runtime: make SNP guest policy configurable
Depending on the platform configuration, users might want to set a more secure policy than the QEMU default. Signed-off-by: Paul Meyer <katexochen0@gmail.com>
This commit is contained in:
parent
9379a18c8a
commit
5635410dd3
@ -62,8 +62,9 @@ valid_hypervisor_paths = @QEMUSNPVALIDHYPERVISORPATHS@
|
|||||||
|
|
||||||
# SNP 'ID Block' and 'ID Authentication Information Structure'.
|
# SNP 'ID Block' and 'ID Authentication Information Structure'.
|
||||||
# If one of snp_id_block or snp_id_auth is specified, the other must be specified, too.
|
# If one of snp_id_block or snp_id_auth is specified, the other must be specified, too.
|
||||||
# Notice that the default SNP policy of QEMU (0x30000) is used by Kata, and the IDBlock
|
# Notice that the default SNP policy of QEMU (0x30000) is used by Kata, if not explicitly
|
||||||
# must be generated with exactly this policy.
|
# set via 'snp_guest_policy' option. The IDBlock contains the guest policy as field, and
|
||||||
|
# it must match the value from 'snp_guest_policy' or, if unset, the QEMU default policy.
|
||||||
#
|
#
|
||||||
# 96-byte, base64-encoded blob to provide the ‘ID Block’ structure for the
|
# 96-byte, base64-encoded blob to provide the ‘ID Block’ structure for the
|
||||||
# SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
|
# SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
|
||||||
@ -72,6 +73,13 @@ valid_hypervisor_paths = @QEMUSNPVALIDHYPERVISORPATHS@
|
|||||||
# for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
|
# for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
|
||||||
#snp_id_auth = ""
|
#snp_id_auth = ""
|
||||||
|
|
||||||
|
# SNP Guest Policy, the ‘POLICY’ parameter to the SNP_LAUNCH_START command.
|
||||||
|
# If unset, the QEMU default policy (0x30000) will be used.
|
||||||
|
# Notice that the guest policy is enforced at VM launch, and your pod VMs
|
||||||
|
# won't start at all if the policy denys it. This will be indicated by a
|
||||||
|
# 'SNP_LAUNCH_START' error.
|
||||||
|
#snp_guest_policy = 196608
|
||||||
|
|
||||||
# Optional space-separated list of options to pass to the guest kernel.
|
# Optional space-separated list of options to pass to the guest kernel.
|
||||||
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
|
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
|
||||||
# trouble running pre-2.15 glibc.
|
# trouble running pre-2.15 glibc.
|
||||||
|
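Review bot: The new comment block starting at the `# Notice that the guest policy is enforced at VM launch` line has a typo, `denys` should be `denies`; the same text is repeated in the second configuration template below. It would also help operators to say what the number encodes and which direction is "more secure": the value is the raw POLICY bit field of the SEV-SNP firmware ABI (the example `196608` is 0x30000 in decimal), and clearing restrictions relative to the default weakens rather than strengthens the guest. I would add `# The value is the raw POLICY bit field defined in the SEV-SNP firmware ABI; 196608 is 0x30000.` and `# A less restrictive policy (e.g. one permitting guest debugging) weakens the guest's isolation.` after the `# If unset` line in both templates.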
@ -62,8 +62,9 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
|
|||||||
|
|
||||||
# SNP 'ID Block' and 'ID Authentication Information Structure'.
|
# SNP 'ID Block' and 'ID Authentication Information Structure'.
|
||||||
# If one of snp_id_block or snp_id_auth is specified, the other must be specified, too.
|
# If one of snp_id_block or snp_id_auth is specified, the other must be specified, too.
|
||||||
# Notice that the default SNP policy of QEMU (0x30000) is used by Kata, and the IDBlock
|
# Notice that the default SNP policy of QEMU (0x30000) is used by Kata, if not explicitly
|
||||||
# must be generated with exactly this policy.
|
# set via 'snp_guest_policy' option. The IDBlock contains the guest policy as field, and
|
||||||
|
# it must match the value from 'snp_guest_policy' or, if unset, the QEMU default policy.
|
||||||
#
|
#
|
||||||
# 96-byte, base64-encoded blob to provide the ‘ID Block’ structure for the
|
# 96-byte, base64-encoded blob to provide the ‘ID Block’ structure for the
|
||||||
# SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
|
# SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
|
||||||
@ -72,6 +73,13 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
|
|||||||
# for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
|
# for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
|
||||||
#snp_id_auth = ""
|
#snp_id_auth = ""
|
||||||
|
|
||||||
|
# SNP Guest Policy, the ‘POLICY’ parameter to the SNP_LAUNCH_START command.
|
||||||
|
# If unset, the QEMU default policy (0x30000) will be used.
|
||||||
|
# Notice that the guest policy is enforced at VM launch, and your pod VMs
|
||||||
|
# won't start at all if the policy denys it. This will be indicated by a
|
||||||
|
# 'SNP_LAUNCH_START' error.
|
||||||
|
#snp_guest_policy = 196608
|
||||||
|
|
||||||
# Optional space-separated list of options to pass to the guest kernel.
|
# Optional space-separated list of options to pass to the guest kernel.
|
||||||
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
|
# For example, use `kernel_params = "vsyscall=emulate"` if you are having
|
||||||
# trouble running pre-2.15 glibc.
|
# trouble running pre-2.15 glibc.
|
||||||
|
@ -330,6 +330,9 @@ type Object struct {
|
|||||||
// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (default: all-zero)
|
// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (default: all-zero)
|
||||||
SnpIdAuth string
|
SnpIdAuth string
|
||||||
|
|
||||||
|
// SnpGuestPolicy is the integer representation of the SEV-SNP guest policy.
|
||||||
|
SnpGuestPolicy *uint64
|
||||||
|
|
||||||
// Raw byte slice of initdata digest
|
// Raw byte slice of initdata digest
|
||||||
InitdataDigest []byte
|
InitdataDigest []byte
|
||||||
}
|
}
|
||||||
@ -415,6 +418,9 @@ func (object Object) QemuParams(config *Config) []string {
|
|||||||
if object.SnpIdAuth != "" {
|
if object.SnpIdAuth != "" {
|
||||||
objectParams = append(objectParams, fmt.Sprintf("id-auth=%s", object.SnpIdAuth))
|
objectParams = append(objectParams, fmt.Sprintf("id-auth=%s", object.SnpIdAuth))
|
||||||
}
|
}
|
||||||
|
if object.SnpGuestPolicy != nil {
|
||||||
|
objectParams = append(objectParams, fmt.Sprintf("policy=%d", *object.SnpGuestPolicy))
|
||||||
|
}
|
||||||
if len(object.InitdataDigest) > 0 {
|
if len(object.InitdataDigest) > 0 {
|
||||||
// due to https://github.com/confidential-containers/qemu/blob/amd-snp-202402240000/qapi/qom.json#L926-L929
|
// due to https://github.com/confidential-containers/qemu/blob/amd-snp-202402240000/qapi/qom.json#L926-L929
|
||||||
// hostdata in SEV-SNP should be exactly 32 bytes
|
// hostdata in SEV-SNP should be exactly 32 bytes
|
||||||
|
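Review bot: The new `SnpGuestPolicy` field comment at the `// SnpGuestPolicy is the integer representation` line does not say what a nil pointer means, and the new `if object.SnpGuestPolicy != nil` branch in QemuParams is the only place that defines it: nil leaves `policy=` out of the `-object` arguments so QEMU's own default applies, while any non-nil value is formatted into `policy=%d` verbatim, with no range or bit check anywhere in this commit. I would make the comment `// SnpGuestPolicy is the raw POLICY value of the SNP_LAUNCH_START command (SEV-SNP firmware ABI). nil means the option is not passed to QEMU and QEMU's default applies; a non-nil value is forwarded unvalidated.` The identical one-line comment on HypervisorConfig.SnpGuestPolicy (the `type HypervisorConfig struct` hunk further down) and the undocumented `snp_guest_policy` field in the TOML `hypervisor` struct would benefit from the same wording. QemuParams starts and ends outside the hunk.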
@ -109,6 +109,7 @@ type hypervisor struct {
|
|||||||
RemoteHypervisorSocket string `toml:"remote_hypervisor_socket"`
|
RemoteHypervisorSocket string `toml:"remote_hypervisor_socket"`
|
||||||
SnpIdBlock string `toml:"snp_id_block"`
|
SnpIdBlock string `toml:"snp_id_block"`
|
||||||
SnpIdAuth string `toml:"snp_id_auth"`
|
SnpIdAuth string `toml:"snp_id_auth"`
|
||||||
|
SnpGuestPolicy *uint64 `toml:"snp_guest_policy"`
|
||||||
HypervisorPathList []string `toml:"valid_hypervisor_paths"`
|
HypervisorPathList []string `toml:"valid_hypervisor_paths"`
|
||||||
JailerPathList []string `toml:"valid_jailer_paths"`
|
JailerPathList []string `toml:"valid_jailer_paths"`
|
||||||
VirtioFSDaemonList []string `toml:"valid_virtio_fs_daemon_paths"`
|
VirtioFSDaemonList []string `toml:"valid_virtio_fs_daemon_paths"`
|
||||||
@ -992,6 +993,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
|
|||||||
ExtraMonitorSocket: extraMonitorSocket,
|
ExtraMonitorSocket: extraMonitorSocket,
|
||||||
SnpIdBlock: h.SnpIdBlock,
|
SnpIdBlock: h.SnpIdBlock,
|
||||||
SnpIdAuth: h.SnpIdAuth,
|
SnpIdAuth: h.SnpIdAuth,
|
||||||
|
SnpGuestPolicy: h.SnpGuestPolicy,
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
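Review bot: `SnpGuestPolicy: h.SnpGuestPolicy` is forwarded as-is, so a value that disagrees with the policy baked into `snp_id_block` is only detected by the firmware at SNP_LAUNCH_START, the opaque failure the new template comment warns about. Since newQemuHypervisorConfig already returns an error and has both `h.SnpIdBlock` and `h.SnpGuestPolicy` in hand, a consistency check here would surface the mismatch with a clear message at configuration-load time instead. The helper below assumes the ID block layout from the SEV-SNP firmware ABI, where POLICY is the trailing 8-byte little-endian field of the 96-byte structure; confirm the offset against the spec revision the project targets before relying on it. It would be called before the `}, nil` return, e.g. `if err := checkSnpGuestPolicy(h); err != nil { return vc.HypervisorConfig{}, err }`; the body of newQemuHypervisorConfig starts outside the hunk.
```go
// checkSnpGuestPolicy fails early when snp_guest_policy disagrees with the
// POLICY field embedded in snp_id_block; the firmware would otherwise reject
// SNP_LAUNCH_START without indicating which of the two values is wrong.
func checkSnpGuestPolicy(h hypervisor) error {
	if h.SnpGuestPolicy == nil || h.SnpIdBlock == "" {
		return nil
	}
	idBlock, err := base64.StdEncoding.DecodeString(h.SnpIdBlock)
	if err != nil {
		return fmt.Errorf("decoding snp_id_block: %w", err)
	}
	// ID block layout per the SEV-SNP firmware ABI: 96 bytes, POLICY at the end.
	const idBlockLen, policyOff = 96, 88
	if len(idBlock) != idBlockLen {
		return fmt.Errorf("snp_id_block is %d bytes, want %d", len(idBlock), idBlockLen)
	}
	if got := binary.LittleEndian.Uint64(idBlock[policyOff:]); got != *h.SnpGuestPolicy {
		return fmt.Errorf("snp_id_block policy 0x%x does not match snp_guest_policy 0x%x", got, *h.SnpGuestPolicy)
	}
	return nil
}
```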
@ -473,6 +473,9 @@ type HypervisorConfig struct {
|
|||||||
// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (default: all-zero)
|
// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (default: all-zero)
|
||||||
SnpIdAuth string
|
SnpIdAuth string
|
||||||
|
|
||||||
|
// SnpGuestPolicy is the integer representation of the SEV-SNP guest policy.
|
||||||
|
SnpGuestPolicy *uint64
|
||||||
|
|
||||||
// KernelParams are additional guest kernel parameters.
|
// KernelParams are additional guest kernel parameters.
|
||||||
KernelParams []Param
|
KernelParams []Param
|
||||||
|
|
||||||
|
@ -38,6 +38,8 @@ type qemuAmd64 struct {
|
|||||||
snpIdBlock string
|
snpIdBlock string
|
||||||
|
|
||||||
snpIdAuth string
|
snpIdAuth string
|
||||||
|
|
||||||
|
snpGuestPolicy *uint64
|
||||||
}
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -126,11 +128,12 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
|
|||||||
protection: noneProtection,
|
protection: noneProtection,
|
||||||
legacySerial: config.LegacySerial,
|
legacySerial: config.LegacySerial,
|
||||||
},
|
},
|
||||||
vmFactory: factory,
|
vmFactory: factory,
|
||||||
snpGuest: config.SevSnpGuest,
|
snpGuest: config.SevSnpGuest,
|
||||||
qgsPort: config.QgsPort,
|
qgsPort: config.QgsPort,
|
||||||
snpIdBlock: config.SnpIdBlock,
|
snpIdBlock: config.SnpIdBlock,
|
||||||
snpIdAuth: config.SnpIdAuth,
|
snpIdAuth: config.SnpIdAuth,
|
||||||
|
snpGuestPolicy: config.SnpGuestPolicy,
|
||||||
}
|
}
|
||||||
|
|
||||||
if config.ConfidentialGuest {
|
if config.ConfidentialGuest {
|
||||||
@ -315,6 +318,7 @@ func (q *qemuAmd64) appendProtectionDevice(devices []govmmQemu.Device, firmware,
|
|||||||
CBitPos: cpuid.AMDMemEncrypt.CBitPosition,
|
CBitPos: cpuid.AMDMemEncrypt.CBitPosition,
|
||||||
ReducedPhysBits: 1,
|
ReducedPhysBits: 1,
|
||||||
InitdataDigest: initdataDigest,
|
InitdataDigest: initdataDigest,
|
||||||
|
SnpGuestPolicy: q.snpGuestPolicy,
|
||||||
}
|
}
|
||||||
if q.snpIdBlock != "" && q.snpIdAuth != "" {
|
if q.snpIdBlock != "" && q.snpIdAuth != "" {
|
||||||
obj.SnpIdBlock = q.snpIdBlock
|
obj.SnpIdBlock = q.snpIdBlock
|
||||||
|