From e87231edc700eca37ec180b68c46731ab5cae620 Mon Sep 17 00:00:00 2001
From: Ryan Savino
Date: Fri, 17 Jan 2025 14:23:42 -0600
Subject: [PATCH] snp: remove snp certs on qemu cmdline
snp standard attestation with the upstream kernel and qemu do not support extended attestation with certs.
Fixes: #10750
Signed-Off-By: Ryan Savino
---
 src/runtime/Makefile | 2 --
 .../config/configuration-qemu-snp.toml.in | 5 ---
 src/runtime/pkg/govmm/qemu/qemu.go | 8 -----
 .../pkg/katautils/config-settings.go.in | 2 --
 src/runtime/pkg/katautils/config.go | 35 -------------------
 src/runtime/virtcontainers/hypervisor.go | 4 ---
 src/runtime/virtcontainers/qemu_amd64.go | 10 ++----
 7 files changed, 3 insertions(+), 63 deletions(-)
diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index afe0ea0ab6..71f9320665 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -148,7 +148,6 @@ FIRMWARETDVFVOLUMEPATH :=
 FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
-SNPCERTSPATH := /opt/snp/cert_chain.cert
 ROOTMEASURECONFIG ?= ""
 KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
@@ -638,7 +637,6 @@ USER_VARS += FIRMWARETDVFPATH
 USER_VARS += FIRMWAREVOLUMEPATH
 USER_VARS += FIRMWARETDVFVOLUMEPATH
 USER_VARS += FIRMWARESNPPATH
-USER_VARS += SNPCERTSPATH
 USER_VARS += MACHINEACCELERATORS
 USER_VARS += CPUFEATURES
 USER_VARS += TDXCPUFEATURES
diff --git a/src/runtime/config/configuration-qemu-snp.toml.in b/src/runtime/config/configuration-qemu-snp.toml.in
index a58406de8e..be5f40dfa1 100644
--- a/src/runtime/config/configuration-qemu-snp.toml.in
+++ b/src/runtime/config/configuration-qemu-snp.toml.in
@@ -44,11 +44,6 @@ confidential_guest = true
 # enable SEV SNP VMs
 sev_snp_guest = true
-# The path to the file containing the SNP certificate chain (including
-# VCEK/VLEK certificates). This wil be used to get the extended attestation
-# report from the guest. The default path is @SNPCERTSPATH@.
-snp_certs_path = "@SNPCERTSPATH@"
-
 # Enable running QEMU VMM as a non-root user.
 # By default QEMU VMM run as root. When this is set to true, QEMU VMM process runs as
 # a non-root random user. See documentation for the limitations of this mode.
diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go
index e1070b7319..292ecb2ffc 100644
--- a/src/runtime/pkg/govmm/qemu/qemu.go
+++ b/src/runtime/pkg/govmm/qemu/qemu.go
@@ -300,10 +300,6 @@ type Object struct {
 // and UEFI program image.
 FirmwareVolume string
- // The path to the file containing the AMD SEV-SNP certificate chain
- // (including VCEK/VLEK certificates).
