Merge pull request #3771 from fidencio/wip/clh-tdx

clh: Add TDX support

src/runtime/config/configuration-clh.toml.in

@@ -15,6 +15,33 @@ path = "@CLHPATH@"
 kernel = "@KERNELPATH_CLH@"
 image = "@IMAGEPATH@"
 
+# Enable confidential guest support.
+# Toggling that setting may trigger different hardware features, ranging
+# from memory encryption to both memory and CPU-state encryption and integrity.
+# The Kata Containers runtime dynamically detects the available feature set and
+# aims at enabling the largest possible one.
+#
+# Known limitations:
+# * Does not work by design:
+#   - CPU Hotplug 
+#   - Device Hotplug
+#   - Memory Hotplug
+#   - NVDIMM devices
+#
+# Default false
+# confidential_guest = true
+
+# Path to the firmware.
+# If you want Cloud Hypervisor to use a specific firmware, set its path below.
+# This is option is only used when confidential_guest is enabled.
+#
+# For more information about firmwared that can be used with specific TEEs,
+# please, refer to:
+# * TDX:
+#   - td-shim: https://github.com/confidential-containers/td-shim
+#
+# firmware = "@FIRMWAREPATH@"
+
 # List of valid annotation names for the hypervisor
 # Each member of the list is a regular expression, which is the base name
 # of the annotation, e.g. "path" for io.katacontainers.config.hypervisor.path"

src/runtime/config/configuration-qemu.toml.in

@@ -21,6 +21,14 @@ machine_type = "@MACHINETYPE@"
 # from memory encryption to both memory and CPU-state encryption and integrity.
 # The Kata Containers runtime dynamically detects the available feature set and
 # aims at enabling the largest possible one.
+#
+# Known limitations:
+# * Does not work by design:
+#   - CPU Hotplug 
+#   - Device Hotplug
+#   - Memory Hotplug
+#   - NVDIMM devices
+#
 # Default false
 # confidential_guest = true
 
@@ -279,6 +287,9 @@ pflashes = []
 
 # If false and nvdimm is supported, use nvdimm device to plug guest image.
 # Otherwise virtio-block device is used.
+#
+# nvdimm is not supported when `confidential_guest = true`.
+#
 # Default is false
 #disable_image_nvdimm = true
 

src/runtime/pkg/katautils/config.go

@@ -877,6 +877,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		SGXEPCSize:              defaultSGXEPCSize,
 		EnableAnnotations:       h.EnableAnnotations,
 		DisableSeccomp:          h.DisableSeccomp,
+		ConfidentialGuest:       h.ConfidentialGuest,
 	}, nil
 }
 

src/runtime/virtcontainers/clh.go

@@ -171,12 +171,9 @@ type cloudHypervisor struct {
 }
 
 var clhKernelParams = []Param{
-	{"root", "/dev/pmem0p1"},
 	{"panic", "1"},         // upon kernel panic wait 1 second before reboot
 	{"no_timer_check", ""}, // do not Check broken timer IRQ resources
 	{"noreplace-smp", ""},  // do not replace SMP instructions
-	{"rootflags", "dax,data=ordered,errors=remount-ro ro"}, // mount the root filesystem as readonly
-	{"rootfstype", "ext4"},
 }
 
 var clhDebugKernelParams = []Param{
@@ -205,6 +202,34 @@ func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) {
 	return utils.BuildSocketPath(clh.config.VMStorePath, id, nydusdAPISock)
 }
 
