runtime: Allow no initrd path for IBM Z Secure Execution

This is to reintroduce a configuration rule for IBM Z Secure Execution,
where no initrd path should be configured. For the TEE of interest,
only a kernel image should be specified with `confidential_guest=true`.

Fixes: #8692

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>

src/runtime/pkg/govmm/qemu/qemu.go

@@ -2999,14 +2999,18 @@ func (config *Config) appendVGA() {
 	}
 }
 
-func (config *Config) appendKernel() {
+func (config *Config) appendKernel(logger QMPLog) {
 	if config.Kernel.Path != "" {
 		config.qemuParams = append(config.qemuParams, "-kernel")
 		config.qemuParams = append(config.qemuParams, config.Kernel.Path)
 
 		if config.Kernel.InitrdPath != "" {
 			config.qemuParams = append(config.qemuParams, "-initrd")
 			config.qemuParams = append(config.qemuParams, config.Kernel.InitrdPath)
+		} else {
+			if logger != nil {
+				logger.Infof("initrd path is empty, assuming IBM Z Secure Execution")
+			}
 		}
 
 		if config.Kernel.Params != "" {
@@ -3163,7 +3167,7 @@ func LaunchQemu(config Config, logger QMPLog) (*exec.Cmd, io.ReadCloser, error)
 	config.appendPFlashParam()
 	config.appendVGA()
 	config.appendKnobs()
-	config.appendKernel()
+	config.appendKernel(logger)
 	config.appendBios()
 	config.appendIOThreads()
 	config.appendIncoming()

src/runtime/pkg/govmm/qemu/qemu_test.go

@@ -42,7 +42,7 @@ func testConfigAppend(config *Config, structure interface{}, expected string, t
 
 	case Kernel:
 		config.Kernel = s
-		config.appendKernel()
+		config.appendKernel(nil)
 
 	case Memory:
 		config.Memory = s
@@ -668,7 +668,7 @@ func TestNoRebootKnob(t *testing.T) {
 
 var kernelString = "-kernel /opt/vmlinux.container -initrd /opt/initrd.container -append root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro rw rootfstype=ext4 tsc=reliable"
 
-func TestAppendKernel(t *testing.T) {
+func TestAppendKernelWithInitrd(t *testing.T) {
 	kernel := Kernel{
 		Path:       "/opt/vmlinux.container",
 		InitrdPath: "/opt/initrd.container",
@@ -678,6 +678,16 @@ func TestAppendKernel(t *testing.T) {
 	testAppend(kernel, kernelString, t)
 }
 
+func TestAppendKernelWithoutInitrd(t *testing.T) {
+	kernel := Kernel{
+		Path:       "/opt/vmlinux.container",
+		InitrdPath: "",
+		Params:     "root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro rw rootfstype=ext4 tsc=reliable",
+	}
+
+	testAppend(kernel, kernelString, t)
+}
+
 var memoryString = "-m 2G,slots=2,maxmem=3G"
 
 func TestAppendMemory(t *testing.T) {
@@ -1077,7 +1087,7 @@ func TestBadVGA(t *testing.T) {
 
 func TestBadKernel(t *testing.T) {
 	c := &Config{}
-	c.appendKernel()
+	c.appendKernel(nil)
 	if len(c.qemuParams) != 0 {
 		t.Errorf("Expected empty qemuParams, found %s", c.qemuParams)
 	}

src/runtime/virtcontainers/hypervisor.go

@@ -758,6 +758,10 @@ func (conf *HypervisorConfig) ImageOrInitrdAssetPath() (string, types.AssetType,
 		initrd = a.Path()
 	}
 
+	if conf.ConfidentialGuest && conf.HypervisorMachineType == QemuCCWVirtio {
+		return "", types.SecureBootAsset, nil
+	}
+
 	path, assetType, err := checkAndReturn(image, initrd)
 	if assetType != types.UnkownAsset {
 		return path, assetType, nil

src/runtime/virtcontainers/qemu.go

@@ -422,9 +422,13 @@ func (q *qemu) buildDevices(ctx context.Context, kernelPath string) ([]govmmQemu
 		if err != nil {
 			return nil, nil, nil, err
 		}
-	} else {
+	} else if assetType == types.InitrdAsset {
 		// InitrdAsset, need to set kernel initrd path
 		kernel.InitrdPath = assetPath
+	} else if assetType == types.SecureBootAsset {
+		// SecureBootAsset, no need to set image or initrd path
+		q.Logger().Info("Neither image nor initrd is set, secure boot for IBM Z is enabled")
+		kernel.InitrdPath = ""
 	}
 
 	if q.config.IOMMU {

src/runtime/virtcontainers/types/asset.go

@@ -28,6 +28,10 @@ const (
 	// InitrdAsset is an initrd asset.
 	InitrdAsset AssetType = "initrd"
 
+	// SecureBootAsset is a secure boot asset.
+	// (IBM Z Secure Execution only)
+	SecureBootAsset AssetType = "secure_boot"
+
 	// HypervisorAsset is an hypervisor asset.
 	HypervisorAsset AssetType = "hypervisor"