runtime: disable protection check #141

Merged
merged 1 commit into from
Jan 16, 2024

Collaborator

@sprt sprt commented Jan 12, 2024

Merge Checklist
  • Followed patch format from upstream recommendation: https://github.com/kata-containers/community/blob/main/CONTRIBUTING.md#patch-format
  • Included a single commit in a given PR - at least unless there are related commits and each makes sense as a change on its own.
  • Aware about the PR to be merged using "create a merge commit" rather than "squash and merge" (or similar)
  • genPolicy only: Ensured the tool still builds on Windows
  • genPolicy only: Updated sample YAMLs' policy annotations, if applicable
Summary

microsoft/azurelinux#6942 introduces a debug config file with confidential_guest=true and sev_snp_guest=false. This PR enables that config file to be used. See commit message for more info.

Test Methodology

Local testing

enableProtection() is called when confidential_guest=true, so we
disable this check to allow us to test running with
confidential_guest=true and sev_snp_guest=false.

Note this was already done by Wedson previously to allow testing on
non-SNP CPUs, but the purpose here is different.

Signed-off-by: Aurelien Bombo <[email protected]>
@sprt sprt force-pushed the sprt/debug-conf-guest branch from 23e3dba to dcdc39a Compare January 12, 2024 17:43
@sprt sprt marked this pull request as ready for review January 12, 2024 17:44
@@ -474,7 +474,8 @@ func (clh *cloudHypervisor) enableProtection() error {
return nil

default:
return errors.New("This system doesn't support Confidential Computing (Guest Protection)")
// Allow running with no hardware protection for testing.
return nil
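
Review bot: The `default:` case of enableProtection() now returns nil unconditionally, so the path that used to fail with "This system doesn't support Confidential Computing (Guest Protection)" succeeds silently, and a guest configured with confidential_guest=true can start with no hardware protection and no signal to the operator. The added comment says this is for testing, so gate the nil return on an explicit debug or test setting and keep the errors.New(...) failure otherwise. At minimum, emit a warning-level log on this path stating that the guest is running without hardware protection.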


[nit] would it be useful to add a log here saying there's no hardware protection?

@dallasd1

Is there a pointer to the new debug file with these options?

@sprt
Collaborator Author

sprt commented Jan 12, 2024

Is there a pointer to the new debug file with these options?

Yep I linked the spec PR in the description 🙂

@sprt sprt merged commit 74a9b96 into msft-main Jan 16, 2024
38 of 62 checks passed
@sprt sprt added the upstream/missing PRs that are yet to be upstreamed label Jan 22, 2024