hypervisors: Confidential Guests do not support NVDIMM

NVDIMM is also not supported with Confidential Guests and Virtio Block
devices should be used instead.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>

src/runtime/config/configuration-clh.toml.in

@@ -26,6 +26,7 @@ image = "@IMAGEPATH@"
 #   - CPU Hotplug 
 #   - Device Hotplug
 #   - Memory Hotplug
+#   - NVDIMM devices
 #
 # Default false
 # confidential_guest = true

src/runtime/config/configuration-qemu.toml.in

@@ -27,6 +27,7 @@ machine_type = "@MACHINETYPE@"
 #   - CPU Hotplug 
 #   - Device Hotplug
 #   - Memory Hotplug
+#   - NVDIMM devices
 #
 # Default false
 # confidential_guest = true
@@ -286,6 +287,9 @@ pflashes = []
 
 # If false and nvdimm is supported, use nvdimm device to plug guest image.
 # Otherwise virtio-block device is used.
+#
+# nvdimm is not supported when `confidential_guest = true`.
+#
 # Default is false
 #disable_image_nvdimm = true
 

src/runtime/virtcontainers/clh.go

@@ -271,6 +271,9 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net
 
 	// First take the default parameters defined by this driver
 	params := commonNvdimmKernelRootParams
+	if clh.config.ConfidentialGuest {
+		params = commonVirtioblkKernelRootParams
+	}
 	params = append(params, clhKernelParams...)
 
 	// Followed by extra debug parameters if debug enabled in configuration file
@@ -296,13 +299,24 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net
 	}
 
 	if imagePath != "" {
-		pmem := chclient.NewPmemConfig(imagePath)
+		if clh.config.ConfidentialGuest {
-		*pmem.DiscardWrites = true
+			disk := chclient.NewDiskConfig(imagePath)
+			disk.SetReadonly(true)
 
-		if clh.vmconfig.Pmem != nil {
+			if clh.vmconfig.Disks != nil {
-			*clh.vmconfig.Pmem = append(*clh.vmconfig.Pmem, *pmem)
+				*clh.vmconfig.Disks = append(*clh.vmconfig.Disks, *disk)
+			} else {
+				clh.vmconfig.Disks = &[]chclient.DiskConfig{*disk}
+			}
 		} else {
-			clh.vmconfig.Pmem = &[]chclient.PmemConfig{*pmem}
+			pmem := chclient.NewPmemConfig(imagePath)
+			*pmem.DiscardWrites = true
+
+			if clh.vmconfig.Pmem != nil {
+				*clh.vmconfig.Pmem = append(*clh.vmconfig.Pmem, *pmem)
+			} else {
+				clh.vmconfig.Pmem = &[]chclient.PmemConfig{*pmem}
+			}
 		}
 	} else {
 		initrdPath, err := clh.config.InitrdAssetPath()

src/runtime/virtcontainers/qemu_amd64.go

@@ -132,6 +132,11 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 		if err := q.enableProtection(); err != nil {
 			return nil, err
 		}
+
+		if !q.qemuArchBase.disableNvdimm {
+			hvLogger.WithField("subsystem", "qemuAmd64").Warn("Nvdimm is not supported with confidential guest, disabling it.")
+			q.qemuArchBase.disableNvdimm = true
+		}
 	}
 
 	if config.SGXEPCSize != 0 {

src/runtime/virtcontainers/qemu_ppc64le.go

@@ -83,6 +83,11 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 		if err := q.enableProtection(); err != nil {
 			return nil, err
 		}
+
+		if !q.qemuArchBase.disableNvdimm {
+			hvLogger.WithField("subsystem", "qemuPPC64le").Warn("Nvdimm is not supported with confidential guest, disabling it.")
+			q.qemuArchBase.disableNvdimm = true
+		}
 	}
 
 	q.handleImagePath(config)

src/runtime/virtcontainers/qemu_s390x.go

@@ -77,6 +77,11 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 		if err := q.enableProtection(); err != nil {
 			return nil, err
 		}
+
+		if !q.qemuArchBase.disableNvdimm {
+			hvLogger.WithField("subsystem", "qemuS390x").Warn("Nvdimm is not supported with confidential guest, disabling it.")
+			q.qemuArchBase.disableNvdimm = true
+		}
 	}
 
 	if config.ImagePath != "" {