mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-08-05 18:14:55 +00:00
snp: remove snp certs on qemu cmdline
snp standard attestation with the upstream kernel and qemu do not support extended attestation with certs. Fixes: #10750 Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
This commit is contained in:
Ryan Savino
parent
f9bbe4e439
commit
e87231edc7
@ -148,7 +148,6 @@ FIRMWARETDVFVOLUMEPATH :=
|
|||||||
|
|
||||||
FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
|
FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
|
||||||
FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
|
FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
|
||||||
SNPCERTSPATH := /opt/snp/cert_chain.cert
|
|
||||||
|
|
||||||
ROOTMEASURECONFIG ?= ""
|
ROOTMEASURECONFIG ?= ""
|
||||||
KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
|
KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
|
||||||
@ -638,7 +637,6 @@ USER_VARS += FIRMWARETDVFPATH
|
|||||||
USER_VARS += FIRMWAREVOLUMEPATH
|
USER_VARS += FIRMWAREVOLUMEPATH
|
||||||
USER_VARS += FIRMWARETDVFVOLUMEPATH
|
USER_VARS += FIRMWARETDVFVOLUMEPATH
|
||||||
USER_VARS += FIRMWARESNPPATH
|
USER_VARS += FIRMWARESNPPATH
|
||||||
USER_VARS += SNPCERTSPATH
|
|
||||||
USER_VARS += MACHINEACCELERATORS
|
USER_VARS += MACHINEACCELERATORS
|
||||||
USER_VARS += CPUFEATURES
|
USER_VARS += CPUFEATURES
|
||||||
USER_VARS += TDXCPUFEATURES
|
USER_VARS += TDXCPUFEATURES
|
||||||
|
|||||||
@ -44,11 +44,6 @@ confidential_guest = true
|
|||||||
# enable SEV SNP VMs
|
# enable SEV SNP VMs
|
||||||
sev_snp_guest = true
|
sev_snp_guest = true
|
||||||
|
|
||||||
# The path to the file containing the SNP certificate chain (including
|
|
||||||
# VCEK/VLEK certificates). This wil be used to get the extended attestation
|
|
||||||
# report from the guest. The default path is @SNPCERTSPATH@.
|
|
||||||
snp_certs_path = "@SNPCERTSPATH@"
|
|
||||||
|
|
||||||
# Enable running QEMU VMM as a non-root user.
|
# Enable running QEMU VMM as a non-root user.
|
||||||
# By default QEMU VMM run as root. When this is set to true, QEMU VMM process runs as
|
# By default QEMU VMM run as root. When this is set to true, QEMU VMM process runs as
|
||||||
# a non-root random user. See documentation for the limitations of this mode.
|
# a non-root random user. See documentation for the limitations of this mode.
|
||||||
|
|||||||
@ -300,10 +300,6 @@ type Object struct {
|
|||||||
// and UEFI program image.
|
// and UEFI program image.
|
||||||
FirmwareVolume string
|
FirmwareVolume string
|
||||||
|
|
||||||
// The path to the file containing the AMD SEV-SNP certificate chain
|
|
||||||
// (including VCEK/VLEK certificates).