+func (clh *cloudHypervisor) enableProtection() error {
+	protection, err := availableGuestProtection()
+	if err != nil {
+		return err
+	}
+
+	switch protection {
+	case tdxProtection:
+		firmwarePath, err := clh.config.FirmwareAssetPath()
+		if err != nil {
+			return err
+		}
+
+		if firmwarePath == "" {
+			return errors.New("Firmware path is not specified")
+		}
+
+		clh.vmconfig.Tdx = chclient.NewTdxConfig(firmwarePath)
+		return nil
+
+	case sevProtection:
+		return errors.New("SEV protection is not supported by Cloud Hypervisor")
+
+	default:
+		return errors.New("This system doesn't support Confidentian Computing (Guest Protection)")
+	}
+}
+
 // For cloudHypervisor this call only sets the internal structure up.
 // The VM will be created and started through StartVM().
 func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Network, hypervisorConfig *HypervisorConfig) error {
@@ -251,23 +276,35 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net
 	// Create the VM config via the constructor to ensure default values are properly assigned
 	clh.vmconfig = *chclient.NewVmConfig(*chclient.NewKernelConfig(kernelPath))
 
+	if clh.config.ConfidentialGuest {
+		if err := clh.enableProtection(); err != nil {
+			return err
+		}
+	}
+
 	// Create the VM memory config via the constructor to ensure default values are properly assigned
 	clh.vmconfig.Memory = chclient.NewMemoryConfig(int64((utils.MemUnit(clh.config.MemorySize) * utils.MiB).ToBytes()))
 	// shared memory should be enabled if using vhost-user(kata uses virtiofsd)
 	clh.vmconfig.Memory.Shared = func(b bool) *bool { return &b }(true)
 	// Enable hugepages if needed
 	clh.vmconfig.Memory.Hugepages = func(b bool) *bool { return &b }(clh.config.HugePages)
+	if !clh.config.ConfidentialGuest {
 		hostMemKb, err := GetHostMemorySizeKb(procMemInfo)
 		if err != nil {
 			return nil
 		}
 		// OpenAPI only supports int64 values
 		clh.vmconfig.Memory.HotplugSize = func(i int64) *int64 { return &i }(int64((utils.MemUnit(hostMemKb) * utils.KiB).ToBytes()))
+	}
 	// Set initial amount of cpu's for the virtual machine
 	clh.vmconfig.Cpus = chclient.NewCpusConfig(int32(clh.config.NumVCPUs), int32(clh.config.DefaultMaxVCPUs))
 
 	// First take the default parameters defined by this driver
-	params := clhKernelParams
+	params := commonNvdimmKernelRootParams
+	if clh.config.ConfidentialGuest {
+		params = commonVirtioblkKernelRootParams
+	}
+	params = append(params, clhKernelParams...)
 
 	// Followed by extra debug parameters if debug enabled in configuration file
 	if clh.config.Debug {
@@ -291,12 +328,17 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net
 		return err
 	}
 
-	initrdPath, err := clh.config.InitrdAssetPath()
-	if err != nil {
-		return err
-	}
-
 	if imagePath != "" {
+		if clh.config.ConfidentialGuest {
+			disk := chclient.NewDiskConfig(imagePath)
+			disk.SetReadonly(true)
+
+			if clh.vmconfig.Disks != nil {
+				*clh.vmconfig.Disks = append(*clh.vmconfig.Disks, *disk)
+			} else {
+				clh.vmconfig.Disks = &[]chclient.DiskConfig{*disk}
+			}
+		} else {
 			pmem := chclient.NewPmemConfig(imagePath)
 			*pmem.DiscardWrites = true
 
@@ -305,12 +347,16 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net
 			} else {
 				clh.vmconfig.Pmem = &[]chclient.PmemConfig{*pmem}
 			}
-	} else if initrdPath != "" {
+		}
+	} else {
+		initrdPath, err := clh.config.InitrdAssetPath()
+		if err != nil {
+			return err
+		}
+
 		initrd := chclient.NewInitramfsConfig(initrdPath)
 
 		clh.vmconfig.SetInitramfs(*initrd)
-	} else {
-		return errors.New("no image or initrd specified")
 	}
 
 	// Use serial port as the guest console only in debug mode,
@@ -589,6 +635,10 @@ func (clh *cloudHypervisor) HotplugAddDevice(ctx context.Context, devInfo interf
 	span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugAddDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id})
 	defer span.End()
 
