virtcontainers: Support SEV

fixes #1869

Signed-off-by: Jim Cadden <jcadden@ibm.com>

src/runtime/virtcontainers/hypervisor_amd64.go

@@ -6,6 +6,7 @@
 package virtcontainers
 
 import "os"
+import "io/ioutil"
 
 // Implementation of this function is architecture specific
 func availableGuestProtection() (guestProtection, error) {
@@ -18,8 +19,12 @@ func availableGuestProtection() (guestProtection, error) {
 	if d, err := os.Stat(tdxSysFirmwareDir); (err == nil && d.IsDir()) || flags[tdxCPUFlag] {
 		return tdxProtection, nil
 	}
-
-	// TODO: Add support for other technologies: SEV
+	// SEV is supported and enabled when the kvm module `sev` parameter is set to `1`
+	if _, err := os.Stat(sevKvmParameterPath); err == nil {
+		if c, err := ioutil.ReadFile(sevKvmParameterPath); err == nil && len(c) > 0 && c[0] == '1' {
+			return sevProtection, nil
+		}
+	}
 
 	return noneProtection, nil
 }

src/runtime/virtcontainers/qemu_amd64.go

@@ -13,6 +13,7 @@ import (
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
 	"github.com/sirupsen/logrus"
 
+	"github.com/intel-go/cpuid"
 	govmmQemu "github.com/kata-containers/govmm/qemu"
 )
 
@@ -37,6 +38,8 @@ const (
 	tdxSysFirmwareDir = "/sys/firmware/tdx_seam/"
 
 	tdxCPUFlag = "tdx"
+
+	sevKvmParameterPath = "/sys/module/kvm_amd/parameters/sev"
 )
 
 var qemuPaths = map[string]string{
@@ -227,8 +230,19 @@ func (q *qemuAmd64) enableProtection() error {
 			"kernel-params": q.kernelParameters}).
 			Info("Enabling TDX guest protection")
 		return nil
+	case sevProtection:
+		if q.qemuMachine.Options != "" {
+			q.qemuMachine.Options += ","
+		}
+		q.qemuMachine.Options += "confidential-guest-support=sev"
+		virtLog.WithFields(logrus.Fields{
+			"subsystem":     "qemuAmd64",
+			"machine":       q.qemuMachine,
+			"kernel-params": q.kernelParameters}).
+			Info("Enabling SEV guest protection")
+		return nil
 
-	// TODO: Add support for other x86_64 technologies: SEV
+	// TODO: Add support for other x86_64 technologies
 
 	default:
 		return fmt.Errorf("This system doesn't support Confidential Computing (Guest Protection)")
@@ -250,6 +264,16 @@ func (q *qemuAmd64) appendProtectionDevice(devices []govmmQemu.Device, firmware
 				Debug:    false,
 				File:     firmware,
 			}), "", nil
+	case sevProtection:
+		return append(devices,
+			govmmQemu.Object{
+				Type:            govmmQemu.SEVGuest,
+				ID:              "sev",
+				Debug:           false,
+				File:            firmware,
+				CBitPos:         cpuid.AMDMemEncrypt.CBitPosition,
+				ReducedPhysBits: cpuid.AMDMemEncrypt.PhysAddrReduction,
+			}), "", nil
 	case noneProtection:
 		return devices, firmware, nil
 

src/runtime/virtcontainers/qemu_amd64_test.go

@@ -12,6 +12,7 @@ import (
 	"os"
 	"testing"
 
+	"github.com/intel-go/cpuid"
 	govmmQemu "github.com/kata-containers/govmm/qemu"
 	"github.com/kata-containers/kata-containers/src/runtime/virtcontainers/types"
 	"github.com/stretchr/testify/assert"
@@ -300,12 +301,25 @@ func TestQemuAmd64AppendProtectionDevice(t *testing.T) {
 	assert.Empty(bios)
 
 	// sev protection
-	// TODO: update once it's supported
 	amd64.(*qemuAmd64).protection = sevProtection
+
 	devices, bios, err = amd64.appendProtectionDevice(devices, firmware)
-	assert.Error(err)
+	assert.NoError(err)
 	assert.Empty(bios)
 
+	expectedOut := []govmmQemu.Device{
+		govmmQemu.Object{
+			Type:            govmmQemu.SEVGuest,
+			ID:              "sev",
+			Debug:           false,
+			File:            firmware,
+			CBitPos:         cpuid.AMDMemEncrypt.CBitPosition,
+			ReducedPhysBits: cpuid.AMDMemEncrypt.PhysAddrReduction,
+		},
+	}
+
+	assert.Equal(expectedOut, devices)
+
 	// tdxProtection
 	amd64.(*qemuAmd64).protection = tdxProtection
 
@@ -313,7 +327,7 @@ func TestQemuAmd64AppendProtectionDevice(t *testing.T) {
 	assert.NoError(err)
 	assert.Empty(bios)
 
-	expectedOut := []govmmQemu.Device{
+	expectedOut = []govmmQemu.Device{
 		govmmQemu.Object{
 			Driver:   govmmQemu.Loader,
 			Type:     govmmQemu.TDXGuest,