Merge a3ce465070 into 9379a18c8a

2025-08-14 06:06:12 +00:00 · 2025-08-12 13:42:19 +02:00 · 2025-08-12 13:42:19 +02:00 · 67571493b6
commit 67571493b6
parent 9379a18c8a a3ce465070
6 changed files with 26 additions and 5 deletions
--- a/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
@ -72,6 +72,9 @@ valid_hypervisor_paths = @QEMUSNPVALIDHYPERVISORPATHS@
 # for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
 #snp_id_auth = ""

+# SNP Guest Policy, the ‘POLICY’ parameter to the SNP_LAUNCH_START command.
+#snp_guest_policy = 196608
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.
--- a/src/runtime/config/configuration-qemu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-snp.toml.in
@ -72,6 +72,9 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
 # for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
 #snp_id_auth = ""

+# SNP Guest Policy, the ‘POLICY’ parameter to the SNP_LAUNCH_START command.
+#snp_guest_policy = 196608
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.
--- a/src/runtime/pkg/govmm/qemu/qemu.go
+++ b/src/runtime/pkg/govmm/qemu/qemu.go
@ -330,6 +330,9 @@ type Object struct {
 	// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (default: all-zero)
 	SnpIdAuth string

+	// SnpGuestPolicy is the integer representation of the SEV-SNP guest policy.
+	SnpGuestPolicy *uint64
+
 	// Raw byte slice of initdata digest
 	InitdataDigest []byte
 }
@ -415,6 +418,9 @@ func (object Object) QemuParams(config *Config) []string {
 		if object.SnpIdAuth != "" {
 			objectParams = append(objectParams, fmt.Sprintf("id-auth=%s", object.SnpIdAuth))
 		}
+		if object.SnpGuestPolicy != nil {
+			objectParams = append(objectParams, fmt.Sprintf("policy=%d", *object.SnpGuestPolicy))
+		}
 		if len(object.InitdataDigest) > 0 {
 			// due to https://github.com/confidential-containers/qemu/blob/amd-snp-202402240000/qapi/qom.json#L926-L929
 			// hostdata in SEV-SNP should be exactly 32 bytes
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@ -109,6 +109,7 @@ type hypervisor struct {
 	RemoteHypervisorSocket         string                    `toml:"remote_hypervisor_socket"`
 	SnpIdBlock                     string                    `toml:"snp_id_block"`
 	SnpIdAuth                      string                    `toml:"snp_id_auth"`
+	SnpGuestPolicy                 *uint64                   `toml:"snp_guest_policy"`
 	HypervisorPathList             []string                  `toml:"valid_hypervisor_paths"`
 	JailerPathList                 []string                  `toml:"valid_jailer_paths"`
 	VirtioFSDaemonList             []string                  `toml:"valid_virtio_fs_daemon_paths"`
@ -992,6 +993,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		ExtraMonitorSocket:       extraMonitorSocket,
 		SnpIdBlock:               h.SnpIdBlock,
 		SnpIdAuth:                h.SnpIdAuth,
+		SnpGuestPolicy:           h.SnpGuestPolicy,
 	}, nil
 }

--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@ -473,6 +473,9 @@ type HypervisorConfig struct {
 	// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (default: all-zero)
 	SnpIdAuth string

+	// SnpGuestPolicy is the integer representation of the SEV-SNP guest policy.
+	SnpGuestPolicy *uint64
+
 	// KernelParams are additional guest kernel parameters.
 	KernelParams []Param

--- a/src/runtime/virtcontainers/qemu_amd64.go
+++ b/src/runtime/virtcontainers/qemu_amd64.go
@ -38,6 +38,8 @@ type qemuAmd64 struct {
 	snpIdBlock string

 	snpIdAuth string
+
+	snpGuestPolicy *uint64
 }

 const (
@ -126,11 +128,12 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 			protection:           noneProtection,
 			legacySerial:         config.LegacySerial,
 		},
-		vmFactory:  factory,
-		snpGuest:   config.SevSnpGuest,
-		qgsPort:    config.QgsPort,
-		snpIdBlock: config.SnpIdBlock,
-		snpIdAuth:  config.SnpIdAuth,
+		vmFactory:      factory,
+		snpGuest:       config.SevSnpGuest,
+		qgsPort:        config.QgsPort,
+		snpIdBlock:     config.SnpIdBlock,
+		snpIdAuth:      config.SnpIdAuth,
+		snpGuestPolicy: config.SnpGuestPolicy,
 	}

 	if config.ConfidentialGuest {
@ -315,6 +318,7 @@ func (q *qemuAmd64) appendProtectionDevice(devices []govmmQemu.Device, firmware,
 			CBitPos:         cpuid.AMDMemEncrypt.CBitPosition,
 			ReducedPhysBits: 1,
 			InitdataDigest:  initdataDigest,
+			SnpGuestPolicy:  q.snpGuestPolicy,
 		}
 		if q.snpIdBlock != "" && q.snpIdAuth != "" {
 			obj.SnpIdBlock = q.snpIdBlock