runtime-rs: add implementation of ProtectionDevice

ProtectionDevice is a new device type whose implementation structure
matches the one of other devices in the device module.  It is split into
an inner "config" part which contains device details (we implement
SEV/SEV-SNP for now) and the customary outer "device" part which just adds
a device instance ID and the customary Device trait implementation.

Signed-off-by: Pavel Mores <pmores@redhat.com>

src/runtime-rs/crates/hypervisor/src/device/device_manager.rs

@@ -13,9 +13,9 @@ use tokio::sync::{Mutex, RwLock};
 
 use crate::{
     vhost_user_blk::VhostUserBlkDevice, BlockConfig, BlockDevice, HybridVsockDevice, Hypervisor,
-    NetworkDevice, ShareFsDevice, VfioDevice, VhostUserConfig, VhostUserNetDevice, VsockDevice,
+    NetworkDevice, ProtectionDevice, ShareFsDevice, VfioDevice, VhostUserConfig,
-    KATA_BLK_DEV_TYPE, KATA_CCW_DEV_TYPE, KATA_MMIO_BLK_DEV_TYPE, KATA_NVDIMM_DEV_TYPE,
+    VhostUserNetDevice, VsockDevice, KATA_BLK_DEV_TYPE, KATA_CCW_DEV_TYPE, KATA_MMIO_BLK_DEV_TYPE,
-    VIRTIO_BLOCK_CCW, VIRTIO_BLOCK_MMIO, VIRTIO_BLOCK_PCI, VIRTIO_PMEM,
+    KATA_NVDIMM_DEV_TYPE, VIRTIO_BLOCK_CCW, VIRTIO_BLOCK_MMIO, VIRTIO_BLOCK_PCI, VIRTIO_PMEM,
 };
 
 use super::{
@@ -250,7 +250,7 @@ impl DeviceManager {
                         return Some(device_id.to_string());
                     }
                 }
-                DeviceType::HybridVsock(_) | DeviceType::Vsock(_) => {
+                DeviceType::HybridVsock(_) | DeviceType::Vsock(_) | DeviceType::Protection(_) => {
                     continue;
                 }
             }
@@ -386,6 +386,13 @@ impl DeviceManager {
 
                 Arc::new(Mutex::new(ShareFsDevice::new(&device_id, config)))
             }
+            DeviceConfig::ProtectionDevCfg(pconfig) => {
+                // No need to do find device for protection device.
+                Arc::new(Mutex::new(ProtectionDevice::new(
+                    device_id.clone(),
+                    pconfig,
+                )))
+            }
         };
 
         // register device to devices

src/runtime-rs/crates/hypervisor/src/device/driver/mod.rs

@@ -4,6 +4,7 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
+mod protection_device;
 mod vfio;
 mod vhost_user;
 pub mod vhost_user_blk;
@@ -13,6 +14,7 @@ mod virtio_fs;
 mod virtio_net;
 mod virtio_vsock;
 
+pub use protection_device::{ProtectionDevice, ProtectionDeviceConfig, SevSnpConfig};
 pub use vfio::{
     bind_device_to_host, bind_device_to_vfio, get_vfio_device, HostDevice, VfioBusMode, VfioConfig,
     VfioDevice,

src/runtime-rs/crates/hypervisor/src/device/driver/protection_device.rs

@@ -0,0 +1,80 @@
+// Copyright (c) 2025 Red Hat
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use crate::{
+    device::{topology::PCIeTopology, Device, DeviceType},
+    Hypervisor as hypervisor,
+};
+use anyhow::{Context, Result};
+use async_trait::async_trait;
+
+#[derive(Debug, Clone)]
+pub enum ProtectionDeviceConfig {
+    SevSnp(SevSnpConfig),
+}
+
+#[derive(Debug, Clone)]
+pub struct SevSnpConfig {
+    pub is_snp: bool,
+    pub cbitpos: u32,
+    pub firmware: String,
+    pub certs_path: String,
+}
+
+#[derive(Debug, Clone)]
+pub struct ProtectionDevice {
+    pub device_id: String,
+    pub config: ProtectionDeviceConfig,
+}
+
+impl ProtectionDevice {
+    pub fn new(device_id: String, config: &ProtectionDeviceConfig) -> Self {
+        Self {
+            device_id: device_id.clone(),
+            config: config.clone(),
+        }
+    }
+}
+
+#[async_trait]
+impl Device for ProtectionDevice {
+    async fn attach(
+        &mut self,
+        _pcie_topo: &mut Option<&mut PCIeTopology>,
+        h: &dyn hypervisor,
+    ) -> Result<()> {
+        h.add_device(DeviceType::Protection(self.clone()))
+            .await
+            .context("add protection device.")?;
+
+        return Ok(());
+    }
+
+    // Except for attach() and get_device_info(), the rest of Device operations
+    // don't seem to make sense for proctection device.
+    async fn detach(
+        &mut self,
+        _pcie_topo: &mut Option<&mut PCIeTopology>,
+        _h: &dyn hypervisor,
+    ) -> Result<Option<u64>> {
+        Ok(None)
+    }
+
+    async fn update(&mut self, _h: &dyn hypervisor) -> Result<()> {
+        Ok(())
+    }
+
+    async fn get_device_info(&self) -> DeviceType {
+        DeviceType::Protection(self.clone())
+    }
+
+    async fn increase_attach_count(&mut self) -> Result<bool> {
+        Ok(false)
+    }
+
+    async fn decrease_attach_count(&mut self) -> Result<bool> {
+        Ok(false)
+    }
+}

src/runtime-rs/crates/hypervisor/src/device/mod.rs

@@ -9,8 +9,9 @@ use std::fmt;
 use crate::device::driver::vhost_user_blk::VhostUserBlkDevice;
 use crate::{
     BlockConfig, BlockDevice, HybridVsockConfig, HybridVsockDevice, Hypervisor as hypervisor,
-    NetworkConfig, NetworkDevice, ShareFsConfig, ShareFsDevice, VfioConfig, VfioDevice,
+    NetworkConfig, NetworkDevice, ProtectionDevice, ProtectionDeviceConfig, ShareFsConfig,
-    VhostUserConfig, VhostUserNetDevice, VsockConfig, VsockDevice,
+    ShareFsDevice, VfioConfig, VfioDevice, VhostUserConfig, VhostUserNetDevice, VsockConfig,
+    VsockDevice,
 };
 use anyhow::Result;
 use async_trait::async_trait;
@@ -35,6 +36,7 @@ pub enum DeviceConfig {
     VfioCfg(VfioConfig),
     VsockCfg(VsockConfig),
     HybridVsockCfg(HybridVsockConfig),
+    ProtectionDevCfg(ProtectionDeviceConfig),
 }
 
 #[derive(Debug, Clone)]
@@ -47,6 +49,7 @@ pub enum DeviceType {
     ShareFs(ShareFsDevice),
     HybridVsock(HybridVsockDevice),
     Vsock(VsockDevice),
+    Protection(ProtectionDevice),
 }
 
 impl fmt::Display for DeviceType {

src/runtime-rs/crates/hypervisor/src/dragonball/inner_device.rs

@@ -96,7 +96,7 @@ impl DragonballInner {
                     .context("add vhost-user-net device")?;
                 Ok(DeviceType::VhostUserNetwork(dev))
             }
-            DeviceType::Vsock(_) => todo!(),
+            DeviceType::Vsock(_) | DeviceType::Protection(_) => todo!(),
         }
     }