From 87deb68ab7307578931a3edf53e9280f32f2bd9b Mon Sep 17 00:00:00 2001 From: Pavel Mores Date: Thu, 30 Jan 2025 17:08:38 +0100 Subject: [PATCH] runtime-rs: add implementation of ProtectionDevice ProtectionDevice is a new device type whose implementation structure matches the one of other devices in the device module. It is split into an inner "config" part which contains device details (we implement SEV/SEV-SNP for now) and the customary outer "device" part which just adds a device instance ID and the customary Device trait implementation. Signed-off-by: Pavel Mores --- .../hypervisor/src/device/device_manager.rs | 15 +++- .../hypervisor/src/device/driver/mod.rs | 2 + .../src/device/driver/protection_device.rs | 80 +++++++++++++++++++ .../crates/hypervisor/src/device/mod.rs | 7 +- .../hypervisor/src/dragonball/inner_device.rs | 2 +- 5 files changed, 99 insertions(+), 7 deletions(-) create mode 100644 src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs
diff --git a/src/runtime-rs/crates/hypervisor/src/device/device_manager.rs b/src/runtime-rs/crates/hypervisor/src/device/device_manager.rs
index 8ed29939b0..2427beabc6 100644
--- a/src/runtime-rs/crates/hypervisor/src/device/device_manager.rs
+++ b/src/runtime-rs/crates/hypervisor/src/device/device_manager.rs
@@ -13,9 +13,9 @@ use tokio::sync::{Mutex, RwLock};
 use crate::{
 vhost_user_blk::VhostUserBlkDevice, BlockConfig, BlockDevice, HybridVsockDevice, Hypervisor,
- NetworkDevice, ShareFsDevice, VfioDevice, VhostUserConfig, VhostUserNetDevice, VsockDevice,
- KATA_BLK_DEV_TYPE, KATA_CCW_DEV_TYPE, KATA_MMIO_BLK_DEV_TYPE, KATA_NVDIMM_DEV_TYPE,
- VIRTIO_BLOCK_CCW, VIRTIO_BLOCK_MMIO, VIRTIO_BLOCK_PCI, VIRTIO_PMEM,
+ NetworkDevice, ProtectionDevice, ShareFsDevice, VfioDevice, VhostUserConfig,
+ VhostUserNetDevice, VsockDevice, KATA_BLK_DEV_TYPE, KATA_CCW_DEV_TYPE, KATA_MMIO_BLK_DEV_TYPE,
+ KATA_NVDIMM_DEV_TYPE, VIRTIO_BLOCK_CCW, VIRTIO_BLOCK_MMIO, VIRTIO_BLOCK_PCI, VIRTIO_PMEM,
 };
 use super::{
@@ -250,7 +250,7 @@ impl DeviceManager {
 return Some(device_id.to_string());
 }
 }
- DeviceType::HybridVsock(_) | DeviceType::Vsock(_) => {
+ DeviceType::HybridVsock(_) | DeviceType::Vsock(_) | DeviceType::Protection(_) => {
 continue;
 }
 }
@@ -386,6 +386,13 @@ impl DeviceManager {
 Arc::new(Mutex::new(ShareFsDevice::new(&device_id, config)))
 }
+ DeviceConfig::ProtectionDevCfg(pconfig) => {
+ // No need to do find device for protection device.
+ Arc::new(Mutex::new(ProtectionDevice::new(
+ device_id.clone(),
+ pconfig,
+ )))
+ }
 };
 // register device to devices
diff --git a/src/runtime-rs/crates/hypervisor/src/device/driver/mod.rs b/src/runtime-rs/crates/hypervisor/src/device/driver/mod.rs
index 6b6d23c839..34e2022b98 100644
--- a/src/runtime-rs/crates/hypervisor/src/device/driver/mod.rs
+++ b/src/runtime-rs/crates/hypervisor/src/device/driver/mod.rs
@@ -4,6 +4,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
+mod protection_device;
 mod vfio;
 mod vhost_user;
 pub mod vhost_user_blk;
@@ -13,6 +14,7 @@ mod virtio_fs;
 mod virtio_net;
 mod virtio_vsock;
+pub use protection_device::{ProtectionDevice, ProtectionDeviceConfig, SevSnpConfig};
 pub use vfio::{
 bind_device_to_host, bind_device_to_vfio, get_vfio_device, HostDevice, VfioBusMode, VfioConfig, VfioDevice,
diff --git a/src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs b/src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs
new file mode 100644
index 0000000000..17e51a5724
--- /dev/null
+++ b/src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs
@@ -0,0 +1,80 @@
+// Copyright (c) 2025 Red Hat
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use crate::{
+ device::{topology::PCIeTopology, Device, DeviceType},
+ Hypervisor as hypervisor,
+};
+use anyhow::{Context, Result};
+use async_trait::async_trait;
+
+#[derive(Debug, Clone)]
+pub enum ProtectionDeviceConfig {
+ SevSnp(SevSnpConfig),
+}
+
+#[derive(Debug, Clone)]
+pub struct SevSnpConfig {
+ pub is_snp: bool,
+ pub cbitpos: u32,
+ pub firmware: String,
+ pub certs_path: String,
+}
+
+#[derive(Debug, Clone)]
+pub struct ProtectionDevice {
+ pub device_id: String,
+ pub config: ProtectionDeviceConfig,
+}
+
+impl ProtectionDevice {
+ pub fn new(device_id: String, config: &ProtectionDeviceConfig) -> Self {
+ Self {
+ device_id: device_id.clone(),
+ config: config.clone(),
+ }
+ }
+}
+
+#[async_trait]
+impl Device for ProtectionDevice {
+ async fn attach(
+ &mut self,
+ _pcie_topo: &mut Option<&mut PCIeTopology>,
+ h: &dyn hypervisor,
+ ) -> Result<()> {
+ h.add_device(DeviceType::Protection(self.clone()))
+ .await
+ .context("add protection device.")?;
+
+ return Ok(());
+ }
+
+ // Except for attach() and get_device_info(), the rest of Device operations
+ // don't seem to make sense for proctection device.
+ async fn detach(
+ &mut self,
+ _pcie_topo: &mut Option<&mut PCIeTopology>,
+ _h: &dyn hypervisor,
+ ) -> Result> {
+ Ok(None)
+ }
+
+ async fn update(&mut self, _h: &dyn hypervisor) -> Result<()> {
+ Ok(())
+ }
+
+ async fn get_device_info(&self) -> DeviceType {
+ DeviceType::Protection(self.clone())
+ }
+
+ async fn increase_attach_count(&mut self) -> Result {
+ Ok(false)
+ }
+
+ async fn decrease_attach_count(&mut self) -> Result {
+ Ok(false)
+ }
+}
diff --git a/src/runtime-rs/crates/hypervisor/src/device/mod.rs b/src/runtime-rs/crates/hypervisor/src/device/mod.rs
index 0a139c2f4c..dc4c31926b 100644
--- a/src/runtime-rs/crates/hypervisor/src/device/mod.rs
+++ b/src/runtime-rs/crates/hypervisor/src/device/mod.rs
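Review bot: The exported `ProtectionDeviceConfig` and `SevSnpConfig` types carry no doc comments, so the meaning of `is_snp`, `cbitpos`, `firmware` and `certs_path` is left to the reader; a one-line `///` on each would help, e.g. `/// Confidential-guest configuration handed to the hypervisor backend (AMD SEV / SEV-SNP for now).` on the enum, `/// Selects SEV-SNP when true, plain SEV when false.` on `is_snp`, and on `cbitpos` a note that it is the memory-encryption C-bit position (presumably matching the hypervisor's own cbitpos option — confirm). Since the SEV/SEV-SNP distinction is a `bool` inside a variant already named `SevSnp`, separate `Sev`/`SevSnp` variants would make the mode explicit in the type if the two paths diverge later. In `new`, `device_id` is already owned, so `device_id: device_id.clone()` can simply be `device_id`, and the trailing `return Ok(());` in `attach` is idiomatically just `Ok(())`. The comment above `detach` has a typo: `proctection` should read `protection`. Note that `attach` forwards `firmware` and `certs_path` to the hypervisor without inspection, so any existence or path checks for these host files have to live in the backend that consumes `DeviceType::Protection`.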
@@ -9,8 +9,9 @@ use std::fmt;
 use crate::device::driver::vhost_user_blk::VhostUserBlkDevice;
 use crate::{
 BlockConfig, BlockDevice, HybridVsockConfig, HybridVsockDevice, Hypervisor as hypervisor,
- NetworkConfig, NetworkDevice, ShareFsConfig, ShareFsDevice, VfioConfig, VfioDevice,
- VhostUserConfig, VhostUserNetDevice, VsockConfig, VsockDevice,
+ NetworkConfig, NetworkDevice, ProtectionDevice, ProtectionDeviceConfig, ShareFsConfig,
+ ShareFsDevice, VfioConfig, VfioDevice, VhostUserConfig, VhostUserNetDevice, VsockConfig,
+ VsockDevice,
 };
 use anyhow::Result;
 use async_trait::async_trait;
@@ -35,6 +36,7 @@ pub enum DeviceConfig {
 VfioCfg(VfioConfig),
 VsockCfg(VsockConfig),
 HybridVsockCfg(HybridVsockConfig),
+ ProtectionDevCfg(ProtectionDeviceConfig),
 }
 #[derive(Debug, Clone)]
@@ -47,6 +49,7 @@ pub enum DeviceType {
 ShareFs(ShareFsDevice),
 HybridVsock(HybridVsockDevice),
 Vsock(VsockDevice),
+ Protection(ProtectionDevice),
 }
 impl fmt::Display for DeviceType {
diff --git a/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs b/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs
index 3b381f23da..f3f46b90c5 100644
--- a/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs
+++ b/src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs
@@ -96,7 +96,7 @@ impl DragonballInner {
 .context("add vhost-user-net device")?;
 Ok(DeviceType::VhostUserNetwork(dev))
 }
- DeviceType::Vsock(_) => todo!(),
+ DeviceType::Vsock(_) | DeviceType::Protection(_) => todo!(),
 }
 }
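Review bot: Folding `DeviceType::Protection(_)` into the `todo!()` arm of the Dragonball match means that attaching a protection device to a Dragonball VM aborts the shim with a panic instead of surfacing an error to the caller; the surrounding arms return `Ok(DeviceType::...)` through `.context(...)`, so the function appears to return an anyhow `Result` and an explicit error is the safer shape, e.g. `DeviceType::Vsock(_) | DeviceType::Protection(_) => Err(anyhow::anyhow!("device type not supported by dragonball")),`. The `Vsock` half of this arm was already `todo!()` before the change, so the commit only widens an existing panic path, but a protection device is a deliberate user configuration and deserves a diagnosable failure rather than a process abort. The enclosing function starts outside the hunk, so its exact return type should be confirmed before switching to `Err`.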