runtime/config: Add VFIO config for IBM SEL

With #11076 merged, a VFIO configuration is needed in the runtime
when IBM SEL is involved (e.g., qemu-se or qemu-se-runtime-rs).

For the Go runtime, we already have a nightly test
(e.g., https://github.com/kata-containers/kata-containers/actions/runs/14964175872/job/42031097043)
in which this change has been applied.
For the Rust runtime, the feature has not yet been migrated.
Thus, this change serves as a placeholder and a reminder for future implementation.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>

src/runtime-rs/Makefile

@@ -282,6 +282,7 @@ ifneq (,$(QEMUCMD))
 
     SYSCONFIG_QEMU_SE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SE))
     SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_SE)
+    DEFVFIOMODE_SE = vfio
 
     CONFIGS += $(CONFIG_QEMU_SE)
 
@@ -489,6 +490,7 @@ USER_VARS += DEFSTATICRESOURCEMGMT_CLH
 USER_VARS += DEFSTATICRESOURCEMGMT_QEMU
 USER_VARS += DEFBINDMOUNTS
 USER_VARS += DEFVFIOMODE
+USER_VARS += DEFVFIOMODE_SE
 USER_VARS += BUILDFLAGS
 USER_VARS += RUNTIMENAME
 USER_VARS += HYPERVISOR_DB

src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in

@@ -332,6 +332,18 @@ pflashes = []
 # Default is false
 #disable_image_nvdimm = true
 
+# Enable hot-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port"
+#hot_plug_vfio = "root-port"
+
+# In a confidential compute environment hot-plugging can compromise
+# security.
+# Enable cold-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port", which means disabled.
+cold_plug_vfio = "root-port"
+
 # VFIO devices are hotplugged on a bridge by default.
 # Enable hotplugging on root bus. This may be required for devices with
 # a large PCI bar, as this is a current limitation with hotplugging on
@@ -647,7 +659,7 @@ sandbox_bind_mounts=@DEFBINDMOUNTS@
 #    Using this mode requires specially built workloads that know how
 #    to locate the relevant device interfaces within the VM.
 #
-vfio_mode="@DEFVFIOMODE@"
+vfio_mode="@DEFVFIOMODE_SE@"
 
 # If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.

src/runtime/Makefile

@@ -417,6 +417,8 @@ ifneq (,$(QEMUCMD))
     SYSCONFIG_QEMU_SE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SE))
     SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_SE)
 
+    DEFVFIOMODE_SE = vfio
+
     CONFIGS += $(CONFIG_QEMU_SE)
 
     # qemu-specific options (all should be suffixed by "_QEMU")
@@ -745,6 +747,7 @@ USER_VARS += DEFBINDMOUNTS
 USER_VARS += DEFCREATECONTAINERTIMEOUT
 USER_VARS += DEFDANCONF
 USER_VARS += DEFVFIOMODE
+USER_VARS += DEFVFIOMODE_SE
 USER_VARS += BUILDFLAGS
 
 

src/runtime/config/configuration-qemu-se.toml.in

@@ -326,6 +326,18 @@ pflashes = []
 # Default is false
 #disable_image_nvdimm = true
 
+# Enable hot-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port"
+#hot_plug_vfio = "bridge-port"
+
+# In a confidential compute environment hot-plugging can compromise
+# security.
+# Enable cold-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port", which means disabled.
+cold_plug_vfio = "bridge-port"
+
 # VFIO devices are hotplugged on a bridge by default.
 # Enable hotplugging on root bus. This may be required for devices with
 # a large PCI bar, as this is a current limitation with hotplugging on
@@ -628,7 +640,7 @@ sandbox_bind_mounts=@DEFBINDMOUNTS@
 #    Using this mode requires specially built workloads that know how
 #    to locate the relevant device interfaces within the VM.
 #
-vfio_mode="@DEFVFIOMODE@"
+vfio_mode="@DEFVFIOMODE_SE@"
 
 # If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.