+	if clh.config.ConfidentialGuest {
+		return nil, errors.New("Device hotplug addition is not supported in confidential mode")
+	}
+
 	switch devType {
 	case BlockDev:
 		drive := devInfo.(*config.BlockDrive)
@@ -606,6 +656,10 @@ func (clh *cloudHypervisor) HotplugRemoveDevice(ctx context.Context, devInfo int
 	span, _ := katatrace.Trace(ctx, clh.Logger(), "HotplugRemoveDevice", clhTracingTags, map[string]string{"sandbox_id": clh.id})
 	defer span.End()
 
+	if clh.config.ConfidentialGuest {
+		return nil, errors.New("Device hotplug addition is not supported in confidential mode")
+	}
+
 	var deviceID string
 
 	switch devType {
@@ -860,7 +914,9 @@ func (clh *cloudHypervisor) Capabilities(ctx context.Context) types.Capabilities
 	clh.Logger().WithField("function", "Capabilities").Info("get Capabilities")
 	var caps types.Capabilities
 	caps.SetFsSharingSupport()
+	if !clh.config.ConfidentialGuest {
 		caps.SetBlockDeviceHotplugSupport()
+	}
 	return caps
 }
 

src/runtime/virtcontainers/hypervisor.go

@@ -564,6 +564,11 @@ func (conf *HypervisorConfig) Valid() error {
 		conf.DefaultMaxVCPUs = defaultMaxVCPUs
 	}
 
+	if conf.ConfidentialGuest && conf.NumVCPUs != conf.DefaultMaxVCPUs {
+		hvLogger.Warnf("Confidential guests do not support hotplugging of vCPUs. Setting DefaultMaxVCPUs to NumVCPUs (%d)", conf.NumVCPUs)
+		conf.DefaultMaxVCPUs = conf.NumVCPUs
+	}
+
 	if conf.Msize9p == 0 && conf.SharedFS != config.VirtioFS {
 		conf.Msize9p = defaultMsize9p
 	}

src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml

@@ -181,6 +181,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
           description: The new device was successfully added to the VM instance.
+        "204":
+          description: The new device was successfully (cold) added to the VM instance.
         "404":
           description: The new device could not be added to the VM instance.
       summary: Add a new device to the VM
@@ -215,6 +217,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
           description: The new disk was successfully added to the VM instance.
+        "204":
+          description: The new disk was successfully (cold) added to the VM instance.
         "500":
           description: The new disk could not be added to the VM instance.
       summary: Add a new disk to the VM
@@ -234,6 +238,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
           description: The new device was successfully added to the VM instance.
+        "204":
+          description: The new device was successfully (cold) added to the VM instance.
         "500":
           description: The new device could not be added to the VM instance.
       summary: Add a new virtio-fs device to the VM
@@ -253,6 +259,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
           description: The new device was successfully added to the VM instance.
+        "204":
+          description: The new device was successfully (cold) added to the VM instance.
         "500":
           description: The new device could not be added to the VM instance.
       summary: Add a new pmem device to the VM
@@ -272,6 +280,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
           description: The new device was successfully added to the VM instance.
+        "204":
+          description: The new device was successfully (cold) added to the VM instance.
         "500":
           description: The new device could not be added to the VM instance.
       summary: Add a new network device to the VM
@@ -291,6 +301,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
           description: The new device was successfully added to the VM instance.
+        "204":
+          description: The new device was successfully (cold) added to the VM instance.
         "500":
           description: The new device could not be added to the VM instance.
       summary: Add a new vsock device to the VM
@@ -632,7 +644,7 @@ components:
             children:
             - children
             - children
-            pci_bdf: 3
+            pci_bdf: pci_bdf
             resources:
             - '{}'
             - '{}'
@@ -663,7 +675,7 @@ components:
         children:
         - children
         - children
-        pci_bdf: 3
+        pci_bdf: pci_bdf
         resources:
         - '{}'
         - '{}'
@@ -680,8 +692,7 @@ components:
             type: string
           type: array
         pci_bdf:
-          format: int32
+          type: string
-          type: integer
       type: object
     VmCounters:
       additionalProperties:
@@ -1757,6 +1768,8 @@ components:
       properties:
         receiver_url:
           type: string
+      required:
+      - receiver_url
       type: object
     SendMigrationData:
       example:
@@ -1767,4 +1780,6 @@ components:
           type: string
         local:
           type: boolean
+      required:
+      - destination_url
       type: object

