From 20b37603bb66b607203d6c4e95d1fd82f5a0b650 Mon Sep 17 00:00:00 2001
From: Maksim An
Date: Tue, 28 Feb 2023 16:34:24 -0800
Subject: [PATCH 1/2] sev-snp: add SEV device when security policy is present

This change adds SEV device to linux container spec whenever security policy isn't empty.

Signed-off-by: Maksim An
---
 internal/guest/runtime/hcsv2/spec.go | 18 ++++++++++++++++++
 internal/guest/runtime/hcsv2/uvm.go | 10 ++++++++++
 2 files changed, 28 insertions(+)

diff --git a/internal/guest/runtime/hcsv2/spec.go b/internal/guest/runtime/hcsv2/spec.go
index efb2f492e3..700cf3967a 100644
--- a/internal/guest/runtime/hcsv2/spec.go
+++ b/internal/guest/runtime/hcsv2/spec.go
@@ -239,6 +239,24 @@ func applyAnnotationsToSpec(ctx context.Context, spec *oci.Spec) error {
 return nil
 }
 
+// addDevSev adds SEV device to container spec. On 5.x kernel the device is /dev/sev,
+// however this changed in 6.x where the device is /dev/sev-guest.
+func addDevSev(ctx context.Context, spec *oci.Spec) error {
+ // try adding /dev/sev, which should be present for 5.x kernel
+ devSev, err := devices.DeviceFromPath("/dev/sev", "rwm")
+ if err != nil {
+ // try adding /dev/guest-sev, which should be present for 6.x kernel
+ sevErr := fmt.Errorf("failed to add SEV device to spec: %w", err)
+ var errSevGuest error
+ devSev, errSevGuest = devices.DeviceFromPath("/dev/sev-guest", "rwm")
+ if err != nil {
+ return fmt.Errorf("%s: %w", sevErr, errSevGuest)
+ }
+ }
+ addLinuxDeviceToSpec(ctx, devSev, spec, true)
+ return nil
+}
+
 // devShmMountWithSize returns a /dev/shm device mount with size set to
 // `sizeString` if it represents a valid size in KB, returns error otherwise.
 func devShmMountWithSize(sizeString string) (*oci.Mount, error) {
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
index 25064df3e8..5221dba612 100644
--- a/internal/guest/runtime/hcsv2/uvm.go
+++ b/internal/guest/runtime/hcsv2/uvm.go
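Review bot: addDevSev hands the SEV guest node to every non-privileged container with `rwm`, and the doc comment says nothing about what that node lets the container do; on a /dev/sev-guest kernel the same device serves SNP_GET_DERIVED_KEY as well as SNP_GET_REPORT, and a derived key comes from VM-wide secrets, so, if I read the driver correctly, any container the policy admits can obtain keys that the workload doing attestation may treat as its own, which should at least be recorded in the header comment, e.g. `// NOTE: the node exposes both the attestation-report and derived-key ioctls to the container`. The `m` bit is also not needed for a node the runtime creates from the spec, so `devices.DeviceFromPath("/dev/sev-guest", "rw")` is the least-privilege form, assuming the driver's ioctls work on an O_RDWR open, which I cannot confirm from here. Two comment fixes while here: the inner comment names `/dev/guest-sev` whereas the call opens `/dev/sev-guest`, and the 5.x/6.x rule in the header reads as an upstream kernel-version split, whereas as far as I recall upstream only ever shipped /dev/sev-guest (since 5.19) and /dev/sev is what the earlier out-of-tree SNP guest patches used, so `// older SNP-patched kernels expose the guest interface as /dev/sev; upstream (5.19+) uses /dev/sev-guest` would be more accurate.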
@@ -360,6 +360,16 @@ func (h *Host) CreateContainer(ctx context.Context, id string, settings *prot.VM
 if err := setupWorkloadContainerSpec(ctx, sid, id, settings.OCISpecification); err != nil {
 return nil, err
 }
+
+ // Add SEV device when security policy is not empty, except when privileged annotation is
+ // set to "true", in which case all UVMs devices are added.
+ if len(h.securityPolicyEnforcer.EncodedSecurityPolicy()) > 0 && !oci.ParseAnnotationsBool(ctx,
+ settings.OCISpecification.Annotations, annotations.LCOWPrivileged, false) {
+ if err := addDevSev(ctx, settings.OCISpecification); err != nil {
+ log.G(ctx).WithError(err).Debug("failed to add SEV device")
+ }
+ }
+
 defer func() {
 if err != nil {
 _ = os.RemoveAll(settings.OCIBundlePath)

From a5db872d22f0b6c0c05990830ad4ba71ef25afa6 Mon Sep 17 00:00:00 2001
From: Maksim An
Date: Fri, 31 Mar 2023 10:13:45 -0700
Subject: [PATCH 2/2] pr feedback: wrong err check

Signed-off-by: Maksim An
---
 internal/guest/runtime/hcsv2/spec.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/guest/runtime/hcsv2/spec.go b/internal/guest/runtime/hcsv2/spec.go
index 700cf3967a..e3be53f3f8 100644
--- a/internal/guest/runtime/hcsv2/spec.go
+++ b/internal/guest/runtime/hcsv2/spec.go
@@ -249,7 +249,7 @@ func addDevSev(ctx context.Context, spec *oci.Spec) error {
 sevErr := fmt.Errorf("failed to add SEV device to spec: %w", err)
 var errSevGuest error
 devSev, errSevGuest = devices.DeviceFromPath("/dev/sev-guest", "rwm")
- if err != nil {
+ if errSevGuest != nil {
 return fmt.Errorf("%s: %w", sevErr, errSevGuest)
 }
 }
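Review bot: The `Debug` level on `log.G(ctx).WithError(err).Debug("failed to add SEV device")` hides a genuine failure on SNP hardware, where a container then starts without its attestation device and nothing at default log level says why; because the gate keys on a policy being present rather than on the UVM being SEV-SNP, the same path fires for every container on a non-SNP UVM that carries a policy, where a Warn would be noise, so either distinguish the SNP case before raising it to `Warn`, or at minimum say in the comment that the failure is expected off SNP hardware. The condition also treats any non-empty encoded policy as confidential; if an allow-all/open policy can be non-empty (I cannot tell from here), the device is exposed in that case too, which deserves a sentence in the comment. Minor wording: `all UVMs devices` should read `all UVM devices`. CreateContainer starts and ends outside this hunk.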
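Review bot: Now that the branch checks errSevGuest, the return on the context line below it still formats sevErr with `%s`, which flattens the /dev/sev failure to text so `errors.Is`/`errors.As` callers only ever see the /dev/sev-guest error; if the module targets Go 1.20 or later, `return fmt.Errorf("%w; %w", sevErr, errSevGuest)` (or `errors.Join(sevErr, errSevGuest)`) keeps both chains, otherwise leave `%s` and say so in a comment. Building `sevErr` before knowing it is needed is harmless, but `fmt.Errorf("failed to add SEV device to spec: /dev/sev: %w; /dev/sev-guest: %w", err, errSevGuest)` inside the branch would read more directly. The body of addDevSev starts and ends outside this hunk.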