github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-25 15:02:45 +00:00
Code Issues Projects Releases Wiki Activity

kata-ctl: Remove all utility functions to get platform protection

Browse Source 
Since these have been added to kata-sys-util, remove these from
kata-ctl. Change all invocations to get platform protection to make use
of kata-sys-util.

Fixes: #7144

Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
This commit is contained in:
Archana Shinde 2023-07-05 20:10:59 +05:30
parent a24dbdc781
commit 61e4032b08
9 changed files with 312 additions and 280 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
src/libs/Cargo.lock generated
View File

@ -34,6 +34,17 @@ dependencies = [
"syn", "syn",
] ]
[[package]]
name = "atty"
version = "0.2.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d9b39be18770d11421cdb1b9947a45dd3f37e93092cbf377614828a319d5fee8"
dependencies = [
"hermit-abi",
"libc",
"winapi",
]
[[package]] [[package]]
name = "autocfg" name = "autocfg"
version = "1.1.0" version = "1.1.0"
@ -130,7 +141,7 @@ dependencies = [
"js-sys", "js-sys",
"num-integer", "num-integer",
"num-traits", "num-traits",
"time", "time 0.1.43",
"wasm-bindgen", "wasm-bindgen",
"winapi", "winapi",
] ]
@ -172,6 +183,27 @@ dependencies = [
"syn", "syn",
] ]
[[package]]
name = "dirs-next"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1"
dependencies = [
"cfg-if",
"dirs-sys-next",
]
[[package]]
name = "dirs-sys-next"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d"
dependencies = [
"libc",
"redox_users",
"winapi",
]
[[package]] [[package]]
name = "either" name = "either"
version = "1.6.1" version = "1.6.1"
@ -472,6 +504,7 @@ dependencies = [
name = "kata-sys-util" name = "kata-sys-util"
version = "0.1.0" version = "0.1.0"
dependencies = [ dependencies = [
"anyhow",
"byteorder", "byteorder",
"cgroups-rs", "cgroups-rs",
"chrono", "chrono",
@ -559,6 +592,7 @@ dependencies = [
"slog-async", "slog-async",
"slog-json", "slog-json",
"slog-scope", "slog-scope",
"slog-term",
"tempfile", "tempfile",
] ]
@ -681,6 +715,15 @@ dependencies = [
"libc", "libc",
] ]
[[package]]
name = "num_threads"
version = "0.1.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2819ce041d2ee131036f4fc9d6ae7ae125a3a40e97ba64d04fe799ad9dabbb44"
dependencies = [
"libc",
]
[[package]] [[package]]
name = "oci" name = "oci"
version = "0.1.0" version = "0.1.0"
@ -950,13 +993,24 @@ dependencies = [
[[package]] [[package]]
name = "redox_syscall" name = "redox_syscall"
version = "0.2.10" version = "0.2.16"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8383f39639269cde97d255a32bdb68c047337295414940c68bdd30c2e13203ff" checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
dependencies = [ dependencies = [
"bitflags", "bitflags",
] ]
[[package]]
name = "redox_users"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b033d837a7cf162d7993aded9304e30a83213c648b6e389db233191f891e5c2b"
dependencies = [
"getrandom",
"redox_syscall",
"thiserror",
]
[[package]] [[package]]
name = "regex" name = "regex"
version = "1.6.0" version = "1.6.0"
@ -983,6 +1037,12 @@ dependencies = [
"winapi", "winapi",
] ]
[[package]]
name = "rustversion"
version = "1.0.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4f3208ce4d8448b3f3e7d168a73f5e0c43a61e32930de3bceeccedb388b6bf06"
[[package]] [[package]]
name = "ryu" name = "ryu"
version = "1.0.9" version = "1.0.9"
@ -1113,6 +1173,19 @@ dependencies = [
"slog", "slog",
] ]
[[package]]
name = "slog-term"
version = "2.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "87d29185c55b7b258b4f120eab00f48557d4d9bc814f41713f449d35b0f8977c"
dependencies = [
"atty",
"slog",
"term",
"thread_local",
"time 0.3.22",
]
[[package]] [[package]]
name = "smallvec" name = "smallvec"
version = "1.8.0" version = "1.8.0"
@ -1170,6 +1243,17 @@ dependencies = [
"winapi", "winapi",
] ]
[[package]]
name = "term"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c59df8ac95d96ff9bede18eb7300b0fda5e5d8d90960e76f8e14ae765eedbf1f"
dependencies = [
"dirs-next",
"rustversion",
"winapi",
]
[[package]] [[package]]
name = "test-utils" name = "test-utils"
version = "0.1.0" version = "0.1.0"
@ -1216,6 +1300,35 @@ dependencies = [
"winapi", "winapi",
] ]
[[package]]
name = "time"
version = "0.3.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ea9e1b3cf1243ae005d9e74085d4d542f3125458f3a81af210d901dcd7411efd"
dependencies = [
"itoa",
"libc",
"num_threads",
"serde",
"time-core",
"time-macros",
]
[[package]]
name = "time-core"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7300fbefb4dadc1af235a9cef3737cea692a9d97e1b9cbcd4ebdae6f8868e6fb"
[[package]]
name = "time-macros"
version = "0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "372950940a5f07bf38dbe211d7283c9e6d7327df53794992d293e534c733d09b"
dependencies = [
"time-core",
]
[[package]] [[package]]
name = "tokio" name = "tokio"
version = "1.17.0" version = "1.17.0"

