virtcontainers: Do not add a virtio-rng-ccw device

On s390x, skip adding a virtio-rng device: the on-chip CPACF provides
entropy instead. For Confidential Containers using Secure Execution,
this also mitigates entropy attacks via virtio-rng.

Fixes: #3598
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
This commit is contained in:
Jakob Naucke 2022-02-02 17:06:20 +01:00
parent 6d6748afd7
commit 7ffe9e5198


@ -619,13 +619,16 @@ func (q *qemu) CreateVM(ctx context.Context, id string, networkNS NetworkNamespa
qemuConfig.IOThreads = []govmmQemu.IOThread{*ioThread}
}
// Add RNG device to hypervisor
rngDev := config.RNGDev{
ID: rngID,
Filename: q.config.EntropySource,
}
qemuConfig.Devices, err = q.arch.appendRNGDevice(ctx, qemuConfig.Devices, rngDev)
if err != nil {
return err
// Skip for s390x as CPACF is used
if machine.Type != QemuCCWVirtio {
rngDev := config.RNGDev{
ID: rngID,
Filename: q.config.EntropySource,
}
qemuConfig.Devices, err = q.arch.appendRNGDevice(ctx, qemuConfig.Devices, rngDev)
if err != nil {
return err
}
}
// Add PCIe Root Port devices to hypervisor
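Review bot: The new guard `if machine.Type != QemuCCWVirtio {` keys the skip on the machine type string inside CreateVM, although the RNG device is already added through the per-architecture hook `q.arch.appendRNGDevice`; having the s390x implementation of that hook return the device list unchanged would keep CreateVM architecture-agnostic and place the decision next to the other s390x-specific device handling. Whichever placement is kept, the one-line comment should carry the rationale the commit message gives, since a reader of the code cannot tell why an RNG device is omitted: `// Skip the virtio-rng device on s390x: the guest draws entropy from the on-chip CPACF, so no host-provided entropy source is needed; under Secure Execution this also mitigates entropy attacks via virtio-rng.` With this change `q.config.EntropySource` is read only for non-CCW machines, so any configuration validation that still requires it on s390x would now be redundant — worth confirming. CreateVM starts and ends outside the hunk, and `machine` is declared outside it.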