Merge pull request #11696 from BbolroC/enable-initdata-ibm-sel-runtime-rs

runtime-rs Enable initdata IBM SEL
2025-08-21 17:34:31 +00:00 · 2025-08-21 09:23:46 +02:00 · 2025-08-21 09:23:46 +02:00 · b7d2973ce5
commit b7d2973ce5
parent c980b6e191 c4b4a3d8bb
3 changed files with 12 additions and 2 deletions
--- a/src/libs/kata-types/src/initdata.rs
+++ b/src/libs/kata-types/src/initdata.rs
@ -3,12 +3,12 @@
 // SPDX-License-Identifier: Apache-2.0
 //

+use crate::sl;
 use anyhow::{anyhow, Context, Result};
 use flate2::read::GzDecoder;
 use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256, Sha384, Sha512};
 use std::{collections::HashMap, io::Read};
-use crate::sl;

 /// Currently, initdata only supports version 0.1.0.
 const INITDATA_VERSION: &str = "0.1.0";
@ -24,6 +24,8 @@ pub enum ProtectedPlatform {
    Snp,
    /// Cca platform for ARM CCA
    Cca,
+    /// Se platform for IBM SEL
+    Se,
    /// Default with no protection
    #[default]
    NoProtection,
@ -155,6 +157,7 @@ fn adjust_digest(digest: &[u8], platform: ProtectedPlatform) -> Vec<u8> {
        ProtectedPlatform::Tdx => 48,
        ProtectedPlatform::Snp => 32,
        ProtectedPlatform::Cca => 64,
+        ProtectedPlatform::Se => 256,
        ProtectedPlatform::NoProtection => digest.len(),
    };

@ -432,6 +435,12 @@ key = "value"
        assert_eq!(cca_result.len(), 64);
        assert_eq!(&cca_result[..32], &short_digest[..]);
        assert_eq!(&cca_result[32..], vec![0u8; 32]);
+
+        // Test SE platform (requires 256 bytes)
+        let long_digest = vec![0xAA; 256];
+        let se_result = adjust_digest(&long_digest, ProtectedPlatform::Se);
+        assert_eq!(se_result.len(), 256);
+        assert_eq!(&se_result[..256], &long_digest[..256]);
    }

    /// Test hypervisor initdata processing with compression
--- a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
@ -452,6 +452,7 @@ impl VirtSandbox {
            GuestProtection::Snp(_details) => {
                calculate_initdata_digest(&initdata, ProtectedPlatform::Snp)?
            }
+            GuestProtection::Se => calculate_initdata_digest(&initdata, ProtectedPlatform::Se)?,
            // TODO: there's more `GuestProtection` types to be supported.
            _ => return Ok(None),
        };
--- a/tests/integration/kubernetes/k8s-initdata.bats
+++ b/tests/integration/kubernetes/k8s-initdata.bats
@ -54,7 +54,7 @@ function setup_kbs_image_policy_for_initdata() {
    esac

    case "$KATA_HYPERVISOR" in
-        "qemu-tdx"|"qemu-coco-dev"|"qemu-snp"|"qemu-se")
+        "qemu-tdx"|"qemu-coco-dev"|"qemu-snp"|"qemu-se"|"qemu-se-runtime-rs")
            ;;
        *)
            skip "Test not supported for ${KATA_HYPERVISOR}."