// Copyright 2024 Edgeless Systems GmbH
// SPDX-License-Identifier: BUSL-1.1
package kataconfig
import (
	"errors"
	"fmt"
	"path/filepath"

	"github.com/edgelesssys/contrast/internal/platforms"
	"github.com/pelletier/go-toml/v2"
)
var (
	// RuntimeNamePlaceholder is the placeholder for the per-runtime path (i.e. /opt/edgeless/contrast-cc...) in the target file paths.
	// Consumers substitute the concrete runtime directory for this token.
	RuntimeNamePlaceholder = "@@runtimeName@@"
)
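// KataRuntimeConfig returns the Kata runtime configuration for platform,
// rooted at baseDir (the per-runtime install directory).
//
// The embedded base configuration for the platform is decoded first and its
// [hypervisor.qemu], [agent.kata] and [runtime] tables are then overridden
// with the resources installed by the Contrast node-installer. Settings that
// feed into the launch measurement (firmware, kernel, initrd, image, kernel
// params) are replaced rather than appended, matching the measurement
// calculation, and pod annotations are restricted to an explicit allowlist.
//
// Parameters:
//   - baseDir: install root used to build the absolute resource paths.
//   - platform: target platform; only TDX and SNP platforms are supported.
//   - qemuExtraKernelParams: complete kernel command line; it replaces the
//     base configuration's kernel_params.
//   - imagepullerConfigPath: path handed to QEMU as contrast_imagepuller_config.
//   - debug: enables hypervisor, agent and runtime debug output.
//
// It returns an error for an unsupported platform, when the base
// configuration cannot be decoded, or when the base configuration lacks one
// of the tables this function writes into (a write into a missing table
// would otherwise panic on a nil map).
func KataRuntimeConfig(
	baseDir string,
	platform platforms.Platform,
	qemuExtraKernelParams string,
	imagepullerConfigPath string,
	debug bool,
) (*Config, error) {
	var (
		config      Config
		firmwareDir string
		// Annotations that remain accepted from pods; everything else is rejected.
		customContrastAnnotations []string
		err                       error
	)
	switch {
	case platforms.IsTDX(platform):
		if config, err = decodeBaseConfig(kataBareMetalQEMUTDXBaseConfig); err != nil {
			return nil, err
		}
		firmwareDir = "tdx"
	case platforms.IsSNP(platform):
		if config, err = decodeBaseConfig(kataBareMetalQEMUSNPBaseConfig); err != nil {
			return nil, err
		}
		firmwareDir = "snp"
		customContrastAnnotations = snpAnnotations()
	default:
		return nil, fmt.Errorf("unsupported platform: %s", platform)
	}

	qemu, kata, err := requiredSections(config)
	if err != nil {
		return nil, err
	}

	qemu["firmware"] = filepath.Join(baseDir, firmwareDir, "share", "OVMF.fd")
	if platforms.IsTDX(platform) {
		// We set up dm_verity in the system NixOS config.
		// Doing so again here prevents VM boots.
		qemu["kernel_verity_params"] = ""
	}

	if debug {
		kata["enable_debug"] = true
		kata["debug_console_enabled"] = true
		config.Runtime["enable_debug"] = true
	}

	// Use the resources installed by Contrast node-installer.
	qemuBinary := filepath.Join(baseDir, "bin", "qemu-system-x86_64")
	qemu["initrd"] = filepath.Join(baseDir, "share", "kata-initrd.zst")
	qemu["kernel"] = filepath.Join(baseDir, "share", "kata-kernel")
	qemu["image"] = filepath.Join(baseDir, "share", "kata-containers.img")
	qemu["rootfs_type"] = "erofs"
	qemu["path"] = qemuBinary
	// Pin the hypervisor binary Kata may execute to the installed one.
	qemu["valid_hypervisor_paths"] = []string{qemuBinary}
	qemu["contrast_imagepuller_config"] = imagepullerConfigPath
	// TODO(katexochen): Remove after https://github.com/kata-containers/kata-containers/pull/12472 is merged.
	qemu["disable_image_nvdimm"] = true
	// Replace the kernel params entirely (and don't append) since that's
	// also what we do when calculating the launch measurement.
	qemu["kernel_params"] = qemuExtraKernelParams
	// Conditionally enable debug mode.
	qemu["enable_debug"] = debug
	// Disable all annotations, as we don't support these. Some will mess up measurements,
	// others bypass things you can achieve via correct resource declaration anyway.
	// Only the Contrast-specific SNP annotations (if any) and cc_init_data stay allowed.
	qemu["enable_annotations"] = append(customContrastAnnotations, "cc_init_data")
	// Fix and align guest memory calculation.
	qemu["default_memory"] = platforms.DefaultMemoryInMebiBytes(platform)
	config.Runtime["sandbox_cgroup_only"] = true
	// TODO: Check again why we need this and how we can avoid it.
	qemu["block_device_aio"] = "threads"

	config = extraRuntimeConfig(config, platform)
	return &config, nil
}

// decodeBaseConfig parses one of the embedded TOML base configurations.
func decodeBaseConfig(raw string) (Config, error) {
	var config Config
	if err := toml.Unmarshal([]byte(raw), &config); err != nil {
		return Config{}, fmt.Errorf("failed to unmarshal kata runtime configuration: %w", err)
	}
	return config, nil
}

// snpAnnotations lists the Contrast-specific SNP annotations (ID block, ID auth
// and guest policy, per supported product line) that stay enabled on SNP.
func snpAnnotations() []string {
	productLines := []string{"_Milan", "_Genoa"}
	annotationTypes := []string{"snp_id_block", "snp_id_auth", "snp_guest_policy"}
	annotations := make([]string, 0, len(productLines)*len(annotationTypes))
	for _, productLine := range productLines {
		for _, annotationType := range annotationTypes {
			annotations = append(annotations, annotationType+productLine)
		}
	}
	return annotations
}

// requiredSections returns the [hypervisor.qemu] and [agent.kata] tables of
// config and fails if either of them or [runtime] is absent. The tables are
// maps, so writing into a missing one would panic instead of surfacing the
// broken base configuration as an error.
func requiredSections(config Config) (hypervisorConfig, agentConfig, error) {
	qemu := config.Hypervisor["qemu"]
	if qemu == nil {
		return nil, nil, errors.New("kata runtime base configuration lacks [hypervisor.qemu] section")
	}
	kata := config.Agent["kata"]
	if kata == nil {
		return nil, nil, errors.New("kata runtime base configuration lacks [agent.kata] section")
	}
	if config.Runtime == nil {
		return nil, nil, errors.New("kata runtime base configuration lacks [runtime] section")
	}
	return qemu, kata, nil
}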
// Config is the configuration for the Kata runtime.
// Source: https://github.com/kata-containers/kata-containers/blob/4029d154ba0c26fcf4a8f9371275f802e3ef522c/src/runtime/pkg/katautils/Config.go
// This is a simplified version of the actual configuration.
//
// Tables are kept as free-form maps so that keys from the upstream
// configuration survive a decode/override/encode round trip even when this
// package does not model them explicitly.
type Config struct {
	// Hypervisor holds one table per hypervisor, keyed by name (e.g. "qemu").
	Hypervisor map[string]hypervisorConfig `toml:"hypervisor"`
	// Agent holds one table per agent, keyed by name (e.g. "kata").
	Agent map[string]agentConfig `toml:"agent"`
	// Image is the [image] table.
	Image imageConfig `toml:"image"`
	// Factory is the [factory] table.
	Factory factoryConfig `toml:"factory"`
	// Runtime is the [runtime] table.
	Runtime runtimeConfig `toml:"runtime"`
}
// Marshal encodes the configuration as TOML.
// It returns whatever the TOML encoder produces, including its error.
func (c *Config) Marshal() ([]byte, error) {
	encoded, err := toml.Marshal(c)
	return encoded, err
}
// The tables below are modelled as free-form maps rather than typed structs
// so that every key of the upstream Kata configuration can be read,
// overridden and re-encoded without this package tracking each field.
type (
	// imageConfig is the configuration for the image.
	imageConfig map[string]any

	// factoryConfig is the configuration for the factory.
	factoryConfig map[string]any

	// hypervisorConfig is the configuration for the hypervisor.
	hypervisorConfig map[string]any

	// runtimeConfig is the configuration for the Kata runtime.
	runtimeConfig map[string]any

	// agentConfig is the configuration for the agent.
	agentConfig map[string]any
)