Merge pull request #13106 from fidencio/topic/runtime-rs-ensure-bios-is-passed-to-qemu-on-non-CC-cases
runtime-rs: qemu: pass -bios for non-confidential guests
@@ -65,13 +65,13 @@ kernel_verity_params = "@KERNELVERITYPARAMS_NV@"
|
||||
|
||||
# Path to the firmware.
|
||||
# If you want that qemu uses the default firmware leave this option empty
|
||||
firmware = "@FIRMWAREPATH@"
|
||||
firmware = "@FIRMWAREPATH_NV@"
|
||||
|
||||
# Path to the firmware volume.
|
||||
# firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
|
||||
# as configuration) and FIRMWARE_CODE.fd (UEFI program image). UEFI variables
|
||||
# can be customized per each user while UEFI code is kept same.
|
||||
firmware_volume = "@FIRMWAREVOLUMEPATH@"
|
||||
firmware_volume = "@FIRMWAREVOLUMEPATH_NV@"
|
||||
|
||||
# Machine accelerators
|
||||
# comma-separated list of machine accelerators to pass to the hypervisor.
|
||||
|
||||
@@ -2603,9 +2603,26 @@ impl<'a> QemuCmdLine<'a> {
|
||||
{
|
||||
qemu_cmd_line.add_seccomp_sandbox(seccomp_sandbox);
|
||||
}
|
||||
|
||||
// For confidential guests (SEV/SEV-SNP/TDX), `-bios` is appended later
|
||||
// by `add_{sev,sev_snp,tdx}_protection_device()` via the
|
||||
// ProtectionDevice handling in QemuInner::start_vm(), using the
|
||||
// firmware copied into the ProtectionDeviceConfig. For non-CC guests
|
||||
// there is no such code path, so wire `boot_info.firmware` directly
|
||||
// here. Otherwise the firmware configured in the TOML (e.g. OVMF.fd
|
||||
// for the nvidia-gpu profile) would silently never reach qemu's
|
||||
// command line.
|
||||
if !config.security_info.confidential_guest && !config.boot_info.firmware.is_empty() {
|
||||
qemu_cmd_line.add_bios(&config.boot_info.firmware);
|
||||
}
|
||||
|
||||
Ok(qemu_cmd_line)
|
||||
}
|
||||
|
||||
fn add_bios(&mut self, firmware: &str) {
|
||||
self.devices.push(Box::new(Bios::new(firmware.to_owned())));
|
||||
}
|
||||
|
||||
/// Takes ownership of the CCW subchannel, leaving `None` in its place.
|
||||
/// Used to transfer boot-time CCW state to Qmp for hotplug allocation.
|
||||
pub fn take_ccw_subchannel(&mut self) -> Option<CcwSubChannel> {
|
||||
|
||||
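Review bot: The new `add_bios` method (right after `Ok(qemu_cmd_line)`) carries no doc comment, while its neighbour `take_ccw_subchannel` does; a line such as `/// Appends a -bios entry for the given firmware path to the device list (non-confidential guests only; CC guests get it via the protection-device path).` would keep the file's style consistent. The path is forwarded to qemu unchecked, so if the configuration layer does not already validate `boot_info.firmware`, a `Path::new(&config.boot_info.firmware).is_file()` check in the new `if` branch would turn a misconfigured path into an early, clear error instead of a qemu launch failure. The TOML hunk in this same commit also sets `firmware_volume`, but the new non-CC branch wires only `boot_info.firmware`; if the boot config carries a corresponding split CODE/VARS field, it would still be silently ignored on this path, which is worth stating in the explanatory comment above the branch. The function whose tail is shown here begins outside the hunk.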