197
src/tools/kata-ctl/Cargo.lock generated
View File

@ -33,6 +33,21 @@ dependencies = [
"memchr", "memchr",
] ]
[[package]]
name = "android-tzdata"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e999941b234f3131b00bc13c22d06e8c5ff726d1b6318ac7eb276997bbb4fef0"
[[package]]
name = "android_system_properties"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
dependencies = [
"libc",
]
[[package]] [[package]]
name = "anstream" name = "anstream"
version = "0.2.6" version = "0.2.6"
@ -187,6 +202,34 @@ version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "cgroups-rs"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b098e7c3a70d03c288fa0a96ccf13e770eb3d78c4cc0e1549b3c13215d5f965"
dependencies = [
"libc",
"log",
"nix 0.25.1",
"regex",
"thiserror",
]
[[package]]
name = "chrono"
version = "0.4.26"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec837a71355b28f6556dbd569b37b3f363091c0bd4b2e735674521b4c5fd9bc5"
dependencies = [
"android-tzdata",
"iana-time-zone",
"js-sys",
"num-traits",
"time 0.1.45",
"wasm-bindgen",
"winapi",
]
[[package]] [[package]]
name = "clap" name = "clap"
version = "4.2.1" version = "4.2.1"
@ -230,6 +273,12 @@ version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a2dd5a6fe8c6e3502f568a6353e5273bbb15193ad9a89e457b9970798efbea1" checksum = "8a2dd5a6fe8c6e3502f568a6353e5273bbb15193ad9a89e457b9970798efbea1"
[[package]]
name = "common-path"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2382f75942f4b3be3690fe4f86365e9c853c1587d6ee58212cebf6e2a9ccd101"
[[package]] [[package]]
name = "concolor-override" name = "concolor-override"
version = "1.0.0" version = "1.0.0"
@ -358,6 +407,17 @@ dependencies = [
"libc", "libc",
] ]
[[package]]
name = "fail"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fe5e43d0f78a42ad591453aedb1d7ae631ce7ee445c7643691055a9ed8d3b01c"
dependencies = [
"log",
"once_cell",
"rand",
]
[[package]] [[package]]
name = "fastrand" name = "fastrand"
version = "1.8.0" version = "1.8.0"
@ -500,7 +560,7 @@ checksum = "c85e1d9ab2eadba7e5040d4e09cbd6d072b76a557ad64e797c2cb9d4da21d7e4"
dependencies = [ dependencies = [
"cfg-if", "cfg-if",
"libc", "libc",
"wasi", "wasi 0.11.0+wasi-snapshot-preview1",
] ]
[[package]] [[package]]
@ -676,6 +736,29 @@ dependencies = [
"tokio", "tokio",
] ]
[[package]]
name = "iana-time-zone"
version = "0.1.57"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2fad5b825842d2b38bd206f3e81d6957625fd7f0a361e345c30e01a0ae2dd613"
dependencies = [
"android_system_properties",
"core-foundation-sys",
"iana-time-zone-haiku",
"js-sys",
"wasm-bindgen",
"windows",
]
[[package]]
name = "iana-time-zone-haiku"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
dependencies = [
"cc",
]
[[package]] [[package]]
name = "idna" name = "idna"
version = "0.3.0" version = "0.3.0"
@ -778,6 +861,7 @@ dependencies = [
"epoll", "epoll",
"futures", "futures",
"hyper", "hyper",
"kata-sys-util",
"kata-types", "kata-types",
"libc", "libc",
"logging", "logging",
@ -805,6 +889,30 @@ dependencies = [
"vmm-sys-util", "vmm-sys-util",
] ]
[[package]]
name = "kata-sys-util"
version = "0.1.0"
dependencies = [
"anyhow",
"byteorder",
"cgroups-rs",
"chrono",
"common-path",
"fail",
"kata-types",
"lazy_static",
"libc",
"nix 0.24.3",
"oci",
"once_cell",
"rand",
"serde_json",
"slog",
"slog-scope",
"subprocess",
"thiserror",
]
[[package]] [[package]]
