github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-25 10:43:15 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #6522 from fidencio/topic/add-tdx-artefacts-from-2023ww01-to-main

Browse Source 
tdx: Add artefacts from the latest TDX tools release into main
This commit is contained in:
Fabiano Fidêncio
2023-04-11 20:43:02 +02:00
committed by GitHub
parent 50ce33b02d 69d7a959c8
commit 3b3656d96d
25 changed files with 1009 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/runtime/virtcontainers/hypervisor_linux_amd64.go
View File

@@ -8,15 +8,28 @@ package virtcontainers
import "os"
const (
tdxSysFirmwareDir = "/sys/firmware/tdx_seam/"
tdxSeamSysFirmwareDir = "/sys/firmware/tdx_seam/"
tdxCPUFlag = "tdx"
tdxSysFirmwareDir = "/sys/firmware/tdx/"
sevKvmParameterPath = "/sys/module/kvm_amd/parameters/sev"
snpKvmParameterPath = "/sys/module/kvm_amd/parameters/sev_snp"
)
// TDX is supported and properly loaded when the firmware directory (either tdx or tdx_seam) exists or `tdx` is part of the CPU flag
func checkTdxGuestProtection(flags map[string]bool) bool {
if d, err := os.Stat(tdxSysFirmwareDir); err == nil && d.IsDir() {
return true
}
if d, err := os.Stat(tdxSeamSysFirmwareDir); err == nil && d.IsDir() {
return true
}
return false
}
// Implementation of this function is architecture specific
func availableGuestProtection() (guestProtection, error) {
flags, err := CPUFlags(procCPUInfo)
@@ -24,10 +37,10 @@ func availableGuestProtection() (guestProtection, error) {
return noneProtection, err
}
// TDX is supported and properly loaded when the firmware directory exists or `tdx` is part of the CPU flags
if d, err := os.Stat(tdxSysFirmwareDir); (err == nil && d.IsDir()) || flags[tdxCPUFlag] {
if checkTdxGuestProtection(flags) {
return tdxProtection, nil
}
// SEV-SNP is supported and enabled when the kvm module `sev_snp` parameter is set to `Y`
// SEV-SNP support infers SEV (-ES) support
if _, err := os.Stat(snpKvmParameterPath); err == nil {

2
src/runtime/virtcontainers/qemu_amd64.go
View File

@@ -233,7 +233,7 @@ func (q *qemuAmd64) enableProtection() error {
if q.qemuMachine.Options != "" {
q.qemuMachine.Options += ","
}
q.qemuMachine.Options += "kvm-type=tdx,confidential-guest-support=tdx"
q.qemuMachine.Options += "confidential-guest-support=tdx"
logger.Info("Enabling TDX guest protection")
return nil
case sevProtection: