From db803c360ef2532fe734f9cf98fb8fa3dddf0db5 Mon Sep 17 00:00:00 2001
From: HuijingHei
Date: Wed, 11 Sep 2024 09:28:34 +0800
Subject: [PATCH] mantle: Support `AMD SEV-SNP` confidential instances on GCP

Fix https://github.com/coreos/coreos-assembler/issues/3556
---
 mantle/cmd/kola/options.go | 6 +++---
 mantle/platform/api/gcloud/api.go | 20 ++++++++++----------
 mantle/platform/api/gcloud/compute.go | 9 +++++++--
 3 files changed, 20 insertions(+), 15 deletions(-)

diff --git a/mantle/cmd/kola/options.go b/mantle/cmd/kola/options.go
index a7e445d1a8..2220a38829 100644
--- a/mantle/cmd/kola/options.go
+++ b/mantle/cmd/kola/options.go
@@ -125,7 +125,7 @@ func init() {
 	sv(&kola.GCPOptions.ServiceAcct, "gcp-service-account", "", "GCP service account to attach to instance (default project default)")
 	bv(&kola.GCPOptions.ServiceAuth, "gcp-service-auth", false, "for non-interactive auth when running within GCP")
 	sv(&kola.GCPOptions.JSONKeyFile, "gcp-json-key", "", "use a service account's JSON key for authentication (default \"~/"+auth.GCPConfigPath+"\")")
-	bv(&kola.GCPOptions.Confidential, "gcp-confidential-vm", false, "create confidential instances")
+	sv(&kola.GCPOptions.ConfidentialType, "gcp-confidential-type", "", "create confidential instances: sev, sev_snp")
 
 	// openstack-specific options
 	sv(&kola.OpenStackOptions.ConfigPath, "openstack-config-file", "", "Path to a clouds.yaml formatted OpenStack config file. The underlying library defaults to ./clouds.yaml")
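Review bot: The help text of the new `gcp-confidential-type` flag does not say what the empty default means or which spellings are accepted, although the compute.go hunk upper-cases the value and maps `-` to `_`, so `SEV-SNP` is accepted as well. Suggested text: `"create a confidential instance of the given type: sev or sev_snp (case-insensitive; leave empty for a standard instance)"`. Removing `gcp-confidential-vm` outright rather than keeping it as a deprecated alias means any existing invocation that still passes it will presumably fail at flag parsing; if that is intended it deserves a line in the commit message. The enclosing `init` starts before this hunk and continues after it.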
@@ -245,9 +245,9 @@ func syncOptionsImpl(useCosa bool) error {
 	if kolaPlatform == "gcp" && kola.GCPOptions.MachineType == "" {
 		switch kola.Options.CosaBuildArch {
 		case "x86_64":
-			if kola.GCPOptions.Confidential {
+			if kola.GCPOptions.ConfidentialType != "" {
 				// https://cloud.google.com/compute/confidential-vm/docs/locations
-				fmt.Print("Setting instance type for confidential computing")
+				fmt.Printf("Setting instance type for confidential computing\n")
 				kola.GCPOptions.MachineType = "n2d-standard-2"
 			} else {
 				kola.GCPOptions.MachineType = "n1-standard-1"
diff --git a/mantle/platform/api/gcloud/api.go b/mantle/platform/api/gcloud/api.go
index 134b8149f1..cd2f699fd5 100644
--- a/mantle/platform/api/gcloud/api.go
+++ b/mantle/platform/api/gcloud/api.go
@@ -33,16 +33,16 @@ var (
 )
 
 type Options struct {
-	Image string
-	Project string
-	Zone string
-	MachineType string
-	DiskType string
-	Network string
-	ServiceAcct string
-	JSONKeyFile string
-	ServiceAuth bool
-	Confidential bool
+	Image string
+	Project string
+	Zone string
+	MachineType string
+	DiskType string
+	Network string
+	ServiceAcct string
+	JSONKeyFile string
+	ServiceAuth bool
+	ConfidentialType string
 	*platform.Options
 }
 
diff --git a/mantle/platform/api/gcloud/compute.go b/mantle/platform/api/gcloud/compute.go
index 9e8e16434f..baa86ff6c1 100644
--- a/mantle/platform/api/gcloud/compute.go
+++ b/mantle/platform/api/gcloud/compute.go
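Review bot: `fmt.Printf("Setting instance type for confidential computing\n")` is a format call with a constant string and no verbs; `fmt.Println("Setting instance type for confidential computing")` says the same thing more plainly. The machine type is switched to `n2d-standard-2` for any non-empty `ConfidentialType` without checking the value here, so an unsupported type is only rejected later in `mkinstance`, after the machine type has already been chosen; that is acceptable, but a comment such as `// the type itself is validated in gcloud mkinstance` would make the split responsibility explicit. `syncOptionsImpl` starts before this hunk and continues after it.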
@@ -147,13 +147,18 @@ func (a *API) mkinstance(userdata, name string, keys []*agent.Key, opts platform
 		})
 	}
 	// create confidential instance
-	if a.options.Confidential {
+	ConfidentialType := strings.ToUpper(a.options.ConfidentialType)
+	ConfidentialType = strings.Replace(ConfidentialType, "-", "_", -1)
+	if ConfidentialType == "SEV" || ConfidentialType == "SEV_SNP" {
+		fmt.Printf("Using confidential type for confidential computing %s\n", ConfidentialType)
 		instance.ConfidentialInstanceConfig = &compute.ConfidentialInstanceConfig{
-			EnableConfidentialCompute: true,
+			ConfidentialInstanceType: ConfidentialType,
 		}
 		instance.Scheduling = &compute.Scheduling{
 			OnHostMaintenance: "TERMINATE",
 		}
+	} else {
+		return nil, fmt.Errorf("Does not support confidential type %s, should be: sev, sev_snp\n", a.options.ConfidentialType)
 	}
 	// attach aditional disk
 	for _, spec := range opts.AdditionalDisks {
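Review bot: With the flag left at its default of `""`, the new `else` branch returns an error, because the empty string is neither `"SEV"` nor `"SEV_SNP"`, so as written every non-confidential GCP instance created through `mkinstance` would fail; the rejection should apply only when a value was actually supplied, e.g. `} else if ConfidentialType != "" {`. The local should be lowerCamel (`confidentialType`), `strings.Replace(ConfidentialType, "-", "_", -1)` is `strings.ReplaceAll(confidentialType, "-", "_")`, and the error string should be lowercase without the trailing `\n` since error strings are not line-terminated. `mkinstance` starts before this hunk and continues after it.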