|
|
||||||
SnpCertsPath string
|
|
||||||
|
|
||||||
// CBitPos is the location of the C-bit in a guest page table entry
|
// CBitPos is the location of the C-bit in a guest page table entry
|
||||||
// This is only relevant for sev-guest objects
|
// This is only relevant for sev-guest objects
|
||||||
CBitPos uint32
|
CBitPos uint32
|
||||||
@ -392,10 +388,6 @@ func (object Object) QemuParams(config *Config) []string {
|
|||||||
objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos))
|
objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos))
|
||||||
objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits))
|
objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits))
|
||||||
objectParams = append(objectParams, "kernel-hashes=on")
|
objectParams = append(objectParams, "kernel-hashes=on")
|
||||||
if object.SnpCertsPath != "" {
|
|
||||||
objectParams = append(objectParams, fmt.Sprintf("certs-path=%s", object.SnpCertsPath))
|
|
||||||
}
|
|
||||||
|
|
||||||
driveParams = append(driveParams, "if=pflash,format=raw,readonly=on")
|
driveParams = append(driveParams, "if=pflash,format=raw,readonly=on")
|
||||||
driveParams = append(driveParams, fmt.Sprintf("file=%s", object.File))
|
driveParams = append(driveParams, fmt.Sprintf("file=%s", object.File))
|
||||||
case SecExecGuest:
|
case SecExecGuest:
|
||||||
|
|||||||
@ -116,5 +116,3 @@ const defaultPCIeSwitchPort = 0
|
|||||||
|
|
||||||
const defaultRemoteHypervisorSocket = "/run/peerpod/hypervisor.sock"
|
const defaultRemoteHypervisorSocket = "/run/peerpod/hypervisor.sock"
|
||||||
const defaultRemoteHypervisorTimeout = 600
|
const defaultRemoteHypervisorTimeout = 600
|
||||||
|
|
||||||
const defaultSnpCertsPath = "/opt/snp/cert_chain.cert"
|
|
||||||
|
|||||||
@ -104,7 +104,6 @@ type hypervisor struct {
|
|||||||
SeccompSandbox string `toml:"seccompsandbox"`
|
SeccompSandbox string `toml:"seccompsandbox"`
|
||||||
BlockDeviceAIO string `toml:"block_device_aio"`
|
BlockDeviceAIO string `toml:"block_device_aio"`
|
||||||
RemoteHypervisorSocket string `toml:"remote_hypervisor_socket"`
|
RemoteHypervisorSocket string `toml:"remote_hypervisor_socket"`
|
||||||
SnpCertsPath string `toml:"snp_certs_path"`
|
|
||||||
HypervisorPathList []string `toml:"valid_hypervisor_paths"`
|
HypervisorPathList []string `toml:"valid_hypervisor_paths"`
|
||||||
JailerPathList []string `toml:"valid_jailer_paths"`
|
JailerPathList []string `toml:"valid_jailer_paths"`
|
||||||
VirtioFSDaemonList []string `toml:"valid_virtio_fs_daemon_paths"`
|
VirtioFSDaemonList []string `toml:"valid_virtio_fs_daemon_paths"`
|
||||||
@ -285,34 +284,6 @@ func (h hypervisor) firmware() (string, error) {
|
|||||||
return ResolvePath(p)
|
return ResolvePath(p)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h hypervisor) snpCertsPath() (string, error) {
|
|
||||||
// snpCertsPath only matter when using Confidential Guests
|
|
||||||
if !h.ConfidentialGuest {
|
|
||||||
return "", nil
|
|
||||||
}
|
|
||||||
|
|
||||||
// snpCertsPath only matter for SNP guests
|
|
||||||
if !h.SevSnpGuest {
|
|
||||||
return "", nil
|
|
||||||
}
|
|
||||||
|
|
||||||
p := h.SnpCertsPath
|
|
||||||
|
|
||||||
if p == "" {
|
|
||||||
p = defaultSnpCertsPath
|
|
||||||
}
|
|
||||||
|
|
||||||
path, err := ResolvePath(p)
|
|
||||||
if err != nil {
|
|
||||||
if p == defaultSnpCertsPath {
|
|
||||||
msg := fmt.Sprintf("failed to resolve SNP certificates path: %s", defaultSnpCertsPath)
