diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in
index 0971c6c4b9..dc7f1f9f55 100644
--- a/src/runtime/config/configuration-clh.toml.in
+++ b/src/runtime/config/configuration-clh.toml.in
@@ -24,6 +24,7 @@ image = "@IMAGEPATH@"
 # Known limitations:
 # * Does not work by design:
 # - CPU Hotplug
+# - Device Hotplug
 #
 # Default false
 # confidential_guest = true
diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in
index a603d7607a..1282be310b 100644
--- a/src/runtime/config/configuration-qemu.toml.in
+++ b/src/runtime/config/configuration-qemu.toml.in
@@ -25,6 +25,7 @@ machine_type = "@MACHINETYPE@"
 # Known limitations:
 # * Does not work by design:
 # - CPU Hotplug
+# - Device Hotplug
 #
 # Default false
 # confidential_guest = true
diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go
index 3cf1ca3e1e..f463d17445 100644
--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
@@ -589,6 +589,10 @@ func (clh *cloudHypervisor) HotplugAddDevice(ctx context.Context, devInfo interf
 span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugAddDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id})
 defer span.End()
 
+ if clh.config.ConfidentialGuest {
+ return nil, errors.New("Device hotplug addition is not supported in confidential mode")
+ }
+
 switch devType {
 case BlockDev:
 drive := devInfo.(*config.BlockDrive)
@@ -606,6 +610,10 @@ func (clh *cloudHypervisor) HotplugRemoveDevice(ctx context.Context, devInfo int
 span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugRemoveDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id})
 defer span.End()
 
+ if clh.config.ConfidentialGuest {
+ return nil, errors.New("Device hotplug addition is not supported in confidential mode")
+ }
+
 var deviceID string
 
 switch devType {
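Review bot: The error string added to HotplugAddDevice starts with a capital letter, which Go convention (and staticcheck ST1005) discourages because callers wrap these messages into longer sentences; prefer `return nil, errors.New("device hotplug is not supported in confidential mode")`. Since this commit checks the same condition in HotplugAddDevice, HotplugRemoveDevice and Capabilities, a package-level sentinel such as `var errConfidentialHotplug = errors.New("device hotplug is not supported in confidential mode")` would let callers use `errors.Is` and keep the wording from drifting between the two hotplug paths. A one-line comment above the guard saying why a confidential guest cannot take hotplugged devices (presumably because they would not be covered by the launch measurement — please confirm) would also help the next reader, since the reason is currently only hinted at in the config template. The body of HotplugAddDevice continues past the hunk.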
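Review bot: The error returned from the new guard in HotplugRemoveDevice reads "Device hotplug addition is not supported in confidential mode" — it was copied from HotplugAddDevice, so a rejected removal is reported to the caller and in logs as a rejected addition. Change it to `return nil, errors.New("device hotplug removal is not supported in confidential mode")`, or share a single sentinel with neutral wording ("device hotplug is not supported in confidential mode") between the two methods. The body of HotplugRemoveDevice continues past the hunk.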
@@ -860,7 +868,9 @@ func (clh *cloudHypervisor) Capabilities(ctx context.Context) types.Capabilities
 clh.Logger().WithField("function", "Capabilities").Info("get Capabilities")
 var caps types.Capabilities
 caps.SetFsSharingSupport()
- caps.SetBlockDeviceHotplugSupport()
+ if !clh.config.ConfidentialGuest {
+ caps.SetBlockDeviceHotplugSupport()
+ }
 return caps
 }
 
diff --git a/src/runtime/virtcontainers/qemu_amd64.go b/src/runtime/virtcontainers/qemu_amd64.go
index f3ae89b59c..067a555036 100644
--- a/src/runtime/virtcontainers/qemu_amd64.go
+++ b/src/runtime/virtcontainers/qemu_amd64.go
@@ -153,8 +153,9 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 func (q *qemuAmd64) capabilities() types.Capabilities {
 var caps types.Capabilities
 
- if q.qemuMachine.Type == QemuQ35 ||
- q.qemuMachine.Type == QemuVirt {
+ if (q.qemuMachine.Type == QemuQ35 ||
+ q.qemuMachine.Type == QemuVirt) &&
+ q.protection == noneProtection {
 caps.SetBlockDeviceHotplugSupport()
 }
 
diff --git a/src/runtime/virtcontainers/qemu_arch_base.go b/src/runtime/virtcontainers/qemu_arch_base.go
index b65cb61e3d..6601a74d81 100644
--- a/src/runtime/virtcontainers/qemu_arch_base.go
+++ b/src/runtime/virtcontainers/qemu_arch_base.go
@@ -277,7 +277,9 @@ func (q *qemuArchBase) kernelParameters(debug bool) []Param {
 
 func (q *qemuArchBase) capabilities() types.Capabilities {
 var caps types.Capabilities
- caps.SetBlockDeviceHotplugSupport()
+ if q.protection == noneProtection {
+ caps.SetBlockDeviceHotplugSupport()
+ }
 caps.SetMultiQueueSupport()
 caps.SetFsSharingSupport()
 return caps
diff --git a/src/runtime/virtcontainers/qemu_ppc64le.go b/src/runtime/virtcontainers/qemu_ppc64le.go
index f78ed24297..d6f768128b 100644
--- a/src/runtime/virtcontainers/qemu_ppc64le.go
+++ b/src/runtime/virtcontainers/qemu_ppc64le.go
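Review bot: The new condition in Capabilities has no comment saying why block-device hotplug is withheld when `clh.config.ConfidentialGuest` is set; the rationale exists only as a "Known limitations" bullet in the configuration template, which a reader of clh.go will not see. Add a why-comment above the `if`, e.g. `// A confidential guest cannot accept devices after launch; do not advertise hotplug so the runtime picks a non-hotplug path.` — adjusting the reason to the actual one, which this diff does not state. It is also worth noting in that comment that HotplugAddDevice and HotplugRemoveDevice enforce the same check, so a caller that ignores Capabilities still fails closed rather than reaching the hypervisor. The function starts outside the hunk.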
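Review bot: The gate added to qemuAmd64.capabilities is keyed on `q.protection == noneProtection`, whereas the equivalent gate in clh.go is keyed on the `ConfidentialGuest` config flag; how `q.protection` is derived is not visible here, so if it can be non-none without `confidential_guest = true` (or the reverse), the two hypervisors will disagree about whether hotplug is offered. A comment on the new condition stating the intended relationship (for example `// q.protection is non-none exactly when ConfidentialGuest is set — see newQemuArch`) would pin that down, and the parenthesised three-line predicate would read more clearly as `confidential := q.protection != noneProtection` declared just above the `if`. The function continues past the hunk.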
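Review bot: qemuArchBase.capabilities now guards SetBlockDeviceHotplugSupport with `q.protection == noneProtection`, but the amd64 and ppc64le overrides in this same commit replace rather than extend the base method and so each repeat the check by hand; any future architecture override that forgets it will silently re-enable hotplug for protected guests. A small helper on the base type, `func (q *qemuArchBase) blockHotplugAllowed() bool { return q.protection == noneProtection }`, called from all three sites, keeps the policy in one place — assuming the overrides embed qemuArchBase, which is not visible here. The new `if` should also carry a brief comment such as `// Protected (confidential) guests cannot take hotplugged block devices.`. The function starts outside the hunk.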
@@ -96,7 +96,8 @@ func (q *qemuPPC64le) capabilities() types.Capabilities {
 var caps types.Capabilities
 
 // pseries machine type supports hotplugging drives
- if q.qemuMachine.Type == QemuPseries {
+ if q.qemuMachine.Type == QemuPseries &&
+ q.protection == noneProtection {
 caps.SetBlockDeviceHotplugSupport()
 }
 
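Review bot: The comment `// pseries machine type supports hotplugging drives` directly above the changed condition is now incomplete: with the added `&& q.protection == noneProtection`, pseries only advertises drive hotplug when the guest has no protection. Update it to `// pseries machine type supports hotplugging drives, but not when the guest is protected (confidential)` so the comment matches the predicate. The function starts outside the hunk.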