diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go
index 741f326316..3525bc236e 100644
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -469,11 +469,13 @@ func (h hypervisor) getInitrdAndImage() (initrd string, image string, err error)
 image, errImage := h.image()
- if image != "" && initrd != "" {
+ if h.ConfidentialGuest && h.MachineType == vc.QemuCCWVirtio {
+ if image != "" || initrd != "" {
+ return "", "", errors.New("Neither the image nor initrd path may be set for Secure Execution")
+ }
+ } else if image != "" && initrd != "" {
 return "", "", errors.New("having both an image and an initrd defined in the configuration file is not supported")
- }
-
- if errInitrd != nil && errImage != nil {
+ } else if errInitrd != nil && errImage != nil {
 return "", "", fmt.Errorf("Either initrd or image must be set to a valid path (initrd: %v) (image: %v)", errInitrd, errImage)
 }
@@ -605,16 +607,6 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 return vc.HypervisorConfig{}, err
 }
- if image != "" && initrd != "" {
- return vc.HypervisorConfig{},
- errors.New("having both an image and an initrd defined in the configuration file is not supported")
- }
-
- if image == "" && initrd == "" {
- return vc.HypervisorConfig{},
- errors.New("either image or initrd must be defined in the configuration file")
- }
-
 firmware, err := h.firmware()
 if err != nil {
 return vc.HypervisorConfig{}, err
diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
index cebc515705..12725160b8 100644
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
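Review bot: The new Secure Execution error string in getInitrdAndImage reads `Neither the image nor initrd path may be set for Secure Execution`, while the check added for the same condition in HypervisorConfig.Valid() (hypervisor.go hunk) says `Neither the image or initrd path may be set for Secure Execution`; the two guard the same configuration and should carry the same wording, and "nor" is the correct one. The Secure Execution branch deliberately discards errInitrd and errImage, which is not obvious to a reader who does not know why an empty image and initrd is the valid case here; a comment above the `if h.ConfidentialGuest` line such as `// Secure Execution: only the kernel is configured; the encrypted image carries the remaining boot components` would explain it (the test hunk states this rationale). The rest of getInitrdAndImage, including the final return, lies outside the hunk.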
@@ -527,17 +527,19 @@ func (conf *HypervisorConfig) CheckTemplateConfig() error {
 }
 func (conf *HypervisorConfig) Valid() error {
- // Kata specific checks. Should be done outside the hypervisor
 if conf.KernelPath == "" {
 return fmt.Errorf("Missing kernel path")
 }
- if conf.ImagePath == "" && conf.InitrdPath == "" {
+ if conf.ConfidentialGuest && conf.HypervisorMachineType == QemuCCWVirtio {
+ if conf.ImagePath != "" || conf.InitrdPath != "" {
+ fmt.Println("yes, failing")
+ return fmt.Errorf("Neither the image or initrd path may be set for Secure Execution")
+ }
+ } else if conf.ImagePath == "" && conf.InitrdPath == "" {
 return fmt.Errorf("Missing image and initrd path")
- }
-
- if conf.ImagePath != "" && conf.InitrdPath != "" {
+ } else if conf.ImagePath != "" && conf.InitrdPath != "" {
 return fmt.Errorf("Image and initrd path cannot be both set")
 }
@@ -559,7 +561,7 @@ func (conf *HypervisorConfig) Valid() error {
 if conf.BlockDeviceDriver == "" {
 conf.BlockDeviceDriver = defaultBlockDriver
- } else if conf.BlockDeviceDriver == config.VirtioBlock && conf.HypervisorMachineType == "s390-ccw-virtio" {
+ } else if conf.BlockDeviceDriver == config.VirtioBlock && conf.HypervisorMachineType == QemuCCWVirtio {
 conf.BlockDeviceDriver = config.VirtioBlockCCW
 }
diff --git a/src/runtime/virtcontainers/hypervisor_test.go b/src/runtime/virtcontainers/hypervisor_test.go
index f604287956..ec475e86eb 100644
--- a/src/runtime/virtcontainers/hypervisor_test.go
+++ b/src/runtime/virtcontainers/hypervisor_test.go
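Review bot: A debugging print was left in the new Secure Execution branch of Valid(): the line `fmt.Println("yes, failing")` writes to the runtime's stdout on every rejected configuration and should be deleted before merge, leaving only the returned error. The error string on the next line should also read `Neither the image nor initrd path may be set for Secure Execution` ("nor", not "or"), which then matches the wording used for the same check in katautils/config.go. The restructured else-if chain is otherwise equivalent to the old sequential checks for the non-confidential path, since each earlier branch returns. Valid() continues past the end of this hunk.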
@@ -144,6 +144,18 @@ func TestHypervisorConfigBothInitrdAndImage(t *testing.T) {
 testHypervisorConfigValid(t, hypervisorConfig, false)
 }
+func TestHypervisorConfigSecureExecution(t *testing.T) {
+ hypervisorConfig := &HypervisorConfig{
+ KernelPath: fmt.Sprintf("%s/%s", testDir, testKernel),
+ InitrdPath: fmt.Sprintf("%s/%s", testDir, testInitrd),
+ ConfidentialGuest: true,
+ HypervisorMachineType: QemuCCWVirtio,
+ }
+
+ // Secure Execution should only specify a kernel (encrypted image contains all components)
+ testHypervisorConfigValid(t, hypervisorConfig, false)
+}
+
 func TestHypervisorConfigValidTemplateConfig(t *testing.T) {
 hypervisorConfig := &HypervisorConfig{
 KernelPath: fmt.Sprintf("%s/%s", testDir, testKernel),
diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go
index 94c35c8330..724ad50081 100644
--- a/src/runtime/virtcontainers/qemu.go
+++ b/src/runtime/virtcontainers/qemu.go
@@ -1840,7 +1840,7 @@ func (q *qemu) hotplugAddCPUs(amount uint32) (uint32, error) {
 threadID := fmt.Sprintf("%d", hc.Properties.Thread)
 // If CPU type is IBM pSeries, Z or arm virt, we do not set socketID and threadID
- if machine.Type == "pseries" || machine.Type == "s390-ccw-virtio" || machine.Type == "virt" {
+ if machine.Type == "pseries" || machine.Type == QemuCCWVirtio || machine.Type == "virt" {
 socketID = ""
 threadID = ""
 dieID = ""
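Review bot: TestHypervisorConfigSecureExecution only exercises the rejection of an InitrdPath under Secure Execution; the new branch in Valid() also rejects ImagePath, and its intended accept case (kernel only with ConfidentialGuest and QemuCCWVirtio) has no test, so a regression that rejects every confidential CCW configuration would still pass this suite. A companion test with only KernelPath set and `testHypervisorConfigValid(t, hypervisorConfig, true)` pins the positive path, and an ImagePath variant of the existing test pins the other negative one. Whether the kernel-only case actually passes depends on the checks in Valid() that lie outside this diff, so the expectation below should be confirmed against the full function.

```go
func TestHypervisorConfigSecureExecutionKernelOnly(t *testing.T) {
	hypervisorConfig := &HypervisorConfig{
		KernelPath:            fmt.Sprintf("%s/%s", testDir, testKernel),
		ConfidentialGuest:     true,
		HypervisorMachineType: QemuCCWVirtio,
	}

	// Secure Execution accepts a kernel-only configuration
	testHypervisorConfigValid(t, hypervisorConfig, true)
}
```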