runtime: Adds annotations for SEV/kbs controls at the pod level

Note: only for online-kbs configuration Fixes #5782 Signed-off-by: Jim Cadden <jcadden@ibm.com>
2025-08-28 20:41:04 +00:00 · 2022-11-30 12:03:35 -05:00 · 2022-11-30 12:03:35 -05:00 · 4510aeaa91
commit 4510aeaa91
parent 4eb88d6a74
5 changed files with 60 additions and 5 deletions
--- a/docs/how-to/how-to-set-sandbox-config-kata.md
+++ b/docs/how-to/how-to-set-sandbox-config-kata.md
@ -94,6 +94,16 @@ There are several kinds of Kata configurations and they are listed below.
 | `io.katacontainers.config.hypervisor.enable_guest_swap` | `boolean` | enable swap in the guest |
 | `io.katacontainers.config.hypervisor.use_legacy_serial` | `boolean` | uses legacy serial device for guest's console (QEMU) |

+## Confidential Computing Options
+| Key | Value Type | Comments |
+|-------| ----- | ----- |
+| `io.katacontainers.config.pre_attestation.enabled"` | `bool` |
+determines if SEV/-ES attestation is enabled |
+| `io.katacontainers.config.pre_attestation.uri"` | `string` |
+specify the location of the attestation server |
+| `io.katacontainers.config.sev.policy"` | `uint32` |
+specify the SEV guest policy |
+
 ## Container Options
 | Key | Value Type | Comments |
 |-------| ----- | ----- |
--- a/src/runtime/pkg/oci/utils.go
+++ b/src/runtime/pkg/oci/utils.go
@ -456,6 +456,10 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig,
 		return err
 	}

+	if err := addConfidentialComputingOverrides(ocispec, config); err != nil {
+		return err
+	}
+
 	if value, ok := ocispec.Annotations[vcAnnotations.MachineType]; ok {
 		if value != "" {
 			config.HypervisorConfig.HypervisorMachineType = value
@ -912,6 +916,29 @@ func addAgentConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig) error
 	return nil
 }

+func addConfidentialComputingOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig) error {
+
+	if err := newAnnotationConfiguration(ocispec, vcAnnotations.GuestPreAttestation).setBool(func(guestPreAttestation bool) {
+		sbConfig.HypervisorConfig.GuestPreAttestation = guestPreAttestation
+	}); err != nil {
+		return err
+	}
+
+	if value, ok := ocispec.Annotations[vcAnnotations.GuestPreAttestationURI]; ok {
+		if value != "" {
+			sbConfig.HypervisorConfig.GuestPreAttestationURI = value
+		}
+	}
+
+	if err := newAnnotationConfiguration(ocispec, vcAnnotations.SEVGuestPolicy).setUint(func(sevGuestPolicy uint64) {
+		sbConfig.HypervisorConfig.SEVGuestPolicy = uint32(sevGuestPolicy)
+	}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // SandboxConfig converts an OCI compatible runtime configuration file
 // to a virtcontainers sandbox configuration structure.
 func SandboxConfig(ocispec specs.Spec, runtime RuntimeConfig, bundlePath, cid string, detach, systemdCgroup bool) (vc.SandboxConfig, error) {
--- a/src/runtime/virtcontainers/pkg/annotations/annotations.go
+++ b/src/runtime/virtcontainers/pkg/annotations/annotations.go
@ -9,6 +9,8 @@ const (
 	kataAnnotationsPrefix         = "io.katacontainers."
 	kataConfAnnotationsPrefix     = kataAnnotationsPrefix + "config."
 	kataAnnotHypervisorPrefix     = kataConfAnnotationsPrefix + "hypervisor."
+	kataAnnotPreAttestationPrefix = kataConfAnnotationsPrefix + "pre_attestation."
+	kataAnnotSevPrefix            = kataConfAnnotationsPrefix + "sev."
 	kataAnnotContainerPrefix      = kataAnnotationsPrefix + "container."

 	//
@ -24,6 +26,21 @@ const (
 	SandboxConfigPathKey = kataAnnotationsPrefix + "config_path"
 )

+// Annotations related to Confidential Containers (CoCo)
+const (
+	//
+	// Assets
+	//
+	// GuestPreAttestation toggled pre_attestation functionality on/off
+	GuestPreAttestation = kataAnnotPreAttestationPrefix + "enabled"
+
+	// GuestPreAttestationURI set the remote URL for online-kbs
+	GuestPreAttestationURI = kataAnnotPreAttestationPrefix + "uri"
+
+	// SEVGuestPolicy set the AMD SEV guest policy
+	SEVGuestPolicy = kataAnnotSevPrefix + "policy"
+)
+
 // Annotations related to Hypervisor configuration
 const (
 	//
--- a/src/runtime/virtcontainers/qemu_amd64.go
+++ b/src/runtime/virtcontainers/qemu_amd64.go
@ -431,7 +431,7 @@ func getCPUSig(cpuModel string) sev.VCPUSig {
 	return sev.NewVCPUSig(cpuid.DisplayFamily, cpuid.DisplayModel, cpuid.SteppingId)
 }

-func calculateGuestLaunchDigest(config sev.GuestPreAttestationConfig, numVCPUs int, cpuModel string) ([sha256.Size]byte, error) {
+func calculateGuestLaunchDigest(config sevKbs.GuestPreAttestationConfig, numVCPUs int, cpuModel string) ([sha256.Size]byte, error) {
 	if config.Policy&sevPolicyBitSevEs != 0 {
 		// SEV-ES guest
 		return sev.CalculateSEVESLaunchDigest(
--- a/src/runtime/virtcontainers/sandbox.go
+++ b/src/runtime/virtcontainers/sandbox.go
@ -17,6 +17,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	//"strconv"
 	"sync"
 	"syscall"