microsoft · manuelh-dev · Aug 22, 2023 · Aug 1, 2023 · Aug 1, 2023 · Aug 1, 2023
@@ -14,9 +14,6 @@
 [hypervisor.clh]
 path = "@CLHSNPPATH@"
 igvm = "@IGVMPATH@"
-#kernel = "@KERNELPATH_CLH@"
-#image = "@IMAGEPATH@"
-#initrd = "@INITRDSEVPATH@"
 
 # rootfs filesystem type:
 #   - ext4 (default)
@@ -33,7 +30,7 @@ rootfs_type=@DEFROOTFSTYPE@
 #
 # Known limitations:
 # * Does not work by design:
-#   - CPU Hotplug 
+#   - CPU Hotplug
 #   - Memory Hotplug
 #   - NVDIMM devices
 #
@@ -43,7 +40,10 @@ rootfs_type=@DEFROOTFSTYPE@
 # Default false
 confidential_guest = true
 
-# enable SEV SNP VMs. This is not currently used by CLH
+# enable SEV SNP VMs.
+# This is used in the CLH code path to request SEV SNP encryption. The function availableGuestProtection (see hypervisor_linux_amd64.go)
+# that detects guest protection features hypervisor_linux_amd64.go only supports QEMU/KVM platforms, and currently there is no way to
+# detect SEV SNP support with CLH/MSHV.
 sev_snp_guest = @DEFSNPGUEST@
 
 # SNP guest policy
@@ -86,8 +86,8 @@ enable_annotations = @DEFENABLEANNOTATIONS@
 # List of valid annotations values for the hypervisor
 # Each member of the list is a path pattern as described by glob(3).
 # The default if not set is empty (all annotations rejected.)
-# Your distribution recommends: @CLHVALIDHYPERVISORPATHS@
-valid_hypervisor_paths = @CLHVALIDHYPERVISORPATHS@
+# Your distribution recommends: @CLHSNPVALIDHYPERVISORPATHS@
+valid_hypervisor_paths = @CLHSNPVALIDHYPERVISORPATHS@
 
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
@@ -192,7 +192,8 @@ block_device_driver = "virtio-blk"
 #enable_hugepages = true
 
 # Disable the 'seccomp' feature from Cloud Hypervisor, default false
-# disable_seccomp = true
+# TODO - to be re-enabled with next CH-SNP release. This is fixed but the fix is not yet released
+disable_seccomp = true
 
 # This option changes the default hypervisor and kernel parameters
 # to enable debug output where available.
@@ -222,9 +223,9 @@ block_device_driver = "virtio-blk"
 # and we strongly advise users to refer the Cloud Hypervisor official
 # documentation for a better understanding of its internals:
 # https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/io_throttling.md
-# 
+#
 # Bandwidth rate limiter options
-# 
+#
 # net_rate_limiter_bw_max_rate controls network I/O bandwidth (size in bits/sec
 # for SB/VM).
 # The same value is used for inbound and outbound bandwidth.
@@ -258,9 +259,9 @@ block_device_driver = "virtio-blk"
 # and we strongly advise users to refer the Cloud Hypervisor official
 # documentation for a better understanding of its internals:
 # https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/io_throttling.md
-# 
+#
 # Bandwidth rate limiter options
-# 
+#
 # disk_rate_limiter_bw_max_rate controls disk I/O bandwidth (size in bits/sec
 # for SB/VM).
 # The same value is used for inbound and outbound bandwidth.

@@ -15,6 +15,7 @@
 path = "@CLHPATH@"
 kernel = "@KERNELPATH_CLH@"
 image = "@IMAGEPATH@"
+#initrd = "@INITRDPATH@"
 
 # rootfs filesystem type:
 #   - ext4 (default)
@@ -31,7 +32,7 @@ rootfs_type=@DEFROOTFSTYPE@
 #
 # Known limitations:
 # * Does not work by design:
-#   - CPU Hotplug 
+#   - CPU Hotplug
 #   - Memory Hotplug
 #   - NVDIMM devices
 #
@@ -211,9 +212,9 @@ block_device_driver = "virtio-blk"
 # and we strongly advise users to refer the Cloud Hypervisor official
 # documentation for a better understanding of its internals:
 # https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/io_throttling.md
-# 
+#
 # Bandwidth rate limiter options
-# 
+#
 # net_rate_limiter_bw_max_rate controls network I/O bandwidth (size in bits/sec
 # for SB/VM).
 # The same value is used for inbound and outbound bandwidth.
@@ -247,9 +248,9 @@ block_device_driver = "virtio-blk"
 # and we strongly advise users to refer the Cloud Hypervisor official
 # documentation for a better understanding of its internals:
 # https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/io_throttling.md
-# 
+#
 # Bandwidth rate limiter options
-# 
+#
 # disk_rate_limiter_bw_max_rate controls disk I/O bandwidth (size in bits/sec
 # for SB/VM).
 # The same value is used for inbound and outbound bandwidth.

