github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-06 20:09:44 +00:00
Code Issues Projects Releases Wiki Activity

runtime/config: Add VFIO config for IBM SEL

Browse Source 
With #11076 merged, a VFIO configuration is needed in the runtime
when IBM SEL is involved (e.g., qemu-se or qemu-se-runtime-rs).

For the Go runtime, we already have a nightly test
(e.g., https://github.com/kata-containers/kata-containers/actions/runs/14964175872/job/42031097043)
in which this change has been applied.
For the Rust runtime, the feature has not yet been migrated.
Thus, this change serves as a placeholder and a reminder for future implementation.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This commit is contained in:
Hyounggyu Choi 2025-05-12 13:16:54 +02:00
parent 78ff72a386
commit 4fac1293bd
4 changed files with 31 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/runtime-rs/Makefile
View File

@ -282,6 +282,7 @@ ifneq (,$(QEMUCMD))
SYSCONFIG_QEMU_SE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SE)) SYSCONFIG_QEMU_SE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SE))
SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_SE) SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_SE)
DEFVFIOMODE_SE = vfio
CONFIGS += $(CONFIG_QEMU_SE) CONFIGS += $(CONFIG_QEMU_SE)
@ -489,6 +490,7 @@ USER_VARS += DEFSTATICRESOURCEMGMT_CLH
USER_VARS += DEFSTATICRESOURCEMGMT_QEMU USER_VARS += DEFSTATICRESOURCEMGMT_QEMU
USER_VARS += DEFBINDMOUNTS USER_VARS += DEFBINDMOUNTS
USER_VARS += DEFVFIOMODE USER_VARS += DEFVFIOMODE
USER_VARS += DEFVFIOMODE_SE
USER_VARS += BUILDFLAGS USER_VARS += BUILDFLAGS
USER_VARS += RUNTIMENAME USER_VARS += RUNTIMENAME
USER_VARS += HYPERVISOR_DB USER_VARS += HYPERVISOR_DB

14
src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
View File

@ -332,6 +332,18 @@ pflashes = []
# Default is false # Default is false
#disable_image_nvdimm = true #disable_image_nvdimm = true
# Enable hot-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is "no-port"
#hot_plug_vfio = "root-port"
# In a confidential compute environment hot-plugging can compromise
# security.
# Enable cold-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is "no-port", which means disabled.
cold_plug_vfio = "root-port"
# VFIO devices are hotplugged on a bridge by default. # VFIO devices are hotplugged on a bridge by default.
# Enable hotplugging on root bus. This may be required for devices with # Enable hotplugging on root bus. This may be required for devices with
# a large PCI bar, as this is a current limitation with hotplugging on # a large PCI bar, as this is a current limitation with hotplugging on
@ -647,7 +659,7 @@ sandbox_bind_mounts=@DEFBINDMOUNTS@
# Using this mode requires specially built workloads that know how # Using this mode requires specially built workloads that know how
# to locate the relevant device interfaces within the VM. # to locate the relevant device interfaces within the VM.
# #
vfio_mode="@DEFVFIOMODE@" vfio_mode="@DEFVFIOMODE_SE@"
# If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will # If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will
# be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest. # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.

3
src/runtime/Makefile
View File

@ -417,6 +417,8 @@ ifneq (,$(QEMUCMD))
SYSCONFIG_QEMU_SE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SE)) SYSCONFIG_QEMU_SE = $(abspath $(SYSCONFDIR)/$(CONFIG_FILE_QEMU_SE))
SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_SE) SYSCONFIG_PATHS += $(SYSCONFIG_QEMU_SE)
DEFVFIOMODE_SE = vfio
CONFIGS += $(CONFIG_QEMU_SE) CONFIGS += $(CONFIG_QEMU_SE)
# qemu-specific options (all should be suffixed by "_QEMU") # qemu-specific options (all should be suffixed by "_QEMU")
@ -745,6 +747,7 @@ USER_VARS += DEFBINDMOUNTS
USER_VARS += DEFCREATECONTAINERTIMEOUT USER_VARS += DEFCREATECONTAINERTIMEOUT
USER_VARS += DEFDANCONF USER_VARS += DEFDANCONF
USER_VARS += DEFVFIOMODE USER_VARS += DEFVFIOMODE
USER_VARS += DEFVFIOMODE_SE
USER_VARS += BUILDFLAGS USER_VARS += BUILDFLAGS

14
src/runtime/config/configuration-qemu-se.toml.in
View File

@ -326,6 +326,18 @@ pflashes = []
# Default is false # Default is false
#disable_image_nvdimm = true #disable_image_nvdimm = true
# Enable hot-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is "no-port"
#hot_plug_vfio = "bridge-port"
# In a confidential compute environment hot-plugging can compromise
# security.
# Enable cold-plugging of VFIO devices to a bridge-port,
# root-port or switch-port.
# The default setting is "no-port", which means disabled.
cold_plug_vfio = "bridge-port"
# VFIO devices are hotplugged on a bridge by default. # VFIO devices are hotplugged on a bridge by default.
# Enable hotplugging on root bus. This may be required for devices with # Enable hotplugging on root bus. This may be required for devices with
# a large PCI bar, as this is a current limitation with hotplugging on # a large PCI bar, as this is a current limitation with hotplugging on
@ -628,7 +640,7 @@ sandbox_bind_mounts=@DEFBINDMOUNTS@
# Using this mode requires specially built workloads that know how # Using this mode requires specially built workloads that know how
# to locate the relevant device interfaces within the VM. # to locate the relevant device interfaces within the VM.
# #
vfio_mode="@DEFVFIOMODE@" vfio_mode="@DEFVFIOMODE_SE@"
# If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will # If enabled, the runtime will not create Kubernetes emptyDir mounts on the guest filesystem. Instead, emptyDir mounts will
# be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest. # be created on the host and shared via virtio-fs. This is potentially slower, but allows sharing of files from host to guest.