src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DefaultApi.md

@@ -1071,7 +1071,7 @@ import (
 )
 
 func main() {
-    receiveMigrationData := *openapiclient.NewReceiveMigrationData() // ReceiveMigrationData | The URL for the reception of migration state
+    receiveMigrationData := *openapiclient.NewReceiveMigrationData("ReceiverUrl_example") // ReceiveMigrationData | The URL for the reception of migration state
 
     configuration := openapiclient.NewConfiguration()
     api_client := openapiclient.NewAPIClient(configuration)
@@ -1381,7 +1381,7 @@ import (
 )
 
 func main() {
-    sendMigrationData := *openapiclient.NewSendMigrationData() // SendMigrationData | The URL for sending the migration state
+    sendMigrationData := *openapiclient.NewSendMigrationData("DestinationUrl_example") // SendMigrationData | The URL for sending the migration state
 
     configuration := openapiclient.NewConfiguration()
     api_client := openapiclient.NewAPIClient(configuration)

src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DeviceNode.md

@@ -7,7 +7,7 @@ Name | Type | Description | Notes
 **Id** | Pointer to **string** |  | [optional] 
 **Resources** | Pointer to **[]map[string]interface{}** |  | [optional] 
 **Children** | Pointer to **[]string** |  | [optional] 
-**PciBdf** | Pointer to **int32** |  | [optional] 
+**PciBdf** | Pointer to **string** |  | [optional] 
 
 ## Methods
 
@@ -105,20 +105,20 @@ HasChildren returns a boolean if a field has been set.
 
 ### GetPciBdf
 
-`func (o *DeviceNode) GetPciBdf() int32`
+`func (o *DeviceNode) GetPciBdf() string`
 
 GetPciBdf returns the PciBdf field if non-nil, zero value otherwise.
 
 ### GetPciBdfOk
 
-`func (o *DeviceNode) GetPciBdfOk() (*int32, bool)`
+`func (o *DeviceNode) GetPciBdfOk() (*string, bool)`
 
 GetPciBdfOk returns a tuple with the PciBdf field if it's non-nil, zero value otherwise
 and a boolean to check if the value has been set.
 
 ### SetPciBdf
 
-`func (o *DeviceNode) SetPciBdf(v int32)`
+`func (o *DeviceNode) SetPciBdf(v string)`
 
 SetPciBdf sets PciBdf field to given value.
 

src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/ReceiveMigrationData.md

@@ -4,13 +4,13 @@
 
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
-**ReceiverUrl** | Pointer to **string** |  | [optional] 
+**ReceiverUrl** | **string** |  | 
 
 ## Methods
 
 ### NewReceiveMigrationData
 
-`func NewReceiveMigrationData() *ReceiveMigrationData`
+`func NewReceiveMigrationData(receiverUrl string, ) *ReceiveMigrationData`
 
 NewReceiveMigrationData instantiates a new ReceiveMigrationData object
 This constructor will assign default values to properties that have it defined,
@@ -44,11 +44,6 @@ and a boolean to check if the value has been set.
 
 SetReceiverUrl sets ReceiverUrl field to given value.
 
-### HasReceiverUrl
-
-`func (o *ReceiveMigrationData) HasReceiverUrl() bool`
-
-HasReceiverUrl returns a boolean if a field has been set.
 