@@ -1113,6 +1113,7 @@ func newClhHypervisorConfig(h hypervisor) (vc.HypervisorConfig, error) {
 		EnableAnnotations:              h.EnableAnnotations,
 		DisableSeccomp:                 h.DisableSeccomp,
 		ConfidentialGuest:              h.ConfidentialGuest,
+		SevSnpGuest:                    h.SevSnpGuest,
 		Rootless:                       h.Rootless,
 		DisableSeLinux:                 h.DisableSeLinux,
 		DisableGuestSeLinux:            h.DisableGuestSeLinux,

@@ -73,7 +73,7 @@ const (
 	// Values based on:
 	clhTimeout                     = 10
 	clhAPITimeout                  = 1
-	clhAPITimeoutConfidentialGuest = 40
+	clhAPITimeoutConfidentialGuest = 60
 	// Timeout for hot-plug - hotplug devices can take more time, than usual API calls
 	// Use longer time timeout for it.
 	clhHotPlugAPITimeout                   = 5
@@ -83,6 +83,7 @@ const (
 	clhAPISocket                           = "clh-api.sock"
 	virtioFsSocket                         = "virtiofsd.sock"
 	defaultClhPath                         = "/usr/local/bin/cloud-hypervisor"
+	snpHostDataDummy                       = "0123456789012345678901234567890123456789012345678901234567890123"
 )
 
 // Interface that hides the implementation of openAPI client
@@ -405,9 +406,19 @@ func (clh *cloudHypervisor) nydusdAPISocketPath(id string) (string, error) {
 }
 
 func (clh *cloudHypervisor) enableProtection() error {
-	protection, err := availableGuestProtection()
-	if err != nil {
-		return err
+
+	protection := noneProtection
+
+	// SNP protection explicitly requested by config
+	if clh.config.SevSnpGuest {
+		protection = snpProtection
+	} else {
+		// protection method not explicitly requested, using available method
+		availableProtection, err := availableGuestProtection()
+		if err != nil {
+			return err
+		}
+		protection = availableProtection
 	}
 
 	switch protection {
@@ -432,8 +443,16 @@ func (clh *cloudHypervisor) enableProtection() error {
 
 	case sevProtection:
 		return errors.New("SEV protection is not supported by Cloud Hypervisor")
+
 	case snpProtection:
-		return errors.New("SEV-SNP protection is not supported by Cloud Hypervisor")
+		if clh.vmconfig.Platform == nil {
+			clh.vmconfig.Platform = chclient.NewPlatformConfig()
+		}
+		clh.vmconfig.Platform.SetSnp(true)
+
+		clh.vmconfig.Payload.SetHostData(snpHostDataDummy)
+
+		return nil
 
 	default:
 		return nil
@@ -485,24 +504,28 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net
 	if err != nil {
 		return err
 	}
-	clh.vmconfig.Payload.SetIgvm(igvmPath)
 
 	// Make sure the kernel path is valid if no igvm set
 	if igvmPath == "" {
+		if clh.config.ConfidentialGuest {
+			return errors.New("igvm must be set with confidential_guest")
+		}
 		kernelPath, err := clh.config.KernelAssetPath()
 		if err != nil {
 			return err
 		}
 		clh.vmconfig.Payload.SetKernel(kernelPath)
+	} else {
+		if !clh.config.ConfidentialGuest {
+			return errors.New("igvm can only be set with confidential_guest")
+		}
+		clh.vmconfig.Payload.SetIgvm(igvmPath)
 	}
 
 	if clh.config.ConfidentialGuest {
 		if err := clh.enableProtection(); err != nil {
 			return err
 		}
-		if igvmPath == "" {
-			return errors.New("igvm must be set with confidential_guest")
-		}
 	}
 
