diff --git a/src/libs/kata-types/src/initdata.rs b/src/libs/kata-types/src/initdata.rs
index 97e295bb5e..d86b331168 100644
--- a/src/libs/kata-types/src/initdata.rs
+++ b/src/libs/kata-types/src/initdata.rs
@@ -3,12 +3,12 @@
 // SPDX-License-Identifier: Apache-2.0
 //
+use crate::sl;
 use anyhow::{anyhow, Context, Result};
 use flate2::read::GzDecoder;
 use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256, Sha384, Sha512};
 use std::{collections::HashMap, io::Read};
-use crate::sl;
 /// Currently, initdata only supports version 0.1.0.
 const INITDATA_VERSION: &str = "0.1.0";
@@ -24,6 +24,8 @@ pub enum ProtectedPlatform {
 Snp,
 /// Cca platform for ARM CCA
 Cca,
+ /// Se platform for IBM SEL
+ Se,
 /// Default with no protection
 #[default]
 NoProtection,
@@ -155,6 +157,7 @@ fn adjust_digest(digest: &[u8], platform: ProtectedPlatform) -> Vec {
 ProtectedPlatform::Tdx => 48,
 ProtectedPlatform::Snp => 32,
 ProtectedPlatform::Cca => 64,
+ ProtectedPlatform::Se => 256,
 ProtectedPlatform::NoProtection => digest.len(),
 };
@@ -432,6 +435,12 @@ key = "value"
 assert_eq!(cca_result.len(), 64);
 assert_eq!(&cca_result[..32], &short_digest[..]);
 assert_eq!(&cca_result[32..], vec![0u8; 32]);
+
+ // Test SE platform (requires 256 bytes)
+ let long_digest = vec![0xAA; 256];
+ let se_result = adjust_digest(&long_digest, ProtectedPlatform::Se);
+ assert_eq!(se_result.len(), 256);
+ assert_eq!(&se_result[..256], &long_digest[..256]);
 }
 /// Test hypervisor initdata processing with compression
diff --git a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
index 801718e734..51ad550f65 100644
--- a/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
+++ b/src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
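Review bot: The doc comment on the new variant, `/// Se platform for IBM SEL`, does not follow the pattern of its siblings (`/// Cca platform for ARM CCA`) and "SEL" is not expanded anywhere in the hunk, so a reader cannot tie the variant to the hypervisor it serves. Suggest `/// Se platform for IBM Secure Execution (s390x)`, assuming that is what the abbreviation stands for. The `ProtectedPlatform` enum continues past the hunk.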
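Review bot: The new `ProtectedPlatform::Se => 256` arm makes SE the only platform whose target length exceeds every hash this module imports (Sha256/Sha384/Sha512, at most 64 bytes), so in practice the returned value is a short digest followed by at least 192 zero bytes, and nothing in the hunk records that right-zero-padding is what the SE attestation consumer expects rather than a left-aligned or unpadded field. Add a comment on the arm stating the contract, e.g. `// SE: 256-byte field; SHA-2 digests (<= 64 bytes) are right-padded with zeros below — must match the SE attester`, and confirm it against the consumer. The padding behaviour is inferred from the CCA test in this file; `adjust_digest` itself starts and ends outside the hunk, so the pad/truncate step is not visible here.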
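Review bot: The new SE case feeds `adjust_digest` a digest that already has the target length, so it cannot distinguish zero-padding from truncation or from a no-op, and it never exercises the path the runtime actually takes (a 32/48/64-byte SHA-2 digest being extended to 256 bytes); the CCA case just above does check padding with `short_digest`. Mirror it for SE with a short input and assert the tail is zero. The final `assert_eq!(&se_result[..256], &long_digest[..256])` also slices both sides to their full length and can simply be `assert_eq!(se_result, long_digest)`. The enclosing test function ends inside the hunk but begins before it.
```rust
// … unchanged: existing SE case with a 256-byte input …
let short_se = vec![0xAA; 64];
let se_padded = adjust_digest(&short_se, ProtectedPlatform::Se);
assert_eq!(se_padded.len(), 256);
assert_eq!(&se_padded[..64], &short_se[..]);
assert_eq!(&se_padded[64..], vec![0u8; 192]);
```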
@@ -452,6 +452,7 @@ impl VirtSandbox {
 GuestProtection::Snp(_details) => {
 calculate_initdata_digest(&initdata, ProtectedPlatform::Snp)?
 }
+ GuestProtection::Se => calculate_initdata_digest(&initdata, ProtectedPlatform::Se)?,
 // TODO: there's more `GuestProtection` types to be supported.
 _ => return Ok(None),
 };
diff --git a/tests/integration/kubernetes/k8s-initdata.bats b/tests/integration/kubernetes/k8s-initdata.bats
index 1e98cf316a..e785c413d2 100644
--- a/tests/integration/kubernetes/k8s-initdata.bats
+++ b/tests/integration/kubernetes/k8s-initdata.bats
@@ -54,7 +54,7 @@ function setup_kbs_image_policy_for_initdata() {
 esac
 case "$KATA_HYPERVISOR" in
- "qemu-tdx"|"qemu-coco-dev"|"qemu-snp"|"qemu-se")
+ "qemu-tdx"|"qemu-coco-dev"|"qemu-snp"|"qemu-se"|"qemu-se-runtime-rs")
 ;;
 *)
 skip "Test not supported for ${KATA_HYPERVISOR}."