github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-05 10:10:50 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #3923 from Jakob-Naucke/no-initrd-se

Browse Source 
runtime: Allow and require no initrd for SE
This commit is contained in:
Fabiano Fidêncio 2022-04-05 09:26:07 +02:00 committed by GitHub
commit b39caf43f1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 27 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/runtime/pkg/katautils/config.go
View File

@ -469,11 +469,13 @@ func (h hypervisor) getInitrdAndImage() (initrd string, image string, err error)
image, errImage := h.image() image, errImage := h.image()
if image != "" && initrd != "" { if h.ConfidentialGuest && h.MachineType == vc.QemuCCWVirtio {
return "", "", errors.New("having both an image and an initrd defined in the configuration file is not supported") if image != "" || initrd != "" {
return "", "", errors.New("Neither the image nor initrd path may be set for Secure Execution")
} }
} else if image != "" && initrd != "" {
if errInitrd != nil && errImage != nil { return "", "", errors.New("having both an image and an initrd defined in the configuration file is not supported")
} else if errInitrd != nil && errImage != nil {
return "", "", fmt.Errorf("Either initrd or image must be set to a valid path (initrd: %v) (image: %v)", errInitrd, errImage) return "", "", fmt.Errorf("Either initrd or image must be set to a valid path (initrd: %v) (image: %v)", errInitrd, errImage)
} }
@ -605,16 +607,6 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
return vc.HypervisorConfig{}, err return vc.HypervisorConfig{}, err
} }
if image != "" && initrd != "" {
return vc.HypervisorConfig{},
errors.New("having both an image and an initrd defined in the configuration file is not supported")
}
if image == "" && initrd == "" {
return vc.HypervisorConfig{},
errors.New("either image or initrd must be defined in the configuration file")
}
firmware, err := h.firmware() firmware, err := h.firmware()
if err != nil { if err != nil {
return vc.HypervisorConfig{}, err return vc.HypervisorConfig{}, err

14
src/runtime/virtcontainers/hypervisor.go
View File

@ -527,17 +527,19 @@ func (conf *HypervisorConfig) CheckTemplateConfig() error {
} }
func (conf *HypervisorConfig) Valid() error { func (conf *HypervisorConfig) Valid() error {
// Kata specific checks. Should be done outside the hypervisor // Kata specific checks. Should be done outside the hypervisor
if conf.KernelPath == "" { if conf.KernelPath == "" {
return fmt.Errorf("Missing kernel path") return fmt.Errorf("Missing kernel path")
} }
if conf.ImagePath == "" && conf.InitrdPath == "" { if conf.ConfidentialGuest && conf.HypervisorMachineType == QemuCCWVirtio {
return fmt.Errorf("Missing image and initrd path") if conf.ImagePath != "" || conf.InitrdPath != "" {
fmt.Println("yes, failing")
return fmt.Errorf("Neither the image or initrd path may be set for Secure Execution")
} }
} else if conf.ImagePath == "" && conf.InitrdPath == "" {
if conf.ImagePath != "" && conf.InitrdPath != "" { return fmt.Errorf("Missing image and initrd path")
} else if conf.ImagePath != "" && conf.InitrdPath != "" {
return fmt.Errorf("Image and initrd path cannot be both set") return fmt.Errorf("Image and initrd path cannot be both set")
} }
@ -559,7 +561,7 @@ func (conf *HypervisorConfig) Valid() error {
if conf.BlockDeviceDriver == "" { if conf.BlockDeviceDriver == "" {
conf.BlockDeviceDriver = defaultBlockDriver conf.BlockDeviceDriver = defaultBlockDriver
} else if conf.BlockDeviceDriver == config.VirtioBlock && conf.HypervisorMachineType == "s390-ccw-virtio" { } else if conf.BlockDeviceDriver == config.VirtioBlock && conf.HypervisorMachineType == QemuCCWVirtio {
conf.BlockDeviceDriver = config.VirtioBlockCCW conf.BlockDeviceDriver = config.VirtioBlockCCW
} }

12
src/runtime/virtcontainers/hypervisor_test.go
View File

@ -144,6 +144,18 @@ func TestHypervisorConfigBothInitrdAndImage(t *testing.T) {
testHypervisorConfigValid(t, hypervisorConfig, false) testHypervisorConfigValid(t, hypervisorConfig, false)
} }
func TestHypervisorConfigSecureExecution(t *testing.T) {
hypervisorConfig := &HypervisorConfig{
KernelPath: fmt.Sprintf("%s/%s", testDir, testKernel),
InitrdPath: fmt.Sprintf("%s/%s", testDir, testInitrd),
ConfidentialGuest: true,
HypervisorMachineType: QemuCCWVirtio,
}
// Secure Execution should only specify a kernel (encrypted image contains all components)
testHypervisorConfigValid(t, hypervisorConfig, false)
}
func TestHypervisorConfigValidTemplateConfig(t *testing.T) { func TestHypervisorConfigValidTemplateConfig(t *testing.T) {
hypervisorConfig := &HypervisorConfig{ hypervisorConfig := &HypervisorConfig{
KernelPath: fmt.Sprintf("%s/%s", testDir, testKernel), KernelPath: fmt.Sprintf("%s/%s", testDir, testKernel),

2
src/runtime/virtcontainers/qemu.go
View File

@ -1840,7 +1840,7 @@ func (q *qemu) hotplugAddCPUs(amount uint32) (uint32, error) {
threadID := fmt.Sprintf("%d", hc.Properties.Thread) threadID := fmt.Sprintf("%d", hc.Properties.Thread)
// If CPU type is IBM pSeries, Z or arm virt, we do not set socketID and threadID // If CPU type is IBM pSeries, Z or arm virt, we do not set socketID and threadID
if machine.Type == "pseries" || machine.Type == "s390-ccw-virtio" || machine.Type == "virt" { if machine.Type == "pseries" || machine.Type == QemuCCWVirtio || machine.Type == "virt" {
socketID = "" socketID = ""
threadID = "" threadID = ""
dieID = "" dieID = ""