 	// Create the VM memory config via the constructor to ensure default values are properly assigned
@@ -580,8 +603,8 @@ func (clh *cloudHypervisor) CreateVM(ctx context.Context, id string, network Net
 				clh.vmconfig.Pmem = &[]chclient.PmemConfig{*pmem}
 			}
 		}
-	} 
-	
+	}
+
 	initrdPath, err := clh.config.InitrdAssetPath()
 	if err != nil {
 		return err

@@ -626,6 +626,7 @@ components:
             - oem_strings
             - oem_strings
             tdx: false
+            snp: false
             serial_number: serial_number
             uuid: uuid
           tpm:
@@ -650,6 +651,7 @@ components:
             kernel: kernel
             initramfs: initramfs
             igvm: igvm
+            host_data: host_data
             firmware: firmware
           serial:
             mode: "false"
@@ -785,6 +787,7 @@ components:
         kernel: kernel
         initramfs: initramfs
         igvm: igvm
+        host_data: host_data
         firmware: firmware
       properties:
         firmware:
@@ -797,6 +800,8 @@ components:
           type: string
         igvm:
           type: string
+        host_data:
+          type: string
       type: object
     VmConfig:
       description: Virtual machine configuration
@@ -992,6 +997,7 @@ components:
           - oem_strings
           - oem_strings
           tdx: false
+          snp: false
           serial_number: serial_number
           uuid: uuid
         tpm:
@@ -1016,6 +1022,7 @@ components:
           kernel: kernel
           initramfs: initramfs
           igvm: igvm
+          host_data: host_data
           firmware: firmware
         serial:
           mode: "false"
@@ -1225,6 +1232,7 @@ components:
         - oem_strings
         - oem_strings
         tdx: false
+        snp: false
         serial_number: serial_number
         uuid: uuid
       properties:
@@ -1247,6 +1255,9 @@ components:
         tdx:
           default: false
           type: boolean
+        snp:
+          default: false
+          type: boolean
       type: object
     MemoryZoneConfig:
       example:

@@ -4,10 +4,12 @@
 
 Name | Type | Description | Notes
 ------------ | ------------- | ------------- | -------------
-**Firmware** | Pointer to **string** |  | [optional] 
-**Kernel** | Pointer to **string** |  | [optional] 
-**Cmdline** | Pointer to **string** |  | [optional] 
-**Initramfs** | Pointer to **string** |  | [optional] 
+**Firmware** | Pointer to **string** |  | [optional]
+**Kernel** | Pointer to **string** |  | [optional]
+**Cmdline** | Pointer to **string** |  | [optional]
+**Initramfs** | Pointer to **string** |  | [optional]
+**Igvm** | Pointer to **string** |  | [optional]
+**HostData** | Pointer to **string** |  | [optional]
 
 ## Methods
 
@@ -128,6 +130,55 @@ SetInitramfs sets Initramfs field to given value.
 
 HasInitramfs returns a boolean if a field has been set.
 
+### GetIgvm
+
+`func (o *PayloadConfig) GetIgvm() string`
+
+GetIgvm returns the Igvm field if non-nil, zero value otherwise.
+
+### GetIgvmOk
+
+`func (o *PayloadConfig) GetIgvmOk() (*string, bool)`
+
+GetIgvmOk returns a tuple with the Igvm field if it's non-nil, zero value otherwise
+and a boolean to check if the value has been set.
+
+### SetIgvm
+
+`func (o *PayloadConfig) SetIgvm(v string)`
+
+SetIgvm sets Igvm field to given value.
+
+### HasIgvm
+
+`func (o *PayloadConfig) HasIgvm() bool`
+
+HasIgvm returns a boolean if a field has been set.
+
+### GetHostData
+
+`func (o *PayloadConfig) GetHostData() string`
+
+GetHostData returns the HostData field if non-nil, zero value otherwise.
+
+### GetHostDataOk
+
+`func (o *PayloadConfig) GetHostDataOk() (*string, bool)`
+
+GetHostDataOk returns a tuple with the HostData field if it's non-nil, zero value otherwise
+and a boolean to check if the value has been set.
+
+### SetHostData
+
+`func (o *PayloadConfig) SetHostData(v string)`
+
+SetHostData sets HostData field to given value.
+
+### HasHostData
+
+`func (o *PayloadConfig) HasHostData() bool`
+
+HasHostData returns a boolean if a field has been set.
 
 [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)