 
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)

src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/SendMigrationData.md

@@ -4,14 +4,14 @@
 
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
-**DestinationUrl** | Pointer to **string** |  | [optional] 
+**DestinationUrl** | **string** |  | 
 **Local** | Pointer to **bool** |  | [optional] 
 
 ## Methods
 
 ### NewSendMigrationData
 
-`func NewSendMigrationData() *SendMigrationData`
+`func NewSendMigrationData(destinationUrl string, ) *SendMigrationData`
 
 NewSendMigrationData instantiates a new SendMigrationData object
 This constructor will assign default values to properties that have it defined,
@@ -45,11 +45,6 @@ and a boolean to check if the value has been set.
 
 SetDestinationUrl sets DestinationUrl field to given value.
 
-### HasDestinationUrl
-
-`func (o *SendMigrationData) HasDestinationUrl() bool`
-
-HasDestinationUrl returns a boolean if a field has been set.
 
 ### GetLocal
 

src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_device_node.go

@@ -19,7 +19,7 @@ type DeviceNode struct {
 	Id        *string                   `json:"id,omitempty"`
 	Resources *[]map[string]interface{} `json:"resources,omitempty"`
 	Children  *[]string                 `json:"children,omitempty"`
-	PciBdf    *int32                    `json:"pci_bdf,omitempty"`
+	PciBdf    *string                   `json:"pci_bdf,omitempty"`
 }
 
 // NewDeviceNode instantiates a new DeviceNode object
@@ -136,9 +136,9 @@ func (o *DeviceNode) SetChildren(v []string) {
 }
 
 // GetPciBdf returns the PciBdf field value if set, zero value otherwise.
-func (o *DeviceNode) GetPciBdf() int32 {
+func (o *DeviceNode) GetPciBdf() string {
 	if o == nil || o.PciBdf == nil {
-		var ret int32
+		var ret string
 		return ret
 	}
 	return *o.PciBdf
@@ -146,7 +146,7 @@ func (o *DeviceNode) GetPciBdf() int32 {
 
 // GetPciBdfOk returns a tuple with the PciBdf field value if set, nil otherwise
 // and a boolean to check if the value has been set.
-func (o *DeviceNode) GetPciBdfOk() (*int32, bool) {
+func (o *DeviceNode) GetPciBdfOk() (*string, bool) {
 	if o == nil || o.PciBdf == nil {
 		return nil, false
 	}
@@ -162,8 +162,8 @@ func (o *DeviceNode) HasPciBdf() bool {
 	return false
 }
 
-// SetPciBdf gets a reference to the given int32 and assigns it to the PciBdf field.
+// SetPciBdf gets a reference to the given string and assigns it to the PciBdf field.
-func (o *DeviceNode) SetPciBdf(v int32) {
+func (o *DeviceNode) SetPciBdf(v string) {
 	o.PciBdf = &v
 }
 

src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_receive_migration_data.go

@@ -16,15 +16,16 @@ import (
 
 // ReceiveMigrationData struct for ReceiveMigrationData
 type ReceiveMigrationData struct {
-	ReceiverUrl *string `json:"receiver_url,omitempty"`
+	ReceiverUrl string `json:"receiver_url"`
 }
 
 // NewReceiveMigrationData instantiates a new ReceiveMigrationData object
 // This constructor will assign default values to properties that have it defined,
 // and makes sure properties required by API are set, but the set of arguments
 // will change when the set of required properties is changed
-func NewReceiveMigrationData() *ReceiveMigrationData {
+func NewReceiveMigrationData(receiverUrl string) *ReceiveMigrationData {
 	this := ReceiveMigrationData{}
+	this.ReceiverUrl = receiverUrl
 	return &this
 }
 
@@ -36,41 +37,33 @@ func NewReceiveMigrationDataWithDefaults() *ReceiveMigrationData {
 	return &this
 }
 
-// GetReceiverUrl returns the ReceiverUrl field value if set, zero value otherwise.
+// GetReceiverUrl returns the ReceiverUrl field value
 func (o *ReceiveMigrationData) GetReceiverUrl() string {
-	if o == nil || o.ReceiverUrl == nil {
+	if o == nil {
 		var ret string
 		return ret
 	}
-	return *o.ReceiverUrl
+
+	return o.ReceiverUrl
 }
 
