From 836563d5a8e98e0ddfb08d87cf5770337f12c812 Mon Sep 17 00:00:00 2001
From: Moritz Sanft <58110325+msanft@users.noreply.github.com>
Date: Wed, 17 Jul 2024 15:17:03 +0200
Subject: [PATCH] packages: drop faulty TDX hunk

This removes a hunk from a patch of ours in the kata shim causing a faulty QEMU command line.
---
 ...e-agent-verify-the-agent-policy-hash.patch | 168 ++++++++----------
 1 file changed, 76 insertions(+), 92 deletions(-)

diff --git a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch
index 322ed3eef1..61bf7484e3 100644
--- a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch
+++ b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch
@@ -48,7 +48,7 @@ index 911bca114..fef34b648 100644
 @@ -465,6 +465,12 @@ version = "0.6.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb" - + +[[package]] +name = "bitfield" +version = "0.13.2"
@@ -61,7 +61,7 @@ index 911bca114..fef34b648 100644
 @@ -802,6 +808,12 @@ dependencies = [ "os_str_bytes", ] - + +[[package]] +name = "codicon" +version = "3.0.0"
@@ -74,7 +74,7 @@ index 911bca114..fef34b648 100644
 @@ -1201,6 +1213,15 @@ dependencies = [ "subtle", ] - + +[[package]] +name = "dirs" +version = "5.0.1"
@@ -90,7 +90,7 @@ index 911bca114..fef34b648 100644
 @@ -1211,6 +1232,18 @@ dependencies = [ "dirs-sys-next", ] - + +[[package]] +name = "dirs-sys" +version = "0.4.1"
@@ -109,7 +109,7 @@ index 911bca114..fef34b648 100644
 @@ -1995,6 +2028,12 @@ dependencies = [ "windows-sys 0.48.0", ] - + +[[package]] +name = "iocuddle" +version = "0.1.1"
@@ -139,7 +139,7 @@ index 911bca114..fef34b648 100644
 @@ -3013,6 +3055,12 @@ dependencies = [ "tokio-stream", ] - + +[[package]] +name = "option-ext" +version = "0.2.0"
@@ -152,7 +152,7 @@ index 911bca114..fef34b648 100644 @@ -4354,6 +4402,15 @@ dependencies = [ "syn 1.0.109", ] - + +[[package]] +name = "serde-big-array" +version = "0.5.1" @@ -168,7 +168,7 @@ index 911bca114..fef34b648 100644 @@ -4373,6 +4430,15 @@ version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "794e44574226fc701e3be5c651feb7939038fc67fb73f6f4dd5c4ba90fd3be70" - + +[[package]] +name = "serde_bytes" +version = "0.11.10" @@ -184,7 +184,7 @@ index 911bca114..fef34b648 100644 @@ -4470,6 +4536,28 @@ dependencies = [ "syn 1.0.109", ] - + +[[package]] +name = "sev" +version = "2.0.2" @@ -217,13 +217,13 @@ index 911bca114..fef34b648 100644 +dependencies = [ + "serde", +] - + [[package]] name = "valuable" @@ -5495,6 +5586,16 @@ version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" - + +[[package]] +name = "vmm-sys-util" +version = "0.11.2" @@ -244,7 +244,7 @@ index 0ab98b3e3..37263149d 100644 @@ -90,6 +90,11 @@ regorus = { version = "0.1.4", default-features = false, features = [ "regex", ], optional = true } - + +# Policy validation +sha2 = { version = "0.10.6", optional = true } +sev = { version = "2.0.2", default-features = false, features = ["snp"], optional = true } @@ -260,21 +260,21 @@ index 0ab98b3e3..37263149d 100644 -agent-policy = ["regorus"] +agent-policy = ["regorus", "sev", "sha2", "vmm-sys-util"] guest-pull = ["image-rs", "openssl"] - + [[bin]] diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs index 0450b1bcc..87cb18101 100644 --- a/src/agent/src/main.rs +++ b/src/agent/src/main.rs @@ -85,6 +85,10 @@ mod tracer; - + #[cfg(feature = "agent-policy")] mod policy; +#[cfg(feature = "agent-policy")] +mod sev; +#[cfg(feature = "agent-policy")] +mod tdx; - + cfg_if! { if #[cfg(target_arch = "s390x")] { diff --git a/src/agent/src/policy.rs b/src/agent/src/policy.rs 
@@ -284,22 +284,22 @@ index d709515ff..fe1461e5c 100644 @@ -3,12 +3,15 @@ // SPDX-License-Identifier: Apache-2.0 // - + -use anyhow::Result; +use anyhow::{Result, bail}; use protobuf::MessageDyn; +use sha2::{Digest, Sha256, Sha384}; use slog::Drain; use tokio::io::AsyncWriteExt; - + use crate::rpc::ttrpc_error; +use crate::sev::get_snp_host_data; +use crate::tdx::get_tdx_mrconfigid; use crate::AGENT_POLICY; - + static POLICY_LOG_FILE: &str = "/tmp/policy.txt"; @@ -131,6 +134,7 @@ impl AgentPolicy { - + /// Replace the Policy in regorus. pub async fn set_policy(&mut self, policy: &str) -> Result<()> { + verify_policy_digest(policy)?; @@ -602,7 +602,7 @@ index dadbe8b35..d85f207b7 100644 --- a/src/runtime/pkg/govmm/qemu/qemu.go +++ b/src/runtime/pkg/govmm/qemu/qemu.go @@ -316,6 +316,11 @@ type Object struct { - + // QgsPort defines Intel Quote Generation Service port exposed from the host QgsPort uint32 + @@ -611,24 +611,8 @@ index dadbe8b35..d85f207b7 100644 + // objects and is encoded in the format expected by QEMU for each TEE type. + TEEConfigData string } - + // Valid returns true if the Object structure is valid and complete. -@@ -373,6 +378,15 @@ func (object Object) QemuParams(config *Config) []string { - - case TDXGuest: - objectParams = append(objectParams, prepareObjectWithTdxQgs(object)) -+ objectParams = append(objectParams, string(object.Type)) -+ objectParams = append(objectParams, "sept-ve-disable=on") -+ objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID)) -+ if object.Debug { -+ objectParams = append(objectParams, "debug=on") -+ } -+ if len(object.TEEConfigData) > 0 { -+ objectParams = append(objectParams, fmt.Sprintf("mrconfigid=%s", object.TEEConfigData)) -+ } - config.Bios = object.File - case SEVGuest: - objectParams = append(objectParams, string(object.Type)) 
@@ -388,6 +402,9 @@ func (object Object) QemuParams(config *Config) []string { objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos)) objectParams = append(objectParams, fmt.Sprintf("reduced-phys-bits=%d", object.ReducedPhysBits)) @@ -644,15 +628,15 @@ index aa3082324..2fa88c11f 100644 --- a/src/runtime/virtcontainers/hypervisor.go +++ b/src/runtime/virtcontainers/hypervisor.go @@ -680,6 +680,10 @@ type HypervisorConfig struct { - + // QgsPort defines Intel Quote Generation Service port exposed from the host QgsPort uint32 -+ ++ + // Policy text, for sandboxes created using a valid io.katacontainers.config.agent.policy + // annotation + AgentPolicy string } - + // vcpu mapping from vcpu number to thread number diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go index 7a189bb91..509f74a3c 100644 @@ -661,7 +645,7 @@ index 7a189bb91..509f74a3c 100644 @@ -681,7 +681,7 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi Debug: hypervisorConfig.Debug, } - + - qemuConfig.Devices, qemuConfig.Bios, err = q.arch.appendProtectionDevice(qemuConfig.Devices, firmwarePath, firmwareVolumePath) + qemuConfig.Devices, qemuConfig.Bios, err = q.arch.appendProtectionDevice(qemuConfig.Devices, firmwarePath, firmwareVolumePath, q.config.AgentPolicy) if err != nil { @@ -672,7 +656,7 @@ index ca8f9998c..0a6612736 100644 --- a/src/runtime/virtcontainers/qemu_amd64.go +++ b/src/runtime/virtcontainers/qemu_amd64.go @@ -9,6 +9,10 @@ package virtcontainers - + import ( "context" + "crypto/sha256" @@ -681,10 +665,10 @@ index ca8f9998c..0a6612736 100644 + "encoding/hex" "fmt" "time" - + 
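Review bot: With the `@@ -373,6 +378,15 @@` hunk dropped, the TDX branch of `Object.QemuParams` no longer emits `mrconfigid=` from `object.TEEConfigData`, while the same patch still imports `get_tdx_mrconfigid` into the agent's policy module and calls `verify_policy_digest(policy)?` in `set_policy` — so on TDX the agent's policy-hash check would be compared against an MRCONFIGID this shim never sets, unless `prepareObjectWithTdxQgs` (body not visible here) supplies it. The commit message only says the hunk produced a faulty command line; judging from the removed lines, appending `string(object.Type)` and `id=%s` a second time after `prepareObjectWithTdxQgs(object)` is the plausible cause, in which case keeping just the `mrconfigid` append would have preserved the binding — please confirm against `prepareObjectWithTdxQgs` before taking that route. Either way the retained `TEEConfigData` comment (`// objects and is encoded in the format expected by QEMU for each TEE type.`) now overstates what is wired up; I would amend it to `// Currently only consumed on the SEV-SNP path (host-data); the TDX path does not pass it as mrconfigid.` and state in the commit message that TDX policy-hash binding is disabled until a corrected hunk lands. The enclosing `QemuParams` function starts and ends outside this hunk.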
@@ -277,7 +281,7 @@ func (q *qemuAmd64) enableProtection() error { } - + // append protection device -func (q *qemuAmd64) appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string) ([]govmmQemu.Device, string, error) { +func (q *qemuAmd64) appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string, agentPolicy string) ([]govmmQemu.Device, string, error) { @@ -706,7 +690,7 @@ index ca8f9998c..0a6612736 100644 + TEEConfigData: snpHostData(agentPolicy), }), "", nil case noneProtection: - + @@ -331,3 +337,33 @@ func (q *qemuAmd64) appendProtectionDevice(devices []govmmQemu.Device, firmware, return devices, "", fmt.Errorf("Unsupported guest protection technology: %v", q.protection) } @@ -746,7 +730,7 @@ index 1425cb38c..f0a9c691a 100644 --- a/src/runtime/virtcontainers/qemu_amd64_test.go +++ b/src/runtime/virtcontainers/qemu_amd64_test.go @@ -9,6 +9,10 @@ package virtcontainers - + import ( "context" + "crypto/sha256" @@ -759,7 +743,7 @@ index 1425cb38c..f0a9c691a 100644 @@ -247,6 +251,34 @@ func TestQemuAmd64Microvm(t *testing.T) { assert.False(amd64.supportGuestMemoryHotplug()) } - + +// return the policy hash in the host-data format expected by QEMU for SEV-SNP. +func testSnpHostData(policy string) string { + if len(policy) == 0 { @@ -792,7 +776,7 @@ index 1425cb38c..f0a9c691a 100644 var devices []govmmQemu.Device assert := assert.New(t) @@ -255,30 +287,48 @@ func TestQemuAmd64AppendProtectionDevice(t *testing.T) { - + id := amd64.(*qemuAmd64).devLoadersCount firmware := "tdvf.fd" + policy := "package test1" @@ -802,7 +786,7 @@ index 1425cb38c..f0a9c691a 100644 var err error - devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "") - assert.NoError(err) - + // non-protection + devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "", "") + assert.NoError(err) 
@@ -811,7 +795,7 @@ index 1425cb38c..f0a9c691a 100644 + devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "", policy) + assert.NoError(err) assert.NotEmpty(bios) - + // pef protection amd64.(*qemuAmd64).protection = pefProtection - devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "") @@ -824,7 +808,7 @@ index 1425cb38c..f0a9c691a 100644 + devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "", policy) assert.Error(err) assert.Empty(bios) - + // Secure Execution protection amd64.(*qemuAmd64).protection = seProtection - devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "") @@ -836,19 +820,19 @@ index 1425cb38c..f0a9c691a 100644 + devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "", policy) assert.Error(err) assert.Empty(bios) - + // sev protection amd64.(*qemuAmd64).protection = sevProtection - + - devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "") + devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "", "") assert.NoError(err) assert.Empty(bios) - + @@ -295,10 +345,42 @@ func TestQemuAmd64AppendProtectionDevice(t *testing.T) { - + assert.Equal(expectedOut, devices) - + + devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "", policy) + assert.NoError(err) + assert.Empty(bios) @@ -868,7 +852,7 @@ index 1425cb38c..f0a9c691a 100644 + // snp protection amd64.(*qemuAmd64).protection = snpProtection - + - devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "") + devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "", "") + assert.NoError(err) @@ -888,7 +872,7 @@ index 1425cb38c..f0a9c691a 100644 + devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "", policy) assert.NoError(err) assert.Empty(bios) - + @@ -310,6 +392,7 @@ func TestQemuAmd64AppendProtectionDevice(t *testing.T) { File: firmware, CBitPos: cpuid.AMDMemEncrypt.CBitPosition, 
@@ -896,19 +880,19 @@ index 1425cb38c..f0a9c691a 100644 + TEEConfigData: hostData, }, ) - + @@ -318,7 +401,7 @@ func TestQemuAmd64AppendProtectionDevice(t *testing.T) { // tdxProtection amd64.(*qemuAmd64).protection = tdxProtection - + - devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "") + devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "", "") assert.NoError(err) assert.Empty(bios) - + @@ -334,4 +417,23 @@ func TestQemuAmd64AppendProtectionDevice(t *testing.T) { ) - + assert.Equal(expectedOut, devices) + + id += 1 @@ -940,12 +924,12 @@ index fd92be772..662466f58 100644 // be used with the -bios option, ommit -bios option if the path is empty. - appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string) ([]govmmQemu.Device, string, error) + appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string, agentPolicy string) ([]govmmQemu.Device, string, error) - + // scans the PCIe space and returns the biggest BAR sizes for 32-bit // and 64-bit addressable memory @@ -897,7 +897,7 @@ func (q *qemuArchBase) setPFlash(p []string) { } - + // append protection device -func (q *qemuArchBase) appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string) ([]govmmQemu.Device, string, error) { +func (q *qemuArchBase) appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string, agentPolicy string) ([]govmmQemu.Device, string, error) { @@ -959,7 +943,7 @@ index a9b803f73..112fe358e 100644 @@ -154,7 +154,7 @@ func (q *qemuArm64) enableProtection() error { return nil } - + -func (q *qemuArm64) appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string) ([]govmmQemu.Device, string, error) { +func (q *qemuArm64) appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string, agentPolicy string) ([]govmmQemu.Device, string, error) { err := q.enableProtection() 
@@ -971,7 +955,7 @@ index 07e67ac8c..8b6bd03eb 100644 +++ b/src/runtime/virtcontainers/qemu_arm64_test.go @@ -182,42 +182,77 @@ func TestQemuArm64AppendProtectionDevice(t *testing.T) { var err error - + // no protection - devices, bios, err = arm64.appendProtectionDevice(devices, firmware, "") + devices, bios, err = arm64.appendProtectionDevice(devices, firmware, "", "") @@ -983,7 +967,7 @@ index 07e67ac8c..8b6bd03eb 100644 assert.Empty(devices) assert.Empty(bios) assert.NoError(err) - + // PEF protection arm64.(*qemuArm64).protection = pefProtection - devices, bios, err = arm64.appendProtectionDevice(devices, firmware, "") @@ -997,7 +981,7 @@ index 07e67ac8c..8b6bd03eb 100644 assert.Empty(devices) assert.Empty(bios) assert.NoError(err) - + // Secure Execution protection arm64.(*qemuArm64).protection = seProtection - devices, bios, err = arm64.appendProtectionDevice(devices, firmware, "") @@ -1011,7 +995,7 @@ index 07e67ac8c..8b6bd03eb 100644 assert.Empty(devices) assert.Empty(bios) assert.NoError(err) - + // SEV protection arm64.(*qemuArm64).protection = sevProtection - devices, bios, err = arm64.appendProtectionDevice(devices, firmware, "") @@ -1025,7 +1009,7 @@ index 07e67ac8c..8b6bd03eb 100644 assert.Empty(devices) assert.Empty(bios) assert.NoError(err) - + // SNP protection arm64.(*qemuArm64).protection = snpProtection - devices, bios, err = arm64.appendProtectionDevice(devices, firmware, "") @@ -1039,7 +1023,7 @@ index 07e67ac8c..8b6bd03eb 100644 assert.Empty(devices) assert.Empty(bios) assert.NoError(err) - + // TDX protection arm64.(*qemuArm64).protection = tdxProtection - devices, bios, err = arm64.appendProtectionDevice(devices, firmware, "") @@ -1059,7 +1043,7 @@ index d2e0228c8..ed7a14c4d 100644 +++ b/src/runtime/virtcontainers/qemu_ppc64le.go 
@@ -157,7 +157,7 @@ func (q *qemuPPC64le) enableProtection() error { } - + // append protection device -func (q *qemuPPC64le) appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string) ([]govmmQemu.Device, string, error) { +func (q *qemuPPC64le) appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string, agentPolicy string) ([]govmmQemu.Device, string, error) { @@ -1076,7 +1060,7 @@ index 85e1dfe80..0c2f4b923 100644 var err error - devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "") - assert.NoError(err) - + //no protection + devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "", "") + assert.NoError(err) @@ -1085,7 +1069,7 @@ index 85e1dfe80..0c2f4b923 100644 + devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "", "FOObar") + assert.NoError(err) assert.Empty(bios) - + //Secure Execution protection ppc64le.(*qemuPPC64le).protection = seProtection - devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "") @@ -1097,7 +1081,7 @@ index 85e1dfe80..0c2f4b923 100644 + devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "", "adasawdq") assert.Error(err) assert.Empty(bios) - + //SEV protection ppc64le.(*qemuPPC64le).protection = sevProtection - devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "") @@ -1109,7 +1093,7 @@ index 85e1dfe80..0c2f4b923 100644 + devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "", "Fc+jr0/5HZMfG0uu54bbUsYuu8K0G7PXH8WNc4idAT8=") assert.Error(err) assert.Empty(bios) - + //SNP protection ppc64le.(*qemuPPC64le).protection = snpProtection - devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "") 
@@ -1121,7 +1105,7 @@ index 85e1dfe80..0c2f4b923 100644 + devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "", "Fc+jr0/5HZMfG0uu54bbUsYuu8K0G7PXH8WNc4idAT8=") assert.Error(err) assert.Empty(bios) - + //TDX protection ppc64le.(*qemuPPC64le).protection = tdxProtection - devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "") @@ -1133,18 +1117,18 @@ index 85e1dfe80..0c2f4b923 100644 + devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "", "123456789012345678901234567890123456789012345678") assert.Error(err) assert.Empty(bios) - + //PEF protection ppc64le.(*qemuPPC64le).protection = pefProtection - devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "") + devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "", "") assert.NoError(err) assert.Empty(bios) - + @@ -107,4 +131,19 @@ func TestQemuPPC64leAppendProtectionDevice(t *testing.T) { } assert.Equal(expectedOut, devices) - + + devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "", "abc") + assert.NoError(err) + assert.Empty(bios) @@ -1166,7 +1150,7 @@ index 29eaafe5b..787a0e589 100644 --- a/src/runtime/virtcontainers/qemu_s390x.go +++ b/src/runtime/virtcontainers/qemu_s390x.go @@ -337,7 +337,7 @@ func (q *qemuS390x) enableProtection() error { - + // appendProtectionDevice appends a QEMU object for Secure Execution. // Takes devices and returns updated version. Takes BIOS and returns it (no modification on s390x). -func (q *qemuS390x) appendProtectionDevice(devices []govmmQemu.Device, firmware, firmwareVolume string) ([]govmmQemu.Device, string, error) { @@ -1184,7 +1168,7 @@ index 24a67bdd9..3f5f84aff 100644 var err error - devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "") - assert.NoError(err) - + // no protection + devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "", "") + assert.NoError(err) 
@@ -1193,7 +1177,7 @@ index 24a67bdd9..3f5f84aff 100644 + devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "", "s390x_test") + assert.NoError(err) assert.Empty(bios) - + // PEF protection s390x.(*qemuS390x).protection = pefProtection - devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "") @@ -1205,7 +1189,7 @@ index 24a67bdd9..3f5f84aff 100644 + devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "", "1234") assert.Error(err) assert.Empty(bios) - + // TDX protection s390x.(*qemuS390x).protection = tdxProtection - devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "") @@ -1217,7 +1201,7 @@ index 24a67bdd9..3f5f84aff 100644 + devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "", "123456789012345678901234567890123456789012345678") assert.Error(err) assert.Empty(bios) - + // SEV protection s390x.(*qemuS390x).protection = sevProtection - devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "") @@ -1229,7 +1213,7 @@ index 24a67bdd9..3f5f84aff 100644 + devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "", "Fc+jr0/5HZMfG0uu54bbUsYuu8K0G7PXH8WNc4idAT8=") assert.Error(err) assert.Empty(bios) - + // SNP protection s390x.(*qemuS390x).protection = snpProtection - devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "") @@ -1241,15 +1225,15 @@ index 24a67bdd9..3f5f84aff 100644 + devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "", "Fc+jr0/5HZMfG0uu54bbUsYuu8K0G7PXH8WNc4idAT8=") assert.Error(err) assert.Empty(bios) - + // Secure Execution protection s390x.(*qemuS390x).protection = seProtection - + - devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "") + devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "", "") assert.NoError(err) assert.Empty(bios) - + @@ -155,4 +179,17 @@ func TestQemuS390xAppendProtectionDevice(t *testing.T) { }, } 
@@ -1273,13 +1257,13 @@ index b58daccaa..af35af12e 100644 --- a/src/runtime/virtcontainers/sandbox.go +++ b/src/runtime/virtcontainers/sandbox.go @@ -596,6 +596,7 @@ func newSandbox(ctx context.Context, sandboxConfig SandboxConfig, factory Factor - + sandboxConfig.HypervisorConfig.VMStorePath = s.store.RunVMStoragePath() sandboxConfig.HypervisorConfig.RunStorePath = s.store.RunStoragePath() + sandboxConfig.HypervisorConfig.AgentPolicy = sandboxConfig.AgentConfig.Policy - + spec := s.GetPatchedOCISpec() if spec != nil && spec.Process.SelinuxLabel != "" { --- +-- 2.34.1