diff --git a/internal/guest/runtime/hcsv2/spec.go b/internal/guest/runtime/hcsv2/spec.go
index efb2f492e3..e3be53f3f8 100644
--- a/internal/guest/runtime/hcsv2/spec.go
+++ b/internal/guest/runtime/hcsv2/spec.go
@@ -239,6 +239,24 @@ func applyAnnotationsToSpec(ctx context.Context, spec *oci.Spec) error {
 return nil
 }
 
+// addDevSev adds SEV device to container spec. On 5.x kernel the device is /dev/sev,
+// however this changed in 6.x where the device is /dev/sev-guest.
+func addDevSev(ctx context.Context, spec *oci.Spec) error {
+ // try adding /dev/sev, which should be present for 5.x kernel
+ devSev, err := devices.DeviceFromPath("/dev/sev", "rwm")
+ if err != nil {
+ // try adding /dev/guest-sev, which should be present for 6.x kernel
+ sevErr := fmt.Errorf("failed to add SEV device to spec: %w", err)
+ var errSevGuest error
+ devSev, errSevGuest = devices.DeviceFromPath("/dev/sev-guest", "rwm")
+ if errSevGuest != nil {
+ return fmt.Errorf("%s: %w", sevErr, errSevGuest)
+ }
+ }
+ addLinuxDeviceToSpec(ctx, devSev, spec, true)
+ return nil
+}
+
 // devShmMountWithSize returns a /dev/shm device mount with size set to
 // `sizeString` if it represents a valid size in KB, returns error otherwise.
 func devShmMountWithSize(sizeString string) (*oci.Mount, error) {
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
index 25064df3e8..5221dba612 100644
--- a/internal/guest/runtime/hcsv2/uvm.go
+++ b/internal/guest/runtime/hcsv2/uvm.go
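Review bot: The fallback's combined error at `return fmt.Errorf("%s: %w", sevErr, errSevGuest)` formats sevErr with %s, so the original /dev/sev error is flattened to text and can no longer be matched with errors.Is/errors.As by callers; if the module's Go version is 1.20 or later, `return fmt.Errorf("failed to add SEV device to spec: %w; %w", err, errSevGuest)` keeps both errors in the chain and makes the intermediate sevErr variable unnecessary. The comment on the fallback branch names `/dev/guest-sev` while the code opens `/dev/sev-guest`; it should read `// try adding /dev/sev-guest, which should be present for 6.x kernel`. Since addDevSev grants "rwm" on the device unconditionally and relies on its callers for any gating (not visible in this hunk), the doc comment would benefit from one sentence stating that expectation, e.g. that it is intended for policy-enforced, non-privileged containers only.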
@@ -360,6 +360,16 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 if err := setupWorkloadContainerSpec(ctx, sid, id, settings.OCISpecification); err != nil {
 return nil, err
 }
+
+ // Add SEV device when security policy is not empty, except when privileged annotation is
+ // set to "true", in which case all UVMs devices are added.
+ if len(h.securityPolicyEnforcer.EncodedSecurityPolicy()) > 0 && !oci.ParseAnnotationsBool(ctx,
+ settings.OCISpecification.Annotations, annotations.LCOWPrivileged, false) {
+ if err := addDevSev(ctx, settings.OCISpecification); err != nil {
+ log.G(ctx).WithError(err).Debug("failed to add SEV device")
+ }
+ }
+
 defer func() {
 if err != nil {
 _ = os.RemoveAll(settings.OCIBundlePath)
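Review bot: A failure from addDevSev is logged only at Debug level at `log.G(ctx).WithError(err).Debug("failed to add SEV device")` and container creation continues, so a policy-enforced container that ends up without its SEV device leaves no trace at default verbosity; `log.G(ctx).WithError(err).Warn("failed to add SEV device")` would make the degraded state visible to operators while keeping the best-effort behaviour. If the device is meant to be a hard requirement whenever a security policy is present, returning the error here would be the stricter choice, but that intent is not visible in the hunk. The `err` declared in the new `if err := addDevSev(...)` is scoped to that statement and does not reach the deferred cleanup that checks the outer `err` (presumably a named result), which is the correct behaviour here but easy to misread given the shadowing. CreateContainer's body continues outside the hunk on both sides.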