name = "kata-types" name = "kata-types"
version = "0.1.0" version = "0.1.0"
@ -923,7 +1031,7 @@ checksum = "e5d732bc30207a6423068df043e3d02e0735b155ad7ce1a6f76fe2baa5b158de"
dependencies = [ dependencies = [
"libc", "libc",
"log", "log",
"wasi", "wasi 0.11.0+wasi-snapshot-preview1",
"windows-sys 0.42.0", "windows-sys 0.42.0",
] ]
@ -1004,6 +1112,15 @@ dependencies = [
"static_assertions", "static_assertions",
] ]
[[package]]
name = "num-traits"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
dependencies = [
"autocfg",
]
[[package]] [[package]]
name = "num_cpus" name = "num_cpus"
version = "1.15.0" version = "1.15.0"
@ -1163,6 +1280,12 @@ version = "0.3.26"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6ac9a59f73473f1b8d852421e59e64809f025994837ef743615c6d0c5b305160" checksum = "6ac9a59f73473f1b8d852421e59e64809f025994837ef743615c6d0c5b305160"
[[package]]
name = "ppv-lite86"
version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
[[package]] [[package]]
name = "privdrop" name = "privdrop"
version = "0.5.3" version = "0.5.3"
@ -1319,6 +1442,36 @@ dependencies = [
"proc-macro2", "proc-macro2",
] ]
[[package]]
name = "rand"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
dependencies = [
"libc",
"rand_chacha",
"rand_core",
]
[[package]]
name = "rand_chacha"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
dependencies = [
"ppv-lite86",
"rand_core",
]
[[package]]
name = "rand_core"
version = "0.6.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
dependencies = [
"getrandom",
]
[[package]] [[package]]
name = "redox_syscall" name = "redox_syscall"
version = "0.2.16" version = "0.2.16"
@ -1641,7 +1794,7 @@ dependencies = [
"serde", "serde",
"serde_json", "serde_json",
"slog", "slog",
"time", "time 0.3.17",
] ]
[[package]] [[package]]
@ -1665,7 +1818,7 @@ dependencies = [
"slog", "slog",
"term", "term",
"thread_local", "thread_local",
"time", "time 0.3.17",
] ]
[[package]] [[package]]
@ -1721,6 +1874,16 @@ dependencies = [
"syn 1.0.107", "syn 1.0.107",
] ]
[[package]]
name = "subprocess"
version = "0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0c2e86926081dda636c546d8c5e641661049d7562a68f5488be4a1f7f66f6086"
dependencies = [
"libc",
"winapi",
]
[[package]] [[package]]
name = "syn" name = "syn"
version = "1.0.107" version = "1.0.107"
@ -1821,6 +1984,17 @@ dependencies = [
"once_cell", "once_cell",
] ]
[[package]]
name = "time"
version = "0.1.45"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b797afad3f312d1c66a56d11d0316f916356d11bd158fbc6ca6389ff6bf805a"
dependencies = [
"libc",
"wasi 0.10.0+wasi-snapshot-preview1",
"winapi",
]
[[package]] [[package]]
name = "time" name = "time"
version = "0.3.17" version = "0.3.17"
@ -2114,6 +2288,12 @@ dependencies = [
"try-lock", "try-lock",
] ]
[[package]]
name = "wasi"
version = "0.10.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
[[package]] [[package]]
name = "wasi" name = "wasi"
version = "0.11.0+wasi-snapshot-preview1" version = "0.11.0+wasi-snapshot-preview1"
@ -2248,6 +2428,15 @@ version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
name = "windows"
version = "0.48.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e686886bc078bc1b0b600cac0147aadb815089b6e4da64016cbd754b6342700f"
dependencies = [
"windows-targets 0.48.0",
]
[[package]] [[package]]
name = "windows-sys" name = "windows-sys"
version = "0.42.0" version = "0.42.0"

1
src/tools/kata-ctl/Cargo.toml
View File

@ -30,6 +30,7 @@ sys-info = "0.9.1"
shim-interface = { path = "../../libs/shim-interface"} shim-interface = { path = "../../libs/shim-interface"}
kata-types = { path = "../../libs/kata-types" } kata-types = { path = "../../libs/kata-types" }
kata-sys-util = { path = "../../../src/libs/kata-sys-util/" }
safe-path = { path = "../../libs/safe-path" } safe-path = { path = "../../libs/safe-path" }
agent = { path = "../../runtime-rs/crates/agent"} agent = { path = "../../runtime-rs/crates/agent"}
serial_test = "0.5.1" serial_test = "0.5.1"

6
src/tools/kata-ctl/src/arch/aarch64/mod.rs
View File

@ -84,10 +84,4 @@ mod arch_specific {
// TODO: Not implemented // TODO: Not implemented
Ok(true) Ok(true)
} }
#[allow(dead_code)]
// Guest protection is not supported on ARM64.
pub fn available_guest_protection() -> Result<check::GuestProtection, check::ProtectionError> {
Ok(check::GuestProtection::NoProtection)
}
} }

18
src/tools/kata-ctl/src/arch/powerpc64le/mod.rs
View File

@ -32,22 +32,4 @@ mod arch_specific {
// to get cpu details specific to powerpc architecture similar // to get cpu details specific to powerpc architecture similar
// to the goloang implementation of function getCPUDetails() // to the goloang implementation of function getCPUDetails()
} }
pub fn host_is_vmcontainer_capable() -> Result<bool> {
// TODO: Not implemented
Ok(true)
}
pub fn available_guest_protection() -> Result<check::GuestProtection, check::ProtectionError> {
if !Uid::effective().is_root() {
return Err(check::ProtectionError::NoPerms);
}
let metadata = fs::metadata(PEF_SYS_FIRMWARE_DIR);
if metadata.is_ok() && metadata.unwrap().is_dir() {
Ok(check::GuestProtection::Pef)
}
Ok(check::GuestProtection::NoProtection)
}
} }

