From e40abcf72d10135b7fb032f066ab69d7dfa1e0bb Mon Sep 17 00:00:00 2001
From: Tobin Feldman-Fitzthum
Date: Tue, 7 Apr 2026 13:56:04 +0000
Subject: [PATCH] nvidia: add nvrc.smi.srs=1 to default nvidia kernel params

The attestation-agent no longer sets nvidia devices to ready automatically. Instead, we should use nvrc for this. Since this is required for all nvidia workloads, add it to the default nv kernel params. With bounce buffers, the timing of attesting a device versus setting it to ready is not so important.

Signed-off-by: Tobin Feldman-Fitzthum
---
 src/runtime/Makefile | 4 ++++
 .../config/configuration-qemu-nvidia-gpu-snp.toml.in | 2 +-
 .../config/configuration-qemu-nvidia-gpu-tdx.toml.in | 2 +-
 tests/integration/kubernetes/k8s-nvidia-cuda.bats | 8 --------
 4 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 54f47d6fa9..1ad2340b11 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -489,6 +489,9 @@ ifneq (,$(QEMUCMD))
 KERNELPARAMS_NV += "pci=nocrs"
 KERNELPARAMS_NV += "pci=assign-busses"
+ KERNELPARAMS_CONFIDENTIAL_NV = $(KERNELPARAMS_NV)
+ KERNELPARAMS_CONFIDENTIAL_NV += "nvrc.smi.srs=1"
+

 # Setting this to false can lead to cgroup leakages in the host
 # Best practice for production is to set this to true
 DEFSANDBOXCGROUPONLY_NV = true
@@ -661,6 +664,7 @@ USER_VARS += DEFAULTMEMORY_NV
 USER_VARS += DEFAULTVFIOPORT_NV
 USER_VARS += DEFAULTPCIEROOTPORT_NV
 USER_VARS += KERNELPARAMS_NV
+USER_VARS += KERNELPARAMS_CONFIDENTIAL_NV
 USER_VARS += KERNELVERITYPARAMS_NV
 USER_VARS += KERNELVERITYPARAMS_CONFIDENTIAL_NV
 USER_VARS += DEFAULTTIMEOUT_NV
diff --git a/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in b/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
index eff87f6f9a..633d85bef4 100644
--- a/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in
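Review bot: The two new `KERNELPARAMS_CONFIDENTIAL_NV` lines carry no comment, yet they change a security-relevant default: per the commit message, `nvrc.smi.srs=1` moves setting the GPU to ready state from the attestation-agent to nvrc at boot, so the device becomes usable before any attestation of it has been verified, which the commit justifies only by the use of bounce buffers. That reasoning belongs next to the variable so nobody drops or copies the flag without understanding it; I would add above the assignment: `# TEE-only: nvrc.smi.srs=1 makes nvrc (not the attestation-agent) set the GPU` / `# ready state at boot, i.e. before the device's attestation evidence has been` / `# verified; bounce buffers are relied on to make that ordering acceptable.` Note also that because the flag is attached with `+=`, a `KERNELPARAMS_CONFIDENTIAL_NV=...` given on the make command line replaces the whole value and silently drops `nvrc.smi.srs=1`, so the comment should say to keep it when overriding. The enclosing `ifneq (,$(QEMUCMD))` block starts and ends outside this hunk.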
@@ -90,7 +90,7 @@ snp_guest_policy = 196608
 # may stop the virtual machine from booting.
 # To see the list of default parameters, enable hypervisor debug, create a
 # container and look for 'default-kernel-parameters' log entries.
-kernel_params = "@KERNELPARAMS_NV@"
+kernel_params = "@KERNELPARAMS_CONFIDENTIAL_NV@"

 # Optional dm-verity parameters (comma-separated key=value list):
 # root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
diff --git a/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in b/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in
index eab536be0e..7f8b7456b0 100644
--- a/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in
@@ -67,7 +67,7 @@ valid_hypervisor_paths = @QEMUTDXEXPERIMENTALVALIDHYPERVISORPATHS@
 # may stop the virtual machine from booting.
 # To see the list of default parameters, enable hypervisor debug, create a
 # container and look for 'default-kernel-parameters' log entries.
-kernel_params = "@KERNELPARAMS_NV@"
+kernel_params = "@KERNELPARAMS_CONFIDENTIAL_NV@"

 # Optional dm-verity parameters (comma-separated key=value list):
 # root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
diff --git a/tests/integration/kubernetes/k8s-nvidia-cuda.bats b/tests/integration/kubernetes/k8s-nvidia-cuda.bats
index 6d70afbb83..524583a1e2 100644
--- a/tests/integration/kubernetes/k8s-nvidia-cuda.bats
+++ b/tests/integration/kubernetes/k8s-nvidia-cuda.bats
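Review bot: The comment block above `kernel_params` still describes the defaults generically, but this line now differs from the non-confidential NVIDIA config precisely because it carries `nvrc.smi.srs=1`, the flag that, per the commit message, makes nvrc set the GPU ready state at boot instead of the attestation-agent. An operator editing `kernel_params` here gets no hint that removing it breaks every confidential GPU workload, nor that the flag governs when the device becomes usable relative to its attestation. I would add immediately above the line: `# Confidential NVIDIA guests need nvrc.smi.srs=1 (nvrc sets the GPU ready state at boot); keep it when editing kernel_params.` The `snp_guest_policy` line in the hunk header and the rest of the hypervisor section are outside this hunk.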
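Review bot: Attestation reference values derived from the previous default guest kernel command line will stop matching this TDX config if the command line is part of the launch evidence or measured boot chain for these guests (I cannot confirm that from this hunk alone), because the swapped placeholder appends `nvrc.smi.srs=1` to every default command line. The commit message does not mention this operational consequence, and a bare placeholder swap gives operators no signal that their verifier policies or reference values may need regenerating. I would record it in the comment above the line: `# NOTE: the default kernel_params now include nvrc.smi.srs=1; regenerate any attestation reference values derived from the kernel command line.` The `valid_hypervisor_paths` line in the hunk header and the rest of the hypervisor section are outside this hunk.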
@@ -29,14 +29,6 @@ setup() {
 envsubst < "${pod_yaml_in}" > "${pod_yaml}"
- if [ "${TEE}" = "true" ]; then
- kernel_params_annotation="io.katacontainers.config.hypervisor.kernel_params"
- kernel_params_value="nvrc.smi.srs=1"
- set_metadata_annotation "${pod_yaml}" \
- "${kernel_params_annotation}" \
- "${kernel_params_value}"
- fi
-
 policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
 add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"