From 62d3d7c58ffa9c4b87209eafb73589d0085df6e2 Mon Sep 17 00:00:00 2001 From: Niteesh Dubey Date: Fri, 23 Feb 2024 21:02:38 +0000 Subject: [PATCH] runtime: enable kernel-hashes for SNP confidential container This is required to provide the hashes of kernel, initrd and cmdline needed during the attestation of the coco. Fixes: #9150 Signed-off-by: Niteesh Dubey --- src/runtime/Makefile | 2 +- src/runtime/pkg/govmm/qemu/qemu.go | 9 ++++++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 4c14fbc788..23d28085f6 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -149,7 +149,7 @@ FIRMWARETDVFPATH := PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT FIRMWARETDVFVOLUMEPATH := FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd -FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd +FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd ROOTMEASURECONFIG ?= "" KERNELPARAMS += $(ROOTMEASURECONFIG) diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go index 092c0b8ca2..d9c1e21a2c 100644 --- a/src/runtime/pkg/govmm/qemu/qemu.go +++ b/src/runtime/pkg/govmm/qemu/qemu.go @@ -375,12 +375,19 @@ func (object Object) QemuParams(config *Config) []string { objectParams = append(objectParams, prepareObjectWithTdxQgs(object)) config.Bios = object.File case SEVGuest: - fallthrough + objectParams = append(objectParams, string(object.Type)) + objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID)) + objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos)) + objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits)) + + driveParams = append(driveParams, "if=pflash,format=raw,readonly=on") + driveParams = append(driveParams, fmt.Sprintf("file=%s", object.File)) case SNPGuest: objectParams = append(objectParams, string(object.Type)) objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID)) objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos)) objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits)) + objectParams = append(objectParams, "kernel-hashes=on") driveParams = append(driveParams, "if=pflash,format=raw,readonly=on") driveParams = append(driveParams, fmt.Sprintf("file=%s", object.File))