74
src/tools/kata-ctl/src/arch/s390x/mod.rs
View File

@ -12,9 +12,7 @@ mod arch_specific {
use crate::types::*; use crate::types::*;
use crate::utils; use crate::utils;
use anyhow::{anyhow, Result}; use anyhow::{anyhow, Result};
use nix::unistd::Uid;
use slog::{info, o, warn}; use slog::{info, o, warn};
use std::collections::HashMap;
use std::io::BufRead; use std::io::BufRead;
use std::io::BufReader; use std::io::BufReader;
@ -95,41 +93,6 @@ mod arch_specific {
Err(anyhow!("System is not capable of running a VM")) Err(anyhow!("System is not capable of running a VM"))
} }
#[allow(dead_code)]
fn retrieve_cpu_facilities() -> Result<HashMap<i32, bool>> {
let f = std::fs::File::open(check::PROC_CPUINFO)?;
let mut reader = BufReader::new(f);
let mut contents = String::new();
let facilities_field = "facilities";
let mut facilities = HashMap::new();
while reader.read_line(&mut contents)? > 0 {
let fields: Vec<&str> = contents.split_whitespace().collect();
if fields.len() < 2 {
contents.clear();
continue;
}
if !fields[0].starts_with(facilities_field) {
contents.clear();
continue;
}
let mut start = 1;
if fields[1] == ":" {
start = 2;
}
for field in fields.iter().skip(start) {
let bit = field.parse::<i32>()?;
facilities.insert(bit, true);
}
return Ok(facilities);
}
Ok(facilities)
}
#[allow(dead_code)] #[allow(dead_code)]
pub fn check_cmd_line( pub fn check_cmd_line(
kernel_cmdline_path: &str, kernel_cmdline_path: &str,
@ -176,41 +139,4 @@ mod arch_specific {
// to get cpu details specific to s390x architecture similar // to get cpu details specific to s390x architecture similar
// to the goloang implementation of function getS390xCPUDetails() // to the goloang implementation of function getS390xCPUDetails()
} }
#[allow(dead_code)]
// Guest protection is not supported on ARM64.
pub fn available_guest_protection() -> Result<check::GuestProtection, check::ProtectionError> {
if !Uid::effective().is_root() {
return Err(check::ProtectionError::NoPerms)?;
}
let facilities = retrieve_cpu_facilities().map_err(|err| {
check::ProtectionError::CheckFailed(format!(
"Error retrieving cpu facilities file : {}",
err.to_string()
))
})?;
// Secure Execution
// https://www.kernel.org/doc/html/latest/virt/kvm/s390-pv.html
let se_cpu_facility_bit: i32 = 158;
if !facilities.contains_key(&se_cpu_facility_bit) {
return Ok(check::GuestProtection::NoProtection);
}
let cmd_line_values = vec!["1", "on", "y", "yes"];
let se_cmdline_param = "prot_virt";
let se_cmdline_present =
check_cmd_line("/proc/cmdline", se_cmdline_param, &cmd_line_values)
.map_err(|err| check::ProtectionError::CheckFailed(err.to_string()))?;
if !se_cmdline_present {
return Err(check::ProtectionError::InvalidValue(String::from(
"Protected Virtualization is not enabled on kernel command line!",
)));
}
Ok(check::GuestProtection::Se)
}
} }

