From 4fac1293bd09785f9e491adb13a3adf1167f1867 Mon Sep 17 00:00:00 2001
From: Hyounggyu Choi
Date: Mon, 12 May 2025 13:16:54 +0200
Subject: [PATCH] runtime/config: Add VFIO config for IBM SEL

With #11076 merged, a VFIO configuration is needed in the runtime when IBM SEL is involved (e.g., qemu-se or qemu-se-runtime-rs). For the Go runtime, we already have a nightly test (e.g., https://github.com/kata-containers/kata-containers/actions/runs/14964175872/job/42031097043) in which this change has been applied. For the Rust runtime, the feature has not yet been migrated. Thus, this change serves as a placeholder and a reminder for future implementation.
Signed-off-by: Hyounggyu Choi
---
 src/runtime-rs/Makefile | 2 ++
 .../configuration-qemu-se-runtime-rs.toml.in | 14 +++++++++++++-
 src/runtime/Makefile | 3 +++
 src/runtime/config/configuration-qemu-se.toml.in | 14 +++++++++++++-
 4 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/src/runtime-rs/Makefile b/src/runtime-rs/Makefile
index d20c7148c..896d99fd8 100644
--- a/src/runtime-rs/Makefile
+++ b/src/runtime-rs/Makefile
@@ -282,6 +282,7 @@ ifneq (,$(QEMUCMD))
 SYSCONFIG_QEMU_SE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SE))
 SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_SE)
+ DEFVFIOMODE_SE = vfio
 CONFIGS += $(CONFIG_QEMU_SE)
@@ -489,6 +490,7 @@ USER_VARS += DEFSTATICRESOURCEMGMT_CLH
 USER_VARS += DEFSTATICRESOURCEMGMT_QEMU
 USER_VARS += DEFBINDMOUNTS
 USER_VARS += DEFVFIOMODE
+USER_VARS += DEFVFIOMODE_SE
 USER_VARS += BUILDFLAGS
 USER_VARS += RUNTIMENAME
 USER_VARS += HYPERVISOR_DB
diff --git a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
index 00e3cffe4..03bde8578 100644
--- a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
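Review bot: `DEFVFIOMODE_SE = vfio` is defined only inside the `ifneq (,$(QEMUCMD))` block, whereas the matching `USER_VARS += DEFVFIOMODE_SE` in the following hunk shows no guard, so a build without a QEMU command lists a variable for template substitution that expands to the empty string; whether that is merely an unused entry or a warning/error depends on how USER_VARS is consumed, which is outside the hunk and worth confirming. If the value is meant to be a tunable default like `DEFVFIOMODE`, define it next to the other `DEF*` defaults rather than among the sysconfig path wiring, and say why it exists, e.g. `# vfio_mode for the IBM SE configuration; a VFIO setup is required there since #11076` followed by `DEFVFIOMODE_SE := vfio`. The enclosing `ifneq` block starts and ends outside the hunk.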
@@ -332,6 +332,18 @@ pflashes = []
 # Default is false
 #disable_image_nvdimm = true
+# Enable hot-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port"
+#hot_plug_vfio = "root-port"
+
+# In a confidential compute environment hot-plugging can compromise
+# security.
+# Enable cold-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port", which means disabled.
+cold_plug_vfio = "root-port"
+
 # VFIO devices are hotplugged on a bridge by default.
 # Enable hotplugging on root bus. This may be required for devices with
 # a large PCI bar, as this is a current limitation with hotplugging on
@@ -647,7 +659,7 @@ sandbox_bind_mounts=@DEFBINDMOUNTS@
 # Using this mode requires specially built workloads that know how
 # to locate the relevant device interfaces within the VM.
 #
-vfio_mode="@DEFVFIOMODE@"
+vfio_mode="@DEFVFIOMODE_SE@"
 # If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 71c3e3ad7..a80a2a9e6 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -417,6 +417,8 @@ ifneq (,$(QEMUCMD))
 SYSCONFIG_QEMU_SE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SE))
 SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_SE)
+ DEFVFIOMODE_SE = vfio
+
 CONFIGS += $(CONFIG_QEMU_SE)
 # qemu-specific options (all should be suffixed by "_QEMU")
@@ -745,6 +747,7 @@ USER_VARS += DEFBINDMOUNTS
 USER_VARS += DEFCREATECONTAINERTIMEOUT
 USER_VARS += DEFDANCONF
 USER_VARS += DEFVFIOMODE
+USER_VARS += DEFVFIOMODE_SE
 USER_VARS += BUILDFLAGS
diff --git a/src/runtime/config/configuration-qemu-se.toml.in b/src/runtime/config/configuration-qemu-se.toml.in
index d9ffa819b..207f03a53 100644
--- a/src/runtime/config/configuration-qemu-se.toml.in
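Review bot: `cold_plug_vfio = "root-port"` is shipped enabled in the runtime-rs SE config even though the commit message says the VFIO feature has not been migrated to the Rust runtime, so depending on how runtime-rs treats keys it does not implement this is either silently ignored or rejects the whole configuration; that should be confirmed before shipping, and the placeholder status belongs in the file itself, e.g. `# NOTE: cold-plug VFIO is not implemented in runtime-rs yet; value mirrors the Go qemu-se config (see #11076)`. The two SE configs also diverge without explanation, "root-port" here versus "bridge-port" in configuration-qemu-se.toml.in. Given the new comment warns that hot-plugging can compromise security in a confidential guest, the hardening should be explicit rather than inherited from a built-in default: `hot_plug_vfio = "no-port"`. The context line `# VFIO devices are hotplugged on a bridge by default.` now directly contradicts the cold-plug setting above it and should be reworded.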
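Review bot: Switching to `@DEFVFIOMODE_SE@` pins the SE config's `vfio_mode` at build time, but nothing in the template tells an operator why this config differs from the generic one or that the visible description ("requires specially built workloads that know how to locate the relevant device interfaces within the VM") is the mode they will get by default; the comment block above the assignment starts outside the hunk. Add one line immediately before the assignment, e.g. `# IBM SE builds set this from DEFVFIOMODE_SE in the Makefile (default "vfio"); see #11076.`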
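Review bot: `DEFVFIOMODE_SE = vfio` lands immediately above the `# qemu-specific options (all should be suffixed by "_QEMU")` section header, so it sits in the QEMU-wide part of the `ifneq (,$(QEMUCMD))` block while carrying an `_SE` suffix that the header says this section does not use, and it is separated from `DEFVFIOMODE`, the default it specialises. Moving it below the header next to the other `DEF*_QEMU` defaults with a short comment, e.g. `# vfio_mode for the IBM SE configuration only (see #11076)` and `DEFVFIOMODE_SE := vfio`, keeps the section's convention readable. The `USER_VARS += DEFVFIOMODE_SE` entry in the later hunk shows no matching guard, so confirm the substitution machinery tolerates an empty value when QEMUCMD is unset. The enclosing `ifneq` block starts and ends outside the hunk.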
+++ b/src/runtime/config/configuration-qemu-se.toml.in
@@ -326,6 +326,18 @@ pflashes = []
 # Default is false
 #disable_image_nvdimm = true
+# Enable hot-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port"
+#hot_plug_vfio = "bridge-port"
+
+# In a confidential compute environment hot-plugging can compromise
+# security.
+# Enable cold-plugging of VFIO devices to a bridge-port,
+# root-port or switch-port.
+# The default setting is "no-port", which means disabled.
+cold_plug_vfio = "bridge-port"
+
 # VFIO devices are hotplugged on a bridge by default.
 # Enable hotplugging on root bus. This may be required for devices with
 # a large PCI bar, as this is a current limitation with hotplugging on
@@ -628,7 +640,7 @@ sandbox_bind_mounts=@DEFBINDMOUNTS@
 # Using this mode requires specially built workloads that know how
 # to locate the relevant device interfaces within the VM.
 #
-vfio_mode="@DEFVFIOMODE@"
+vfio_mode="@DEFVFIOMODE_SE@"
 # If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will
 # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.
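Review bot: The new block states that hot-plugging "can compromise security" in a confidential compute environment yet leaves `hot_plug_vfio` as a commented-out example, so the hardening depends on the runtime's built-in default staying "no-port"; for a security-relevant setting in the SE profile it should be pinned explicitly, `hot_plug_vfio = "no-port"`, so a later change to the built-in default cannot silently re-enable hot-plug. The example value `"bridge-port"` also invites an operator to uncomment it without the caveat being repeated on that line; consider `#hot_plug_vfio = "bridge-port"  # do not enable on SE, see note below`. The unchanged context line `# VFIO devices are hotplugged on a bridge by default.` now sits right under `cold_plug_vfio = "bridge-port"` and contradicts it; reword it to describe the root-bus hot-plug option it actually introduces.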
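Review bot: `vfio_mode="@DEFVFIOMODE_SE@"` makes the SE profile's mode a build-time constant distinct from the generic `@DEFVFIOMODE@`, but the template gives no explanation, and the preceding description of the mode (which starts outside the hunk) reads as if it were still a free operator choice. A one-line comment before the assignment closes that gap, e.g. `# IBM SE builds take this from DEFVFIOMODE_SE in src/runtime/Makefile (default "vfio"); see #11076.`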