hypervisors: Confidential Guests do not support Device hotplug
Similarly to VCPUs hotplug, Confidential Guests also do not support Device hotplug. Let's make it clear in the documentation and guard the code on both QEMU and Cloud Hypervisor side to ensure we don't advertise Device hotplug as being supported when running Confidential Guests. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
@@ -24,6 +24,7 @@ image = "@IMAGEPATH@"
|
||||
# Known limitations:
|
||||
# * Does not work by design:
|
||||
# - CPU Hotplug
|
||||
# - Device Hotplug
|
||||
#
|
||||
# Default false
|
||||
# confidential_guest = true
|
||||
|
@@ -25,6 +25,7 @@ machine_type = "@MACHINETYPE@"
|
||||
# Known limitations:
|
||||
# * Does not work by design:
|
||||
# - CPU Hotplug
|
||||
# - Device Hotplug
|
||||
#
|
||||
# Default false
|
||||
# confidential_guest = true
|
||||
|
@@ -589,6 +589,10 @@ func (clh *cloudHypervisor) HotplugAddDevice(ctx context.Context, devInfo interf
|
||||
span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugAddDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id})
|
||||
defer span.End()
|
||||
|
||||
if clh.config.ConfidentialGuest {
|
||||
return nil, errors.New("Device hotplug addition is not supported in confidential mode")
|
||||
}
|
||||
|
||||
switch devType {
|
||||
case BlockDev:
|
||||
drive := devInfo.(*config.BlockDrive)
|
||||
@@ -606,6 +610,10 @@ func (clh *cloudHypervisor) HotplugRemoveDevice(ctx context.Context, devInfo int
|
||||
span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugRemoveDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id})
|
||||
defer span.End()
|
||||
|
||||
if clh.config.ConfidentialGuest {
|
||||
return nil, errors.New("Device hotplug addition is not supported in confidential mode")
|
||||
}
|
||||
|
||||
var deviceID string
|
||||
|
||||
switch devType {
|
||||
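Review bot: The error returned by the new ConfidentialGuest guard in HotplugRemoveDevice reads `Device hotplug addition is not supported in confidential mode`, identical to the HotplugAddDevice guard, so a rejected removal is reported to callers and logs as a rejected addition. Change the removal path to `return nil, errors.New("Device hotplug removal is not supported in confidential mode")`. Both HotplugAddDevice and HotplugRemoveDevice continue outside their hunks.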
@@ -860,7 +868,9 @@ func (clh *cloudHypervisor) Capabilities(ctx context.Context) types.Capabilities
|
||||
clh.Logger().WithField("function", "Capabilities").Info("get Capabilities")
|
||||
var caps types.Capabilities
|
||||
caps.SetFsSharingSupport()
|
||||
caps.SetBlockDeviceHotplugSupport()
|
||||
if !clh.config.ConfidentialGuest {
|
||||
caps.SetBlockDeviceHotplugSupport()
|
||||
}
|
||||
return caps
|
||||
}
|
||||
|
||||
|
@@ -153,8 +153,9 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
|
||||
func (q *qemuAmd64) capabilities() types.Capabilities {
|
||||
var caps types.Capabilities
|
||||
|
||||
if q.qemuMachine.Type == QemuQ35 ||
|
||||
q.qemuMachine.Type == QemuVirt {
|
||||
if (q.qemuMachine.Type == QemuQ35 ||
|
||||
q.qemuMachine.Type == QemuVirt) &&
|
||||
q.protection == noneProtection {
|
||||
caps.SetBlockDeviceHotplugSupport()
|
||||
}
|
||||
|
||||
|
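Review bot: The guard added to qemuAmd64.capabilities keys on `q.protection == noneProtection`, whereas the Cloud Hypervisor side of the same commit keys on `config.ConfidentialGuest`; unless protection is set to a non-none value exactly when ConfidentialGuest is enabled (not visible here), the two hypervisors would stop advertising block device hotplug under different conditions. A comment on the condition would make the intended equivalence explicit, e.g. `// Device hotplug is not supported for confidential guests (guest memory protection enabled).` The same applies to qemuArchBase.capabilities in the following hunk. The body of capabilities continues outside the hunk.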
@@ -277,7 +277,9 @@ func (q *qemuArchBase) kernelParameters(debug bool) []Param {
|
||||
|
||||
func (q *qemuArchBase) capabilities() types.Capabilities {
|
||||
var caps types.Capabilities
|
||||
caps.SetBlockDeviceHotplugSupport()
|
||||
if q.protection == noneProtection {
|
||||
caps.SetBlockDeviceHotplugSupport()
|
||||
}
|
||||
caps.SetMultiQueueSupport()
|
||||
caps.SetFsSharingSupport()
|
||||
return caps
|
||||
|
@@ -96,7 +96,8 @@ func (q *qemuPPC64le) capabilities() types.Capabilities {
|
||||
var caps types.Capabilities
|
||||
|
||||
// pseries machine type supports hotplugging drives
|
||||
if q.qemuMachine.Type == QemuPseries {
|
||||
if q.qemuMachine.Type == QemuPseries &&
|
||||
q.protection == noneProtection {
|
||||
caps.SetBlockDeviceHotplugSupport()
|
||||
}
|
||||
|
||||
|
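Review bot: The unchanged comment `// pseries machine type supports hotplugging drives` now sits above a condition that also requires `q.protection == noneProtection`, so it no longer describes what the branch checks; update it to `// pseries machine type supports hotplugging drives, but not when guest memory protection (confidential guest) is enabled`. The body of qemuPPC64le.capabilities continues outside the hunk.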