From 5952d304d5336aa77fccc11ef468444d426f4273 Mon Sep 17 00:00:00 2001 From: Daniel Mihai Date: Thu, 1 Sep 2022 15:54:16 +0000 Subject: [PATCH 1/4] runtime: fix error when using the debug console This fixes the below error when attempting to access the debug console when all debug_console_enabled=true and all 3 enable_debug options are true: level=error msg="error create pseudo tty" error="open /dev/ptmx: operation not permitted" Signed-off-by: Aurelien Bombo --- src/runtime/pkg/resourcecontrol/cgroups.go | 1 + 1 file changed, 1 insertion(+) diff --git a/src/runtime/pkg/resourcecontrol/cgroups.go b/src/runtime/pkg/resourcecontrol/cgroups.go index be8e9dc97369..6d9257473277 100644 --- a/src/runtime/pkg/resourcecontrol/cgroups.go +++ b/src/runtime/pkg/resourcecontrol/cgroups.go @@ -60,6 +60,7 @@ func sandboxDevices() []specs.LinuxDeviceCgroup { "/dev/zero", "/dev/urandom", "/dev/console", + "/dev/ptmx", } // Processes running in a device-cgroup are constrained, they have acccess From fb4c88743c6fb6fccea5e99b9b264fd7330833d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= Date: Tue, 23 Jan 2024 23:00:07 +0000 Subject: [PATCH 2/4] config: don't hardcode confidential_guest=true for clh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Doesn't make sense for non-TEEs and was only a remnant of cc-msft-prototypes. This will have to be taken into account in microsoft/CBL-Mariner#6942. [upstream-merged] Already done this way upstream. Signed-off-by: Aurélien Bombo --- src/runtime/config/configuration-clh.toml.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/runtime/config/configuration-clh.toml.in b/src/runtime/config/configuration-clh.toml.in index 0851bbaaa897..aa4324ef0ded 100644 --- a/src/runtime/config/configuration-clh.toml.in +++ b/src/runtime/config/configuration-clh.toml.in 
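Review bot: The new `"/dev/ptmx"` entry widens the sandbox device-cgroup allow-list for every sandbox, not only when the debug console is enabled, even though the commit message names the debug console as the only consumer; whatever runs under this cgroup can now open the pty multiplexer. If the list cannot be made conditional on the debug-console setting (`sandboxDevices()` takes no arguments, so that would mean a new parameter or a caller-side append), the entry should at least carry a why-comment so it is not later mistaken for a baseline device: `"/dev/ptmx", // pty multiplexer: only the debug console needs this to allocate a pseudo tty`. The access mode applied to these paths is set elsewhere in the function, outside the hunk; confirm ptmx is not granted more than it needs, and that the slave side under /dev/pts (char major 136) is already permitted, otherwise the open that now succeeds on ptmx will presumably fail one step later. The body of sandboxDevices begins before and continues after this hunk.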
@@ -40,7 +40,7 @@ rootfs_type=@DEFROOTFSTYPE@ # * Intel TDX # # Default false -confidential_guest = true +#confidential_guest = true # Enable running clh VMM as a non-root user. # By default clh VMM run as root. When this is set to true, clh VMM process runs as From b4ab11d10b416e41f663f72076225de898b4563d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= Date: Tue, 30 Jan 2024 17:08:01 +0000 Subject: [PATCH 3/4] rootfs-builder: only look for AGENT_POLICY_FILE if AGENT_POLICY=yes When the rootfs is built with AGENT_POLICY=no, the build fails at line 36 for us, since our package build does not have access to the entire source at once. Rather, we only copy the directories that we think we'll need (and we missed that one). TBA in a future packaging change. [upstream-not-needed] Upstream isn't affected as they build with the whole code base. Signed-off-by: Aurelien Bombo --- tools/osbuilder/rootfs-builder/rootfs.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index 9ee0149648eb..f57b8de9838d 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -33,7 +33,7 @@ AGENT_POLICY_FILE=${AGENT_POLICY_FILE:-"allow-all.rego"} lib_file="${script_dir}/../scripts/lib.sh" source "$lib_file" -agent_policy_file="$(readlink -f "${script_dir}/../../../src/kata-opa/${AGENT_POLICY_FILE}")" +[ "${AGENT_POLICY}" == "yes" ] && agent_policy_file="$(readlink -f "${script_dir}/../../../src/kata-opa/${AGENT_POLICY_FILE}")" #For cross build CROSS_BUILD=${CROSS_BUILD:-false} 
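Review bot: Commenting the line out makes `confidential_guest` fall back to false on the clh path with no build-time signal, so a TEE deployment that relied on the previous hard-coded true loses the setting silently; the commit message defers this to a packaging ticket, but the template itself offers no hook for that packaging to use. The neighbouring `rootfs_type=@DEFROOTFSTYPE@` context line shows this file is Makefile-substituted, and src/runtime/Makefile already carries `DEF…` defaults such as `DEFSNPGUEST`; consider driving this value the same way so TEE builds can turn it on at build time instead of editing the installed config. If that is out of scope, a comment above the line saying that TEE builds must uncomment it, and what happens if they do not, would be the minimum.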
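Review bot: After this change `agent_policy_file` is never assigned when AGENT_POLICY is not "yes", whereas before it always held a resolved path; if rootfs.sh runs under `set -u`/`set -o nounset`, or has any later unguarded `${agent_policy_file}` reference outside this hunk (for instance where the policy is installed into the rootfs), that reference now aborts or expands to empty instead of tripping the visible check. Initialise the variable before the guard so it always exists, `agent_policy_file=""`, followed by the guarded `readlink -f` line as written. The guard also turns the previous hard failure into a silent no-op when AGENT_POLICY is unset or spelled differently (e.g. `YES`), so the variable's default and normalisation, which are not in this hunk, are worth checking.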
@@ -330,7 +330,7 @@ check_env_variables() [ -n "${KERNEL_MODULES_DIR}" ] && [ ! -d "${KERNEL_MODULES_DIR}" ] && die "KERNEL_MODULES_DIR defined but is not an existing directory" - [ ! -f "${agent_policy_file}" ] && die "agent policy file not found in '${agent_policy_file}'" + [ "${AGENT_POLICY}" == "yes" ] && [ ! -f "${agent_policy_file}" ] && die "agent policy file not found in '${agent_policy_file}'" [ -n "${OSBUILDER_VERSION}" ] || die "need osbuilder version" } From ca1b9a7ff6353da7d6cde4d15ad4b99ee9bfc541 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= Date: Mon, 12 Feb 2024 21:11:40 +0000 Subject: [PATCH 4/4] runtime: make sev_snp_guest default to false Fixes a remnant of cc-msft-prototypes. This will require a change in the kata-containers-cc spec. [upstream-not-needed] Signed-off-by: Aurelien Bombo --- src/runtime/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 6aaa11e072df..0761848c51dd 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -275,7 +275,7 @@ DEFBINDMOUNTS := [] DEFSERVICEOFFLOAD ?= false # SNP -DEFSNPGUEST ?= true +DEFSNPGUEST ?= false # Based on SEV Secure Nested Paging Firmware ABI Specification section 4.3 # unspecified or == 0 --> 0x30000 i.e. Bit#17 is '1' and Bit#16 is '1' (SMT is allowed) DEFSNPGUESTPOLICY ?= 0x30000
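Review bot: With the added guard, a caller who sets `AGENT_POLICY_FILE` to a restrictive policy but leaves `AGENT_POLICY` at anything other than "yes" now gets a rootfs with no policy and no message, whereas before the missing-file `die` at least surfaced a mistyped path; for a setting whose whole purpose is to constrain the agent, that silence is the wrong default. Consider failing when the two variables disagree, e.g. `[ "${AGENT_POLICY}" != "yes" ] && [ "${AGENT_POLICY_FILE}" != "allow-all.rego" ] && die "AGENT_POLICY_FILE is set but AGENT_POLICY is not yes"`, with the literal replaced by whatever holds the line-33 default if the script already names it. The body of check_env_variables starts before this hunk.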
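Review bot: Flipping `DEFSNPGUEST` to false means the generated configuration presumably reports `sev_snp_guest = false` unless packaging passes the variable explicitly, and nothing in the Makefile records that TEE builds now have to do so; the commit message says the kata-containers-cc spec must change, but that dependency lives outside this tree. A one-line comment next to the default would stop the next reader from either re-enabling it or missing the spec change: `# SNP guests are opt-in; CC/TEE packaging must pass DEFSNPGUEST=true explicitly`. Note that `DEFSNPGUESTPOLICY ?= 0x30000` (SMT allowed) is untouched and still applies whenever SNP is switched back on.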