-// GetReceiverUrlOk returns a tuple with the ReceiverUrl field value if set, nil otherwise
+// GetReceiverUrlOk returns a tuple with the ReceiverUrl field value
 // and a boolean to check if the value has been set.
 func (o *ReceiveMigrationData) GetReceiverUrlOk() (*string, bool) {
-	if o == nil || o.ReceiverUrl == nil {
+	if o == nil {
 		return nil, false
 	}
-	return o.ReceiverUrl, true
+	return &o.ReceiverUrl, true
 }
 
-// HasReceiverUrl returns a boolean if a field has been set.
+// SetReceiverUrl sets field value
-func (o *ReceiveMigrationData) HasReceiverUrl() bool {
-	if o != nil && o.ReceiverUrl != nil {
-		return true
-	}
-
-	return false
-}
-
-// SetReceiverUrl gets a reference to the given string and assigns it to the ReceiverUrl field.
 func (o *ReceiveMigrationData) SetReceiverUrl(v string) {
-	o.ReceiverUrl = &v
+	o.ReceiverUrl = v
 }
 
 func (o ReceiveMigrationData) MarshalJSON() ([]byte, error) {
 	toSerialize := map[string]interface{}{}
-	if o.ReceiverUrl != nil {
+	if true {
 		toSerialize["receiver_url"] = o.ReceiverUrl
 	}
 	return json.Marshal(toSerialize)

src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_send_migration_data.go

@@ -16,7 +16,7 @@ import (
 
 // SendMigrationData struct for SendMigrationData
 type SendMigrationData struct {
-	DestinationUrl *string `json:"destination_url,omitempty"`
+	DestinationUrl string `json:"destination_url"`
 	Local          *bool  `json:"local,omitempty"`
 }
 
@@ -24,8 +24,9 @@ type SendMigrationData struct {
 // This constructor will assign default values to properties that have it defined,
 // and makes sure properties required by API are set, but the set of arguments
 // will change when the set of required properties is changed
-func NewSendMigrationData() *SendMigrationData {
+func NewSendMigrationData(destinationUrl string) *SendMigrationData {
 	this := SendMigrationData{}
+	this.DestinationUrl = destinationUrl
 	return &this
 }
 
@@ -37,36 +38,28 @@ func NewSendMigrationDataWithDefaults() *SendMigrationData {
 	return &this
 }
 
-// GetDestinationUrl returns the DestinationUrl field value if set, zero value otherwise.
+// GetDestinationUrl returns the DestinationUrl field value
 func (o *SendMigrationData) GetDestinationUrl() string {
-	if o == nil || o.DestinationUrl == nil {
+	if o == nil {
 		var ret string
 		return ret
 	}
-	return *o.DestinationUrl
+
+	return o.DestinationUrl
 }
 
-// GetDestinationUrlOk returns a tuple with the DestinationUrl field value if set, nil otherwise
+// GetDestinationUrlOk returns a tuple with the DestinationUrl field value
 // and a boolean to check if the value has been set.
 func (o *SendMigrationData) GetDestinationUrlOk() (*string, bool) {
-	if o == nil || o.DestinationUrl == nil {
+	if o == nil {
 		return nil, false
 	}
-	return o.DestinationUrl, true
+	return &o.DestinationUrl, true
 }
 
-// HasDestinationUrl returns a boolean if a field has been set.
+// SetDestinationUrl sets field value
-func (o *SendMigrationData) HasDestinationUrl() bool {
-	if o != nil && o.DestinationUrl != nil {
-		return true
-	}
-
-	return false
-}
-
-// SetDestinationUrl gets a reference to the given string and assigns it to the DestinationUrl field.
 func (o *SendMigrationData) SetDestinationUrl(v string) {
-	o.DestinationUrl = &v
+	o.DestinationUrl = v
 }
 
 // GetLocal returns the Local field value if set, zero value otherwise.
@@ -103,7 +96,7 @@ func (o *SendMigrationData) SetLocal(v bool) {
 
 func (o SendMigrationData) MarshalJSON() ([]byte, error) {
 	toSerialize := map[string]interface{}{}
-	if o.DestinationUrl != nil {
+	if true {
 		toSerialize["destination_url"] = o.DestinationUrl
 	}
 	if o.Local != nil {

src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml

@@ -195,6 +195,8 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
+        204:
+          description: The new device was successfully (cold) added to the VM instance.
         404:
           description: The new device could not be added to the VM instance.
 
