Open wainersm opened 1 year ago
hi @bpradipt,
I was investigating how this issue could be implemented and I will need your help :)
I've been using the Secure Execution Support for Peer Pods on IBM Cloud as an "inspiration" to guide my thoughts. IIUC, for IBM SE the confidential VM is enabled by passing the bz2e-2x8 profile (from the https://github.com/confidential-containers/cloud-api-adaptor/blob/main/install/overlays/ibmcloud/kustomization.yaml#L24 install property down to the cloud-api-adaptor command line arguments) and cooking a special peer pod VM image.
Similarly, we could have instance types other than the default for Libvirt (e.g. LibvirtVmTypeDefault, LibvirtVmTypeSEVSNP, LibvirtTypeVmTDX). The LibvirtVmTypeSEVSNP would configure the domain/VM as explained in https://libvirt.org/kbase/launch_security_sev.html . I don't want to get into implementation details at this point but just check if this is more or less what you had in mind.
Do we want to boot a podvm image with an encrypted (LUKS) disk?
Another point that I am still not sure about is whether we want to enable guest attestation at this point.
FYI @esposem , please advise :)
@wainersm, if we can have a way to simulate different VM profiles in libvirt then it'll be great. I don't think libvirt supports VM profiles (or flavours) by default? Or does it?
If VM profiles are not possible, then we can simply use a boolean flag in the CLI (e.g. disablecvm like in Azure) to decide whether to spin up regular VMs or CVMs.
AFAIK libvirt does not have the concept of profiles (or flavors); the closest that I can think of is to launch VMs from a snapshot.
At first I thought of simulating the VM profiles within the CAA code but then I changed my mind. I now think that we should stick to the existing concepts within Libvirt, otherwise we will end up with a new cloud provider.
That said, I thought of the following implementation. I'm breaking it into two phases because I didn't have time to investigate boot measurement, so the idea is to create something basic in phase 1, then add measurement in phase 2 if needed.
Phase 1 - Basic Confidential VM
- Add new fields to the vmConfig struct (q35 for sev and ?? for s390x-pv)
- Adapt CreateDomain to create the CVM domain based on the value of vmConfig.LaunchSecurityType
- cloud-api-adaptor CLI gets new arguments (e.g. --launchsecurity and --firmware) or reads them from the environment (e.g. LIBVIRT_LAUNCH_SECURITY, LIBVIRT_FIRMWARE)
- Implement unit tests
- Change libvirt's installation overlay to export the new environment variables
- Add e2e test
Phase 2 - Add boot measurement
As SNP is not currently supported, merging my work in #1395 and #1396
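As an added illustration of the phase 1 CreateDomain change (example code, not cloud-api-adaptor's own), this renders the libvirt domain XML with the elements the linked launch_security_sev kbase page requires when the proposed LaunchSecurityType is "sev", and a plain domain otherwise. The function name, parameter names and the cbitpos/reducedPhysBits values are assumptions; on a real host they come from `virsh domcapabilities`.

```go
package main
import (
	"encoding/xml"
	"fmt"
)

// Minimal libvirt domain model with only the elements the SEV kbase page requires.
type osType struct {
	Arch    string `xml:"arch,attr"`
	Machine string `xml:"machine,attr"`
	Value   string `xml:",chardata"`
}
type loader struct {
	ReadOnly string `xml:"readonly,attr"`
	Type     string `xml:"type,attr"`
	Path     string `xml:",chardata"`
}
type launchSecurity struct {
	Type            string `xml:"type,attr"`
	CBitPos         uint   `xml:"cbitpos"`
	ReducedPhysBits uint   `xml:"reducedPhysBits"`
	Policy          string `xml:"policy"` // 0x0003 = NODBG|NOKS: no hypervisor debugging, no key sharing
}
type domain struct {
	Type           string          `xml:"type,attr"`
	Name           string          `xml:"name"`
	OSType         osType          `xml:"os>type"`
	Loader         *loader         `xml:"os>loader"`            // pflash OVMF, needed for SEV
	MemLocked      *struct{}       `xml:"memoryBacking>locked"` // guest memory must stay pinned
	LaunchSecurity *launchSecurity `xml:"launchSecurity"`
}

// domainXML stands in for the proposed CreateDomain change: launchSecurityType plays the role of
// vmConfig.LaunchSecurityType ("" = regular VM, "sev" = AMD SEV guest); cbitpos/reducedPhysBits are host values.
func domainXML(name, launchSecurityType, firmware string, cbitpos, reducedPhysBits uint) (string, error) {
	d := domain{Type: "kvm", Name: name, OSType: osType{Arch: "x86_64", Machine: "pc", Value: "hvm"}}
	if launchSecurityType == "sev" {
		if firmware == "" {
			return "", fmt.Errorf("sev guests need an OVMF pflash firmware image")
		}
		d.OSType.Machine = "q35" // SEV requires the q35 machine type
		d.Loader = &loader{ReadOnly: "yes", Type: "pflash", Path: firmware}
		d.MemLocked = &struct{}{}
		d.LaunchSecurity = &launchSecurity{Type: "sev", CBitPos: cbitpos, ReducedPhysBits: reducedPhysBits, Policy: "0x0003"}
	} else if launchSecurityType != "" {
		return "", fmt.Errorf("unsupported launch security type %q", launchSecurityType) // fail closed
	}
	out, err := xml.MarshalIndent(d, "", "  ")
	return string(out), err
}
```

Unknown launch security types are rejected rather than silently falling back to a regular VM, so a typo in LIBVIRT_LAUNCH_SECURITY cannot produce an unprotected pod VM.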
Similarly to https://github.com/confidential-containers/cloud-api-adaptor/issues/957, we would like to allow the Libvirt adaptor to spin up SEV-SNP instances so that developers are able to develop features and fix bugs on the common CoCo stack on their workspaces (as long as AMD SEV-SNP), thus avoiding all the complexities of preparing an environment on the cloud.