New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
runtime: Allow no initrd path for IBM Z Secure Execution #8693
runtime: Allow no initrd path for IBM Z Secure Execution #8693
Conversation
5904d34
to
043f3b8
Compare
e1dc739
to
b9c2c00
Compare
src/runtime/pkg/govmm/qemu/qemu.go
Outdated
if config.Kernel.Path != "" { | ||
config.qemuParams = append(config.qemuParams, "-kernel") | ||
config.qemuParams = append(config.qemuParams, config.Kernel.Path) | ||
|
||
if config.Kernel.InitrdPath != "" { | ||
config.qemuParams = append(config.qemuParams, "-initrd") | ||
config.qemuParams = append(config.qemuParams, config.Kernel.InitrdPath) | ||
} else { | ||
if logger != nil { | ||
logger.Infof("initrd path is empty, assuming IBM Z Secure Execution") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will be logged even on non IBM z architectures right? I think this needs to go in the architecture specific qemu implementaion file. Similar comment for the code below as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think there would be no such a case for other architectures due to conf.HypervisorMachineType == QemuCCWVirtio
below. This conditional is already s390x specific (s390-ccw-virtio
). Thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm.. now I got your point. this will be logged for where kernel and image are set. I will change the code as you suggested. But others wouldn't be reached out because the conditional is located in where image and initrd are not set and a machine type is s390 specific. Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update: I've removed the log for appendKernel()
because it should be architecture-agnostic and an error due to the misconfiguration of the parameters is unlikely to happen thanks to the validation code at a hypervisor level.
This is to reintroduce a configuration rule for IBM Z Secure Execution, where no initrd path should be configured. For the TEE of interest, only a kernel image should be specified with `confidential_guest=true`. Fixes: kata-containers#8692 Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
b9c2c00
to
540a2a7
Compare
/test |
@amshinde I am looking forward to your follow-up feedback after my action to your comment. Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks okay to me. Thanks!
This is to reintroduce a configuration rule for IBM Z Secure Execution, where no initrd path should be configured. For the TEE of interest, only a kernel image should be specified with
confidential_guest=true
.Fixes: #8692
Signed-off-by: Hyounggyu Choi Hyounggyu.Choi@ibm.com
Test result:
For a normal kata configuration with initrd, a qemu argument
-initrd
should be specified to run a container like: