github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-04-30 04:34:27 +00:00
Code Issues Projects Releases Wiki Activity

virtcontainers: Do not add a virtio-rng-ccw device

Browse Source 
On s390x, skip adding a virtio-rng device. The on-chip CPACF provides
entropy instead. For Confidential Containers, when using Secure
Execution, entropy attacks on virtio-rng are mitigated.

Fixes: #3598
Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
This commit is contained in:
Jakob Naucke 2022-02-02 17:06:20 +01:00
parent 6d6748afd7
commit 7ffe9e5198
No known key found for this signature in database
GPG Key ID: 45FA1C7D310C0EBE
1 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/runtime/virtcontainers/qemu.go
View File

@ -619,6 +619,8 @@ func (q *qemu) CreateVM(ctx context.Context, id string, networkNS NetworkNamespa
qemuConfig.IOThreads = []govmmQemu.IOThread{*ioThread} qemuConfig.IOThreads = []govmmQemu.IOThread{*ioThread}
} }
// Add RNG device to hypervisor // Add RNG device to hypervisor
// Skip for s390x as CPACF is used
if machine.Type != QemuCCWVirtio {
rngDev := config.RNGDev{ rngDev := config.RNGDev{
ID: rngID, ID: rngID,
Filename: q.config.EntropySource, Filename: q.config.EntropySource,
@ -627,6 +629,7 @@ func (q *qemu) CreateVM(ctx context.Context, id string, networkNS NetworkNamespa
if err != nil { if err != nil {
return err return err
} }
}
// Add PCIe Root Port devices to hypervisor // Add PCIe Root Port devices to hypervisor
// The pcie.0 bus do not support hot-plug, but PCIe device can be hot-plugged into PCIe Root Port. // The pcie.0 bus do not support hot-plug, but PCIe device can be hot-plugged into PCIe Root Port.