nodeinstaller: allow ID block related annotations in Kata

daniel-weisse · daniel-weisse · commit 3d68e55e9b3d · 2026-03-05T15:39:37.000+01:00
Signed-off-by: Daniel Weiße &lt;dw@edgeless.systems&gt;
diff --git a/nodeinstaller/internal/kataconfig/config.go b/nodeinstaller/internal/kataconfig/config.go
@@ -47,6 +47,7 @@ func KataRuntimeConfig(
 	imagepullerConfigPath string,
 	debug bool,
 ) (*Config, error) {
+	var customContrastAnnotations []string
 	var config Config
 	switch {
 	case platforms.IsTDX(platform):
@@ -59,6 +60,12 @@ func KataRuntimeConfig(
 			return nil, fmt.Errorf("failed to unmarshal kata runtime configuration: %w", err)
 		}
 
+		for _, productLine := range []string{"_Milan", "_Genoa"} {
+			for _, annotationType := range []string{"snp_id_block", "snp_id_auth", "snp_guest_policy"} {
+				customContrastAnnotations = append(customContrastAnnotations, annotationType+productLine)
+			}
+		}
+
 		config.Hypervisor["qemu"]["firmware"] = filepath.Join(baseDir, "snp", "share", "OVMF.fd")
 		// Add SNP ID block to protect against migration attacks.
 		config.Hypervisor["qemu"]["snp_id_block"] = snpIDBlock.IDBlock
@@ -105,7 +112,7 @@ func KataRuntimeConfig(
 	config.Hypervisor["qemu"]["enable_debug"] = debug
 	// Disable all annotations, as we don't support these. Some will mess up measurements,
 	// others bypass things you can archive via correct resource declaration anyway.
-	config.Hypervisor["qemu"]["enable_annotations"] = []string{"cc_init_data"}
+	config.Hypervisor["qemu"]["enable_annotations"] = append(customContrastAnnotations, "cc_init_data")
 	// Fix and align guest memory calculation.
 	config.Hypervisor["qemu"]["default_memory"] = platforms.DefaultMemoryInMebiBytes(platform)
 	config.Runtime["sandbox_cgroup_only"] = true
diff --git a/nodeinstaller/internal/kataconfig/testdata/expected-configuration-qemu-snp-gpu.toml b/nodeinstaller/internal/kataconfig/testdata/expected-configuration-qemu-snp-gpu.toml
@@ -20,7 +20,7 @@ disable_image_nvdimm = true
 disable_nesting_checks = true
 disable_selinux = false
 disable_vhost_net = false
-enable_annotations = ['cc_init_data']
+enable_annotations = ['snp_id_block_Milan', 'snp_id_auth_Milan', 'snp_guest_policy_Milan', 'snp_id_block_Genoa', 'snp_id_auth_Genoa', 'snp_guest_policy_Genoa', 'cc_init_data']
 enable_debug = false
 enable_guest_swap = false
 enable_hugepages = false
diff --git a/nodeinstaller/internal/kataconfig/testdata/expected-configuration-qemu-snp.toml b/nodeinstaller/internal/kataconfig/testdata/expected-configuration-qemu-snp.toml
@@ -19,7 +19,7 @@ disable_image_nvdimm = true
 disable_nesting_checks = true
 disable_selinux = false
 disable_vhost_net = false
-enable_annotations = ['cc_init_data']
+enable_annotations = ['snp_id_block_Milan', 'snp_id_auth_Milan', 'snp_guest_policy_Milan', 'snp_id_block_Genoa', 'snp_id_auth_Genoa', 'snp_guest_policy_Genoa', 'cc_init_data']
 enable_debug = false
 enable_guest_swap = false
 enable_hugepages = false
