kernel: disable virtio RNG for confidential guests

The Linux CoCo x86 guest is hardened to ensure RDRAND provides enough
entropy to initialize the Linux RNG. A failure will panic the guest.

For confidential guests, any other RNG source is untrusted, so disable
them.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Mikko Ylinen 2025-05-09 16:10:07 +03:00
parent 96d922fc27
commit eb326477fc
2 changed files with 4 additions and 4 deletions


@ -0,0 +1,4 @@
# !confidential
# This is used by the s390 arch at least. Leave it on globally.
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_VIRTIO=y
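Review bot: the comment copied into this new fragment, "Leave it on globally", no longer holds once the fragment is gated by the `# !confidential` marker, and nothing explains what that marker means or why the two options are excluded for confidential guests. Suggest replacing the comment with one that states the intent, e.g. "Used by the s390 arch at least; kept for non-confidential guests only, since CoCo guests must get entropy from RDRAND", so that the next reader does not re-add these options to the common fragment.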


@ -10,10 +10,6 @@ CONFIG_VIRTIO_PCI=y
# Without this nested-VM Kata does not work (we have not worked out exactly why) # Without this nested-VM Kata does not work (we have not worked out exactly why)
CONFIG_VIRTIO_PCI_LEGACY=y CONFIG_VIRTIO_PCI_LEGACY=y
# This is used by the s390 arch at least. Leave it on globally.
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_VIRTIO=y
# FIXME - are we moving away from/choosing between SCSI and BLK support? # FIXME - are we moving away from/choosing between SCSI and BLK support?
# https://github.com/kata-containers/packaging/issues/483 # https://github.com/kata-containers/packaging/issues/483
CONFIG_SCSI=y CONFIG_SCSI=y
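Review bot: this hunk removes CONFIG_HW_RANDOM=y (the hwrng framework itself) from the common fragment, not only CONFIG_HW_RANDOM_VIRTIO=y, which goes beyond the subject line "disable virtio RNG". If dropping the whole hwrng framework from confidential guests is intended, the commit message should say so; otherwise keep CONFIG_HW_RANDOM=y here and move only CONFIG_HW_RANDOM_VIRTIO=y into the `!confidential` fragment. Also, the commit message justifies the change by x86 RDRAND hardening, but the new gating is by `!confidential`, not by arch, while the removed comment says s390 depends on these options; confirm that no non-x86 confidential build relies on them before merging.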