diff --git a/src/runtime-rs/Makefile b/src/runtime-rs/Makefile
index d20c7148c..896d99fd8 100644
--- a/src/runtime-rs/Makefile
+++ b/src/runtime-rs/Makefile
@@ -282,6 +282,7 @@ ifneq (,$(QEMUCMD))
 SYSCONFIG_QEMU_SE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SE))
 SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_SE)
+ DEFVFIOMODE_SE = vfio
 CONFIGS += $(CONFIG_QEMU_SE)
@@ -489,6 +490,7 @@ USER_VARS += DEFSTATICRESOURCEMGMT_CLH
 USER_VARS += DEFSTATICRESOURCEMGMT_QEMU
 USER_VARS += DEFBINDMOUNTS
 USER_VARS += DEFVFIOMODE
+USER_VARS += DEFVFIOMODE_SE
 USER_VARS += BUILDFLAGS
 USER_VARS += RUNTIMENAME
 USER_VARS += HYPERVISOR_DB
diff --git a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
index 00e3cffe4..03bde8578 100644
--- a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
@@ -332,6 +332,18 @@ pflashes = []
 # Default is false
 #disable_image_nvdimm = true
+# Enable hot-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port"
+#hot_plug_vfio = "root-port"
+
+# In a confidential compute environment hot-plugging can compromise
+# security.
+# Enable cold-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port", which means disabled.
+cold_plug_vfio = "root-port"
+
 # VFIO devices are hotplugged on a bridge by default.
 # Enable hotplugging on root bus. This may be required for devices with
 # a large PCI bar, as this is a current limitation with hotplugging on
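Review bot: The added `DEFVFIOMODE_SE = vfio` is a hard-coded deviation from the `DEFVFIOMODE` value this SE template used until now, and it carries no comment saying why Secure Execution needs a different VFIO mode, so the next person tuning these defaults has to rediscover the reason from the TOML template. A one-line why-comment above the assignment would close that gap, e.g. `# Secure Execution guests get VFIO devices cold-plugged in "vfio" mode; see vfio_mode and cold_plug_vfio in configuration-qemu-se-runtime-rs.toml.in`. The assignment lives inside the `ifneq (,$(QEMUCMD))` block, which closes outside this hunk, while the `USER_VARS += DEFVFIOMODE_SE` entry added further down is unconditional; that mirrors how `CONFIG_QEMU_SE` is handled, but it does mean the variable is empty for a build without `QEMUCMD`, which should be harmless only as long as the SE template is rendered exclusively from inside the same conditional.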
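Review bot: The new comment asserts that hot-plugging `can compromise security` in a confidential compute environment but gives neither the reason nor the resulting rule, and the pre-existing paragraph directly below it still explains how to enable hot-plugging on the root bus, so an operator can read hot-plug as a tuning choice rather than something to keep off. I would make the constraint explicit where `hot_plug_vfio` is shown, e.g. `# Leave hot_plug_vfio at "no-port" for Secure Execution; only cold-plugged VFIO devices are supported here, and the hot-plug options below do not apply.`, and either state briefly why hot-plug is unsafe for SE or point to the design document. This template also picks `cold_plug_vfio = "root-port"` while the Go-runtime SE template in the same change uses `"bridge-port"`; if the two runtimes intentionally differ (the Rust runtime may not support the same port types), a comment saying so would stop someone from "fixing" one to match the other.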
@@ -647,7 +659,7 @@ sandbox_bind_mounts=@DEFBINDMOUNTS@
 # Using this mode requires specially built workloads that know how
 # to locate the relevant device interfaces within the VM.
 #
-vfio_mode="@DEFVFIOMODE@"
+vfio_mode="@DEFVFIOMODE_SE@"
 # If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 71c3e3ad7..a80a2a9e6 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -417,6 +417,8 @@ ifneq (,$(QEMUCMD))
 SYSCONFIG_QEMU_SE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SE))
 SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_SE)
+ DEFVFIOMODE_SE = vfio
+
 CONFIGS += $(CONFIG_QEMU_SE)
 # qemu-specific options (all should be suffixed by "_QEMU")
@@ -745,6 +747,7 @@ USER_VARS += DEFBINDMOUNTS
 USER_VARS += DEFCREATECONTAINERTIMEOUT
 USER_VARS += DEFDANCONF
 USER_VARS += DEFVFIOMODE
+USER_VARS += DEFVFIOMODE_SE
 USER_VARS += BUILDFLAGS
diff --git a/src/runtime/config/configuration-qemu-se.toml.in b/src/runtime/config/configuration-qemu-se.toml.in
index d9ffa819b..207f03a53 100644
--- a/src/runtime/config/configuration-qemu-se.toml.in
+++ b/src/runtime/config/configuration-qemu-se.toml.in
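Review bot: `vfio_mode` now expands from `@DEFVFIOMODE_SE@` rather than the shared `@DEFVFIOMODE@`, but the rendered file gives the operator no hint that the Secure Execution default differs from the other QEMU configurations or why; the explanatory comment above it, which starts outside this hunk, reads as the generic description of the modes. One line directly above the setting would fix that, e.g. `# Secure Execution defaults to "vfio": devices are cold-plugged (see cold_plug_vfio) and the workload must locate them itself, as described above.` Because `DEFVFIOMODE_SE` is only assigned inside the Makefile's `ifneq (,$(QEMUCMD))` block, it is also worth confirming that this template is never rendered with an empty value, which would produce `vfio_mode=""` and leave the outcome to the runtime's handling of an empty mode, which is not visible here.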
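Review bot: The new `DEFVFIOMODE_SE = vfio` has no comment explaining why the Secure Execution configuration overrides the `DEFVFIOMODE` value that `configuration-qemu-se.toml.in` used until this change, so the intent is only recoverable from the TOML commentary. A short why-comment above it, e.g. `# SE guests use raw "vfio" mode with cold-plugged devices; see vfio_mode in configuration-qemu-se.toml.in`, keeps the Makefile self-explanatory and matches the runtime-rs Makefile, which receives the same assignment in this commit. The variable is assigned inside the `ifneq (,$(QEMUCMD))` block, which closes outside the hunk, while the `USER_VARS` entry added later is unconditional; that is fine only as long as the SE template is generated under that same condition, which the hunk's `CONFIGS += $(CONFIG_QEMU_SE)` suggests but does not prove.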
@@ -326,6 +326,18 @@ pflashes = []
 # Default is false
 #disable_image_nvdimm = true
+# Enable hot-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port"
+#hot_plug_vfio = "bridge-port"
+
+# In a confidential compute environment hot-plugging can compromise
+# security.
+# Enable cold-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port", which means disabled.
+cold_plug_vfio = "bridge-port"
+
 # VFIO devices are hotplugged on a bridge by default.
 # Enable hotplugging on root bus. This may be required for devices with
 # a large PCI bar, as this is a current limitation with hotplugging on
@@ -628,7 +640,7 @@ sandbox_bind_mounts=@DEFBINDMOUNTS@
 # Using this mode requires specially built workloads that know how
 # to locate the relevant device interfaces within the VM.
 #
-vfio_mode="@DEFVFIOMODE@"
+vfio_mode="@DEFVFIOMODE_SE@"
 # If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
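Review bot: `cold_plug_vfio = "bridge-port"` here disagrees with the runtime-rs SE template in the same commit, which enables `"root-port"` (and uses `"root-port"` in its commented `hot_plug_vfio` example as well); since the two files carry identical explanatory text, a reader will assume the values are meant to match too. If the difference is deliberate, for instance because the two runtimes support different PCI topologies, say so in the comment, e.g. `# The Go runtime plugs SE VFIO devices on a bridge-port; runtime-rs uses a root-port.`; otherwise align the two. Separately, `hot-plugging can compromise security` is left unexplained and the following pre-existing paragraph still describes how to turn root-bus hot-plug on, so I would add `# Keep hot_plug_vfio at "no-port" (disabled) for Secure Execution.` so that the constraint, not just the risk, is stated.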
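Review bot: Switching the template value to `@DEFVFIOMODE_SE@` presumably changes the effective default `vfio_mode` for Secure Execution deployments that relied on the previously rendered `@DEFVFIOMODE@` value, yet the rendered configuration does not say that SE uses a different default than the other QEMU templates, nor why. I would add a one-line note directly above the setting, e.g. `# Secure Execution default: "vfio" (cold-plugged devices exposed to a workload that knows how to find them; see cold_plug_vfio above).`, and make sure the user-facing SE VFIO passthrough documentation mentions the new default. The preceding comment block, which begins outside this hunk, still describes the modes generically, so a reader of this file alone cannot tell which one is in force.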