github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-02 00:02:01 +00:00
Code Issues Projects Releases Wiki Activity

snp: remove snp certs on qemu cmdline

Browse Source 
snp standard attestation with the upstream kernel and qemu do not support extended attestation with certs.

Fixes: #10750

Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
This commit is contained in:
Ryan Savino 2025-01-17 14:23:42 -06:00
parent f9bbe4e439
commit e87231edc7
7 changed files with 3 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/runtime/Makefile
View File

@ -148,7 +148,6 @@ FIRMWARETDVFVOLUMEPATH :=
FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
SNPCERTSPATH := /opt/snp/cert_chain.cert
ROOTMEASURECONFIG ?= ""
KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
@ -638,7 +637,6 @@ USER_VARS += FIRMWARETDVFPATH
USER_VARS += FIRMWAREVOLUMEPATH
USER_VARS += FIRMWARETDVFVOLUMEPATH
USER_VARS += FIRMWARESNPPATH
USER_VARS += SNPCERTSPATH
USER_VARS += MACHINEACCELERATORS
USER_VARS += CPUFEATURES
USER_VARS += TDXCPUFEATURES

5
src/runtime/config/configuration-qemu-snp.toml.in
View File

@ -44,11 +44,6 @@ confidential_guest = true
# enable SEV SNP VMs
sev_snp_guest = true
# The path to the file containing the SNP certificate chain (including
# VCEK/VLEK certificates). This wil be used to get the extended attestation
# report from the guest. The default path is @SNPCERTSPATH@.
snp_certs_path = "@SNPCERTSPATH@"
# Enable running QEMU VMM as a non-root user.
# By default QEMU VMM run as root. When this is set to true, QEMU VMM process runs as
# a non-root random user. See documentation for the limitations of this mode.

8
src/runtime/pkg/govmm/qemu/qemu.go
View File

@ -300,10 +300,6 @@ type Object struct {
// and UEFI program image.
FirmwareVolume string
// The path to the file containing the AMD SEV-SNP certificate chain
// (including VCEK/VLEK certificates).
SnpCertsPath string
// CBitPos is the location of the C-bit in a guest page table entry
// This is only relevant for sev-guest objects
CBitPos uint32
@ -392,10 +388,6 @@ func (object Object) QemuParams(config *Config) []string {
objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos))
objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits))
objectParams = append(objectParams, "kernel-hashes=on")
if object.SnpCertsPath != "" {
objectParams = append(objectParams, fmt.Sprintf("certs-path=%s", object.SnpCertsPath))
}
driveParams = append(driveParams, "if=pflash,format=raw,readonly=on")
driveParams = append(driveParams, fmt.Sprintf("file=%s", object.File))
case SecExecGuest:

2
src/runtime/pkg/katautils/config-settings.go.in
View File

@ -116,5 +116,3 @@ const defaultPCIeSwitchPort = 0
const defaultRemoteHypervisorSocket = "/run/peerpod/hypervisor.sock"
const defaultRemoteHypervisorTimeout = 600
const defaultSnpCertsPath = "/opt/snp/cert_chain.cert"

35
src/runtime/pkg/katautils/config.go
View File

@ -104,7 +104,6 @@ type hypervisor struct {
SeccompSandbox string `toml:"seccompsandbox"`
BlockDeviceAIO string `toml:"block_device_aio"`
RemoteHypervisorSocket string `toml:"remote_hypervisor_socket"`
SnpCertsPath string `toml:"snp_certs_path"`
HypervisorPathList []string `toml:"valid_hypervisor_paths"`
JailerPathList []string `toml:"valid_jailer_paths"`
VirtioFSDaemonList []string `toml:"valid_virtio_fs_daemon_paths"`
@ -285,34 +284,6 @@ func (h hypervisor) firmware() (string, error) {
return ResolvePath(p)
}
func (h hypervisor) snpCertsPath() (string, error) {
// snpCertsPath only matter when using Confidential Guests
if !h.ConfidentialGuest {
return "", nil
}
// snpCertsPath only matter for SNP guests
if !h.SevSnpGuest {
return "", nil
}
p := h.SnpCertsPath
if p == "" {
p = defaultSnpCertsPath
}
path, err := ResolvePath(p)
if err != nil {
if p == defaultSnpCertsPath {
msg := fmt.Sprintf("failed to resolve SNP certificates path: %s", defaultSnpCertsPath)
kataUtilsLogger.Warn(msg)
return "", nil
}
}
return path, err
}
func (h hypervisor) coldPlugVFIO() config.PCIePort {
if h.ColdPlugVFIO == "" {
return defaultColdPlugVFIO
@ -872,11 +843,6 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
return vc.HypervisorConfig{}, err
}
snpCertsPath, err := h.snpCertsPath()
if err != nil {
return vc.HypervisorConfig{}, err
}
machineAccelerators := h.machineAccelerators()
cpuFeatures := h.cpuFeatures()
kernelParams := h.kernelParams()
@ -941,7 +907,6 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
RootfsType: rootfsType,
FirmwarePath: firmware,
FirmwareVolumePath: firmwareVolume,
SnpCertsPath: snpCertsPath,
PFlash: pflashes,
MachineAccelerators: machineAccelerators,
CPUFeatures: cpuFeatures,

4
src/runtime/virtcontainers/hypervisor.go
View File

@ -461,10 +461,6 @@ type HypervisorConfig struct {
// The user maps to the uid.
User string
// The path to the file containing the AMD SEV-SNP certificate chain
// (including VCEK/VLEK certificates).
SnpCertsPath string
// KernelParams are additional guest kernel parameters.
KernelParams []Param

10
src/runtime/virtcontainers/qemu_amd64.go
View File

@ -33,8 +33,6 @@ type qemuAmd64 struct {
sgxEPCSize int64
qgsPort uint32
snpCertsPath string
}
const (
@ -127,10 +125,9 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
protection: noneProtection,
legacySerial: config.LegacySerial,
},
vmFactory: factory,
snpGuest: config.SevSnpGuest,
qgsPort: config.QgsPort,
snpCertsPath: config.SnpCertsPath,
vmFactory: factory,
snpGuest: config.SevSnpGuest,
qgsPort: config.QgsPort,
}
if config.ConfidentialGuest {
@ -314,7 +311,6 @@ func (q *qemuAmd64) appendProtectionDevice(devices []govmmQemu.Device, firmware,
File: firmware,
CBitPos: cpuid.AMDMemEncrypt.CBitPosition,
ReducedPhysBits: 1,
SnpCertsPath: q.snpCertsPath,
}), "", nil
case noneProtection: