nvidia: add nvrc.smi.srs=1 to default nvidia kernel params

The attestation-agent no longer sets nvidia devices to ready
automatically. Instead, we should use nvrc for this. Since this is
required for all nvidia workloads, add it to the default nv kernel
params.

With bounce buffers, the timing of attesting a device versus setting it
to ready is not so important.

Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
Tobin Feldman-Fitzthum
2026-04-07 13:56:04 +00:00
parent 7385938c57
commit e40abcf72d
4 changed files with 6 additions and 10 deletions


@@ -489,6 +489,9 @@ ifneq (,$(QEMUCMD))
KERNELPARAMS_NV += "pci=nocrs"
KERNELPARAMS_NV += "pci=assign-busses"
KERNELPARAMS_CONFIDENTIAL_NV = $(KERNELPARAMS_NV)
KERNELPARAMS_CONFIDENTIAL_NV += "nvrc.smi.srs=1"
# Setting this to false can lead to cgroup leakages in the host
# Best practice for production is to set this to true
DEFSANDBOXCGROUPONLY_NV = true
@@ -661,6 +664,7 @@ USER_VARS += DEFAULTMEMORY_NV
USER_VARS += DEFAULTVFIOPORT_NV
USER_VARS += DEFAULTPCIEROOTPORT_NV
USER_VARS += KERNELPARAMS_NV
USER_VARS += KERNELPARAMS_CONFIDENTIAL_NV
USER_VARS += KERNELVERITYPARAMS_NV
USER_VARS += KERNELVERITYPARAMS_CONFIDENTIAL_NV
USER_VARS += DEFAULTTIMEOUT_NV
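Review bot: The new `KERNELPARAMS_CONFIDENTIAL_NV += "nvrc.smi.srs=1"` line in the first hunk carries no comment, so the reason the parameter is mandatory lives only in the commit message; and since the second hunk adds KERNELPARAMS_CONFIDENTIAL_NV to USER_VARS, a user who overrides that variable presumably replaces the whole value, the inherited KERNELPARAMS_NV and the nvrc parameter included, with nothing in the Makefile warning them. Suggest placing above the `+=` line: `# nvrc sets the GPUs to ready (the attestation-agent no longer does this); every confidential nvidia workload needs this, so keep it when overriding KERNELPARAMS_CONFIDENTIAL_NV`. The `ifneq (,$(QEMUCMD))` conditional enclosing the first hunk starts outside it.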


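--- a/PATH_NOT_SHOWN_ON_PAGE_SNP_TEMPLATE
+++ b/PATH_NOT_SHOWN_ON_PAGE_SNP_TEMPLATE
@@ -90,7 +90,7 @@ snp_guest_policy = 196608
 # may stop the virtual machine from booting.
 # To see the list of default parameters, enable hypervisor debug, create a
 # container and look for 'default-kernel-parameters' log entries.
-kernel_params = "@KERNELPARAMS_NV@"
+kernel_params = "@KERNELPARAMS_CONFIDENTIAL_NV@"
 # Optional dm-verity parameters (comma-separated key=value list):
 # root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...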
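Review bot: The three comment lines above `kernel_params` tell the reader how to discover the default parameters but not that the confidential NVIDIA default now carries `nvrc.smi.srs=1`, which the commit message says every confidential nvidia workload requires; someone editing the generated TOML gets no hint that dropping it leaves the GPUs never set to ready. Suggest adding after the existing comment block: `# The confidential NVIDIA default includes nvrc.smi.srs=1 (nvrc sets the GPUs to ready); keep it if you change this value.` The TDX template in the next file section has the identical one-line change and would take the same comment.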


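--- a/PATH_NOT_SHOWN_ON_PAGE_TDX_TEMPLATE
+++ b/PATH_NOT_SHOWN_ON_PAGE_TDX_TEMPLATE
@@ -67,7 +67,7 @@ valid_hypervisor_paths = @QEMUTDXEXPERIMENTALVALIDHYPERVISORPATHS@
 # may stop the virtual machine from booting.
 # To see the list of default parameters, enable hypervisor debug, create a
 # container and look for 'default-kernel-parameters' log entries.
-kernel_params = "@KERNELPARAMS_NV@"
+kernel_params = "@KERNELPARAMS_CONFIDENTIAL_NV@"
 # Optional dm-verity parameters (comma-separated key=value list):
 # root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...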


@@ -29,14 +29,6 @@ setup() {
envsubst < "${pod_yaml_in}" > "${pod_yaml}"
if [ "${TEE}" = "true" ]; then
kernel_params_annotation="io.katacontainers.config.hypervisor.kernel_params"
kernel_params_value="nvrc.smi.srs=1"
set_metadata_annotation "${pod_yaml}" \
"${kernel_params_annotation}" \
"${kernel_params_value}"
fi
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"