Commit Graph

1365 Commits

Author SHA1 Message Date
Saul Paredes
cdfc9fd2d9 agent: add feature flag to secure_mount method
This method is not used when guest-pull is not used.
Add a flag that prevents a compile error when building with rust version > 1.84.0 and not using guest-pull

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-06-13 11:25:58 -07:00
dependabot[bot]
1e6962e4a8 build(deps): bump the tracing group across 7 directories with 1 update
Bumps the tracing group with 1 update in the /src/dragonball directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/libs directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/agent-ctl directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/genpolicy directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/kata-ctl directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/runk directory: [tracing](https://github.com/tokio-rs/tracing).
Bumps the tracing group with 1 update in the /src/tools/trace-forwarder directory: [tracing](https://github.com/tokio-rs/tracing).


Updates `tracing` from 0.1.37 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.34 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.37 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.37 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.40 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.40 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

Updates `tracing` from 0.1.29 to 0.1.41
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-0.1.37...tracing-0.1.41)

---
updated-dependencies:
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
- dependency-name: tracing
  dependency-version: 0.1.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: tracing
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-06-12 15:45:35 +00:00
Ruoqing He
26c7f941aa versions: Bump rust to 1.85.1
As discussed in 2025-05-22's AC call, bump rust toolchian to 1.85.1.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
bd4d9cf67c agent: Fix clippy empty_line_after_doc_comments
Manually fix `empty_line_after_doc_comments` clippy warning reported by
rust 1.85.1.

```console
error: empty line after doc comment
  --> src/linux_abi.rs:8:1
   |
8  | / /// Linux ABI related constants.
9  | |
   | |_^
10 |   #[cfg(target_arch = "aarch64")]
11 |   use std::fs;
   |       ------- the comment documents this import
   |
   = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#empty_line_after_doc_comments
   = note: `-D clippy::empty-line-after-doc-comments` implied by `-D warnings`
   = help: to override `-D warnings` add `#[allow(clippy::empty_line_after_doc_comments)]`
   = help: if the empty line is unintentional remove it
```

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Ruoqing He
2ccb306c0b agent: Fix clippy precedence
Fix `precedence` clippy warning as suggested by rust 1.85.1.

```console
warning: operator precedence can trip the unwary
  --> src/pci.rs:54:19
   |
54 |         Ok(SlotFn(ss8 << FUNCTION_BITS | f8))
   |                   ^^^^^^^^^^^^^^^^^^^^^^^^^ help: consider parenthesizing your expression: `(ss8 << FUNCTION_BITS) | f8`
   |
   = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#precedence
```

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
048178bc5e agent: Fix clippy unnecessary_get_then_check
Manually fix `unnecessary_get_then_check` clippy warning as suggested by
rust 1.85.1.

```console
warning: unnecessary use of `get(&shared_mount.src_ctr).is_none()`
   --> src/sandbox.rs:431:25
    |
431 |             if src_ctrs.get(&shared_mount.src_ctr).is_none() {
    |                ---------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |                |
    |                help: replace it with: `!src_ctrs.contains_key(&shared_mount.src_ctr)`
    |
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#unnecessary_get_then_check
```

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
54ec432178 agent: Fix clippy partialeq_to_none
Fix `partialeq_to_none` clippy warning as suggested by rust 1.85.1.

```console
warning: binary comparison to literal `Option::None`
   --> src/sandbox.rs:431:16
    |
431 |             if src_ctrs.get(&shared_mount.src_ctr) == None {
    |                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ help: use `Option::is_none()` instead: `src_ctrs.get(&shared_mount.src_ctr).is_none()`
    |
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#partialeq_to_none
```

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
95dca31ecc agent: Fix clippy question_mark
Fix `question_mark` clippy warning as suggested by rust 1.85.1.

```console
warning: this `match` expression can be replaced with `?`
    --> rustjail/src/cgroups/fs/mod.rs:1327:20
     |
1327 |       let dev_type = match DeviceType::from_char(d.typ().as_str().chars().next()) {
     |  ____________________^
1328 | |         Some(t) => t,
1329 | |         None => return None,
1330 | |     };
     | |_____^ help: try instead: `DeviceType::from_char(d.typ().as_str().chars().next())?`
     |
     = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#question_mark
```

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
5a95a65604 agent: Fix clippy unnecessary_map_or
Fix `unnecessary_map_or` clippy warning as suggested by rust 1.85.1.

```console

warning: this `map_or` can be simplified
    --> rustjail/src/container.rs:1424:20
     |
1424 |                   if namespace
     |  ____________________^
1425 | |                     .path()
1426 | |                     .as_ref()
1427 | |                     .map_or(true, |p| p.as_os_str().is_empty())
     | |_______________________________________________________________^
     |
     = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#unnecessary_map_or
help: use is_none_or instead
     |
1424 ~                 if namespace
1425 +                     .path()
1426 +                     .as_ref().is_none_or(|p| p.as_os_str().is_empty())
     |
```

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
f9c76edd23 agent: Fix clippy manual_inspect
Manually fix `manual_inspect` clippy warning reported by rust 1.85.1.

```console
warning: using `map_err` over `inspect_err`
   --> rustjail/src/mount.rs:881:6
    |
881 |     .map_err(|e| {
    |      ^^^^^^^
    |
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#manual_inspect
help: try
    |
881 ~     .inspect_err(|&e| {
882 ~         log_child!(cfd_log, "mount error: {:?}", e);
    |
```

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
7ff34f00c2 agent: Fix clippy single_match
Fix `single_match` clippy warning as suggested by rust 1.85.1.

```console
warning: you seem to be trying to use `match` for destructuring a single pattern. Consider using `if let`
   --> src/image.rs:241:9
    |
241 | /         match oci.annotations() {
242 | |             Some(a) => {
243 | |                 if ImageService::is_sandbox(a) {
244 | |                     return ImageService::get_pause_image_process();
...   |
247 | |             None => {}
248 | |         }
    | |_________^
    |
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#single_match
help: try
    |
241 ~         if let Some(a) = oci.annotations() {
242 +             if ImageService::is_sandbox(a) {
243 +                 return ImageService::get_pause_image_process();
244 +             }
245 +         }
    |
```

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 07:18:09 +00:00
Ruoqing He
77e68b164e agent: Upgrade ttrpc-codegen to 0.5.0
Propagate `ttrpc-codegen` upgrade from `libs/protocols` to `agent`.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-04 01:16:46 +00:00
Ryan Savino
1e686dbca7 agent: Remove casting and fix Arc declaration
Removed unnecessary dynamic dispatch for services. Properly dereferenced
service Box values and stored in Arc.

Co-authored-by: Ruoqing He <heruoqing@iscas.ac.cn>
Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
2025-06-04 01:16:46 +00:00
RuoqingHe
51cc960cdd Merge pull request #11346 from fidencio/topic/bump-cgroups-rs
rust: Update cgroups-rs to its v0.3.5 release
2025-05-31 04:13:05 +02:00
Fabiano Fidêncio
02c46471fd rust: Update cgroups-rs to its v0.3.5 release
We're switching to using a rev as it may take some time for the package
to be updated on crates.io.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-05-30 21:49:50 +02:00
Champ-Goblem
f4007e5dc1 agent: increase LimitNOFILE in the systemd service
Increase the NOFILE limit in the systemd service, this helps with
running databases in the Kata runtime.

Signed-off-by: Champ-Goblem <cameron@northflank.com>
2025-05-30 17:49:29 +02:00
Fabiano Fidêncio
d3f81ec337 Merge pull request #11240 from Apokleos/copydir
runtime-rs: Propagate k8s configs correctly when sharedfs is disabled
2025-05-27 12:41:21 +02:00
Steve Horsman
f8c5aa6df6 Merge pull request #11259 from fitzthum/bump-gc-0140
Update Trustee and Guest Components for CoCo v0.14.0
2025-05-20 18:05:17 +01:00
alex.lyn
6fa409df1a kata-agent: Improve file sync handling and address symlink issues
When synchronizing file changes on the host, a "symlink AlreadyExists"
issue occurs, primarily due to improper handling of symbolic links
(symlinks). Additionally, there are other related problems.

This patch will try to address these problems.
(1) Handle symlink target existence (files, dirs, symlinks) during host file
    sync. Use appropriate removal methods (unlink, remove_file, remove_dir_all).
(2) Enhance temporary file handling for safer operations and implement truncate
    only at offset 0 for resume support.
(3) Set permissions and ownership for parent directories.
(4) Check and clean target path for regular files before rename.

Fixes #11237

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2025-05-20 16:55:49 +08:00
Steve Horsman
711fcd8f51 Merge pull request #11251 from stevenhorsman/rust-vulns-9th-may-2025
Rust vulns 9th may 2025
2025-05-14 09:58:12 +01:00
Zvonko Kaiser
5cc098ae43 Merge pull request #11242 from houstar/qing/safe-path
agent: use safe-path to replace secure_join
2025-05-12 10:58:19 -04:00
Qingyuan Hou
c0ceaf661a agent: use safe-path to replace secure_join
This patch use safe-path library to safely handle filesystem paths.

Signed-off-by: Qingyuan Hou <qingyuan.hou@linux.alibaba.com>
2025-05-12 09:06:55 +00:00
Tobin Feldman-Fitzthum
d714eb2472 agent: update image-rs for CoCo v0.14.0
We might be able to eliminate this dependency soon, but for now let's
update image-rs.

I massaged the dependencies with:

cargo update idna_adapter@1.2.1 --precise 1.2.0
cargo update litemap@0.7.5 --precise 0.7.4
cargo update zerofrom@0.1.6 --precise 0.1.5
cargo update astral-tokio-tar@0.5.2 --precise 0.5.1
cargo update base64ct@1.7.3 --precise 1.6.0
cargo update generic-array@1.2.0 --precise 1.1.1

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2025-05-09 13:39:52 -05:00
stevenhorsman
7807e6c29a versions: Bump byte-unit and rust_decimal
Bump the crates to update them and pull in a
newer version of borsh to remediate RUSTSEC-2023-0033

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-05-09 16:09:22 +01:00
stevenhorsman
787198f8bb versions: Update tempfile crate
Update the tempfile crate to resolve security issue
[WS-2023-0045](7247a8b6ee)
that came with the remove_dir_all dependency in prior versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-05-09 09:57:28 +01:00
Hyounggyu Choi
a286a5aee8 Merge pull request #11076 from Jakob-Naucke/ap-bind-assoc
Bind/associate for VFIO-AP
2025-05-09 09:32:46 +02:00
RuoqingHe
d4d737a73e Merge pull request #10512 from ncppd/riscv64-agent
agent: Support RISC-V 64-bit architecture
2025-05-07 10:56:10 +08:00
RuoqingHe
4f97e5fed3 Merge pull request #11226 from kata-containers/dependabot/cargo/src/agent/tokio-1.44.2
build(deps): bump tokio from 1.44.0 to 1.44.2
2025-05-06 21:55:18 +08:00
Fabiano Fidêncio
78bf9d7500 Merge pull request #11232 from lifupan/mtu
runtime: add the mtu support for updating routes
2025-05-06 15:55:04 +02:00
stevenhorsman
6030a64f0c build(deps): bump tokio to 1.44.2
Bumps [tokio](https://github.com/tokio-rs/tokio) from to 1.44.2
in all components to resolve the security vuln throughout our repo

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-05-06 11:38:52 +01:00
Nikos Ch. Papadopoulos
0f2c0d38f5 agent: Create pci_root_bus_path for riscv64
`create_pci_root_bus_path` needs to be enabled on riscv64 for agent to
compile and work on those platforms.

Signed-off-by: Nikos Ch. Papadopoulos <ncpapad@cslab.ece.ntua.gr>
2025-05-06 01:48:37 +00:00
ChengyuZhu6
d07b279bf1 agent:storage: Add directory creation support
Implementing directory creation logic in the OverlayfsHandler to process
driver options with the KATA_VOLUME_OVERLAYFS_CREATE_DIR prefix

Signed-off-by: ChengyuZhu6 <hudson@cyzhu.com>
2025-05-05 23:51:44 +02:00
Fupan Li
492329fc02 runtime: add the mtu support for updating routes
Some cni plugins will set the MTU of some routes, such as cilium will
modify the MTU of the default route. If the mtu of the route is not set
correctly, it may cause excessive fragmentation or even packet loss of
network packets. Therefore, this PR adds the setting of the MTU of the
route. First, when obtaining the route, if the MTU is set, the MTU will
also be obtained and set to the route in the guest.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-05-04 23:12:57 +02:00
Fabiano Fidêncio
4ce00ea434 agent: netlink: Only add an ipv6 address if ipv6 is enabled
When running Kata Containers on CSPs, the CSPs may enforce their
clusters to be IPv4-only.

Checking the OCI spec passed down to container, on a GKE cluster, we can
see:
```
    "sysctl": {
      ...
      "net.ipv6.conf.all.disable_ipv6": "1",
      "net.ipv6.conf.default.disable_ipv6": "1",
      ...
    },
```

Even with ipv6 being explicitly disabled (behind our back ;-)), we've
noticed that IPv6 addresses would be received, but then as IPv6 was
disabled we'd break on CreatePodSandbox with the following error:
```
Warning  FailedCreatePodSandBox  4s    kubelet            Failed to
create pod sandbox: rpc error: code = Unknown desc = failed to create
containerd task: failed to create shim task: "update interface: Failed
to add address fe80::c44c:1cff:fe84:f6b7: NetlinkError(ErrorMessage {
code: Some(-13), header: [64, 0, 0, 0, 20, 0, 5, 5, 19, 0, 0, 0, 0, 0,
0, 0, 10, 64, 0, 0, 2, 0, 0, 0, 20, 0, 1, 0, 254, 128, 0, 0, 0, 0, 0, 0,
196, 76, 28, 255, 254, 132, 246, 183, 20, 0, 2, 0, 254, 128, 0, 0, 0, 0,
0, 0, 196, 76, 28, 255, 254, 132, 246, 183] })\n\nStack backtrace:\n
0: <unknown>\n   1: <unknown>\n   2: <unknown>\n   3: <unknown>\n   4:
<unknown>\n   5: <unknown>\n   6: <unknown>\n   7: <unknown>\n   8:
<unknown>\n   9: <unknown>\n  10: <unknown>": unknown
```

A huge shoutout to Fupan Li for helping with the debug on this one!

Fixes: #11200

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-05-02 09:10:45 +02:00
Fabiano Fidêncio
e5cc9acab8 Merge pull request #11175 from kata-containers/dependabot/cargo/src/agent/crossbeam-channel-0.5.15
build(deps): bump crossbeam-channel from 0.5.14 to 0.5.15 in /src/agent
2025-04-29 14:13:25 +02:00
Alex Lyn
8b49564c01 Merge pull request #10610 from Xynnn007/faet-initdata-rbd
Feat | Implement initdata for bare-metal/qemu hypervisor
2025-04-24 09:59:14 +08:00
dependabot[bot]
463fd4eda4 build(deps): bump crossbeam-channel from 0.5.14 to 0.5.15 in /src/agent
Bumps [crossbeam-channel](https://github.com/crossbeam-rs/crossbeam) from 0.5.14 to 0.5.15.
- [Release notes](https://github.com/crossbeam-rs/crossbeam/releases)
- [Changelog](https://github.com/crossbeam-rs/crossbeam/blob/master/CHANGELOG.md)
- [Commits](https://github.com/crossbeam-rs/crossbeam/compare/crossbeam-channel-0.5.14...crossbeam-channel-0.5.15)

---
updated-dependencies:
- dependency-name: crossbeam-channel
  dependency-version: 0.5.15
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2025-04-23 11:34:14 +00:00
Xynnn007
17d0db9865 agent: add initdata parse logic
Kata-agent now will check if a device /dev/vd* with 'initdata' magic
number exists. If it exists, kata-agent will try to read it. Bytes 9~16
are the length of the compressed initdata toml in little endine.
Bytes starting from 17 is the compressed initdata.

The initdata image device layout looks like

0        8      16    16+length ...         EOF
'initdata'  length gzip(initdata toml) paddings

The initdata will be parsed and put as aa.toml, cdh.toml and
policy.rego to /run/confidential-containers/initdata.

When AgentPolicy is initialized, the default policy will be overwritten
by that.

When AA is to be launched, if initdata is once processed, the launch arg
will include --initdata parameter.

Also, if
/run/confidential-containers/initdata/aa.toml exists, the launch args
will include -c /run/confidential-containers/initdata/aa.toml.

When CDH is to be launched, if initdata is once processed, the launch
args will include -c /run/confidential-containers/initdata/cdh.toml

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-04-10 13:09:51 +08:00
stevenhorsman
6603cf7872 agent: Update vsock-exporter to use workspace settings
To reduce duplication, we could update
the vsock-exporter crate to use settings and versions
 from the agent, where applicable.
> [!NOTE]
> In order to use the workspace, this has bumped some crate versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-09 12:02:43 +01:00
stevenhorsman
2cb9fd3c69 agent: Update rustjail to use workspace settings
- To reduce duplication, we could update
the rustjail crate to use settings and versions
from the agent, where applicable.
- Also switch to using the derive feature in serde crate
rather than the separate serde_derive to avoid keeping
both versions in sync

> [!NOTE]
> In order to use the workspace, this has bumped
some crate versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-09 12:02:43 +01:00
stevenhorsman
655255b50c agent: Update policy to use workspace settings
To reduce duplication, we could update
the policy crate to use settings and versions
from the agent, where applicable.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-09 11:42:05 +01:00
stevenhorsman
1bec432ffa agent: Create workspace package and dependencies
- Create agent workspace dependencies and packge info
so that the packages in the workspace can use them
- Group the local dependencies together for clarity
(like in #11129)

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-09 11:42:00 +01:00
Fabiano Fidêncio
e3c98a5ac7 agent: Allow users to build without guest-pull
For those not interested in CoCo, let's at least allow them to easily
build the agent without the guest-pull feature.

This reduces the binary size (already stripped) from 25M to 18M.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-04-04 22:58:43 +01:00
Zvonko Kaiser
e5c4cfb8a1 Merge pull request #11081 from BbolroC/unsealed-secret-fix
tests: Enable sealed secrets for all TEEs
2025-03-31 11:19:52 -04:00
Hyounggyu Choi
423ad8341d agent: Call cdh_handler for sealed secrets after add_storage()
As reported in #11011, mounted secrets are available after
a container image is pulled by add_storage() for IBM SE.
But secure mount should be handled before the `add_storage()`.
Therefore, this commit divides cdh_handler() into:

- cdh_handler_trusted_storage()
- cdh_handler_sealed_secrets()

and calls cdh_handler_sealed_secrets() after add_storage()
while keeping cdh_handler_trusted_storage() unchanged.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-03-26 17:50:41 +01:00
Jakob Naucke
d808cef2fb agent: AP bind-associate for Secure Execution
Kata Containers has support for both the IBM Secure Execution trusted
execution environment and the IBM Crypto Express hardware security
module (used via the Adjunct Processor bus), but using them together
requires specific steps.

In Secure Execution, the Acceleration and Enterprise PKCS11 modes of
Crypto Express are supported. Both modes require the domain to be
_bound_ in the guest, and the latter also requires the domain to be
_associated_ with a _guest secret_. Guest secrets must be submitted to
the ultravisor from within the guest.

Each EP11 domain has a master key verification pattern (MKVP) that can
be established at HSM setup time. The guest secret and its ID are to
be provided at `/vfio_ap/{mkvp}/secret` and
`/vfio_ap/{mkvp}/secret_id` via a key broker service respectively.

Bind each domain, and for each EP11 domain,
- get the secret and secret ID from the addresses above,
- submit the secret to the ultravisor,
- find the index of the secret corresponding to the ID, and
- associate the domain to the index of this secret.

To bind, add the secret, parse the info about the domain, and
associate, the s390_pv_core crate is used. The code from this crate
also does the AP online check, which can be removed from here.

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2025-03-26 16:37:23 +01:00
Jakob Naucke
683a482d64 protos: Add CDH GetResourceService
Add service to get arbitrary data from Confidential Data Hub. Taken from
https://github.com/confidential-containers/guest-components/tree/main/api-server-rest.
Marked as `#[allow(dead_code)]` because planned use is
architecture-specific at this time.

Signed-off-by: Jakob Naucke <jakob.naucke@ibm.com>
2025-03-24 15:46:40 +00:00
Fupan Li
4b93176225 runtime-rs: update the protobuf to 3.7.1
Since some files generated by protobuf were share between
runtime-rs and kata agent, and the kata agent's dependency
image-rs dependened protobuf@3.7.1, thus we'd better to keep
the protobuf version aligned between runtime-rs and agent,
otherwise, we couldn't compile the runtime-rs and agent
at the same time.

Fixes: https://github.com/kata-containers/kata-containers/issues/10650

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-03-21 17:46:12 +08:00
Tobin Feldman-Fitzthum
b7786fbcf0 agent: update image-rs for coco v0.13.0
image-rs has gotten a number of significant updates, eliminating corner
cases with obscure containers, improving support for local certs, and
more.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2025-03-14 10:44:10 -05:00
Hui Zhu
93cd30862d libs: Add AddSwapPath to service AgentService
AddSwap send the pci path to guest kernel to let it add swap device.
But some mmio device doesn't have pci path.  To support it add
AddSwapPath send virt_path to guest kernel as swap device.

Fixes: #10988

Signed-off-by: Hui Zhu <teawater@antgroup.com>
2025-03-11 16:02:48 +08:00