From 540a2a7fb1875fa36b7f87c709d762ad79c30d06 Mon Sep 17 00:00:00 2001 From: Hyounggyu Choi Date: Mon, 18 Dec 2023 16:17:09 +0100 Subject: [PATCH] runtime: Allow no initrd path for IBM Z Secure Execution This is to reintroduce a configuration rule for IBM Z Secure Execution, where no initrd path should be configured. For the TEE of interest, only a kernel image should be specified with `confidential_guest=true`. Fixes: #8692 Signed-off-by: Hyounggyu Choi --- src/runtime/virtcontainers/hypervisor.go | 6 ++++++ src/runtime/virtcontainers/qemu.go | 6 +++++- src/runtime/virtcontainers/types/asset.go | 4 ++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go index 7c16064e1f..fa307bbbb8 100644 --- a/src/runtime/virtcontainers/hypervisor.go +++ b/src/runtime/virtcontainers/hypervisor.go @@ -747,6 +747,12 @@ func (conf *HypervisorConfig) ImageOrInitrdAssetPath() (string, types.AssetType, return initrd, types.InitrdAsset, nil } + // Even if neither image nor initrd are set, we still need to return + // if we are running a confidential guest on QemuCCWVirtio. (IBM Z Secure Execution) + if conf.ConfidentialGuest && conf.HypervisorMachineType == QemuCCWVirtio { + return "", types.SecureBootAsset, nil + } + return "", types.UnkownAsset, fmt.Errorf("one of image and initrd must be set") } diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go index 57c529058f..96b004533e 100644 --- a/src/runtime/virtcontainers/qemu.go +++ b/src/runtime/virtcontainers/qemu.go @@ -422,9 +422,13 @@ func (q *qemu) buildDevices(ctx context.Context, kernelPath string) ([]govmmQemu if err != nil { return nil, nil, nil, err } - } else { + } else if assetType == types.InitrdAsset { // InitrdAsset, need to set kernel initrd path kernel.InitrdPath = assetPath + } else if assetType == types.SecureBootAsset { + // SecureBootAsset, no need to set image or initrd path + q.Logger().Info("For IBM Z Secure Execution, initrd path should not be set") + kernel.InitrdPath = "" } if q.config.IOMMU { diff --git a/src/runtime/virtcontainers/types/asset.go b/src/runtime/virtcontainers/types/asset.go index 6cad7dd335..8aae9785bf 100644 --- a/src/runtime/virtcontainers/types/asset.go +++ b/src/runtime/virtcontainers/types/asset.go @@ -28,6 +28,10 @@ const ( // InitrdAsset is an initrd asset. InitrdAsset AssetType = "initrd" + // SecureBootAsset is a secure boot asset. + // (IBM Z Secure Execution only) + SecureBootAsset AssetType = "secure_boot" + // HypervisorAsset is an hypervisor asset. HypervisorAsset AssetType = "hypervisor"