Merge pull request #1882 from Amulyam24/pef

runtime: Add support for PEF
2025-09-14 05:19:21 +00:00 · 2021-06-01 12:56:53 +05:30
parent 41e04495f4 37a426b4c6
commit 604e3a6fa1
6 changed files with 147 additions and 23 deletions
--- a/src/runtime/virtcontainers/hypervisor_ppc64le.go
+++ b/src/runtime/virtcontainers/hypervisor_ppc64le.go
@@ -0,0 +1,17 @@
+// Copyright (c) 2021 IBM
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package virtcontainers
+
+import "os"
+
+//Returns pefProtection if the firmware directory exists
+func availableGuestProtection() (guestProtection, error) {
+
+	if d, err := os.Stat(pefSysFirmwareDir); err == nil && d.IsDir() {
+		return pefProtection, err
+	}
+
+	return noneProtection, nil
+}
--- a/src/runtime/virtcontainers/qemu_ppc64le.go
+++ b/src/runtime/virtcontainers/qemu_ppc64le.go
@@ -27,6 +27,14 @@ const defaultQemuMachineOptions = "accel=kvm,usb=off"

 const qmpMigrationWaitTimeout = 5 * time.Second

+const pefSysFirmwareDir = "/sys/firmware/ultravisor/"
+
+const pefID = "pef0"
+
+const tpmID = "tpm0"
+
+const tpmHostPath = "/dev/tpmrm0"
+
 var kernelParams = []Param{
 	{"rcupdate.rcu_expedited", "1"},
 	{"reboot", "k"},
@@ -43,7 +51,7 @@ var supportedQemuMachine = govmmQemu.Machine{

 // Logger returns a logrus logger appropriate for logging qemu messages
 func (q *qemuPPC64le) Logger() *logrus.Entry {
-	return virtLog.WithField("subsystem", "qemu")
+	return virtLog.WithField("subsystem", "qemuPPC64le")
 }

 // MaxQemuVCPUs returns the maximum number of vCPUs supported
@@ -69,9 +77,16 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 			kernelParamsNonDebug: kernelParamsNonDebug,
 			kernelParamsDebug:    kernelParamsDebug,
 			kernelParams:         kernelParams,
+			protection:           noneProtection,
 		},
 	}

+	if config.ConfidentialGuest {
+		if err := q.enableProtection(); err != nil {
+			return nil, err
+		}
+	}
+
 	q.handleImagePath(config)

 	q.memoryOffset = config.MemOffset
@@ -116,3 +131,49 @@ func (q *qemuPPC64le) appendBridges(devices []govmmQemu.Device) []govmmQemu.Devi
 func (q *qemuPPC64le) appendIOMMU(devices []govmmQemu.Device) ([]govmmQemu.Device, error) {
 	return devices, fmt.Errorf("PPC64le does not support appending a vIOMMU")
 }
+
+// Enables guest protection
+func (q *qemuPPC64le) enableProtection() error {
+	var err error
+	q.protection, err = availableGuestProtection()
+	if err != nil {
+		return err
+	}
+
+	switch q.protection {
+	case pefProtection:
+		if q.qemuMachine.Options != "" {
+			q.qemuMachine.Options += ","
+		}
+		q.qemuMachine.Options += fmt.Sprintf("confidential-guest-support=%s", pefID)
+		virtLog.WithFields(logrus.Fields{
+			"subsystem":     "qemuPPC64le",
+			"machine":       q.qemuMachine,
+			"kernel-params": q.kernelParams,
+		}).Info("Enabling PEF protection")
+		return nil
+
+	default:
+		return fmt.Errorf("This system doesn't support Confidential Computing (Guest Protection)")
+	}
+}
+
+// append protection device
+func (q *qemuPPC64le) appendProtectionDevice(devices []govmmQemu.Device, firmware string) ([]govmmQemu.Device, string, error) {
+	switch q.protection {
+	case pefProtection:
+		return append(devices,
+			govmmQemu.Object{
+				Driver:   govmmQemu.SpaprTPMProxy,
+				Type:     govmmQemu.PEFGuest,
+				ID:       pefID,
+				DeviceID: tpmID,
+				File:     tpmHostPath,
+			}), firmware, nil
+	case noneProtection:
+		return devices, firmware, nil
+
+	default:
+		return devices, "", fmt.Errorf("Unsupported guest protection technology: %v", q.protection)
+	}
+}