|
|
||||||
kataUtilsLogger.Warn(msg)
|
|
||||||
return "", nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return path, err
|
|
||||||
}
|
|
||||||
|
|
||||||
func (h hypervisor) coldPlugVFIO() config.PCIePort {
|
func (h hypervisor) coldPlugVFIO() config.PCIePort {
|
||||||
if h.ColdPlugVFIO == "" {
|
if h.ColdPlugVFIO == "" {
|
||||||
return defaultColdPlugVFIO
|
return defaultColdPlugVFIO
|
||||||
@ -872,11 +843,6 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
|
|||||||
return vc.HypervisorConfig{}, err
|
return vc.HypervisorConfig{}, err
|
||||||
}
|
}
|
||||||
|
|
||||||
snpCertsPath, err := h.snpCertsPath()
|
|
||||||
if err != nil {
|
|
||||||
return vc.HypervisorConfig{}, err
|
|
||||||
}
|
|
||||||
|
|
||||||
machineAccelerators := h.machineAccelerators()
|
machineAccelerators := h.machineAccelerators()
|
||||||
cpuFeatures := h.cpuFeatures()
|
cpuFeatures := h.cpuFeatures()
|
||||||
kernelParams := h.kernelParams()
|
kernelParams := h.kernelParams()
|
||||||
@ -941,7 +907,6 @@ func newQemuHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
|
|||||||
RootfsType: rootfsType,
|
RootfsType: rootfsType,
|
||||||
FirmwarePath: firmware,
|
FirmwarePath: firmware,
|
||||||
FirmwareVolumePath: firmwareVolume,
|
FirmwareVolumePath: firmwareVolume,
|
||||||
SnpCertsPath: snpCertsPath,
|
|
||||||
PFlash: pflashes,
|
PFlash: pflashes,
|
||||||
MachineAccelerators: machineAccelerators,
|
MachineAccelerators: machineAccelerators,
|
||||||
CPUFeatures: cpuFeatures,
|
CPUFeatures: cpuFeatures,
|
||||||
|
|||||||
@ -461,10 +461,6 @@ type HypervisorConfig struct {
|
|||||||
// The user maps to the uid.
|
// The user maps to the uid.
|
||||||
User string
|
User string
|
||||||
|
|
||||||
// The path to the file containing the AMD SEV-SNP certificate chain
|
|
||||||
// (including VCEK/VLEK certificates).
|
|
||||||
SnpCertsPath string
|
|
||||||
|
|
||||||
// KernelParams are additional guest kernel parameters.
|
// KernelParams are additional guest kernel parameters.
|
||||||
KernelParams []Param
|
KernelParams []Param
|
||||||
|
|
||||||
|
|||||||
@ -33,8 +33,6 @@ type qemuAmd64 struct {
|
|||||||
sgxEPCSize int64
|
sgxEPCSize int64
|
||||||
|
|
||||||
qgsPort uint32
|
qgsPort uint32
|
||||||
|
|
||||||
snpCertsPath string
|
|
||||||
}
|
}
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -127,10 +125,9 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
|
|||||||
protection: noneProtection,
|
protection: noneProtection,
|
||||||
legacySerial: config.LegacySerial,
|
legacySerial: config.LegacySerial,
|
||||||
},
|
},
|
||||||
vmFactory: factory,
|
vmFactory: factory,
|
||||||
snpGuest: config.SevSnpGuest,
|
snpGuest: config.SevSnpGuest,
|
||||||
qgsPort: config.QgsPort,
|
qgsPort: config.QgsPort,
|
||||||
snpCertsPath: config.SnpCertsPath,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if config.ConfidentialGuest {
|
if config.ConfidentialGuest {
|
||||||
@ -314,7 +311,6 @@ func (q *qemuAmd64) appendProtectionDevice(devices []govmmQemu.Device, firmware,
|
|||||||
File: firmware,
|
File: firmware,
|
||||||
CBitPos: cpuid.AMDMemEncrypt.CBitPosition,
|
CBitPos: cpuid.AMDMemEncrypt.CBitPosition,
|
||||||
ReducedPhysBits: 1,
|
ReducedPhysBits: 1,
|
||||||
SnpCertsPath: q.snpCertsPath,
|
|
||||||
}), "", nil
|
}), "", nil
|
||||||
case noneProtection:
|
case noneProtection:
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user