github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-25 15:02:45 +00:00
Code Issues Projects Releases Wiki Activity

clh: Don't use SharedFS with Confidential Guests

Browse Source 
kata-containers/pulls#3771 added TDX support for Cloud Hypervisor, but
two big things got overlooked while doing that.

1. virtio-fs, as of now, cannot be part of the trust boundary, so the
   Confidential Guest will not be using it.

2. virtio-block hotplug should be enabled in order to use virtio-block
   for the rootfs (used with the devmapper plugin).

When trying to use cloud-hypervisor with TDX using virtio-fs, we're
facing the following error on the guest kernel:
```
virtiofs virtio2: device must provide VIRTIO_F_ACCESS_PLATFORM
```

After checking and double-checking with virtiofs and cloud-hypervisor
developers, it happens as confidential containers might put some
limitations on the device, so it can't access all of the guests' memory
and that's where this restriction seems to be coming from. Vivek
mentioned that virtiofsd do not support VIRTIO_F_ACCESS_PLATFORM (aka
VIRTIO_F_IOMMU_PLATFORM) yet, and that for ecrypted guests virtiofs may
not be the best solution at the moment.

@sboeuf put this in a very nice way: "if the virtio-fs driver doesn't
support VIRTIO_F_ACCESS_PLATFORM, then the pages corresponding to the
virtqueues and the buffers won't be marked as SHARED, meaning the VMM
won't have access to it".

Interestingly enough, it works with QEMU, and it may be due to some
change done on the patched QEMU that @devimc is packaging, but we won't
take the path to figure out what was the change and patch
cloud-hypervisor on the same way, because of 1.

Fixes: #3810

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This commit is contained in:
Fabiano Fidêncio 2022-03-03 12:28:40 +01:00
parent c30b3a9ff1
commit 97951a2d12
2 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/runtime/config/configuration-clh.toml.in
View File

@ -27,6 +27,10 @@ image = "@IMAGEPATH@"
# - CPU Hotplug # - CPU Hotplug
# - Memory Hotplug # - Memory Hotplug
# - NVDIMM devices # - NVDIMM devices
# - SharedFS, such as virtio-fs and virtio-fs-nydus
#
# Requirements:
# * virtio-block used as rootfs, thus the usage of devmapper snapshotter.
# #
# Supported TEEs: # Supported TEEs:
# * Intel TDX # * Intel TDX

2
src/runtime/virtcontainers/clh.go
View File

@ -988,7 +988,9 @@ func (clh *cloudHypervisor) Capabilities(ctx context.Context) types.Capabilities
clh.Logger().WithField("function", "Capabilities").Info("get Capabilities") clh.Logger().WithField("function", "Capabilities").Info("get Capabilities")
var caps types.Capabilities var caps types.Capabilities
if !clh.config.ConfidentialGuest {
caps.SetFsSharingSupport() caps.SetFsSharingSupport()
}
caps.SetBlockDeviceHotplugSupport() caps.SetBlockDeviceHotplugSupport()
return caps return caps
} }