor_config.security_info.confidential_guest {
 return Ok(None);
 }
+
+ let available_protection = available_guest_protection()?;
 info!(
 sl!(),
 "sandbox: available protection: {:?}", available_protection
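Review bot: The new early return on `if !hypervisor_config.security_info.confidential_guest` removes the only log line that told an operator a guest was started without a protection device, because the deleted `info!` reported the detected protection and the new branch returns `Ok(None)` silently. Emitting `info!(sl!(), "confidential_guest is not set, skipping guest protection detection");` before `return Ok(None);` keeps that audit signal in the sandbox log without probing the host, which is the behaviour the commit is trying to avoid. The new comment could also state explicitly that errors from `available_guest_protection()` (such as the SEV-without-SEV-SNP case described in the commit message) now surface only when `confidential_guest` is set, so that a later change does not reintroduce the unconditional probe. The enclosing `prepare_protection_device_config` starts before the hunk and its body continues past it.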