hypervisors: Confidential Guests do not support VCPUs hotplug

As confidential guests do not support VCPUs hotplug, let's set the
"DefaultMaxVCPUs" value to "NumVCPUs".

The reason to do this is to ensure that guests will be started with the
correct amount of VCPUs, without giving to the guest with all the
possible VCPUs the host could provide.

One clear side effect of this limitation is that workloads that would
require more VCPUs on their yaml definition will not run on this
scenario.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>

src/runtime/config/configuration-clh.toml.in

@@ -20,6 +20,11 @@ image = "@IMAGEPATH@"
 # from memory encryption to both memory and CPU-state encryption and integrity.
 # The Kata Containers runtime dynamically detects the available feature set and
 # aims at enabling the largest possible one.
+#
+# Known limitations:
+# * Does not work by design:
+#   - CPU Hotplug 
+#
 # Default false
 # confidential_guest = true
 

src/runtime/config/configuration-qemu.toml.in

@@ -21,6 +21,11 @@ machine_type = "@MACHINETYPE@"
 # from memory encryption to both memory and CPU-state encryption and integrity.
 # The Kata Containers runtime dynamically detects the available feature set and
 # aims at enabling the largest possible one.
+#
+# Known limitations:
+# * Does not work by design:
+#   - CPU Hotplug 
+#
 # Default false
 # confidential_guest = true
 

src/runtime/virtcontainers/hypervisor.go

@@ -564,6 +564,11 @@ func (conf *HypervisorConfig) Valid() error {
 		conf.DefaultMaxVCPUs = defaultMaxVCPUs
 	}
 
+	if conf.ConfidentialGuest && conf.NumVCPUs != conf.DefaultMaxVCPUs {
+		hvLogger.Warnf("Confidential guests do not support hotplugging of vCPUs. Setting DefaultMaxVCPUs to NumVCPUs (%d)", conf.NumVCPUs)
+		conf.DefaultMaxVCPUs = conf.NumVCPUs
+	}
+
 	if conf.Msize9p == 0 && conf.SharedFS != config.VirtioFS {
 		conf.Msize9p = defaultMsize9p
 	}