diff --git a/src/libs/kata-sys-util/src/protection.rs b/src/libs/kata-sys-util/src/protection.rs
index 2bbd4d8bd0..1b73017366 100644
--- a/src/libs/kata-sys-util/src/protection.rs
+++ b/src/libs/kata-sys-util/src/protection.rs
@@ -31,14 +31,19 @@ pub struct TDXDetails {
 pub minor_version: u32,
 }
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+pub struct SevSnpDetails {
+ pub cbitpos: u32,
+}
+
 #[allow(dead_code)]
 #[derive(Debug, Clone, PartialEq, Default, Serialize, Deserialize)]
 pub enum GuestProtection {
 #[default]
 NoProtection,
 Tdx(TDXDetails),
- Sev,
- Snp,
+ Sev(SevSnpDetails),
+ Snp(SevSnpDetails),
 Pef,
 Se,
 }
@@ -51,8 +56,8 @@ impl fmt::Display for GuestProtection {
 "tdx (major_version: {}, minor_version: {})",
 details.major_version, details.minor_version
 ),
- GuestProtection::Sev => write!(f, "sev"),
- GuestProtection::Snp => write!(f, "snp"),
+ GuestProtection::Sev(details) => write!(f, "sev (cbitpos: {}", details.cbitpos),
+ GuestProtection::Snp(details) => write!(f, "snp (cbitpos: {}", details.cbitpos),
 GuestProtection::Pef => write!(f, "pef"),
 GuestProtection::Se => write!(f, "se"),
 GuestProtection::NoProtection => write!(f, "none"),
@@ -190,12 +195,22 @@ pub fn arch_guest_protection(
 Ok(false)
 };
- if check_contents(snp_path)? {
- return Ok(GuestProtection::Snp);
- }
+ let retrieve_sev_cbitpos = || -> Result {
+ Err(ProtectionError::CheckFailed(
+ "cbitpos retrieval NOT IMPLEMENTED YET".to_owned(),
+ ))
+ };
- if check_contents(sev_path)? {
- return Ok(GuestProtection::Sev);
+ let is_snp_available = check_contents(snp_path)?;
+ let is_sev_available = is_snp_available || check_contents(sev_path)?;
+ if is_snp_available || is_sev_available {
+ let cbitpos = retrieve_sev_cbitpos()?;
+ let sev_snp_details = SevSnpDetails { cbitpos };
+ return Ok(if is_snp_available {
+ GuestProtection::Snp(sev_snp_details)
+ } else {
+ GuestProtection::Sev(sev_snp_details)
+ });
 }
 Ok(GuestProtection::NoProtection)
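Review bot: The new public `SevSnpDetails` struct and its `cbitpos` field carry no doc comment, so a reader of the enum cannot tell what value the variants now carry or where it is expected to come from. I would add `/// Memory-encryption details shared by SEV and SEV-SNP guests.` on the struct and `/// Position of the C-bit (memory-encryption bit) in guest physical addresses.` on the field. As a point of style, the struct wraps a single `u32`, so deriving `Copy` and `Eq` alongside the existing derives would let the test tables in ch-config/src/lib.rs, ch-config/src/convert.rs and ch/inner_hypervisor.rs pass `sev_snp_details` by value instead of calling `.clone()` on every row.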
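Review bot: The two new `Display` arms never close the parenthesis they open: `"sev (cbitpos: {}"` renders as `sev (cbitpos: 42`, whereas the `tdx` arm just above closes with `)`. The lines should read `GuestProtection::Sev(details) => write!(f, "sev (cbitpos: {})", details.cbitpos),` and `GuestProtection::Snp(details) => write!(f, "snp (cbitpos: {})", details.cbitpos),`. Since this string is what ends up in logs and error messages, a test asserting the exact rendering of a `Sev`/`Snp` value would have caught it.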
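Review bot: `retrieve_sev_cbitpos` unconditionally returns `Err(ProtectionError::CheckFailed(..))`, and it is called whenever `check_contents(snp_path)` or `check_contents(sev_path)` succeeds, so after this commit every SEV or SEV-SNP host makes `arch_guest_protection` fail where it previously returned `Ok(GuestProtection::Snp)` / `Ok(GuestProtection::Sev)`; whether callers treat `CheckFailed` as fatal is not visible here, but the change should at least state in a comment that SEV/SNP detection is now fail-closed until the real retrieval lands. Failing closed is preferable to substituting a default C-bit position, since a wrong `cbitpos` would be handed to the hypervisor as the encryption-bit location, but that trade-off deserves a `// NOTE:` next to the stub rather than only the error string. Separately, `is_sev_available` already includes `is_snp_available`, so the condition reduces to `if is_sev_available {` (or rename it `is_sev_or_snp_available` to make the inclusion explicit). The enclosing `arch_guest_protection` starts outside the hunk, as do `snp_path`, `sev_path` and `ProtectionError`.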
diff --git a/src/runtime-rs/crates/hypervisor/ch-config/src/convert.rs b/src/runtime-rs/crates/hypervisor/ch-config/src/convert.rs
index e830ce39d8..ebd56c3a9b 100644
--- a/src/runtime-rs/crates/hypervisor/ch-config/src/convert.rs
+++ b/src/runtime-rs/crates/hypervisor/ch-config/src/convert.rs
@@ -549,7 +549,7 @@ fn get_platform_cfg(guest_protection_to_use: GuestProtection) -> Option { use_image: bool,
@@ -2202,14 +2204,14 @@ mod tests {
 use_image: true,
 container_rootfs_driver: "container",
 vm_rootfs_driver: "vm",
- guest_protection_to_use: GuestProtection::Sev,
+ guest_protection_to_use: GuestProtection::Sev(sev_snp_details.clone()),
 result: Ok(()),
 },
 TestData {
 use_image: true,
 container_rootfs_driver: "container",
 vm_rootfs_driver: "vm",
- guest_protection_to_use: GuestProtection::Snp,
+ guest_protection_to_use: GuestProtection::Snp(sev_snp_details.clone()),
 result: Ok(()),
 },
 TestData {
diff --git a/src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs b/src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs
index 780c2ec850..e428a9710d 100644
--- a/src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs
+++ b/src/runtime-rs/crates/hypervisor/ch-config/src/lib.rs
@@ -508,7 +508,7 @@ pub fn guest_protection_is_tdx(guest_protection_to_use: GuestProtection) -> bool
 #[cfg(test)]
 mod tests {
 use super::*;
- use kata_sys_util::protection::TDXDetails;
+ use kata_sys_util::protection::{SevSnpDetails, TDXDetails};
 #[test]
 fn test_guest_protection_is_tdx() {
@@ -517,6 +517,8 @@ mod tests {
 minor_version: 0,
 };
+ let sev_snp_details = SevSnpDetails { cbitpos: 42 };
+
 #[derive(Debug)]
 struct TestData {
 protection: GuestProtection,
@@ -537,11 +539,11 @@ mod tests {
 result: false,
 },
 TestData {
- protection: GuestProtection::Sev,
+ protection: GuestProtection::Sev(sev_snp_details.clone()),
 result: false,
 },
 TestData {
- protection: GuestProtection::Snp,
+ protection: GuestProtection::Snp(sev_snp_details.clone()),
 result: false,
 },
 TestData {
diff --git a/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs b/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs
index 841eb97f0c..41660ea14e 100644
--- a/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs
+++ b/src/runtime-rs/crates/hypervisor/src/ch/inner_hypervisor.rs
@@ -956,7 +956,7 @@ fn get_ch_vcpu_tids(proc_path: &str) -> Result> {
 #[cfg(test)]
 mod tests {
 use super::*;
- use kata_sys_util::protection::TDXDetails;
+ use kata_sys_util::protection::{SevSnpDetails, TDXDetails};
 #[cfg(target_arch = "x86_64")]
 use kata_sys_util::protection::TDX_SYS_FIRMWARE_DIR;
@@ -990,6 +990,8 @@ mod tests {
 minor_version: 0,
 };
+ let sev_snp_details = SevSnpDetails { cbitpos: 42 };
+
 #[derive(Debug)]
 struct TestData {
 value: Option,
@@ -1010,12 +1012,12 @@ mod tests {
 result: Ok(GuestProtection::Se),
 },
 TestData {
- value: Some(GuestProtection::Sev),
- result: Ok(GuestProtection::Sev),
+ value: Some(GuestProtection::Sev(sev_snp_details.clone())),
+ result: Ok(GuestProtection::Sev(sev_snp_details.clone())),
 },
 TestData {
- value: Some(GuestProtection::Snp),
- result: Ok(GuestProtection::Snp),
+ value: Some(GuestProtection::Snp(sev_snp_details.clone())),
+ result: Ok(GuestProtection::Snp(sev_snp_details.clone())),
 },
 TestData {
 value: Some(GuestProtection::Tdx(tdx_details.clone())),