diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index 07e3f31a4b..1296d20b95 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in @@ -15,6 +15,33 @@ path = "@CLHPATH@" kernel = "@KERNELPATH_CLH@" image = "@IMAGEPATH@" +# Enable confidential guest support. +# Toggling that setting may trigger different hardware features, ranging +# from memory encryption to both memory and CPU-state encryption and integrity. +# The Kata Containers runtime dynamically detects the available feature set and +# aims at enabling the largest possible one. +# +# Known limitations: +# * Does not work by design: +# - CPU Hotplug +# - Device Hotplug +# - Memory Hotplug +# - NVDIMM devices +# +# Default false +# confidential_guest = true + +# Path to the firmware. +# If you want Cloud Hypervisor to use a specific firmware, set its path below. +# This is option is only used when confidential_guest is enabled. +# +# For more information about firmwared that can be used with specific TEEs, +# please, refer to: +# * TDX: +# - td-shim: https://github.com/confidential-containers/td-shim +# +# firmware = "@FIRMWAREPATH@" + # List of valid annotation names for the hypervisor # Each member of the list is a regular expression, which is the base name # of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path" diff --git a/src/runtime/config/configuration-qemu.toml.in b/src/runtime/config/configuration-qemu.toml.in index 59753db5d6..804849a132 100644 --- a/src/runtime/config/configuration-qemu.toml.in +++ b/src/runtime/config/configuration-qemu.toml.in 
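Review bot: The new firmware comment block has two typos: `# This is option is only used when confidential_guest is enabled.` should read `# This option is only used when confidential_guest is enabled.`, and `firmwared` should be `firmware`. Because this template is the user-facing documentation for the knob, it is also worth stating the failure mode; in the clh.go hunk of this commit, a TDX host with confidential_guest enabled and an empty firmware path makes CreateVM return "Firmware path is not specified", so a line such as `# On a TDX host with confidential_guest enabled, leaving this empty makes VM creation fail.` would save operators a round trip.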
@@ -21,6 +21,14 @@ machine_type = "@MACHINETYPE@" # from memory encryption to both memory and CPU-state encryption and integrity. # The Kata Containers runtime dynamically detects the available feature set and # aims at enabling the largest possible one. +# +# Known limitations: +# * Does not work by design: +# - CPU Hotplug +# - Device Hotplug +# - Memory Hotplug +# - NVDIMM devices +# # Default false # confidential_guest = true @@ -279,6 +287,9 @@ pflashes = [] # If false and nvdimm is supported, use nvdimm device to plug guest image. # Otherwise virtio-block device is used. +# +# nvdimm is not supported when `confidential_guest = true`. +# # Default is false #disable_image_nvdimm = true diff --git a/src/runtime/pkg/katautils/config.go b/src/runtime/pkg/katautils/config.go index ed67bad13d..e623559339 100644 --- a/src/runtime/pkg/katautils/config.go +++ b/src/runtime/pkg/katautils/config.go @@ -877,6 +877,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) { SGXEPCSize: defaultSGXEPCSize, EnableAnnotations: h.EnableAnnotations, DisableSeccomp: h.DisableSeccomp, + ConfidentialGuest: h.ConfidentialGuest, }, nil } diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go index 79a976abff..11c1f7e353 100644 --- a/src/runtime/virtcontainers/clh.go +++ b/src/runtime/virtcontainers/clh.go @@ -171,12 +171,9 @@ type cloudHypervisor struct { } var clhKernelParams = []Param{ - {"root", "/dev/pmem0p1"}, {"panic", "1"}, // upon kernel panic wait 1 second before reboot {"no_timer_check", ""}, // do not Check broken timer IRQ resources {"noreplace-smp", ""}, // do not replace SMP instructions - {"rootflags", "dax,data=ordered,errors=remount-ro ro"}, // mount the root filesystem as readonly - {"rootfstype", "ext4"}, } var clhDebugKernelParams = []Param{ 
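Review bot: clhKernelParams loses its root=, rootflags= and rootfstype= entries without a comment saying where they went, so a reader of this file alone no longer sees how the root device is selected. The selection now happens in CreateVM later in this commit by prefixing commonNvdimmKernelRootParams or commonVirtioblkKernelRootParams; a one-line comment on the variable, e.g. `// clhKernelParams holds the driver-wide parameters; the root= parameters are prepended in CreateVM from common*KernelRootParams.`, records that for the next reader.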
@@ -205,6 +202,34 @@ func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) {
 return utils.BuildSocketPath(clh.config.VMStorePath, id, nydusdAPISock)
 }
 
+func (clh *cloudHypervisor) enableProtection() error {
+ protection, err := availableGuestProtection()
+ if err != nil {
+ return err
+ }
+
+ switch protection {
+ case tdxProtection:
+ firmwarePath, err := clh.config.FirmwareAssetPath()
+ if err != nil {
+ return err
+ }
+
+ if firmwarePath == "" {
+ return errors.New("Firmware path is not specified")
+ }
+
+ clh.vmconfig.Tdx = chclient.NewTdxConfig(firmwarePath)
+ return nil
+
+ case sevProtection:
+ return errors.New("SEV protection is not supported by Cloud Hypervisor")
+
+ default:
+ return errors.New("This system doesn't support Confidentian Computing (Guest Protection)")
+ }
+}
+
 // For cloudHypervisor this call only sets the internal structure up.
 // The VM will be created and started through StartVM().
 func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Network, hypervisorConfig *HypervisorConfig) error {
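Review bot: The default-branch error message misspells the feature: `return errors.New("This system doesn't support Confidentian Computing (Guest Protection)")` should say `Confidential`, and since this string is exactly what an operator sees when confidential_guest is enabled on an unsupported host it should be right (Go convention would also lowercase these messages, as they get wrapped by callers). The function has no doc comment; `// enableProtection configures the VM for the guest protection detected on the host. Only TDX is supported by Cloud Hypervisor, and it requires an explicit firmware path.` matches what the switch does. The inner `firmwarePath, err :=` deliberately shadows the outer err within the case block, which is fine, but only an empty path is rejected here; whether a non-existent firmware file is caught by FirmwareAssetPath or only later by Cloud Hypervisor is not visible in this hunk and worth confirming.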
@@ -251,23 +276,35 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net // Create the VM config via the constructor to ensure default values are properly assigned clh.vmconfig = *chclient.NewVmConfig(*chclient.NewKernelConfig(kernelPath)) + if clh.config.ConfidentialGuest { + if err := clh.enableProtection(); err != nil { + return err + } + } + // Create the VM memory config via the constructor to ensure default values are properly assigned clh.vmconfig.Memory = chclient.NewMemoryConfig(int64((utils.MemUnit(clh.config.MemorySize) * utils.MiB).ToBytes())) // shared memory should be enabled if using vhost-user(kata uses virtiofsd) clh.vmconfig.Memory.Shared = func(b bool) *bool { return &b }(true) // Enable hugepages if needed clh.vmconfig.Memory.Hugepages = func(b bool) *bool { return &b }(clh.config.HugePages) - hostMemKb, err := GetHostMemorySizeKb(procMemInfo) - if err != nil { - return nil + if !clh.config.ConfidentialGuest { + hostMemKb, err := GetHostMemorySizeKb(procMemInfo) + if err != nil { + return nil + } + // OpenAPI only supports int64 values + clh.vmconfig.Memory.HotplugSize = func(i int64) *int64 { return &i }(int64((utils.MemUnit(hostMemKb) * utils.KiB).ToBytes())) } - // OpenAPI only supports int64 values - clh.vmconfig.Memory.HotplugSize = func(i int64) *int64 { return &i }(int64((utils.MemUnit(hostMemKb) * utils.KiB).ToBytes())) // Set initial amount of cpu's for the virtual machine clh.vmconfig.Cpus = chclient.NewCpusConfig(int32(clh.config.NumVCPUs), int32(clh.config.DefaultMaxVCPUs)) // First take the default parameters defined by this driver - params := clhKernelParams + params := commonNvdimmKernelRootParams + if clh.config.ConfidentialGuest { + params = commonVirtioblkKernelRootParams + } + params = append(params, clhKernelParams...) // Followed by extra debug parameters if debug enabled in configuration file if clh.config.Debug { 
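Review bot: The host-memory block moved under `if !clh.config.ConfidentialGuest` still ends with `return nil` when GetHostMemorySizeKb fails, so CreateVM reports success while the CPU, kernel-parameter and image/initrd setup that follows it has not run; the line should be `return err`. The defect was carried over from the removed lines, but the commit re-adds it on the new side, so this is the place to fix it. The kernel-parameter change appends onto the package-level commonNvdimmKernelRootParams or commonVirtioblkKernelRootParams slice; if either is ever created with spare capacity, `append` writes into that shared backing array across calls, so copying first (`params := append([]Param(nil), commonNvdimmKernelRootParams...)`) is the safer shape. CreateVM begins and ends outside this hunk.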
@@ -291,26 +328,35 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net return err } - initrdPath, err := clh.config.InitrdAssetPath() - if err != nil { - return err - } - if imagePath != "" { - pmem := chclient.NewPmemConfig(imagePath) - *pmem.DiscardWrites = true + if clh.config.ConfidentialGuest { + disk := chclient.NewDiskConfig(imagePath) + disk.SetReadonly(true) - if clh.vmconfig.Pmem != nil { - *clh.vmconfig.Pmem = append(*clh.vmconfig.Pmem, *pmem) + if clh.vmconfig.Disks != nil { + *clh.vmconfig.Disks = append(*clh.vmconfig.Disks, *disk) + } else { + clh.vmconfig.Disks = &[]chclient.DiskConfig{*disk} + } } else { - clh.vmconfig.Pmem = &[]chclient.PmemConfig{*pmem} + pmem := chclient.NewPmemConfig(imagePath) + *pmem.DiscardWrites = true + + if clh.vmconfig.Pmem != nil { + *clh.vmconfig.Pmem = append(*clh.vmconfig.Pmem, *pmem) + } else { + clh.vmconfig.Pmem = &[]chclient.PmemConfig{*pmem} + } } - } else if initrdPath != "" { + } else { + initrdPath, err := clh.config.InitrdAssetPath() + if err != nil { + return err + } + initrd := chclient.NewInitramfsConfig(initrdPath) clh.vmconfig.SetInitramfs(*initrd) - } else { - return errors.New("no image or initrd specified") } // Use serial port as the guest console only in debug mode, @@ -589,6 +635,10 @@ func (clh *cloudHypervisor) HotplugAddDevice(ctx context.Context, devInfo interf span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugAddDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id}) defer span.End() + if clh.config.ConfidentialGuest { + return nil, errors.New("Device hotplug addition is not supported in confidential mode") + } + switch devType { case BlockDev: drive := devInfo.(*config.BlockDrive) 
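Review bot: The `else` branch no longer rejects the case where neither an image nor an initrd is configured: the removed `return errors.New("no image or initrd specified")` guard is gone, and with an empty imagePath the code now calls `chclient.NewInitramfsConfig(initrdPath)` even when initrdPath is also empty, unless InitrdAssetPath itself fails on an empty path (not visible here). Re-adding `if initrdPath == "" { return errors.New("no image or initrd specified") }` after the InitrdAssetPath error check keeps the previous behaviour and fails before Cloud Hypervisor is handed an empty initramfs path. `disk.SetReadonly(true)` on the confidential path mirrors the pmem path's `*pmem.DiscardWrites = true`, so the guest image stays immutable in both modes, which is what one wants. CreateVM starts and ends outside this hunk.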
@@ -606,6 +656,10 @@ func (clh *cloudHypervisor) HotplugRemoveDevice(ctx context.Context, devInfo int span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugRemoveDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id}) defer span.End() + if clh.config.ConfidentialGuest { + return nil, errors.New("Device hotplug addition is not supported in confidential mode") + } + var deviceID string switch devType { @@ -860,7 +914,9 @@ func (clh *cloudHypervisor) Capabilities(ctx context.Context) types.Capabilities clh.Logger().WithField("function", "Capabilities").Info("get Capabilities") var caps types.Capabilities caps.SetFsSharingSupport() - caps.SetBlockDeviceHotplugSupport() + if !clh.config.ConfidentialGuest { + caps.SetBlockDeviceHotplugSupport() + } return caps } diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go index 713280be72..26f33f5d6b 100644 --- a/src/runtime/virtcontainers/hypervisor.go +++ b/src/runtime/virtcontainers/hypervisor.go @@ -564,6 +564,11 @@ func (conf *HypervisorConfig) Valid() error { conf.DefaultMaxVCPUs = defaultMaxVCPUs } + if conf.ConfidentialGuest && conf.NumVCPUs != conf.DefaultMaxVCPUs { + hvLogger.Warnf("Confidential guests do not support hotplugging of vCPUs. Setting DefaultMaxVCPUs to NumVCPUs (%d)", conf.NumVCPUs) + conf.DefaultMaxVCPUs = conf.NumVCPUs + } + if conf.Msize9p == 0 && conf.SharedFS != config.VirtioFS { conf.Msize9p = defaultMsize9p } diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml index b820e01cc8..4a168e53e5 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml 
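Review bot: HotplugRemoveDevice returns the error text copied from HotplugAddDevice, `Device hotplug addition is not supported in confidential mode`, so a failed removal is reported as a failed addition; it should be `return nil, errors.New("Device hotplug removal is not supported in confidential mode")`. Refusing hotplug in both directions is consistent with the Capabilities hunk below, which stops advertising block-device hotplug for confidential guests, so callers that honour capabilities should not normally reach these returns. In the hypervisor.go hunk, the DefaultMaxVCPUs clamp logs a warning and continues, which is reasonable for a derived value, though a user who explicitly set both values might expect an error; that is a design choice rather than a defect.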
@@ -181,6 +181,8 @@ paths: schema: $ref: '#/components/schemas/PciDeviceInfo' description: The new device was successfully added to the VM instance. + "204": + description: The new device was successfully (cold) added to the VM instance. "404": description: The new device could not be added to the VM instance. summary: Add a new device to the VM @@ -215,6 +217,8 @@ paths: schema: $ref: '#/components/schemas/PciDeviceInfo' description: The new disk was successfully added to the VM instance. + "204": + description: The new disk was successfully (cold) added to the VM instance. "500": description: The new disk could not be added to the VM instance. summary: Add a new disk to the VM @@ -234,6 +238,8 @@ paths: schema: $ref: '#/components/schemas/PciDeviceInfo' description: The new device was successfully added to the VM instance. + "204": + description: The new device was successfully (cold) added to the VM instance. "500": description: The new device could not be added to the VM instance. summary: Add a new virtio-fs device to the VM @@ -253,6 +259,8 @@ paths: schema: $ref: '#/components/schemas/PciDeviceInfo' description: The new device was successfully added to the VM instance. + "204": + description: The new device was successfully (cold) added to the VM instance. "500": description: The new device could not be added to the VM instance. summary: Add a new pmem device to the VM @@ -272,6 +280,8 @@ paths: schema: $ref: '#/components/schemas/PciDeviceInfo' description: The new device was successfully added to the VM instance. + "204": + description: The new device was successfully (cold) added to the VM instance. "500": description: The new device could not be added to the VM instance. summary: Add a new network device to the VM 
@@ -291,6 +301,8 @@ paths: schema: $ref: '#/components/schemas/PciDeviceInfo' description: The new device was successfully added to the VM instance. + "204": + description: The new device was successfully (cold) added to the VM instance. "500": description: The new device could not be added to the VM instance. summary: Add a new vsock device to the VM @@ -632,7 +644,7 @@ components: children: - children - children - pci_bdf: 3 + pci_bdf: pci_bdf resources: - '{}' - '{}' @@ -663,7 +675,7 @@ components: children: - children - children - pci_bdf: 3 + pci_bdf: pci_bdf resources: - '{}' - '{}' @@ -680,8 +692,7 @@ components: type: string type: array pci_bdf: - format: int32 - type: integer + type: string type: object VmCounters: additionalProperties: @@ -1757,6 +1768,8 @@ components: properties: receiver_url: type: string + required: + - receiver_url type: object SendMigrationData: example: @@ -1767,4 +1780,6 @@ components: type: string local: type: boolean + required: + - destination_url type: object diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DefaultApi.md b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DefaultApi.md index 3c2c8821d9..c5ca050b60 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DefaultApi.md +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DefaultApi.md @@ -1071,7 +1071,7 @@ import ( ) func main() { - receiveMigrationData := *openapiclient.NewReceiveMigrationData() // ReceiveMigrationData | The URL for the reception of migration state + receiveMigrationData := *openapiclient.NewReceiveMigrationData("ReceiverUrl_example") // ReceiveMigrationData | The URL for the reception of migration state configuration := openapiclient.NewConfiguration() api_client := openapiclient.NewAPIClient(configuration) 
@@ -1381,7 +1381,7 @@ import ( ) func main() { - sendMigrationData := *openapiclient.NewSendMigrationData() // SendMigrationData | The URL for sending the migration state + sendMigrationData := *openapiclient.NewSendMigrationData("DestinationUrl_example") // SendMigrationData | The URL for sending the migration state configuration := openapiclient.NewConfiguration() api_client := openapiclient.NewAPIClient(configuration) diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DeviceNode.md b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DeviceNode.md index 5755470551..02863e513d 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DeviceNode.md +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DeviceNode.md @@ -7,7 +7,7 @@ Name | Type | Description | Notes **Id** | Pointer to **string** | | [optional] **Resources** | Pointer to **[]map[string]interface{}** | | [optional] **Children** | Pointer to **[]string** | | [optional] -**PciBdf** | Pointer to **int32** | | [optional] +**PciBdf** | Pointer to **string** | | [optional] ## Methods @@ -105,20 +105,20 @@ HasChildren returns a boolean if a field has been set. ### GetPciBdf -`func (o *DeviceNode) GetPciBdf() int32` +`func (o *DeviceNode) GetPciBdf() string` GetPciBdf returns the PciBdf field if non-nil, zero value otherwise. ### GetPciBdfOk -`func (o *DeviceNode) GetPciBdfOk() (*int32, bool)` +`func (o *DeviceNode) GetPciBdfOk() (*string, bool)` GetPciBdfOk returns a tuple with the PciBdf field if it's non-nil, zero value otherwise and a boolean to check if the value has been set. ### SetPciBdf -`func (o *DeviceNode) SetPciBdf(v int32)` +`func (o *DeviceNode) SetPciBdf(v string)` SetPciBdf sets PciBdf field to given value. diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/ReceiveMigrationData.md b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/ReceiveMigrationData.md index 652bf96bc2..394d47cebc 100644 
--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/ReceiveMigrationData.md +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/ReceiveMigrationData.md @@ -4,13 +4,13 @@ Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- -**ReceiverUrl** | Pointer to **string** | | [optional] +**ReceiverUrl** | **string** | | ## Methods ### NewReceiveMigrationData -`func NewReceiveMigrationData() *ReceiveMigrationData` +`func NewReceiveMigrationData(receiverUrl string, ) *ReceiveMigrationData` NewReceiveMigrationData instantiates a new ReceiveMigrationData object This constructor will assign default values to properties that have it defined, @@ -44,11 +44,6 @@ and a boolean to check if the value has been set. SetReceiverUrl sets ReceiverUrl field to given value. -### HasReceiverUrl - -`func (o *ReceiveMigrationData) HasReceiverUrl() bool` - -HasReceiverUrl returns a boolean if a field has been set. [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md) diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/SendMigrationData.md b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/SendMigrationData.md index 03edd489e8..d3b6a5c1bd 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/SendMigrationData.md +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/SendMigrationData.md 
@@ -4,14 +4,14 @@ Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- -**DestinationUrl** | Pointer to **string** | | [optional] +**DestinationUrl** | **string** | | **Local** | Pointer to **bool** | | [optional] ## Methods ### NewSendMigrationData -`func NewSendMigrationData() *SendMigrationData` +`func NewSendMigrationData(destinationUrl string, ) *SendMigrationData` NewSendMigrationData instantiates a new SendMigrationData object This constructor will assign default values to properties that have it defined, @@ -45,11 +45,6 @@ and a boolean to check if the value has been set. SetDestinationUrl sets DestinationUrl field to given value. -### HasDestinationUrl - -`func (o *SendMigrationData) HasDestinationUrl() bool` - -HasDestinationUrl returns a boolean if a field has been set. ### GetLocal diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_device_node.go b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_device_node.go index ef6aab589d..012f971967 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_device_node.go +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_device_node.go @@ -19,7 +19,7 @@ type DeviceNode struct { Id *string `json:"id,omitempty"` Resources *[]map[string]interface{} `json:"resources,omitempty"` Children *[]string `json:"children,omitempty"` - PciBdf *int32 `json:"pci_bdf,omitempty"` + PciBdf *string `json:"pci_bdf,omitempty"` } // NewDeviceNode instantiates a new DeviceNode object @@ -136,9 +136,9 @@ func (o *DeviceNode) SetChildren(v []string) { } // GetPciBdf returns the PciBdf field value if set, zero value otherwise. -func (o *DeviceNode) GetPciBdf() int32 { +func (o *DeviceNode) GetPciBdf() string { if o == nil || o.PciBdf == nil { - var ret int32 + var ret string return ret } return *o.PciBdf 
@@ -146,7 +146,7 @@ func (o *DeviceNode) GetPciBdf() int32 { // GetPciBdfOk returns a tuple with the PciBdf field value if set, nil otherwise // and a boolean to check if the value has been set. -func (o *DeviceNode) GetPciBdfOk() (*int32, bool) { +func (o *DeviceNode) GetPciBdfOk() (*string, bool) { if o == nil || o.PciBdf == nil { return nil, false } @@ -162,8 +162,8 @@ func (o *DeviceNode) HasPciBdf() bool { return false } -// SetPciBdf gets a reference to the given int32 and assigns it to the PciBdf field. -func (o *DeviceNode) SetPciBdf(v int32) { +// SetPciBdf gets a reference to the given string and assigns it to the PciBdf field. +func (o *DeviceNode) SetPciBdf(v string) { o.PciBdf = &v } diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_receive_migration_data.go b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_receive_migration_data.go index fd7e6eff79..7549055d55 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_receive_migration_data.go +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_receive_migration_data.go @@ -16,15 +16,16 @@ import ( // ReceiveMigrationData struct for ReceiveMigrationData type ReceiveMigrationData struct { - ReceiverUrl *string `json:"receiver_url,omitempty"` + ReceiverUrl string `json:"receiver_url"` } // NewReceiveMigrationData instantiates a new ReceiveMigrationData object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewReceiveMigrationData() *ReceiveMigrationData { +func NewReceiveMigrationData(receiverUrl string) *ReceiveMigrationData { this := ReceiveMigrationData{} + this.ReceiverUrl = receiverUrl return &this } 
@@ -36,41 +37,33 @@ func NewReceiveMigrationDataWithDefaults() *ReceiveMigrationData { return &this } -// GetReceiverUrl returns the ReceiverUrl field value if set, zero value otherwise. +// GetReceiverUrl returns the ReceiverUrl field value func (o *ReceiveMigrationData) GetReceiverUrl() string { - if o == nil || o.ReceiverUrl == nil { + if o == nil { var ret string return ret } - return *o.ReceiverUrl + + return o.ReceiverUrl } -// GetReceiverUrlOk returns a tuple with the ReceiverUrl field value if set, nil otherwise +// GetReceiverUrlOk returns a tuple with the ReceiverUrl field value // and a boolean to check if the value has been set. func (o *ReceiveMigrationData) GetReceiverUrlOk() (*string, bool) { - if o == nil || o.ReceiverUrl == nil { + if o == nil { return nil, false } - return o.ReceiverUrl, true + return &o.ReceiverUrl, true } -// HasReceiverUrl returns a boolean if a field has been set. -func (o *ReceiveMigrationData) HasReceiverUrl() bool { - if o != nil && o.ReceiverUrl != nil { - return true - } - - return false -} - -// SetReceiverUrl gets a reference to the given string and assigns it to the ReceiverUrl field. +// SetReceiverUrl sets field value func (o *ReceiveMigrationData) SetReceiverUrl(v string) { - o.ReceiverUrl = &v + o.ReceiverUrl = v } func (o ReceiveMigrationData) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} - if o.ReceiverUrl != nil { + if true { toSerialize["receiver_url"] = o.ReceiverUrl } return json.Marshal(toSerialize) diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_send_migration_data.go b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_send_migration_data.go index 11f913bf02..6ceeedb7e7 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_send_migration_data.go +++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_send_migration_data.go 
@@ -16,16 +16,17 @@ import ( // SendMigrationData struct for SendMigrationData type SendMigrationData struct { - DestinationUrl *string `json:"destination_url,omitempty"` - Local *bool `json:"local,omitempty"` + DestinationUrl string `json:"destination_url"` + Local *bool `json:"local,omitempty"` } // NewSendMigrationData instantiates a new SendMigrationData object // This constructor will assign default values to properties that have it defined, // and makes sure properties required by API are set, but the set of arguments // will change when the set of required properties is changed -func NewSendMigrationData() *SendMigrationData { +func NewSendMigrationData(destinationUrl string) *SendMigrationData { this := SendMigrationData{} + this.DestinationUrl = destinationUrl return &this } 
@@ -37,36 +38,28 @@ func NewSendMigrationDataWithDefaults() *SendMigrationData { return &this } -// GetDestinationUrl returns the DestinationUrl field value if set, zero value otherwise. +// GetDestinationUrl returns the DestinationUrl field value func (o *SendMigrationData) GetDestinationUrl() string { - if o == nil || o.DestinationUrl == nil { + if o == nil { var ret string return ret } - return *o.DestinationUrl + + return o.DestinationUrl } -// GetDestinationUrlOk returns a tuple with the DestinationUrl field value if set, nil otherwise +// GetDestinationUrlOk returns a tuple with the DestinationUrl field value // and a boolean to check if the value has been set. func (o *SendMigrationData) GetDestinationUrlOk() (*string, bool) { - if o == nil || o.DestinationUrl == nil { + if o == nil { return nil, false } - return o.DestinationUrl, true + return &o.DestinationUrl, true } -// HasDestinationUrl returns a boolean if a field has been set. -func (o *SendMigrationData) HasDestinationUrl() bool { - if o != nil && o.DestinationUrl != nil { - return true - } - - return false -} - -// SetDestinationUrl gets a reference to the given string and assigns it to the DestinationUrl field. +// SetDestinationUrl sets field value func (o *SendMigrationData) SetDestinationUrl(v string) { - o.DestinationUrl = &v + o.DestinationUrl = v } // GetLocal returns the Local field value if set, zero value otherwise. @@ -103,7 +96,7 @@ func (o *SendMigrationData) SetLocal(v bool) { func (o SendMigrationData) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} - if o.DestinationUrl != nil { + if true { toSerialize["destination_url"] = o.DestinationUrl } if o.Local != nil { diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml b/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml index c4dcae04c2..c9ecd399e6 100644 --- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml 
+++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml @@ -195,6 +195,8 @@ paths: application/json: schema: $ref: '#/components/schemas/PciDeviceInfo' + 204: + description: The new device was successfully (cold) added to the VM instance. 404: description: The new device could not be added to the VM instance. @@ -231,6 +233,8 @@ paths: application/json: schema: $ref: '#/components/schemas/PciDeviceInfo' + 204: + description: The new disk was successfully (cold) added to the VM instance. 500: description: The new disk could not be added to the VM instance. @@ -251,6 +255,8 @@ paths: application/json: schema: $ref: '#/components/schemas/PciDeviceInfo' + 204: + description: The new device was successfully (cold) added to the VM instance. 500: description: The new device could not be added to the VM instance. @@ -271,6 +277,8 @@ paths: application/json: schema: $ref: '#/components/schemas/PciDeviceInfo' + 204: + description: The new device was successfully (cold) added to the VM instance. 500: description: The new device could not be added to the VM instance. @@ -291,6 +299,8 @@ paths: application/json: schema: $ref: '#/components/schemas/PciDeviceInfo' + 204: + description: The new device was successfully (cold) added to the VM instance. 500: description: The new device could not be added to the VM instance. @@ -311,6 +321,8 @@ paths: application/json: schema: $ref: '#/components/schemas/PciDeviceInfo' + 204: + description: The new device was successfully (cold) added to the VM instance. 500: description: The new device could not be added to the VM instance. @@ -428,8 +440,7 @@ components: items: type: string pci_bdf: - type: integer - format: int32 + type: string VmCounters: type: object @@ -1055,12 +1066,16 @@ components: type: boolean ReceiveMigrationData: + required: + - receiver_url type: object properties: receiver_url: type: string SendMigrationData: + required: + - destination_url type: object properties: destination_url: 
diff --git a/src/runtime/virtcontainers/qemu_amd64.go b/src/runtime/virtcontainers/qemu_amd64.go index f3ae89b59c..ef1e16adbf 100644 --- a/src/runtime/virtcontainers/qemu_amd64.go +++ b/src/runtime/virtcontainers/qemu_amd64.go @@ -132,6 +132,11 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) { if err := q.enableProtection(); err != nil { return nil, err } + + if !q.qemuArchBase.disableNvdimm { + hvLogger.WithField("subsystem", "qemuAmd64").Warn("Nvdimm is not supported with confidential guest, disabling it.") + q.qemuArchBase.disableNvdimm = true + } } if config.SGXEPCSize != 0 { @@ -153,8 +158,9 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) { func (q *qemuAmd64) capabilities() types.Capabilities { var caps types.Capabilities - if q.qemuMachine.Type == QemuQ35 || - q.qemuMachine.Type == QemuVirt { + if (q.qemuMachine.Type == QemuQ35 || + q.qemuMachine.Type == QemuVirt) && + q.protection == noneProtection { caps.SetBlockDeviceHotplugSupport() } @@ -188,7 +194,11 @@ func (q *qemuAmd64) memoryTopology(memoryMb, hostMemoryMb uint64, slots uint8) g // Is Memory Hotplug supported by this architecture/machine type combination? func (q *qemuAmd64) supportGuestMemoryHotplug() bool { // true for all amd64 machine types except for microvm. - return q.qemuMachine.Type != govmmQemu.MachineTypeMicrovm + if q.qemuMachine.Type == govmmQemu.MachineTypeMicrovm { + return false + } + + return q.protection == noneProtection } func (q *qemuAmd64) appendImage(ctx context.Context, devices []govmmQemu.Device, path string) ([]govmmQemu.Device, error) { diff --git a/src/runtime/virtcontainers/qemu_arch_base.go b/src/runtime/virtcontainers/qemu_arch_base.go index b65cb61e3d..8820fd655e 100644 --- a/src/runtime/virtcontainers/qemu_arch_base.go +++ b/src/runtime/virtcontainers/qemu_arch_base.go 
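Review bot: The comment on supportGuestMemoryHotplug, `// true for all amd64 machine types except for microvm.`, is now wrong because the function also returns false whenever guest protection is enabled; update it to `// true for all amd64 machine types except for microvm, and only when no guest protection is enabled.`. The nvdimm-disabling block added in newQemuArch is repeated verbatim, apart from the subsystem field, in the qemu_ppc64le.go and qemu_s390x.go hunks of this commit; a small helper on qemuArchBase that logs and sets disableNvdimm would keep the three in step when the message or condition changes. newQemuArch begins outside this hunk.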
@@ -277,7 +277,9 @@ func (q *qemuArchBase) kernelParameters(debug bool) []Param { func (q *qemuArchBase) capabilities() types.Capabilities { var caps types.Capabilities - caps.SetBlockDeviceHotplugSupport() + if q.protection == noneProtection { + caps.SetBlockDeviceHotplugSupport() + } caps.SetMultiQueueSupport() caps.SetFsSharingSupport() return caps @@ -690,7 +692,7 @@ func (q *qemuArchBase) handleImagePath(config HypervisorConfig) { } func (q *qemuArchBase) supportGuestMemoryHotplug() bool { - return true + return q.protection == noneProtection } func (q *qemuArchBase) setIgnoreSharedMemoryMigrationCaps(ctx context.Context, qmp *govmmQemu.QMP) error { diff --git a/src/runtime/virtcontainers/qemu_ppc64le.go b/src/runtime/virtcontainers/qemu_ppc64le.go index f78ed24297..93c11416ce 100644 --- a/src/runtime/virtcontainers/qemu_ppc64le.go +++ b/src/runtime/virtcontainers/qemu_ppc64le.go @@ -83,6 +83,11 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) { if err := q.enableProtection(); err != nil { return nil, err } + + if !q.qemuArchBase.disableNvdimm { + hvLogger.WithField("subsystem", "qemuPPC64le").Warn("Nvdimm is not supported with confidential guest, disabling it.") + q.qemuArchBase.disableNvdimm = true + } } q.handleImagePath(config) @@ -96,7 +101,8 @@ func (q *qemuPPC64le) capabilities() types.Capabilities { var caps types.Capabilities // pseries machine type supports hotplugging drives - if q.qemuMachine.Type == QemuPseries { + if q.qemuMachine.Type == QemuPseries && + q.protection == noneProtection { caps.SetBlockDeviceHotplugSupport() } diff --git a/src/runtime/virtcontainers/qemu_s390x.go b/src/runtime/virtcontainers/qemu_s390x.go index aeddb982af..77b6f440b1 100644 --- a/src/runtime/virtcontainers/qemu_s390x.go +++ b/src/runtime/virtcontainers/qemu_s390x.go 
@@ -77,6 +77,11 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) { if err := q.enableProtection(); err != nil { return nil, err } + + if !q.qemuArchBase.disableNvdimm { + hvLogger.WithField("subsystem", "qemuS390x").Warn("Nvdimm is not supported with confidential guest, disabling it.") + q.qemuArchBase.disableNvdimm = true + } } if config.ImagePath != "" { diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 1864140e1e..2a215726b9 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -28,6 +28,8 @@ readonly shimv2_builder="${static_build_dir}/shim-v2/build.sh" readonly rootfs_builder="${repo_root_dir}/tools/packaging/guest-image/build_image.sh" +ARCH=$(uname -m) + workdir="${WORKDIR:-$PWD}" destdir="${workdir}/kata-static" @@ -125,7 +127,9 @@ install_firecracker() { # Install static cloud-hypervisor asset install_clh() { - export extra_build_args="--features tdx" + if [[ "${ARCH}" == "x86_64" ]]; then + export features="tdx" + fi info "build static cloud-hypervisor" "${clh_builder}" diff --git a/tools/packaging/static-build/cloud-hypervisor/build-static-clh.sh b/tools/packaging/static-build/cloud-hypervisor/build-static-clh.sh index 61a0824ebb..1f49abcaa4 100755 --- a/tools/packaging/static-build/cloud-hypervisor/build-static-clh.sh +++ b/tools/packaging/static-build/cloud-hypervisor/build-static-clh.sh 
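Review bot: On non-x86_64 hosts install_clh leaves `features` untouched, so a value inherited from the caller's environment is still exported to the child and build-static-clh.sh (the next hunk) passes it through `--features "${features}"`; adding `else` / `unset features` before the `fi` makes the feature set depend only on this script's decision. The old code had the same exposure through extra_build_args, but the new name is generic enough to collide with unrelated environment variables more easily. If these scripts run with `set -u` (not visible here), `[ -n "${features}" ]` in build-static-clh.sh would also abort on an unset variable, so `${features:-}` there is the safer form either way.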
@@ -52,9 +52,9 @@ build_clh_from_source() { pushd "${repo_dir}" git fetch || true git checkout "${cloud_hypervisor_version}" - if [ -n "${extra_build_args}" ]; then - info "Build cloud-hypervisor with extra args: ${extra_build_args}" - ./scripts/dev_cli.sh build --release --libc musl -- ${extra_build_args} + if [ -n "${features}" ]; then + info "Build cloud-hypervisor enabling the following features: ${features}" + ./scripts/dev_cli.sh build --release --libc musl --features "${features}" else ./scripts/dev_cli.sh build --release --libc musl fi diff --git a/versions.yaml b/versions.yaml index 84463db8ef..c1b10ce893 100644 --- a/versions.yaml +++ b/versions.yaml @@ -75,7 +75,7 @@ assets: url: "https://github.com/cloud-hypervisor/cloud-hypervisor" uscan-url: >- https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz - version: "55479a64d237d4c757dba19a696abefd27ec74fd" + version: "5343e09e7b8dbd5dd8ac0d90a3ad52037490dd86" firecracker: description: "Firecracker micro-VMM"