135
src/tools/kata-ctl/src/arch/x86_64/mod.rs
View File

@ -10,14 +10,10 @@ pub use arch_specific::*;
mod arch_specific { mod arch_specific {
use crate::check; use crate::check;
use crate::check::{GuestProtection, ProtectionError};
use crate::types::*; use crate::types::*;
use crate::utils; use crate::utils;
use anyhow::{anyhow, Context, Result}; use anyhow::{anyhow, Context, Result};
use nix::unistd::Uid;
use slog::{info, o, warn}; use slog::{info, o, warn};
use std::fs;
use std::path::Path;
const CPUINFO_DELIMITER: &str = "\nprocessor"; const CPUINFO_DELIMITER: &str = "\nprocessor";
const CPUINFO_FLAGS_TAG: &str = "flags"; const CPUINFO_FLAGS_TAG: &str = "flags";
@ -133,66 +129,6 @@ mod arch_specific {
result.context("KVM check failed") result.context("KVM check failed")
} }
pub const TDX_SYS_FIRMWARE_DIR: &str = "/sys/firmware/tdx_seam/";
pub const TDX_CPU_FLAG: &str = "tdx";
pub const SEV_KVM_PARAMETER_PATH: &str = "/sys/module/kvm_amd/parameters/sev";
pub const SNP_KVM_PARAMETER_PATH: &str = "/sys/module/kvm_amd/parameters/sev_snp";
pub fn available_guest_protection() -> Result<GuestProtection, ProtectionError> {
if !Uid::effective().is_root() {
return Err(ProtectionError::NoPerms);
}
arch_guest_protection(
TDX_SYS_FIRMWARE_DIR,
TDX_CPU_FLAG,
SEV_KVM_PARAMETER_PATH,
SNP_KVM_PARAMETER_PATH,
)
}
pub fn arch_guest_protection(
tdx_path: &str,
tdx_flag: &str,
sev_path: &str,
snp_path: &str,
) -> Result<GuestProtection, ProtectionError> {
let flags =
retrieve_cpu_flags().map_err(|err| ProtectionError::CheckFailed(err.to_string()))?;
let metadata = fs::metadata(tdx_path);
if metadata.is_ok() && metadata.unwrap().is_dir() && flags.contains(tdx_flag) {
return Ok(GuestProtection::Tdx);
}
let check_contents = |file_name: &str| -> Result<bool, ProtectionError> {
let file_path = Path::new(file_name);
if !file_path.exists() {
return Ok(false);
}
let contents = fs::read_to_string(file_name).map_err(|err| {
ProtectionError::CheckFailed(format!("Error reading file {} : {}", file_name, err))
})?;
if contents == "Y" {
return Ok(true);
}
Ok(false)
};
if check_contents(snp_path)? {
return Ok(GuestProtection::Snp);
}
if check_contents(sev_path)? {
return Ok(GuestProtection::Sev);
}
Ok(GuestProtection::NoProtection)
}
fn running_on_vmm() -> Result<bool> { fn running_on_vmm() -> Result<bool> {
match kata_sys_util::cpu::get_single_cpu_info(check::PROC_CPUINFO, CPUINFO_DELIMITER) { match kata_sys_util::cpu::get_single_cpu_info(check::PROC_CPUINFO, CPUINFO_DELIMITER) {
Ok(cpu_info) => { Ok(cpu_info) => {
@ -345,74 +281,3 @@ mod arch_specific {
Err(anyhow!("System is not capable of running a VM")) Err(anyhow!("System is not capable of running a VM"))
} }
} }
#[cfg(target_arch = "x86_64")]
#[cfg(test)]
mod tests {
use super::*;
use crate::check;
use nix::unistd::Uid;
use std::fs;
use std::io::Write;
use tempfile::tempdir;
#[test]
fn test_available_guest_protection_no_privileges() {
if !Uid::effective().is_root() {
let res = available_guest_protection();
assert!(res.is_err());
assert_eq!(
"No permission to check guest protection",
res.unwrap_err().to_string()
);
}
}
fn test_arch_guest_protection_snp() {
// Test snp
let dir = tempdir().unwrap();
let snp_file_path = dir.path().join("sev_snp");
let path = snp_file_path.clone();
let mut snp_file = fs::File::create(snp_file_path).unwrap();
writeln!(snp_file, "Y").unwrap();
let actual =
arch_guest_protection("/xyz/tmp", TDX_CPU_FLAG, "/xyz/tmp", path.to_str().unwrap());
assert!(actual.is_ok());
assert_eq!(actual.unwrap(), check::GuestProtection::Snp);
writeln!(snp_file, "N").unwrap();
let actual =
arch_guest_protection("/xyz/tmp", TDX_CPU_FLAG, "/xyz/tmp", path.to_str().unwrap());
assert!(actual.is_ok());
assert_eq!(actual.unwrap(), check::GuestProtection::NoProtection);
}
fn test_arch_guest_protection_sev() {
// Test sev
let dir = tempdir().unwrap();
let sev_file_path = dir.path().join("sev");
let sev_path = sev_file_path.clone();
let mut sev_file = fs::File::create(sev_file_path).unwrap();
writeln!(sev_file, "Y").unwrap();
let actual = arch_guest_protection(
"/xyz/tmp",
TDX_CPU_FLAG,
sev_path.to_str().unwrap(),
"/xyz/tmp",
);
assert!(actual.is_ok());
assert_eq!(actual.unwrap(), check::GuestProtection::Sev);
writeln!(sev_file, "N").unwrap();
let actual = arch_guest_protection(
"/xyz/tmp",
TDX_CPU_FLAG,
sev_path.to_str().unwrap(),
"/xyz/tmp",
);
assert!(actual.is_ok());
assert_eq!(actual.unwrap(), check::GuestProtection::NoProtection);
}
}

