runtime: Allow no initrd path for IBM Z Secure Execution

This is to reintroduce a configuration rule for IBM Z Secure Execution,
where no initrd path should be configured. For the TEE of interest,
only a kernel image should be specified with `confidential_guest=true`.

Fixes: #8692

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>

src/runtime/virtcontainers/hypervisor.go

@@ -747,6 +747,12 @@ func (conf *HypervisorConfig) ImageOrInitrdAssetPath() (string, types.AssetType,
 			return initrd, types.InitrdAsset, nil
 		}
 
+		// Even if neither image nor initrd are set, we still need to return
+		// if we are running a confidential guest on QemuCCWVirtio. (IBM Z Secure Execution)
+		if conf.ConfidentialGuest && conf.HypervisorMachineType == QemuCCWVirtio {
+			return "", types.SecureBootAsset, nil
+		}
+
 		return "", types.UnkownAsset, fmt.Errorf("one of image and initrd must be set")
 	}
 

src/runtime/virtcontainers/qemu.go

@@ -422,9 +422,13 @@ func (q *qemu) buildDevices(ctx context.Context, kernelPath string) ([]govmmQemu
 		if err != nil {
 			return nil, nil, nil, err
 		}
-	} else {
+	} else if assetType == types.InitrdAsset {
 		// InitrdAsset, need to set kernel initrd path
 		kernel.InitrdPath = assetPath
+	} else if assetType == types.SecureBootAsset {
+		// SecureBootAsset, no need to set image or initrd path
+		q.Logger().Info("For IBM Z Secure Execution, initrd path should not be set")
+		kernel.InitrdPath = ""
 	}
 
 	if q.config.IOMMU {

src/runtime/virtcontainers/types/asset.go

@@ -28,6 +28,10 @@ const (
 	// InitrdAsset is an initrd asset.
 	InitrdAsset AssetType = "initrd"
 
+	// SecureBootAsset is a secure boot asset.
+	// (IBM Z Secure Execution only)
+	SecureBootAsset AssetType = "secure_boot"
+
 	// HypervisorAsset is an hypervisor asset.
 	HypervisorAsset AssetType = "hypervisor"