@@ -231,6 +233,8 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
+        204:
+          description: The new disk was successfully (cold) added to the VM instance.
         500:
           description: The new disk could not be added to the VM instance.
 
@@ -251,6 +255,8 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
+        204:
+          description: The new device was successfully (cold) added to the VM instance.
         500:
           description: The new device could not be added to the VM instance.
 
@@ -271,6 +277,8 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
+        204:
+          description: The new device was successfully (cold) added to the VM instance.
         500:
           description: The new device could not be added to the VM instance.
 
@@ -291,6 +299,8 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
+        204:
+          description: The new device was successfully (cold) added to the VM instance.
         500:
           description: The new device could not be added to the VM instance.
 
@@ -311,6 +321,8 @@ paths:
             application/json:
               schema:
                 $ref: '#/components/schemas/PciDeviceInfo'
+        204:
+          description: The new device was successfully (cold) added to the VM instance.
         500:
           description: The new device could not be added to the VM instance.
 
@@ -428,8 +440,7 @@ components:
           items:
             type: string
         pci_bdf:
-          type: integer
+          type: string
-          format: int32
 
     VmCounters:
       type: object
@@ -1055,12 +1066,16 @@ components:
           type: boolean
 
     ReceiveMigrationData:
+      required:
+      - receiver_url
       type: object
       properties:
         receiver_url:
           type: string
 
     SendMigrationData:
+      required:
+      - destination_url
       type: object
       properties:
         destination_url:

src/runtime/virtcontainers/qemu_amd64.go

@@ -132,6 +132,11 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 		if err := q.enableProtection(); err != nil {
 			return nil, err
 		}
+
+		if !q.qemuArchBase.disableNvdimm {
+			hvLogger.WithField("subsystem", "qemuAmd64").Warn("Nvdimm is not supported with confidential guest, disabling it.")
+			q.qemuArchBase.disableNvdimm = true
+		}
 	}
 
 	if config.SGXEPCSize != 0 {
@@ -153,8 +158,9 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 func (q *qemuAmd64) capabilities() types.Capabilities {
 	var caps types.Capabilities
 
-	if q.qemuMachine.Type == QemuQ35 ||
+	if (q.qemuMachine.Type == QemuQ35 ||
-		q.qemuMachine.Type == QemuVirt {
+		q.qemuMachine.Type == QemuVirt) &&
+		q.protection == noneProtection {
 		caps.SetBlockDeviceHotplugSupport()
 	}
 
@@ -188,7 +194,11 @@ func (q *qemuAmd64) memoryTopology(memoryMb, hostMemoryMb uint64, slots uint8) g
 // Is Memory Hotplug supported by this architecture/machine type combination?
 func (q *qemuAmd64) supportGuestMemoryHotplug() bool {
 	// true for all amd64 machine types except for microvm.
-	return q.qemuMachine.Type != govmmQemu.MachineTypeMicrovm
+	if q.qemuMachine.Type == govmmQemu.MachineTypeMicrovm {
+		return false
+	}
+
+	return q.protection == noneProtection
 }
 
 func (q *qemuAmd64) appendImage(ctx context.Context, devices []govmmQemu.Device, path string) ([]govmmQemu.Device, error) {

src/runtime/virtcontainers/qemu_arch_base.go

@@ -277,7 +277,9 @@ func (q *qemuArchBase) kernelParameters(debug bool) []Param {
 
