diff --git a/docs/how-to/how-to-set-sandbox-config-kata.md b/docs/how-to/how-to-set-sandbox-config-kata.md
index b8ac511cd4..1c55f97fc9 100644
--- a/docs/how-to/how-to-set-sandbox-config-kata.md
+++ b/docs/how-to/how-to-set-sandbox-config-kata.md
@@ -94,6 +94,16 @@ There are several kinds of Kata configurations and they are listed below.
 | `io.katacontainers.config.hypervisor.enable_guest_swap` | `boolean` | enable swap in the guest |
 | `io.katacontainers.config.hypervisor.use_legacy_serial` | `boolean` | uses legacy serial device for guest's console (QEMU) |
+## Confidential Computing Options
+| Key | Value Type | Comments |
+|-------| ----- | ----- |
+| `io.katacontainers.config.pre_attestation.enabled"` | `bool` |
+determines if SEV/-ES attestation is enabled |
+| `io.katacontainers.config.pre_attestation.uri"` | `string` |
+specify the location of the attestation server |
+| `io.katacontainers.config.sev.policy"` | `uint32` |
+specify the SEV guest policy |
+
 ## Container Options
 | Key | Value Type | Comments |
 |-------| ----- | ----- |
diff --git a/src/runtime/pkg/oci/utils.go b/src/runtime/pkg/oci/utils.go
index 437995f39b..61197f37aa 100644
--- a/src/runtime/pkg/oci/utils.go
+++ b/src/runtime/pkg/oci/utils.go
@@ -456,6 +456,10 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 return err
 }
+ if err := addConfidentialComputingOverrides(ocispec, config); err != nil {
+ return err
+ }
+
 if value, ok := ocispec.Annotations[vcAnnotations.MachineType]; ok {
 if value != "" {
 config.HypervisorConfig.HypervisorMachineType = value
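Review bot: The three annotations consumed by the new `addConfidentialComputingOverrides` call are keyed under `io.katacontainers.config.pre_attestation.` and `io.katacontainers.config.sev.` rather than the `hypervisor.` prefix every other override in this function reads, so whatever `enable_annotations` allow-list gates hypervisor overrides may not gate them (the gating code is not visible in this hunk). If it does not, any author of a pod spec can turn pre-attestation off, point the guest at an attestation server of their choosing, or weaken the SEV policy bits — the exact controls confidential computing is meant to keep out of the tenant's hands. Please confirm the allow-list covers the new keys and record the expectation above the call: `// CoCo overrides (pre_attestation.*, sev.*) come from the pod spec and must be gated by enable_annotations like the hypervisor.* keys.` addHypervisorConfigOverrides begins and ends outside this hunk.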
@@ -912,6 +916,29 @@ func addAgentConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig) error
 return nil
 }
+func addConfidentialComputingOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig) error {
+
+ if err := newAnnotationConfiguration(ocispec, vcAnnotations.GuestPreAttestation).setBool(func(guestPreAttestation bool) {
+ sbConfig.HypervisorConfig.GuestPreAttestation = guestPreAttestation
+ }); err != nil {
+ return err
+ }
+
+ if value, ok := ocispec.Annotations[vcAnnotations.GuestPreAttestationURI]; ok {
+ if value != "" {
+ sbConfig.HypervisorConfig.GuestPreAttestationURI = value
+ }
+ }
+
+ if err := newAnnotationConfiguration(ocispec, vcAnnotations.SEVGuestPolicy).setUint(func(sevGuestPolicy uint64) {
+ sbConfig.HypervisorConfig.SEVGuestPolicy = uint32(sevGuestPolicy)
+ }); err != nil {
+ return err
+ }
+
+ return nil
+}
+
 // SandboxConfig converts an OCI compatible runtime configuration file
 // to a virtcontainers sandbox configuration structure.
 func SandboxConfig(ocispec specs.Spec, runtime RuntimeConfig, bundlePath, cid string, detach, systemdCgroup bool) (vc.SandboxConfig, error) {
diff --git a/src/runtime/virtcontainers/pkg/annotations/annotations.go b/src/runtime/virtcontainers/pkg/annotations/annotations.go
index 3584ccd70a..a8bd4c1b20 100644
--- a/src/runtime/virtcontainers/pkg/annotations/annotations.go
+++ b/src/runtime/virtcontainers/pkg/annotations/annotations.go
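Review bot: `uint32(sevGuestPolicy)` in the `SEVGuestPolicy` branch silently truncates any annotation value above 4294967295, so an out-of-range policy is accepted with only its low 32 bits kept instead of being rejected — for a value that selects SEV guest-policy bits, an unexpected bit pattern should be an error, not a surprise. The URI branch likewise stores `pre_attestation.uri` unparsed; a check such as `if _, err := url.Parse(value); err != nil { return fmt.Errorf("annotation %s: %w", vcAnnotations.GuestPreAttestationURI, err) }` before the assignment would reject malformed values at the same point. The function also has no doc comment; `// addConfidentialComputingOverrides applies the pre_attestation.* and sev.* annotations to sbConfig.HypervisorConfig (assuming setBool/setUint only invoke their callback when the key is present, absent keys leave the configured values untouched).` would tell the next reader what it is for. The rewrite below of the policy branch needs `math` (and `fmt`/`net/url` if the file does not already import them) added to the import block.
```go
	// … unchanged: GuestPreAttestation and GuestPreAttestationURI handling …

	var sevPolicy uint64
	sevPolicySet := false
	if err := newAnnotationConfiguration(ocispec, vcAnnotations.SEVGuestPolicy).setUint(func(sevGuestPolicy uint64) {
		sevPolicy, sevPolicySet = sevGuestPolicy, true
	}); err != nil {
		return err
	}
	// The annotation parses as uint64 but the policy field is uint32: reject
	// anything that would otherwise be silently truncated to its low 32 bits.
	if sevPolicySet {
		if sevPolicy > math.MaxUint32 {
			return fmt.Errorf("annotation %s: value %d does not fit in uint32", vcAnnotations.SEVGuestPolicy, sevPolicy)
		}
		sbConfig.HypervisorConfig.SEVGuestPolicy = uint32(sevPolicy)
	}
```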
@@ -6,10 +6,12 @@ package annotations
 const (
- kataAnnotationsPrefix = "io.katacontainers."
- kataConfAnnotationsPrefix = kataAnnotationsPrefix + "config."
- kataAnnotHypervisorPrefix = kataConfAnnotationsPrefix + "hypervisor."
- kataAnnotContainerPrefix = kataAnnotationsPrefix + "container."
+ kataAnnotationsPrefix = "io.katacontainers."
+ kataConfAnnotationsPrefix = kataAnnotationsPrefix + "config."
+ kataAnnotHypervisorPrefix = kataConfAnnotationsPrefix + "hypervisor."
+ kataAnnotPreAttestationPrefix = kataConfAnnotationsPrefix + "pre_attestation."
+ kataAnnotSevPrefix = kataConfAnnotationsPrefix + "sev."
+ kataAnnotContainerPrefix = kataAnnotationsPrefix + "container."
 //
 // OCI
@@ -24,6 +26,21 @@ const (
 SandboxConfigPathKey = kataAnnotationsPrefix + "config_path"
 )
+// Annotations related to Confidential Containers (CoCo)
+const (
+ //
+ // Assets
+ //
+ // GuestPreAttestation toggled pre_attestation functionality on/off
+ GuestPreAttestation = kataAnnotPreAttestationPrefix + "enabled"
+
+ // GuestPreAttestationURI set the remote URL for online-kbs
+ GuestPreAttestationURI = kataAnnotPreAttestationPrefix + "uri"
+
+ // SEVGuestPolicy set the AMD SEV guest policy
+ SEVGuestPolicy = kataAnnotSevPrefix + "policy"
+)
+
 // Annotations related to Hypervisor configuration
 const (
 //
diff --git a/src/runtime/virtcontainers/qemu_amd64.go b/src/runtime/virtcontainers/qemu_amd64.go
index bb332d5e9c..d24953e61e 100644
--- a/src/runtime/virtcontainers/qemu_amd64.go
+++ b/src/runtime/virtcontainers/qemu_amd64.go
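Review bot: The `// Assets` sub-header inside the new CoCo const block (second hunk) is copied from the Hypervisor section but describes none of these keys — none of them is an asset path — so it should be dropped or replaced with `// Pre-attestation and SEV settings`. The three doc comments are in past/imperative tense (`toggled`, `set`); Go convention is present tense, e.g. `// GuestPreAttestation toggles pre_attestation functionality on/off` and `// SEVGuestPolicy sets the AMD SEV guest policy`. Note also that the docs table added in this same commit spells these keys with a trailing `"` (`...pre_attestation.enabled"`), which does not match the constants here, and these constants are what the runtime actually reads.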
@@ -431,7 +431,7 @@ func getCPUSig(cpuModel string) sev.VCPUSig {
 return sev.NewVCPUSig(cpuid.DisplayFamily, cpuid.DisplayModel, cpuid.SteppingId)
 }
-func calculateGuestLaunchDigest(config sev.GuestPreAttestationConfig, numVCPUs int, cpuModel string) ([sha256.Size]byte, error) {
+func calculateGuestLaunchDigest(config sevKbs.GuestPreAttestationConfig, numVCPUs int, cpuModel string) ([sha256.Size]byte, error) {
 if config.Policy&sevPolicyBitSevEs != 0 {
 // SEV-ES guest
 return sev.CalculateSEVESLaunchDigest(
diff --git a/src/runtime/virtcontainers/sandbox.go b/src/runtime/virtcontainers/sandbox.go
index 176714282c..5177aee9a8 100644
--- a/src/runtime/virtcontainers/sandbox.go
+++ b/src/runtime/virtcontainers/sandbox.go
@@ -17,6 +17,7 @@ import (
 "os"
 "os/exec"
 "path/filepath"
+ //"strconv"
 "sync"
 "syscall"