From a3ce4650700e0ed65e1dc7df7bfad39277f714df Mon Sep 17 00:00:00 2001
From: Paul Meyer
Date: Tue, 12 Aug 2025 09:49:50 +0200
Subject: [PATCH] runtime: make SNP guest policy configurable

Dependening on the platform configuration, users might want to set a more secure policy than the QEMU default.

Signed-off-by: Paul Meyer
---
 .../configuration-qemu-nvidia-gpu-snp.toml.in | 3 +++
 src/runtime/config/configuration-qemu-snp.toml.in | 3 +++
 src/runtime/pkg/govmm/qemu/qemu.go | 6 ++++++
 src/runtime/pkg/katautils/config.go | 2 ++
 src/runtime/virtcontainers/hypervisor.go | 3 +++
 src/runtime/virtcontainers/qemu_amd64.go | 14 +++++++++-----
 6 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in b/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
index f56a287d9e..82aa19f4d4 100644
--- a/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
@@ -72,6 +72,9 @@ valid_hypervisor_paths = @QEMUSNPVALIDHYPERVISORPATHS@
 # for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
 #snp_id_auth = ""
 
+# SNP Guest Policy, the ‘POLICY’ parameter to the SNP_LAUNCH_START command.
+#snp_guest_policy = 196608
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.
diff --git a/src/runtime/config/configuration-qemu-snp.toml.in b/src/runtime/config/configuration-qemu-snp.toml.in
index 0c2a55021a..84f0d60bf7 100644
--- a/src/runtime/config/configuration-qemu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-snp.toml.in
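Review bot: The new `#snp_guest_policy = 196608` line does not say that 196608 is QEMU's default or what its bits mean, while the neighbouring `snp_id_auth` comment does spell out `(QEMU default: all-zero)`. The value is a bit field from the SEV-SNP firmware ABI: 196608 is 0x30000, i.e. bit 16 (SMT allowed) and bit 17 (reserved, must be 1), and bit 19 (DEBUG) lets the hypervisor decrypt guest memory, so a mistaken value here silently removes confidentiality rather than failing the launch. I would extend the comment to name the ABI reference, give the hex form and the meaning of the default bits, state that bit 19 must stay clear and bit 17 set, and note that the launch POLICY is echoed in the attestation report so relying-party policies must accept it; a compact version is `# SNP guest policy bit field (SEV-SNP firmware ABI, SNP_LAUNCH_START POLICY). QEMU default: 196608 = 0x30000 (SMT allowed, reserved bit 17 set). Never set bit 19 (DEBUG).` The curly quotes around ‘POLICY’ should be plain ASCII in a config template, and the identical comment is repeated in configuration-qemu-snp.toml.in.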
@@ -72,6 +72,9 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
 # for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (QEMU default: all-zero)
 #snp_id_auth = ""
 
+# SNP Guest Policy, the ‘POLICY’ parameter to the SNP_LAUNCH_START command.
+#snp_guest_policy = 196608
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.
diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go
index 67beb4b249..249a12c856 100644
--- a/src/runtime/pkg/govmm/qemu/qemu.go
+++ b/src/runtime/pkg/govmm/qemu/qemu.go
@@ -330,6 +330,9 @@ type Object struct {
 	// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (default: all-zero)
 	SnpIdAuth string
 
+	// SnpGuestPolicy is the integer representation of the SEV-SNP guest policy.
+	SnpGuestPolicy *uint64
+
 	// Raw byte slice of initdata digest
 	InitdataDigest []byte
 }
@@ -415,6 +418,9 @@ func (object Object) QemuParams(config *Config) []string {
 	if object.SnpIdAuth != "" {
 		objectParams = append(objectParams, fmt.Sprintf("id-auth=%s", object.SnpIdAuth))
 	}
+	if object.SnpGuestPolicy != nil {
+		objectParams = append(objectParams, fmt.Sprintf("policy=%d", *object.SnpGuestPolicy))
+	}
 	if len(object.InitdataDigest) > 0 {
 		// due to https://github.com/confidential-containers/qemu/blob/amd-snp-202402240000/qapi/qom.json#L926-L929
 		// hostdata in SEV-SNP should be exactly 32 bytes
diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go
index f15d945ca9..85f6c72588 100644
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
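Review bot: `policy=%d` is emitted for any non-nil `SnpGuestPolicy` with no check on the value, so a policy with bit 19 (DEBUG, per the SEV-SNP firmware ABI) set goes straight to QEMU and yields a guest whose memory the host may decrypt — unlike a malformed `id-auth`, this fails open rather than closed. This package only renders command-line arguments, so the validation belongs at config load, but the contract should be visible on the `SnpGuestPolicy` field declared earlier in this file (the `-330` hunk), e.g. `// SnpGuestPolicy is the SEV-SNP guest policy bit field passed as the sev-snp-guest "policy" property; nil leaves QEMU's default. Callers must reject values with bit 19 (DEBUG) set.` Rendering with `policy=%#x` instead of `%d` would also make the bit layout readable in logs and `ps` output, presumably accepted by QEMU's uint64 property parser — confirm before changing. QemuParams starts and ends outside this hunk.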
@@ -109,6 +109,7 @@ type hypervisor struct {
 	RemoteHypervisorSocket string   `toml:"remote_hypervisor_socket"`
 	SnpIdBlock             string   `toml:"snp_id_block"`
 	SnpIdAuth              string   `toml:"snp_id_auth"`
+	SnpGuestPolicy         *uint64  `toml:"snp_guest_policy"`
 	HypervisorPathList     []string `toml:"valid_hypervisor_paths"`
 	JailerPathList         []string `toml:"valid_jailer_paths"`
 	VirtioFSDaemonList     []string `toml:"valid_virtio_fs_daemon_paths"`
@@ -992,6 +993,7 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		ExtraMonitorSocket: extraMonitorSocket,
 		SnpIdBlock:         h.SnpIdBlock,
 		SnpIdAuth:          h.SnpIdAuth,
+		SnpGuestPolicy:     h.SnpGuestPolicy,
 	}, nil
 }
 
diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
index 22423ab122..1440ac748c 100644
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@@ -473,6 +473,9 @@ type HypervisorConfig struct {
 	// for the SNP_LAUNCH_FINISH command defined in the SEV-SNP firmware ABI (default: all-zero)
 	SnpIdAuth string
 
+	// SnpGuestPolicy is the integer representation of the SEV-SNP guest policy.
+	SnpGuestPolicy *uint64
+
 	// KernelParams are additional guest kernel parameters.
 	KernelParams []Param
 
diff --git a/src/runtime/virtcontainers/qemu_amd64.go b/src/runtime/virtcontainers/qemu_amd64.go
index 78e7a5fc9f..6350ebb3b6 100644
--- a/src/runtime/virtcontainers/qemu_amd64.go
+++ b/src/runtime/virtcontainers/qemu_amd64.go
@@ -38,6 +38,8 @@ type qemuAmd64 struct {
 
 	snpIdBlock string
 	snpIdAuth  string
+
+	snpGuestPolicy *uint64
 }
 
 const (
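Review bot: `SnpGuestPolicy: h.SnpGuestPolicy` copies the TOML value into the hypervisor config unvalidated, yet this is the trust boundary where a bad `snp_guest_policy` should be rejected: per the SEV-SNP firmware ABI, bit 19 (DEBUG) lets the host decrypt guest memory, so a typo here silently disables confidentiality instead of failing the launch. I would reject the DEBUG bit before building the struct (other malformed policies, such as reserved bit 17 clear, are refused by firmware at SNP_LAUNCH_START and so fail closed); nil keeps QEMU's default, which the config template documents as 196608 = 0x30000 with DEBUG clear. newQemuHypervisorConfig begins outside the hunk, and the fence assumes `fmt` is already imported in config.go.
```go
	// … unchanged: earlier parts of newQemuHypervisorConfig …
	if h.SnpGuestPolicy != nil {
		// SEV-SNP firmware ABI guest policy: bit 19 (DEBUG) lets the host
		// decrypt guest memory, so never launch with it set from this knob.
		if *h.SnpGuestPolicy&(1<<19) != 0 {
			return vc.HypervisorConfig{}, fmt.Errorf("snp_guest_policy %#x sets the DEBUG bit (19), which disables guest memory confidentiality", *h.SnpGuestPolicy)
		}
	}
	return vc.HypervisorConfig{
		// … unchanged: other fields …
		SnpGuestPolicy:     h.SnpGuestPolicy,
	}, nil
```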
@@ -126,11 +128,12 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 			protection:   noneProtection,
 			legacySerial: config.LegacySerial,
 		},
-		vmFactory:  factory,
-		snpGuest:   config.SevSnpGuest,
-		qgsPort:    config.QgsPort,
-		snpIdBlock: config.SnpIdBlock,
-		snpIdAuth:  config.SnpIdAuth,
+		vmFactory:      factory,
+		snpGuest:       config.SevSnpGuest,
+		qgsPort:        config.QgsPort,
+		snpIdBlock:     config.SnpIdBlock,
+		snpIdAuth:      config.SnpIdAuth,
+		snpGuestPolicy: config.SnpGuestPolicy,
 	}
 
 	if config.ConfidentialGuest {
@@ -315,6 +318,7 @@ func (q *qemuAmd64) appendProtectionDevice(devices []govmmQemu.Device, firmware,
 			CBitPos:         cpuid.AMDMemEncrypt.CBitPosition,
 			ReducedPhysBits: 1,
 			InitdataDigest:  initdataDigest,
+			SnpGuestPolicy:  q.snpGuestPolicy,
 		}
 		if q.snpIdBlock != "" && q.snpIdAuth != "" {
 			obj.SnpIdBlock = q.snpIdBlock
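Review bot: `SnpGuestPolicy: q.snpGuestPolicy` is set on `obj` unconditionally, which is only right if this literal is built solely for the `sev-snp-guest` object type; `obj`'s `Type` and the branch leading here sit outside the hunk, so I cannot confirm it. If the same literal also serves the legacy `sev-guest` type (`q.snpGuest` false), the 64-bit SNP policy would be emitted as that object's `policy` property, whose layout is the 32-bit SEV policy with different bit meanings, and the assignment should be gated, e.g. `if q.snpGuest { obj.SnpGuestPolicy = q.snpGuestPolicy }` next to the `snpIdBlock`/`snpIdAuth` assignment below. Either way a one-line comment such as `// POLICY for SNP_LAUNCH_START; nil keeps QEMU's default` on the new line would document the nil semantics. appendProtectionDevice starts and ends outside this hunk.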