Merge pull request #3923 from Jakob-Naucke/no-initrd-se

runtime: Allow and require no initrd for SE
Fabiano Fidêncio 2022-04-05 09:26:07 +02:00 committed by GitHub
commit b39caf43f1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 27 additions and 21 deletions


@ -469,11 +469,13 @@ func (h hypervisor) getInitrdAndImage() (initrd string, image string, err error)
image, errImage := h.image() image, errImage := h.image()
if image != "" && initrd != "" { if h.ConfidentialGuest && h.MachineType == vc.QemuCCWVirtio {
if image != "" || initrd != "" {
return "", "", errors.New("Neither the image nor initrd path may be set for Secure Execution")
}
} else if image != "" && initrd != "" {
return "", "", errors.New("having both an image and an initrd defined in the configuration file is not supported") return "", "", errors.New("having both an image and an initrd defined in the configuration file is not supported")
} } else if errInitrd != nil && errImage != nil {
if errInitrd != nil && errImage != nil {
return "", "", fmt.Errorf("Either initrd or image must be set to a valid path (initrd: %v) (image: %v)", errInitrd, errImage) return "", "", fmt.Errorf("Either initrd or image must be set to a valid path (initrd: %v) (image: %v)", errInitrd, errImage)
} }
@ -605,16 +607,6 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
return vc.HypervisorConfig{}, err return vc.HypervisorConfig{}, err
} }
if image != "" && initrd != "" {
return vc.HypervisorConfig{},
errors.New("having both an image and an initrd defined in the configuration file is not supported")
}
if image == "" && initrd == "" {
return vc.HypervisorConfig{},
errors.New("either image or initrd must be defined in the configuration file")
}
firmware, err := h.firmware() firmware, err := h.firmware()
if err != nil { if err != nil {
return vc.HypervisorConfig{}, err return vc.HypervisorConfig{}, err
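Review bot: In getInitrdAndImage the Secure Execution branch tests only the resolved `image` and `initrd` strings and never consults `errInitrd`/`errImage`. If `h.initrd()` or `h.image()` returns an empty string plus an error for a path that is configured but cannot be resolved (the helpers are not visible here, so this is an assumption), that configuration passes the "may not be set" check silently. For a confidential guest the rule is better enforced on the configured values than on the outcome of path resolution, or the branch should at least tell a not-set error apart from a resolution failure. A comment above the branch such as `// Secure Execution: the encrypted kernel image contains all components, so neither image nor initrd may be configured` would explain why this machine type is special-cased. The function body starts and ends outside the hunk.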


@ -527,17 +527,19 @@ func (conf *HypervisorConfig) CheckTemplateConfig() error {
} }
func (conf *HypervisorConfig) Valid() error { func (conf *HypervisorConfig) Valid() error {
// Kata specific checks. Should be done outside the hypervisor // Kata specific checks. Should be done outside the hypervisor
if conf.KernelPath == "" { if conf.KernelPath == "" {
return fmt.Errorf("Missing kernel path") return fmt.Errorf("Missing kernel path")
} }
if conf.ImagePath == "" && conf.InitrdPath == "" { if conf.ConfidentialGuest && conf.HypervisorMachineType == QemuCCWVirtio {
if conf.ImagePath != "" || conf.InitrdPath != "" {
fmt.Println("yes, failing")
return fmt.Errorf("Neither the image or initrd path may be set for Secure Execution")
}
} else if conf.ImagePath == "" && conf.InitrdPath == "" {
return fmt.Errorf("Missing image and initrd path") return fmt.Errorf("Missing image and initrd path")
} } else if conf.ImagePath != "" && conf.InitrdPath != "" {
if conf.ImagePath != "" && conf.InitrdPath != "" {
return fmt.Errorf("Image and initrd path cannot be both set") return fmt.Errorf("Image and initrd path cannot be both set")
} }
@ -559,7 +561,7 @@ func (conf *HypervisorConfig) Valid() error {
if conf.BlockDeviceDriver == "" { if conf.BlockDeviceDriver == "" {
conf.BlockDeviceDriver = defaultBlockDriver conf.BlockDeviceDriver = defaultBlockDriver
} else if conf.BlockDeviceDriver == config.VirtioBlock && conf.HypervisorMachineType == "s390-ccw-virtio" { } else if conf.BlockDeviceDriver == config.VirtioBlock && conf.HypervisorMachineType == QemuCCWVirtio {
conf.BlockDeviceDriver = config.VirtioBlockCCW conf.BlockDeviceDriver = config.VirtioBlockCCW
} }
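Review bot: The Secure Execution branch of Valid() still carries a leftover debug statement, `fmt.Println("yes, failing")`, which writes to stdout every time such a configuration is rejected; it should be removed so the returned error is the only signal. The message next to it reads "Neither the image or initrd path ..." while the matching check in getInitrdAndImage uses "nor", so the two strings are worth aligning to keep log searches consistent. The branch would also benefit from a comment like `// Secure Execution: the kernel is the encrypted image holding all components, so image and initrd must be empty`. Valid() continues outside both hunks shown here.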


@ -144,6 +144,18 @@ func TestHypervisorConfigBothInitrdAndImage(t *testing.T) {
testHypervisorConfigValid(t, hypervisorConfig, false) testHypervisorConfigValid(t, hypervisorConfig, false)
} }
func TestHypervisorConfigSecureExecution(t *testing.T) {
hypervisorConfig := &HypervisorConfig{
KernelPath: fmt.Sprintf("%s/%s", testDir, testKernel),
InitrdPath: fmt.Sprintf("%s/%s", testDir, testInitrd),
ConfidentialGuest: true,
HypervisorMachineType: QemuCCWVirtio,
}
// Secure Execution should only specify a kernel (encrypted image contains all components)
testHypervisorConfigValid(t, hypervisorConfig, false)
}
func TestHypervisorConfigValidTemplateConfig(t *testing.T) { func TestHypervisorConfigValidTemplateConfig(t *testing.T) {
hypervisorConfig := &HypervisorConfig{ hypervisorConfig := &HypervisorConfig{
KernelPath: fmt.Sprintf("%s/%s", testDir, testKernel), KernelPath: fmt.Sprintf("%s/%s", testDir, testKernel),
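Review bot: TestHypervisorConfigSecureExecution exercises only the rejection of a set `InitrdPath`, so the `ImagePath` half of the `||` in Valid() and the accepting case are untested. A second case with only `ImagePath` set and expecting `false` would cover the other operand. A third case with just `KernelPath`, `ConfidentialGuest: true` and `HypervisorMachineType: QemuCCWVirtio`, checked with `testHypervisorConfigValid(t, hypervisorConfig, true)`, would pin the positive side of the rule, assuming the rest of Valid() accepts such a config. Without the positive case, a regression that rejects every Secure Execution config would still pass this test.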


@ -1840,7 +1840,7 @@ func (q *qemu) hotplugAddCPUs(amount uint32) (uint32, error) {
threadID := fmt.Sprintf("%d", hc.Properties.Thread) threadID := fmt.Sprintf("%d", hc.Properties.Thread)
// If CPU type is IBM pSeries, Z or arm virt, we do not set socketID and threadID // If CPU type is IBM pSeries, Z or arm virt, we do not set socketID and threadID
if machine.Type == "pseries" || machine.Type == "s390-ccw-virtio" || machine.Type == "virt" { if machine.Type == "pseries" || machine.Type == QemuCCWVirtio || machine.Type == "virt" {
socketID = "" socketID = ""
threadID = "" threadID = ""
dieID = "" dieID = ""