 func (q *qemuArchBase) capabilities() types.Capabilities {
 	var caps types.Capabilities
+	if q.protection == noneProtection {
 		caps.SetBlockDeviceHotplugSupport()
+	}
 	caps.SetMultiQueueSupport()
 	caps.SetFsSharingSupport()
 	return caps
@@ -690,7 +692,7 @@ func (q *qemuArchBase) handleImagePath(config HypervisorConfig) {
 }
 
 func (q *qemuArchBase) supportGuestMemoryHotplug() bool {
-	return true
+	return q.protection == noneProtection
 }
 
 func (q *qemuArchBase) setIgnoreSharedMemoryMigrationCaps(ctx context.Context, qmp *govmmQemu.QMP) error {

src/runtime/virtcontainers/qemu_ppc64le.go

@@ -83,6 +83,11 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 		if err := q.enableProtection(); err != nil {
 			return nil, err
 		}
+
+		if !q.qemuArchBase.disableNvdimm {
+			hvLogger.WithField("subsystem", "qemuPPC64le").Warn("Nvdimm is not supported with confidential guest, disabling it.")
+			q.qemuArchBase.disableNvdimm = true
+		}
 	}
 
 	q.handleImagePath(config)
@@ -96,7 +101,8 @@ func (q *qemuPPC64le) capabilities() types.Capabilities {
 	var caps types.Capabilities
 
 	// pseries machine type supports hotplugging drives
-	if q.qemuMachine.Type == QemuPseries {
+	if q.qemuMachine.Type == QemuPseries &&
+		q.protection == noneProtection {
 		caps.SetBlockDeviceHotplugSupport()
 	}
 

src/runtime/virtcontainers/qemu_s390x.go

@@ -77,6 +77,11 @@ func newQemuArch(config HypervisorConfig) (qemuArch, error) {
 		if err := q.enableProtection(); err != nil {
 			return nil, err
 		}
+
+		if !q.qemuArchBase.disableNvdimm {
+			hvLogger.WithField("subsystem", "qemuS390x").Warn("Nvdimm is not supported with confidential guest, disabling it.")
+			q.qemuArchBase.disableNvdimm = true
+		}
 	}
 
 	if config.ImagePath != "" {

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -28,6 +28,8 @@ readonly shimv2_builder="${static_build_dir}/shim-v2/build.sh"
 
 readonly rootfs_builder="${repo_root_dir}/tools/packaging/guest-image/build_image.sh"
 
+ARCH=$(uname -m)
+
 workdir="${WORKDIR:-$PWD}"
 
 destdir="${workdir}/kata-static"
@@ -125,7 +127,9 @@ install_firecracker() {
 
 # Install static cloud-hypervisor asset
 install_clh() {
-	export extra_build_args="--features tdx"
+	if [[ "${ARCH}" == "x86_64" ]]; then
+		export features="tdx"
+	fi
 
 	info "build static cloud-hypervisor"
 	"${clh_builder}"

tools/packaging/static-build/cloud-hypervisor/build-static-clh.sh

@@ -52,9 +52,9 @@ build_clh_from_source() {
     pushd "${repo_dir}"
     git fetch || true
     git checkout "${cloud_hypervisor_version}"
-    if [ -n "${extra_build_args}" ]; then
+    if [ -n "${features}" ]; then
-        info "Build cloud-hypervisor with extra args: ${extra_build_args}"
+        info "Build cloud-hypervisor enabling the following features: ${features}"
-        ./scripts/dev_cli.sh build --release --libc musl -- ${extra_build_args}
+        ./scripts/dev_cli.sh build --release --libc musl --features "${features}"
     else
         ./scripts/dev_cli.sh build --release --libc musl
     fi

versions.yaml

@@ -75,7 +75,7 @@ assets:
       url: "https://github.com/cloud-hypervisor/cloud-hypervisor"
       uscan-url: >-
         https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz
-      version: "55479a64d237d4c757dba19a696abefd27ec74fd"
+      version: "5343e09e7b8dbd5dd8ac0d90a3ad52037490dd86"
 
     firecracker:
       description: "Firecracker micro-VMM"