hypervisors: Confidential Guests do not support Device hotplug

Similarly to VCPUs hotplug, Confidential Guests also do not support Device hotplug. Let's make it clear in the documentation and guard the code on both QEMU and Cloud Hypervisor side to ensure we don't advertise Device hotplug as being supported when running Confidential Guests. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2025-06-25 15:02:45 +00:00 · 2022-02-24 21:00:39 +01:00 · 2022-02-24 21:00:39 +01:00 · df8ffecde0
commit df8ffecde0
parent 28c4c044e6
6 changed files with 21 additions and 5 deletions
--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
@ -24,6 +24,7 @@ image = "@IMAGEPATH@"
 # Known limitations:
 # * Does not work by design:
 #   - CPU Hotplug 
 #   - Device Hotplug
 #
 # Default false
 # confidential_guest = true
--- a/src/runtime/config/configuration-qemu.toml.in
+++ b/src/runtime/config/configuration-qemu.toml.in
@ -25,6 +25,7 @@ machine_type = "@MACHINETYPE@"
 # Known limitations:
 # * Does not work by design:
 #   - CPU Hotplug 
 #   - Device Hotplug
 #
 # Default false
 # confidential_guest = true
--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
@ -589,6 +589,10 @@ func (clh *cloudHypervisor) HotplugAddDevice(ctx context.Context, devInfo interf
 	span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugAddDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id})
 	defer span.End()
 	if clh.config.ConfidentialGuest {
 		return nil, errors.New("Device hotplug addition is not supported in confidential mode")
 	}
 	switch devType {
 	case BlockDev:
 		drive := devInfo.(*config.BlockDrive)
@ -606,6 +610,10 @@ func (clh *cloudHypervisor) HotplugRemoveDevice(ctx context.Context, devInfo int
 	span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugRemoveDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id})
 	defer span.End()
 	if clh.config.ConfidentialGuest {
 		return nil, errors.New("Device hotplug addition is not supported in confidential mode")
 	}
 	var deviceID string
 	switch devType {
@ -860,7 +868,9 @@ func (clh *cloudHypervisor) Capabilities(ctx context.Context) types.Capabilities
 	clh.Logger().WithField("function", "Capabilities").Info("get Capabilities")
 	var caps types.Capabilities
 	caps.SetFsSharingSupport()
 	if !clh.config.ConfidentialGuest {
 		caps.SetBlockDeviceHotplugSupport()
 	}
 	return caps
 }
--- a/src/runtime/virtcontainers/qemu_amd64.go
+++ b/src/runtime/virtcontainers/qemu_amd64.go
@ -153,8 +153,9 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 func (q *qemuAmd64) capabilities() types.Capabilities {
 	var caps types.Capabilities
-	if q.qemuMachine.Type == QemuQ35 ||
+	if (q.qemuMachine.Type == QemuQ35 ||
-		q.qemuMachine.Type == QemuVirt {
+		q.qemuMachine.Type == QemuVirt) &&
 		q.protection == noneProtection {
 		caps.SetBlockDeviceHotplugSupport()
 	}
--- a/src/runtime/virtcontainers/qemu_arch_base.go
+++ b/src/runtime/virtcontainers/qemu_arch_base.go
@ -277,7 +277,9 @@ func (q *qemuArchBase) kernelParameters(debug bool) []Param {
 func (q *qemuArchBase) capabilities() types.Capabilities {
 	var caps types.Capabilities
 	if q.protection == noneProtection {
 		caps.SetBlockDeviceHotplugSupport()
 	}
 	caps.SetMultiQueueSupport()
 	caps.SetFsSharingSupport()
 	return caps
--- a/src/runtime/virtcontainers/qemu_ppc64le.go
+++ b/src/runtime/virtcontainers/qemu_ppc64le.go
@ -96,7 +96,8 @@ func (q *qemuPPC64le) capabilities() types.Capabilities {
 	var caps types.Capabilities
 	// pseries machine type supports hotplugging drives
-	if q.qemuMachine.Type == QemuPseries {
+	if q.qemuMachine.Type == QemuPseries &&
 		q.protection == noneProtection {
 		caps.SetBlockDeviceHotplugSupport()
 	}