github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-22 01:43:04 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #11696 from BbolroC/enable-initdata-ibm-sel-runtime-rs

Browse Source 
runtime-rs Enable initdata IBM SEL
This commit is contained in:
Hyounggyu Choi 2025-08-21 09:23:46 +02:00 committed by GitHub
commit b7d2973ce5
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/libs/kata-types/src/initdata.rs
View File

@ -3,12 +3,12 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// //
use crate::sl;
use anyhow::{anyhow, Context, Result}; use anyhow::{anyhow, Context, Result};
use flate2::read::GzDecoder; use flate2::read::GzDecoder;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256, Sha384, Sha512}; use sha2::{Digest, Sha256, Sha384, Sha512};
use std::{collections::HashMap, io::Read}; use std::{collections::HashMap, io::Read};
use crate::sl;
/// Currently, initdata only supports version 0.1.0. /// Currently, initdata only supports version 0.1.0.
const INITDATA_VERSION: &str = "0.1.0"; const INITDATA_VERSION: &str = "0.1.0";
@ -24,6 +24,8 @@ pub enum ProtectedPlatform {
Snp, Snp,
/// Cca platform for ARM CCA /// Cca platform for ARM CCA
Cca, Cca,
/// Se platform for IBM SEL
Se,
/// Default with no protection /// Default with no protection
#[default] #[default]
NoProtection, NoProtection,
@ -155,6 +157,7 @@ fn adjust_digest(digest: &[u8], platform: ProtectedPlatform) -> Vec<u8> {
ProtectedPlatform::Tdx => 48, ProtectedPlatform::Tdx => 48,
ProtectedPlatform::Snp => 32, ProtectedPlatform::Snp => 32,
ProtectedPlatform::Cca => 64, ProtectedPlatform::Cca => 64,
ProtectedPlatform::Se => 256,
ProtectedPlatform::NoProtection => digest.len(), ProtectedPlatform::NoProtection => digest.len(),
}; };
@ -432,6 +435,12 @@ key = "value"
assert_eq!(cca_result.len(), 64); assert_eq!(cca_result.len(), 64);
assert_eq!(&cca_result[..32], &short_digest[..]); assert_eq!(&cca_result[..32], &short_digest[..]);
assert_eq!(&cca_result[32..], vec![0u8; 32]); assert_eq!(&cca_result[32..], vec![0u8; 32]);
// Test SE platform (requires 256 bytes)
let long_digest = vec![0xAA; 256];
let se_result = adjust_digest(&long_digest, ProtectedPlatform::Se);
assert_eq!(se_result.len(), 256);
assert_eq!(&se_result[..256], &long_digest[..256]);
} }
/// Test hypervisor initdata processing with compression /// Test hypervisor initdata processing with compression

1
src/runtime-rs/crates/runtimes/virt_container/src/sandbox.rs
View File

@ -452,6 +452,7 @@ impl VirtSandbox {
GuestProtection::Snp(_details) => { GuestProtection::Snp(_details) => {
calculate_initdata_digest(&initdata, ProtectedPlatform::Snp)? calculate_initdata_digest(&initdata, ProtectedPlatform::Snp)?
} }
GuestProtection::Se => calculate_initdata_digest(&initdata, ProtectedPlatform::Se)?,
// TODO: there's more `GuestProtection` types to be supported. // TODO: there's more `GuestProtection` types to be supported.
_ => return Ok(None), _ => return Ok(None),
}; };

2
tests/integration/kubernetes/k8s-initdata.bats
View File

@ -54,7 +54,7 @@ function setup_kbs_image_policy_for_initdata() {
esac esac
case "$KATA_HYPERVISOR" in case "$KATA_HYPERVISOR" in
"qemu-tdx"|"qemu-coco-dev"|"qemu-snp"|"qemu-se") "qemu-tdx"|"qemu-coco-dev"|"qemu-snp"|"qemu-se"|"qemu-se-runtime-rs")
;; ;;
*) *)
skip "Test not supported for ${KATA_HYPERVISOR}." skip "Test not supported for ${KATA_HYPERVISOR}."