runtime-rs: extend SEV/SEV-SNP detection by including a details struct

This matches the existing TDX handling where additional details are
retrieved right away after TDX is detected.  Note that the actual details
(cbitpos) acquisition is NOT included at this time.

This change might seem bigger than it is.  The change itself is just in
protection.rs, the rest are corresponding adjustments.

Signed-off-by: Pavel Mores <pmores@redhat.com>
This commit is contained in:
Pavel Mores 2025-01-30 14:06:22 +01:00 committed by Pavel Mores
parent c549d12da7
commit a3f973db3b
4 changed files with 41 additions and 20 deletions


@ -31,14 +31,19 @@ pub struct TDXDetails {
pub minor_version: u32,
}
#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
pub struct SevSnpDetails {
pub cbitpos: u32,
}
#[allow(dead_code)]
#[derive(Debug, Clone, PartialEq, Default, Serialize, Deserialize)]
pub enum GuestProtection {
#[default]
NoProtection,
Tdx(TDXDetails),
Sev,
Snp,
Sev(SevSnpDetails),
Snp(SevSnpDetails),
Pef,
Se,
}
@ -51,8 +56,8 @@ impl fmt::Display for GuestProtection {
"tdx (major_version: {}, minor_version: {})",
details.major_version, details.minor_version
),
GuestProtection::Sev => write!(f, "sev"),
GuestProtection::Snp => write!(f, "snp"),
GuestProtection::Sev(details) => write!(f, "sev (cbitpos: {}", details.cbitpos),
GuestProtection::Snp(details) => write!(f, "snp (cbitpos: {}", details.cbitpos),
GuestProtection::Pef => write!(f, "pef"),
GuestProtection::Se => write!(f, "se"),
GuestProtection::NoProtection => write!(f, "none"),
@ -190,12 +195,22 @@ pub fn arch_guest_protection(
Ok(false)
};
if check_contents(snp_path)? {
return Ok(GuestProtection::Snp);
}
let retrieve_sev_cbitpos = || -> Result<u32, ProtectionError> {
Err(ProtectionError::CheckFailed(
"cbitpos retrieval NOT IMPLEMENTED YET".to_owned(),
))
};
if check_contents(sev_path)? {
return Ok(GuestProtection::Sev);
let is_snp_available = check_contents(snp_path)?;
let is_sev_available = is_snp_available || check_contents(sev_path)?;
if is_snp_available || is_sev_available {
let cbitpos = retrieve_sev_cbitpos()?;
let sev_snp_details = SevSnpDetails { cbitpos };
return Ok(if is_snp_available {
GuestProtection::Snp(sev_snp_details)
} else {
GuestProtection::Sev(sev_snp_details)
});
}
Ok(GuestProtection::NoProtection)
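Review bot: Because `retrieve_sev_cbitpos` unconditionally returns `Err`, the `?` on `let cbitpos = retrieve_sev_cbitpos()?;` turns every host that passes the snp/sev sysfs check into a `ProtectionError::CheckFailed`, where the previous code returned `GuestProtection::Snp`/`Sev`; SEV/SNP detection is therefore unusable until the follow-up lands. Failing closed is the right default for a confidential-computing check, but the intent should be stated next to the stub, e.g. `// TODO: SEV/SNP hosts fail detection until cbitpos retrieval is implemented`, and callers presumably must not map `CheckFailed` to "no protection" — worth confirming. The guard `if is_snp_available || is_sev_available` is redundant since `is_sev_available` already includes `is_snp_available`; `if is_sev_available {` reads the same. The `Display` arms in the preceding hunk also drop the closing parenthesis: `"sev (cbitpos: {})"` and `"snp (cbitpos: {})"`. `arch_guest_protection` starts before this hunk.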


@ -549,7 +549,7 @@ fn get_platform_cfg(guest_protection_to_use: GuestProtection) -> Option<Platform
#[cfg(test)]
mod tests {
use super::*;
use kata_sys_util::protection::TDXDetails;
use kata_sys_util::protection::{SevSnpDetails, TDXDetails};
use kata_types::config::hypervisor::{
BlockDeviceInfo, Hypervisor as HypervisorConfig, SecurityInfo,
};
@ -2180,6 +2180,8 @@ mod tests {
minor_version: 0,
};
let sev_snp_details = SevSnpDetails { cbitpos: 42 };
#[derive(Debug)]
struct TestData<'a> {
use_image: bool,
@ -2202,14 +2204,14 @@ mod tests {
use_image: true,
container_rootfs_driver: "container",
vm_rootfs_driver: "vm",
guest_protection_to_use: GuestProtection::Sev,
guest_protection_to_use: GuestProtection::Sev(sev_snp_details.clone()),
result: Ok(()),
},
TestData {
use_image: true,
container_rootfs_driver: "container",
vm_rootfs_driver: "vm",
guest_protection_to_use: GuestProtection::Snp,
guest_protection_to_use: GuestProtection::Snp(sev_snp_details.clone()),
result: Ok(()),
},
TestData {


@ -508,7 +508,7 @@ pub fn guest_protection_is_tdx(guest_protection_to_use: GuestProtection) -> bool
#[cfg(test)]
mod tests {
use super::*;
use kata_sys_util::protection::TDXDetails;
use kata_sys_util::protection::{SevSnpDetails, TDXDetails};
#[test]
fn test_guest_protection_is_tdx() {
@ -517,6 +517,8 @@ mod tests {
minor_version: 0,
};
let sev_snp_details = SevSnpDetails { cbitpos: 42 };
#[derive(Debug)]
struct TestData {
protection: GuestProtection,
@ -537,11 +539,11 @@ mod tests {
result: false,
},
TestData {
protection: GuestProtection::Sev,
protection: GuestProtection::Sev(sev_snp_details.clone()),
result: false,
},
TestData {
protection: GuestProtection::Snp,
protection: GuestProtection::Snp(sev_snp_details.clone()),
result: false,
},
TestData {


@ -956,7 +956,7 @@ fn get_ch_vcpu_tids(proc_path: &str) -> Result<HashMap<u32, u32>> {
#[cfg(test)]
mod tests {
use super::*;
use kata_sys_util::protection::TDXDetails;
use kata_sys_util::protection::{SevSnpDetails, TDXDetails};
#[cfg(target_arch = "x86_64")]
use kata_sys_util::protection::TDX_SYS_FIRMWARE_DIR;
@ -990,6 +990,8 @@ mod tests {
minor_version: 0,
};
let sev_snp_details = SevSnpDetails { cbitpos: 42 };
#[derive(Debug)]
struct TestData {
value: Option<GuestProtection>,
@ -1010,12 +1012,12 @@ mod tests {
result: Ok(GuestProtection::Se),
},
TestData {
value: Some(GuestProtection::Sev),
result: Ok(GuestProtection::Sev),
value: Some(GuestProtection::Sev(sev_snp_details.clone())),
result: Ok(GuestProtection::Sev(sev_snp_details.clone())),
},
TestData {
value: Some(GuestProtection::Snp),
result: Ok(GuestProtection::Snp),
value: Some(GuestProtection::Snp(sev_snp_details.clone())),
result: Ok(GuestProtection::Snp(sev_snp_details.clone())),
},
TestData {
value: Some(GuestProtection::Tdx(tdx_details.clone())),