diff --git a/src/runtime/pkg/katautils/config-settings.go.in b/src/runtime/pkg/katautils/config-settings.go.in
index 2aaba8f88e..730b0c8bb8 100644
--- a/src/runtime/pkg/katautils/config-settings.go.in
+++ b/src/runtime/pkg/katautils/config-settings.go.in
@@ -56,6 +56,8 @@ const defaultVhostUserStorePath string = "/var/run/kata-containers/vhost-user/"
 const defaultRxRateLimiterMaxRate = uint64(0)
 const defaultTxRateLimiterMaxRate = uint64(0)
 
+var defaultSGXEPCSize = int64(0)
+
 const defaultTemplatePath string = "/run/vc/vm/template"
 const defaultVMCacheEndpoint string = "/var/run/kata-containers/cache.sock"
 
diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go
index e967b081e9..5a7680920d 100644
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -822,6 +822,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 PCIeRootPort: h.PCIeRootPort,
 DisableVhostNet: true,
 VirtioFSExtraArgs: h.VirtioFSExtraArgs,
+ SGXEPCSize: defaultSGXEPCSize,
 }, nil
 }
 
@@ -1014,6 +1015,7 @@ func GetDefaultHypervisorConfig() vc.HypervisorConfig {
 DisableImageNvdimm: defaultDisableImageNvdimm,
 RxRateLimiterMaxRate: defaultRxRateLimiterMaxRate,
 TxRateLimiterMaxRate: defaultTxRateLimiterMaxRate,
+ SGXEPCSize: defaultSGXEPCSize,
 }
 }
 
diff --git a/src/runtime/pkg/katautils/config_test.go b/src/runtime/pkg/katautils/config_test.go
index 2fc36dec66..5c3f53c1f4 100644
--- a/src/runtime/pkg/katautils/config_test.go
+++ b/src/runtime/pkg/katautils/config_test.go
@@ -83,6 +83,7 @@ func createAllRuntimeConfigFiles(dir, hypervisor string) (config testRuntimeConf
 disableNewNetNs := false
 sharedFS := "virtio-9p"
 virtioFSdaemon := path.Join(dir, "virtiofsd")
+ epcSize := int64(0)
 
 configFileOptions := ktu.RuntimeConfigOptions{
 Hypervisor: "qemu",
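Review bot: `defaultSGXEPCSize` is declared with `var` while every neighbouring default in this block (`defaultRxRateLimiterMaxRate`, `defaultTxRateLimiterMaxRate`, `defaultTemplatePath`, …) is a `const`; a package-level mutable variable can be reassigned from anywhere in the package, which a default value should not allow. Nothing in this diff ever writes to it, so `const defaultSGXEPCSize = int64(0)` matches the surrounding style and removes that possibility.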
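Review bot: In `newClhHypervisorConfig` the new `SGXEPCSize` is populated from the package default rather than from the `h` parameter, unlike the neighbouring `h.PCIeRootPort` and `h.VirtioFSExtraArgs`, and nothing in this diff adds a matching key to the toml `hypervisor` section, so for cloud-hypervisor the EPC size can apparently only arrive through the `sgx.intel.com/epc` annotation. If that is deliberate, a short comment keeps the next reader from hunting for a config key: `// SGXEPCSize has no toml key; it is only set through the sgx.intel.com/epc annotation.` If it is not, the default belongs only in the `GetDefaultHypervisorConfig` hunk below and this line would need a corresponding field on `hypervisor` to read from. `newClhHypervisorConfig` begins before this hunk.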
@@ -165,6 +166,7 @@ func createAllRuntimeConfigFiles(dir, hypervisor string) (config testRuntimeConf
 SharedFS: sharedFS,
 VirtioFSDaemon: virtioFSdaemon,
 VirtioFSCache: defaultVirtioFSCacheMode,
+ SGXEPCSize: epcSize,
 }
 
 agentConfig := vc.KataAgentConfig{
diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go
index 9303e44956..80e5783c4b 100644
--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
@@ -321,6 +321,15 @@ func (clh *cloudHypervisor) createSandbox(ctx context.Context, id string, networ
 cache: clh.config.VirtioFSCache,
 }
 
+ if clh.config.SGXEPCSize > 0 {
+ epcSection := chclient.SgxEpcConfig{
+ Size: clh.config.SGXEPCSize,
+ Prefault: true,
+ }
+
+ clh.vmconfig.SgxEpc = append(clh.vmconfig.SgxEpc, epcSection)
+ }
+
 return nil
 }
 
diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
index ccf9434cfd..cf1a53b700 100644
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@@ -415,6 +415,10 @@ type HypervisorConfig struct {
 
 // TxRateLimiterMaxRate is used to control network I/O outbound bandwidth on VM level.
 TxRateLimiterMaxRate uint64
+
+ // SGXEPCSize specifies the size in bytes for the EPC Section.
+ // Enable SGX. Hardware-based isolation and memory encryption.
+ SGXEPCSize int64
 }
 
 // vcpu mapping from vcpu number to thread number
diff --git a/src/runtime/virtcontainers/persist.go b/src/runtime/virtcontainers/persist.go
index 4a1962a12d..74f007d57c 100644
--- a/src/runtime/virtcontainers/persist.go
+++ b/src/runtime/virtcontainers/persist.go
@@ -247,6 +247,7 @@ func (s *Sandbox) dumpConfig(ss *persistapi.SandboxState) {
 VMid: sconfig.HypervisorConfig.VMid,
 RxRateLimiterMaxRate: sconfig.HypervisorConfig.RxRateLimiterMaxRate,
 TxRateLimiterMaxRate: sconfig.HypervisorConfig.TxRateLimiterMaxRate,
+ SGXEPCSize: sconfig.HypervisorConfig.SGXEPCSize,
 }
 
 ss.Config.KataAgentConfig = &persistapi.KataAgentConfig{
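Review bot: `Prefault: true` is hard-coded in the new `chclient.SgxEpcConfig` literal in `createSandbox` with nothing saying why, and it is the one knob here a reader will question: prefaulting presumably commits the whole EPC section when the VM starts, so the host-side cost of a large `sgx.intel.com/epc` value is paid up front rather than on first enclave use. A one-line why-comment such as `// Prefault: back the entire EPC section at boot rather than on demand (verify against cloud-hypervisor's SgxEpcConfig semantics)` would save the next reader a trip to the cloud-hypervisor docs. Nothing here compares the requested size with what the host's SGX hardware provides; if cloud-hypervisor rejects an oversized section at boot that is acceptable, but it is worth confirming that error reaches the caller instead of leaving a sandbox running without the EPC it asked for. `createSandbox` begins before this hunk.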
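Review bot: The two added comment lines on `SGXEPCSize` in `HypervisorConfig` (and the identical pair added to persist/api/config.go in this diff) describe the field as enabling SGX but never state which value means "off", even though clh.go in this same change only emits an EPC section when the field is `> 0`; the second line is also a sentence fragment rather than a description of the field. Suggest replacing both lines with `// SGXEPCSize is the size in bytes of the SGX EPC section exposed to the guest; 0 (the default) leaves SGX disabled.` so the zero-value contract is spelled out where the field is declared. The struct begins before this hunk.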
@@ -508,6 +509,7 @@ func loadSandboxConfig(id string) (*SandboxConfig, error) {
 VMid: hconf.VMid,
 RxRateLimiterMaxRate: hconf.RxRateLimiterMaxRate,
 TxRateLimiterMaxRate: hconf.TxRateLimiterMaxRate,
+ SGXEPCSize: hconf.SGXEPCSize,
 }
 
 sconfig.AgentConfig = KataAgentConfig{
diff --git a/src/runtime/virtcontainers/persist/api/config.go b/src/runtime/virtcontainers/persist/api/config.go
index 5bf45ff71a..15092209b9 100644
--- a/src/runtime/virtcontainers/persist/api/config.go
+++ b/src/runtime/virtcontainers/persist/api/config.go
@@ -185,6 +185,10 @@ type HypervisorConfig struct {
 
 // TxRateLimiterMaxRate is used to control network I/O outbound bandwidth on VM level.
 TxRateLimiterMaxRate uint64
+
+ // SGXEPCSize specifies the size in bytes for the EPC Section.
+ // Enable SGX. Hardware-based isolation and memory encryption.
+ SGXEPCSize int64
 }
 
 // KataAgentConfig is a structure storing information needed
diff --git a/src/runtime/virtcontainers/pkg/annotations/annotations.go b/src/runtime/virtcontainers/pkg/annotations/annotations.go
index b9b3bf2fa3..ff9bd13e47 100644
--- a/src/runtime/virtcontainers/pkg/annotations/annotations.go
+++ b/src/runtime/virtcontainers/pkg/annotations/annotations.go
@@ -270,3 +270,13 @@ const (
 // SHA512 is the SHA-512 (64) hash algorithm
 SHA512 string = "sha512"
 )
+
+// Third-party annotations - annotations defined by other projects or k8s plugins
+// but that can change Kata Containers behaviour.
+
+const (
+ // This annotation enables SGX. Hardware-based isolation and memory encryption.
+ // Supported suffixes are: Ki | Mi | Gi | Ti | Pi | Ei . For example: 4Mi
+ // For more information about supported suffixes see https://physics.nist.gov/cuu/Units/binary.html
+ SGXEPC = "sgx.intel.com/epc"
+)
diff --git a/src/runtime/virtcontainers/pkg/oci/utils.go b/src/runtime/virtcontainers/pkg/oci/utils.go
index 1562c5bab7..08baccb9a9 100644
--- a/src/runtime/virtcontainers/pkg/oci/utils.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils.go
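Review bot: The comment on the new `SGXEPC` constant lists the accepted binary suffixes but not that everything else is refused, which is what the parsing added to utils.go in this diff does: a value whose parsed format is not `resource.BinarySI` (a plain byte count or an SI suffix such as `M`, as far as that check goes) causes the whole sandbox creation to fail. Worth adding after the suffix line: `// Values without a binary suffix (a bare number, or SI suffixes such as "4M") are rejected and the sandbox is not created.` Go doc convention also wants the comment to open with the identifier, e.g. `// SGXEPC requests an SGX EPC section of the given size for the guest; ...`.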
@@ -19,6 +19,7 @@ import (
 crioAnnotations "github.com/cri-o/cri-o/pkg/annotations"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 "github.com/sirupsen/logrus"
+ "k8s.io/apimachinery/pkg/api/resource"
 
 vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers"
 "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/device/config"
@@ -442,6 +443,20 @@ func addHypervisorConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig)
 config.HypervisorConfig.EntropySource = value
 }
 }
+ if epcSize, ok := ocispec.Annotations[vcAnnotations.SGXEPC]; ok {
+ quantity, err := resource.ParseQuantity(epcSize)
+ if err != nil {
+ return fmt.Errorf("Couldn't parse EPC '%v': %v", err, epcSize)
+ }
+
+ if quantity.Format != resource.BinarySI {
+ return fmt.Errorf("Unsupported EPC format '%v': use Ki | Mi | Gi | Ti | Pi | Ei as suffix", epcSize)
+ }
+
+ size, _ := quantity.AsInt64()
+
+ config.HypervisorConfig.SGXEPCSize = size
+ }
 
 return nil
 }
diff --git a/src/runtime/virtcontainers/pkg/oci/utils_test.go b/src/runtime/virtcontainers/pkg/oci/utils_test.go
index 8b011f5bd1..828ecc56d9 100644
--- a/src/runtime/virtcontainers/pkg/oci/utils_test.go
+++ b/src/runtime/virtcontainers/pkg/oci/utils_test.go
@@ -787,6 +787,7 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 ocispec.Annotations[vcAnnotations.PCIeRootPort] = "2"
 ocispec.Annotations[vcAnnotations.EntropySource] = "/dev/urandom"
 ocispec.Annotations[vcAnnotations.IOMMUPlatform] = "true"
+ ocispec.Annotations[vcAnnotations.SGXEPC] = "64Mi"
 // 10Mbit
 ocispec.Annotations[vcAnnotations.RxRateLimiterMaxRate] = "10000000"
 ocispec.Annotations[vcAnnotations.TxRateLimiterMaxRate] = "10000000"
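Review bot: The arguments to the first `fmt.Errorf` in the new `SGXEPC` branch of `addHypervisorConfigOverrides` are in the wrong order — the format reads EPC '<value>': <error> but `err` is passed first and `epcSize` second, so the message comes out as `Couldn't parse EPC '<error text>': 64Mi`; it should be `return fmt.Errorf("Couldn't parse EPC '%v': %v", epcSize, err)`. Discarding the boolean from `quantity.AsInt64()` is a second problem: when the parsed value cannot be represented as an int64 the call yields 0, and a negative quantity such as `-4Mi` passes the `BinarySI` check with a negative result, so in both cases `SGXEPCSize` ends up at or below zero and clh.go's `> 0` guard silently boots the sandbox without any EPC while the pod author believes SGX was honoured — rejecting those inputs explicitly (below) makes the failure visible at creation time instead. Note also that the field is set regardless of which hypervisor is configured and only the cloud-hypervisor path in this diff consumes it, so for other hypervisors the annotation is accepted and persisted with no effect; if annotation overrides are gated by an allow-list in this function's callers (not visible in the hunk), `SGXEPC` needs adding there too, since a pod annotation is now able to reserve host EPC. `addHypervisorConfigOverrides` begins before this hunk.
```go
if epcSize, ok := ocispec.Annotations[vcAnnotations.SGXEPC]; ok {
	quantity, err := resource.ParseQuantity(epcSize)
	if err != nil {
		return fmt.Errorf("Couldn't parse EPC '%v': %v", epcSize, err)
	}
	// … unchanged: BinarySI format check …
	size, exact := quantity.AsInt64()
	if !exact || size <= 0 {
		return fmt.Errorf("Invalid EPC size '%v': must be a positive size representable as int64", epcSize)
	}
	config.HypervisorConfig.SGXEPCSize = size
}
```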
@@ -823,6 +824,7 @@ func TestAddHypervisorAnnotations(t *testing.T) {
 assert.Equal(config.HypervisorConfig.PCIeRootPort, uint32(2))
 assert.Equal(config.HypervisorConfig.EntropySource, "/dev/urandom")
 assert.Equal(config.HypervisorConfig.IOMMUPlatform, true)
+ assert.Equal(config.HypervisorConfig.SGXEPCSize, int64(67108864))
 assert.Equal(config.HypervisorConfig.RxRateLimiterMaxRate, uint64(10000000))
 assert.Equal(config.HypervisorConfig.TxRateLimiterMaxRate, uint64(10000000))