39
src/tools/kata-ctl/src/check.rs
View File

@ -16,8 +16,6 @@ use nix::{ioctl_write_int_bad, request_code_none};
use reqwest::header::{CONTENT_TYPE, USER_AGENT}; use reqwest::header::{CONTENT_TYPE, USER_AGENT};
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use slog::{info, o}; use slog::{info, o};
use std::fmt;
use thiserror::Error;
#[cfg(any(target_arch = "x86_64"))] #[cfg(any(target_arch = "x86_64"))]
use std::process::{Command, Stdio}; use std::process::{Command, Stdio};
@ -98,43 +96,6 @@ pub fn check_cpu_attribs(
Ok(missing_attribs) Ok(missing_attribs)
} }
#[allow(dead_code)]
#[derive(Debug, PartialEq)]
pub enum GuestProtection {
NoProtection,
Tdx,
Sev,
Snp,
Pef,
Se,
}
impl fmt::Display for GuestProtection {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
match self {
GuestProtection::Tdx => write!(f, "tdx"),
GuestProtection::Sev => write!(f, "sev"),
GuestProtection::Snp => write!(f, "snp"),
GuestProtection::Pef => write!(f, "pef"),
GuestProtection::Se => write!(f, "se"),
GuestProtection::NoProtection => write!(f, "none"),
}
}
}
#[allow(dead_code)]
#[derive(Error, Debug)]
pub enum ProtectionError {
#[error("No permission to check guest protection")]
NoPerms,
#[error("Failed to check guest protection: {0}")]
CheckFailed(String),
#[error("Invalid guest protection value: {0}")]
InvalidValue(String),
}
pub fn run_network_checks() -> Result<()> { pub fn run_network_checks() -> Result<()> {
Ok(()) Ok(())
} }

3
src/tools/kata-ctl/src/ops/env_ops.rs
View File

@ -9,6 +9,7 @@ use crate::arch::arch_specific;
use crate::args::EnvArgument; use crate::args::EnvArgument;
use crate::ops::version; use crate::ops::version;
use crate::utils; use crate::utils;
use kata_sys_util::protection;
use kata_types::config::TomlConfig; use kata_types::config::TomlConfig;
use anyhow::{anyhow, Context, Result}; use anyhow::{anyhow, Context, Result};
@ -251,7 +252,7 @@ fn get_host_info() -> Result<HostInfo> {
let memory_info = get_memory_info()?; let memory_info = get_memory_info()?;
let guest_protection = let guest_protection =
arch_specific::available_guest_protection().map_err(|e| anyhow!(e.to_string()))?; protection::available_guest_protection().map_err(|e| anyhow!(e.to_string()))?;
let guest_protection = guest_protection.to_string(); let guest_protection = guest_protection.to_string();