- SnpCertsPath string
-
 // CBitPos is the location of the C-bit in a guest page table entry
 // This is only relevant for sev-guest objects
 CBitPos uint32
@@ -392,10 +388,6 @@ func (object Object) QemuParams(config *Config) []string {
 objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos))
 objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits))
 objectParams = append(objectParams, "kernel-hashes=on")
- if object.SnpCertsPath != "" {
- objectParams = append(objectParams, fmt.Sprintf("certs-path=%s", object.SnpCertsPath))
- }
-
 driveParams = append(driveParams, "if=pflash,format=raw,readonly=on")
 driveParams = append(driveParams, fmt.Sprintf("file=%s", object.File))
 case SecExecGuest:
diff --git a/src/runtime/pkg/katautils/config-settings.go.in b/src/runtime/pkg/katautils/config-settings.go.in
index 0378fead38..df8e9bd636 100644
--- a/src/runtime/pkg/katautils/config-settings.go.in
+++ b/src/runtime/pkg/katautils/config-settings.go.in
@@ -116,5 +116,3 @@ const defaultPCIeSwitchPort = 0
 const defaultRemoteHypervisorSocket = "/run/peerpod/hypervisor.sock"
 const defaultRemoteHypervisorTimeout = 600
-
-const defaultSnpCertsPath = "/opt/snp/cert_chain.cert"
diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go
index addd426013..1946c71cae 100644
--- a/src/runtime/pkg/katautils/config.go
+++ b/src/runtime/pkg/katautils/config.go
@@ -104,7 +104,6 @@ type hypervisor struct {
 SeccompSandbox string `toml:"seccompsandbox"`
 BlockDeviceAIO string `toml:"block_device_aio"`
 RemoteHypervisorSocket string `toml:"remote_hypervisor_socket"`
- SnpCertsPath string `toml:"snp_certs_path"`
 HypervisorPathList []string `toml:"valid_hypervisor_paths"`
 JailerPathList []string `toml:"valid_jailer_paths"`
 VirtioFSDaemonList []string `toml:"valid_virtio_fs_daemon_paths"`
@@ -285,34 +284,6 @@ func (h hypervisor) firmware() (string, error) {
 return ResolvePath(p)
 }
-func (h hypervisor) snpCertsPath() (string, error) {
- // snpCertsPath only matter when using Confidential Guests
- if !h.ConfidentialGuest {
- return "", nil
- }
-
- // snpCertsPath only matter for SNP guests
- if !h.SevSnpGuest {
- return "", nil
- }
-
- p := h.SnpCertsPath
-
- if p == "" {
- p = defaultSnpCertsPath
- }
-
- path, err := ResolvePath(p)
- if err != nil {
- if p == defaultSnpCertsPath {
- msg := fmt.Sprintf("failed to resolve SNP certificates path: %s", defaultSnpCertsPath)
- kataUtilsLogger.Warn(msg)
- return "", nil
- }
- }
- return path, err
-}
-
 func (h hypervisor) coldPlugVFIO() config.PCIePort {
 if h.ColdPlugVFIO == "" {
 return defaultColdPlugVFIO
@@ -872,11 +843,6 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 return vc.HypervisorConfig{}, err
 }
- snpCertsPath, err := h.snpCertsPath()
- if err != nil {
- return vc.HypervisorConfig{}, err
- }
-
 machineAccelerators := h.machineAccelerators()
 cpuFeatures := h.cpuFeatures()
 kernelParams := h.kernelParams()
@@ -941,7 +907,6 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 RootfsType: rootfsType,
 FirmwarePath: firmware,
 FirmwareVolumePath: firmwareVolume,
- SnpCertsPath: snpCertsPath,
 PFlash: pflashes,
 MachineAccelerators: machineAccelerators,
 CPUFeatures: cpuFeatures,
diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
index cad5e85d74..3bc5367d56 100644
--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
@@ -461,10 +461,6 @@ type HypervisorConfig struct {
 // The user maps to the uid.
 User string
- // The path to the file containing the AMD SEV-SNP certificate chain
- // (including VCEK/VLEK certificates).
- SnpCertsPath string
-
 // KernelParams are additional guest kernel parameters.
 KernelParams []Param
diff --git a/src/runtime/virtcontainers/qemu_amd64.go b/src/runtime/virtcontainers/qemu_amd64.go
index 1d1be17118..ade7356eb6 100644
--- a/src/runtime/virtcontainers/qemu_amd64.go
+++ b/src/runtime/virtcontainers/qemu_amd64.go
@@ -33,8 +33,6 @@ type qemuAmd64 struct {
 sgxEPCSize int64
 qgsPort uint32
-
- snpCertsPath string
 }
 const (
@@ -127,10 +125,9 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 protection: noneProtection,
 legacySerial: config.LegacySerial,
 },
- vmFactory: factory,
- snpGuest: config.SevSnpGuest,
- qgsPort: config.QgsPort,
- snpCertsPath: config.SnpCertsPath,
+ vmFactory: factory,
+ snpGuest: config.SevSnpGuest,
+ qgsPort: config.QgsPort,
 }
 if config.ConfidentialGuest {
@@ -314,7 +311,6 @@ func (q *qemuAmd64) appendProtectionDevice(devices []govmmQemu.Device, firmware,
 File: firmware,
 CBitPos: cpuid.AMDMemEncrypt.CBitPosition,
 ReducedPhysBits: 1,
- SnpCertsPath: q.snpCertsPath,
 }), "", nil
 case noneProtection: