sev-snp: add SEV device when security policy is present

This change adds SEV device to linux container spec whenever security policy isn't empty. Signed-off-by: Maksim An <maksiman@microsoft.com>
microsoft · Mar 28, 2023 · 20b3760 · 20b3760
1 parent 5871d0c
commit 20b3760
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/internal/guest/runtime/hcsv2/spec.go b/internal/guest/runtime/hcsv2/spec.go
@@ -239,6 +239,24 @@ func applyAnnotationsToSpec(ctx context.Context, spec *oci.Spec) error {
 	return nil
 }
 
+// addDevSev adds SEV device to container spec. On 5.x kernel the device is /dev/sev,
+// however this changed in 6.x where the device is /dev/sev-guest.
+func addDevSev(ctx context.Context, spec *oci.Spec) error {
+	// try adding /dev/sev, which should be present for 5.x kernel
+	devSev, err := devices.DeviceFromPath("/dev/sev", "rwm")
+	if err != nil {
+		// try adding /dev/guest-sev, which should be present for 6.x kernel
+		sevErr := fmt.Errorf("failed to add SEV device to spec: %w", err)
+		var errSevGuest error
+		devSev, errSevGuest = devices.DeviceFromPath("/dev/sev-guest", "rwm")
+		if err != nil {
+			return fmt.Errorf("%s: %w", sevErr, errSevGuest)
+		}
+	}
+	addLinuxDeviceToSpec(ctx, devSev, spec, true)
+	return nil
+}
+
 // devShmMountWithSize returns a /dev/shm device mount with size set to
 // `sizeString` if it represents a valid size in KB, returns error otherwise.
 func devShmMountWithSize(sizeString string) (*oci.Mount, error) {

diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
@@ -360,6 +360,16 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 			if err := setupWorkloadContainerSpec(ctx, sid, id, settings.OCISpecification); err != nil {
 				return nil, err
 			}
+
+			// Add SEV device when security policy is not empty, except when privileged annotation is
+			// set to "true", in which case all UVMs devices are added.
+			if len(h.securityPolicyEnforcer.EncodedSecurityPolicy()) > 0 && !oci.ParseAnnotationsBool(ctx,
+				settings.OCISpecification.Annotations, annotations.LCOWPrivileged, false) {
+				if err := addDevSev(ctx, settings.OCISpecification); err != nil {
+					log.G(ctx).WithError(err).Debug("failed to add SEV device")
+				}
+			}
+
 			defer func() {
 				if err != nil {
 					_ = os.RemoveAll(settings.OCIBundlePath)