From c142fa2541d66a814c691e33ecdd0357399d8872 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 23 Aug 2022 14:36:21 +0200
Subject: [PATCH] clh: Lift the sharedFS restriction used with TDX
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When booting the TDX kernel with `tdx_disable_filter`, as it's been done for QEMU, VirtioFS can work without any issues. Whether this will be part of the upstream kernel or not is a different story, but it easily could make it there as Cloud Hypervisor relies on the VIRTIO_F_IOMMU_PLATFORM feature, which forces the guest to use the DMA API, making these devices compatible with TDX. See Sebastien Boeuf's explanation of this in the 3c973fa7ce208e7113f69424b7574b83f584885d commit: """ By using DMA API, the guest triggers the TDX codepath to share some of the guest memory, in particular the virtqueues and associated buffers so that the VMM and vhost-user backends/processes can access this memory. """
Fixes: #4977
Signed-off-by: Fabiano FidĂȘncio
---
 src/runtime/config/configuration-clh.toml.in | 4 ---
 src/runtime/virtcontainers/clh.go | 34 +-------------------
 2 files changed, 1 insertion(+), 37 deletions(-)

diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in
index f09c095f0e..59ddf43e12 100644
--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
@@ -28,10 +28,6 @@ image = "@IMAGEPATH@"
 # - CPU Hotplug
 # - Memory Hotplug
 # - NVDIMM devices
-# - SharedFS, such as virtio-fs and virtio-fs-nydus
-#
-# Requirements:
-# * virtio-block used as rootfs, thus the usage of devmapper snapshotter.
 #
 # Supported TEEs:
 # * Intel TDX
diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go
index b14391b932..2514b59465 100644
--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
@@ -279,11 +279,6 @@ func (clh *cloudHypervisor) setConfig(config *HypervisorConfig) error {
 }
 
 func (clh *cloudHypervisor) createVirtiofsDaemon(sharedPath string) (VirtiofsDaemon, error) {
-	if !clh.supportsSharedFS() {
-		clh.Logger().Info("SharedFS is not supported")
-		return nil, nil
-	}
-
 	virtiofsdSocketPath, err := clh.virtioFsSocketPath(clh.id)
 	if err != nil {
 		return nil, err
@@ -319,11 +314,6 @@ func (clh *cloudHypervisor) createVirtiofsDaemon(sharedPath string) (VirtiofsDae
 }
 
 func (clh *cloudHypervisor) setupVirtiofsDaemon(ctx context.Context) error {
-	if !clh.supportsSharedFS() {
-		clh.Logger().Info("SharedFS is not supported")
-		return nil
-	}
-
 	if clh.config.SharedFS == config.Virtio9P {
 		return errors.New("cloud-hypervisor only supports virtio based file sharing")
 	}
@@ -347,11 +337,6 @@ func (clh *cloudHypervisor) setupVirtiofsDaemon(ctx context.Context) error {
 }
 
 func (clh *cloudHypervisor) stopVirtiofsDaemon(ctx context.Context) (err error) {
-	if !clh.supportsSharedFS() {
-		clh.Logger().Info("SharedFS is not supported")
-		return nil
-	}
-
 	if clh.state.VirtiofsDaemonPid == 0 {
 		clh.Logger().Warn("The virtiofsd had stopped")
 		return nil
@@ -368,11 +353,6 @@ func (clh *cloudHypervisor) stopVirtiofsDaemon(ctx context.Context) (err error)
 }
 
 func (clh *cloudHypervisor) loadVirtiofsDaemon(sharedPath string) (VirtiofsDaemon, error) {
-	if !clh.supportsSharedFS() {
-		clh.Logger().Info("SharedFS is not supported")
-		return nil, nil
-	}
-
 	virtiofsdSocketPath, err := clh.virtioFsSocketPath(clh.id)
 	if err != nil {
 		return nil, err
@@ -389,12 +369,6 @@ func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) {
 	return utils.BuildSocketPath(clh.config.VMStorePath, id, nydusdAPISock)
 }
 
-func (clh *cloudHypervisor) supportsSharedFS() bool {
-	caps := clh.Capabilities(clh.ctx)
-
-	return caps.IsFsSharingSupported()
-}
-
 func (clh *cloudHypervisor) enableProtection() error {
 	protection, err := availableGuestProtection()
 	if err != nil {
@@ -1061,10 +1035,6 @@ func (clh *cloudHypervisor) AddDevice(ctx context.Context, devInfo interface{},
 	case types.HybridVSock:
 		clh.addVSock(defaultGuestVSockCID, v.UdsPath)
 	case types.Volume:
-		if !clh.supportsSharedFS() {
-			return fmt.Errorf("SharedFS is not supported")
-		}
-
 		err = clh.addVolume(v)
 	default:
 		clh.Logger().WithField("function", "AddDevice").Warnf("Add device of type %v is not supported.", v)
@@ -1091,9 +1061,7 @@ func (clh *cloudHypervisor) Capabilities(ctx context.Context) types.Capabilities
 	clh.Logger().WithField("function", "Capabilities").Info("get Capabilities")
 
 	var caps types.Capabilities
-	if !clh.config.ConfidentialGuest {
-		caps.SetFsSharingSupport()
-	}
+	caps.SetFsSharingSupport()
 	caps.SetBlockDeviceHotplugSupport()
 	return caps
 }
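Review bot: The new unconditional `caps.SetFsSharingSupport()` in Capabilities advertises filesystem sharing for confidential guests without any check of the precondition the commit message itself states — that virtio-fs only works under TDX when the guest kernel is booted with `tdx_disable_filter`, which the message admits may never reach upstream. With the `!clh.config.ConfidentialGuest` gate and the `supportsSharedFS()` guards (dropped in the earlier clh.go hunks for createVirtiofsDaemon, setupVirtiofsDaemon, stopVirtiofsDaemon, loadVirtiofsDaemon and AddDevice) all gone, a confidential guest whose kernel still filters the device no longer gets the early "SharedFS is not supported" refusal and will presumably fail later, when virtiofsd is set up or the volume is added, with a less obvious error. There is also a trust-boundary consequence that the config comment removed from configuration-clh.toml.in no longer states anywhere: virtiofsd is a host-side process, so whatever is exposed through a shared filesystem is readable by the host even though guest memory is TDX-protected. I would put `// Fs sharing is advertised for confidential guests too: with TDX this relies on the guest kernel being booted with tdx_disable_filter, and shared-fs contents are visible to the host-side virtiofsd.` above the new line and repeat the caveat next to the "Supported TEEs" list in configuration-clh.toml.in. AddDevice and Capabilities both begin outside their hunks.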