kata: add patches for bare metal SNP

packages/by-name/kata/genpolicy/package.nix

@@ -50,7 +50,7 @@ rustPlatform.buildRustPackage rec {
   passthru = {
     settings = fetchurl {
       name = "${pname}-${version}-settings";
-      url = "https://raw.githubusercontent.com/kata-containers/kata-containers/${src.rev}/src/tools/genpolicy/genpolicy-settings.json";
+      url = "https://raw.githubusercontent.com/kata-containers/kata-containers/${version}/src/tools/genpolicy/genpolicy-settings.json";
       hash = "sha256-Rlm1BOo0/yNHBf17p2Mk7ta6VbaGcrgezCk8mraFPtU=";
       downloadToTemp = true;
       recursiveHash = true;
@@ -59,7 +59,7 @@ rustPlatform.buildRustPackage rec {
 
     rules = fetchurl {
       name = "${pname}-${version}-rules";
-      url = "https://raw.githubusercontent.com/kata-containers/kata-containers/${src.rev}/src/tools/genpolicy/rules.rego";
+      url = "https://raw.githubusercontent.com/kata-containers/kata-containers/${version}/src/tools/genpolicy/rules.rego";
       hash = "sha256-J4WIgEgCzm3vEji9f/0kF+gLdE8ziio4PAyRWUJjqZk=";
       downloadToTemp = true;
       recursiveHash = true;

packages/by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch

@@ -0,0 +1,28 @@
+From 2ba6a74a1c10c740540e572f3cab7dc2dd664cc8 Mon Sep 17 00:00:00 2001
+From: Tom Dohrmann <[email protected]>
+Date: Fri, 5 Jul 2024 08:43:13 +0000
+Subject: [PATCH 1/3] govmm: Directly pass the firwmare using -bios with SNP
+
+3e158001993cc2356d6ac084e6c82714210c9f24, but for SNP.
+---
+ src/runtime/pkg/govmm/qemu/qemu.go | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go
+index e752f8181..dadbe8b35 100644
+--- a/src/runtime/pkg/govmm/qemu/qemu.go
++++ b/src/runtime/pkg/govmm/qemu/qemu.go
+@@ -388,9 +388,7 @@ func (object Object) QemuParams(config *Config) []string {
+ 		objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos))
+ 		objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits))
+ 		objectParams = append(objectParams, "kernel-hashes=on")
+-
+-		driveParams = append(driveParams, "if=pflash,format=raw,readonly=on")
+-		driveParams = append(driveParams, fmt.Sprintf("file=%s", object.File))
++		config.Bios = object.File
+ 	case SecExecGuest:
+ 		objectParams = append(objectParams, string(object.Type))
+ 		objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID))
+-- 
+2.34.1
+

packages/by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch

@@ -0,0 +1,40 @@
+From 5f827c88c43c0e3143543d59f8b6f12a7b936832 Mon Sep 17 00:00:00 2001
+From: Tom Dohrmann <[email protected]>
+Date: Mon, 8 Jul 2024 07:35:54 +0000
+Subject: [PATCH 2/3] emulate CPU model that most closely matches the host
+
+QEMU's CPU model 'host' still doesn't support SNP, but by using the
+correct model, the guest is able to figure out the correct CPU model
+which is important for fetching the correct ARK/ASK certificates for
+attestation.
+---
+ src/runtime/virtcontainers/qemu_amd64.go | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/runtime/virtcontainers/qemu_amd64.go b/src/runtime/virtcontainers/qemu_amd64.go
+index ade7356eb..ca8f9998c 100644
+--- a/src/runtime/virtcontainers/qemu_amd64.go
++++ b/src/runtime/virtcontainers/qemu_amd64.go
+@@ -188,7 +188,18 @@ func (q *qemuAmd64) cpuModel() string {
+ 	protection, err := availableGuestProtection()
+ 	if err == nil {
+ 		if protection == snpProtection && q.snpGuest {
+-			cpuModel = "EPYC-v4"
++			// Decide which CPU model line to emulate based on the host CPU's
++			// model value.
++			switch cpuid.DisplayModel {
++			case 0x01:
++				cpuModel = "EPYC-Milan"
++			case 0x11:
++				cpuModel = "EPYC-Genoa"
++			default:
++				// Fall back to a generic CPU.
++				cpuModel = "EPYC-v4"
++			}
++
+ 		}
+ 	}
+
+-- 
+2.34.1
+