From 0bafa2def979ed45e78e1c8eff9dac1340b3dee5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 28 Feb 2022 10:24:33 +0100 Subject: [PATCH 1/3] config: clh: Mention supported TEEs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's mention the supported TEEs to be used with confidential guests. Right now, Cloud Hyperisor supports only Intel TDX, used together with TD Shim. Signed-off-by: Fabiano FidĂȘncio --- src/runtime/config/configuration-clh.toml.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index afb5370757..bf00dff615 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -28,6 +28,9 @@ image = "@IMAGEPATH@" # - Memory Hotplug # - NVDIMM devices # +# Supported TEEs: +# * Intel TDX +# # Default false # confidential_guest = true From 641d475fa663f41874a6451a34f134c36ee0be2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 28 Feb 2022 10:27:21 +0100 Subject: [PATCH 2/3] config: clh: Use "Intel TDX" instead of just "TDX" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's use "Intel TDX" rather than just "TDX", as it can ease the understanding of the terminology. Signed-off-by: Fabiano FidĂȘncio --- src/runtime/config/configuration-clh.toml.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index bf00dff615..5bdc2cc064 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -40,7 +40,7 @@ image = "@IMAGEPATH@" # # For more information about firmwared that can be used with specific TEEs, # please, refer to: -# * TDX: +# * Intel TDX: # - td-shim: https://github.com/confidential-containers/td-shim # # firmware = "@FIRMWAREPATH@" From de57466212e06769165bb821882ce58204ba5a5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 28 Feb 2022 11:57:42 +0100 Subject: [PATCH 3/3] config: Expand confidential_guest comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's clarify that an error will be reported in case confidential_guest is enabled, but the hardware where Kata Containers is running doesn't provide the required feature set. Fixes: #3787 Signed-off-by: Fabiano FidĂȘncio --- src/runtime/config/configuration-clh.toml.in | 3 ++- src/runtime/config/configuration-qemu.toml.in | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index 5bdc2cc064..4afafaf08d 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -19,7 +19,8 @@ image = "@IMAGEPATH@" # Toggling that setting may trigger different hardware features, ranging # from memory encryption to both memory and CPU-state encryption and integrity. # The Kata Containers runtime dynamically detects the available feature set and -# aims at enabling the largest possible one. +# aims at enabling the largest possible one, returning an error if none is +# available, or none is supported by the hypervisor. # # Known limitations: # * Does not work by design: diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in index 00c5dbfff0..af5c583647 100644 --- a/src/runtime/config/configuration-qemu.toml.in +++ b/src/runtime/config/configuration-qemu.toml.in @@ -20,7 +20,8 @@ machine_type = "@MACHINETYPE@" # Toggling that setting may trigger different hardware features, ranging # from memory encryption to both memory and CPU-state encryption and integrity. # The Kata Containers runtime dynamically detects the available feature set and -# aims at enabling the largest possible one. +# aims at enabling the largest possible one, returning an error if none is +# available, or none is supported by the hypervisor. # # Known limitations: # * Does not work by design: