runtime: Enable choice between AMD SEV and SNP

This is based on a patch from @niteeshkd that adds a config parameter to choose between AMD SEV and SEV-SNP VMs as the confidential guest type in case both types are supported. SEV is the default. Signed-off-by: Joana Pecholt <joana.pecholt@aisec.fraunhofer.de>
2025-09-25 18:53:44 +00:00 · 2022-09-09 16:23:05 +02:00
parent 22bda0838c
commit ded60173d4
7 changed files with 27 additions and 2 deletions
--- a/src/runtime/virtcontainers/documentation/api/1.0/api.md
+++ b/src/runtime/virtcontainers/documentation/api/1.0/api.md
@@ -348,6 +348,10 @@ type HypervisorConfig struct {
 	// Enable or disable different hardware features, ranging
 	// from memory encryption to both memory and CPU-state encryption and integrity.
 	ConfidentialGuest bool
+
+	// Enables SEV-SNP guests in case both AMD SEV and SNP are supported.
+	// SEV is default.
+	SevSnpGuest bool
 }
 ```

--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@@ -527,6 +527,9 @@ type HypervisorConfig struct {
 	// from memory encryption to both memory and CPU-state encryption and integrity.
 	ConfidentialGuest bool

+	// Enable SEV-SNP guests on AMD machines capable of both
+	SevSnpGuest bool
+
 	// BootToBeTemplate used to indicate if the VM is created to be a template VM
 	BootToBeTemplate bool

--- a/src/runtime/virtcontainers/hypervisor_linux_amd64.go
+++ b/src/runtime/virtcontainers/hypervisor_linux_amd64.go
@@ -29,12 +29,12 @@ func availableGuestProtection() (guestProtection, error) {
 		return tdxProtection, nil
 	}
 	// SEV-SNP is supported and enabled when the kvm module `sev_snp` parameter is set to `Y`
+	// SEV-SNP support infers SEV (-ES) support
 	if _, err := os.Stat(snpKvmParameterPath); err == nil {
 		if c, err := os.ReadFile(snpKvmParameterPath); err == nil && len(c) > 0 && (c[0] == 'Y') {
 			return snpProtection, nil
 		}
 	}
-	// Only choose SEV if SEV-SNP unsupported
 	// SEV is supported and enabled when the kvm module `sev` parameter is set to `1` (or `Y` for linux >= 5.12)
 	if _, err := os.Stat(sevKvmParameterPath); err == nil {
 		if c, err := os.ReadFile(sevKvmParameterPath); err == nil && len(c) > 0 && (c[0] == '1' || c[0] == 'Y') {
--- a/src/runtime/virtcontainers/qemu_amd64.go
+++ b/src/runtime/virtcontainers/qemu_amd64.go
@@ -24,6 +24,8 @@ type qemuAmd64 struct {
 	// inherit from qemuArchBase, overwrite methods if needed
 	qemuArchBase

+	snpGuest bool
+
 	vmFactory bool

 	devLoadersCount uint32
@@ -122,6 +124,7 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 			legacySerial:         config.LegacySerial,
 		},
 		vmFactory: factory,
+		snpGuest:  config.SevSnpGuest,
 	}

 	if config.ConfidentialGuest {
@@ -176,7 +179,7 @@ func (q *qemuAmd64) cpuModel() string {
 	// Temporary until QEMU cpu model 'host' supports AMD SEV-SNP
 	protection, err := availableGuestProtection()
 	if err == nil {
-		if protection == snpProtection {
+		if protection == snpProtection && q.snpGuest {
 			cpuModel = "EPYC-v4"
 		}
 	}
@@ -212,6 +215,11 @@ func (q *qemuAmd64) enableProtection() error {
 	if err != nil {
 		return err
 	}
+	// Configure SNP only if specified in config
+	if q.protection == snpProtection && !q.snpGuest {
+		q.protection = sevProtection
+	}
+
 	logger := hvLogger.WithFields(logrus.Fields{
 		"subsystem":               "qemuAmd64",
 		"machine":                 q.qemuMachine,