microsoft · anmaxvl · Nov 2, 2021 · Oct 22, 2021 · Nov 2, 2021
diff --git a/internal/hcs/schema2/guest_state.go b/internal/hcs/schema2/guest_state.go
@@ -14,6 +14,9 @@ type GuestState struct {
 	//  The path to an existing file uses for persistent guest state storage.  An empty string indicates the system should initialize new transient, in-memory guest state.
 	GuestStateFilePath string `json:"GuestStateFilePath,omitempty"`
 
+	//  The guest state file type affected by different guest isolation modes - whether a file or block storage.
+	GuestStateFileType string `json:"GuestStateFileType,omitempty"`
+
 	//  The path to an existing file for persistent runtime state storage.  An empty string indicates the system should initialize new transient, in-memory runtime state.
 	RuntimeStateFilePath string `json:"RuntimeStateFilePath,omitempty"`
 

diff --git a/internal/hcs/schema2/isolation_settings.go b/internal/hcs/schema2/isolation_settings.go
@@ -0,0 +1,20 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type IsolationSettings struct {
+	// Guest isolation type options to decide virtual trust levels of virtual machine
+	IsolationType string `json:"IsolationType,omitempty"`
+	// Configuration to debug HCL layer for HCS VM TODO: Task 31102306: Miss the way to prevent the exposure of private debug configuration in HCS TODO: Think about the secret configurations which are private in VMMS VM (only edit by hvsedit)
+	DebugHost string `json:"DebugHost,omitempty"`
+	DebugPort int64  `json:"DebugPort,omitempty"`
+	// Optional data passed by host on isolated virtual machine start
+	LaunchData string `json:"LaunchData,omitempty"`
+}
diff --git a/internal/hcs/schema2/security_settings.go b/internal/hcs/schema2/security_settings.go
@@ -0,0 +1,16 @@
+/*
+ * HCS API
+ *
+ * No description provided (generated by Swagger Codegen https://github.com/swagger-api/swagger-codegen)
+ *
+ * API version: 2.4
+ * Generated by: Swagger Codegen (https://github.com/swagger-api/swagger-codegen.git)
+ */
+
+package hcsschema
+
+type SecuritySettings struct {
+	// Enablement of Trusted Platform Module on the computer system
+	EnableTpm bool               `json:"EnableTpm,omitempty"`
+	Isolation *IsolationSettings `json:"Isolation,omitempty"`
+}
diff --git a/internal/hcs/schema2/uefi.go b/internal/hcs/schema2/uefi.go
@@ -12,6 +12,8 @@ package hcsschema
 type Uefi struct {
 	EnableDebugger bool `json:"EnableDebugger,omitempty"`
 
+	ApplySecureBootTemplate string `json:"ApplySecureBootTemplate,omitempty"`
+
 	SecureBootTemplateId string `json:"SecureBootTemplateId,omitempty"`
 
 	BootThis *UefiBootEntry `json:"BootThis,omitempty"`

diff --git a/internal/hcs/schema2/virtual_machine.go b/internal/hcs/schema2/virtual_machine.go
@@ -29,4 +29,6 @@ type VirtualMachine struct {
 	StorageQoS *StorageQoS `json:"StorageQoS,omitempty"`
 
 	GuestConnection *GuestConnection `json:"GuestConnection,omitempty"`
+
+	SecuritySettings *SecuritySettings `json:"SecuritySettings,omitempty"`
 }
diff --git a/internal/oci/uvm.go b/internal/oci/uvm.go
@@ -303,6 +303,30 @@ func handleCloneAnnotations(ctx context.Context, a map[string]string, wopts *uvm
 	return nil
 }
 
+// handleSecurityPolicy handles parsing SecurityPolicy and NoSecurityHardware and setting
+// implied options from the results. Both LCOW only, not WCOW
+func handleSecurityPolicy(ctx context.Context, a map[string]string, lopts *uvm.OptionsLCOW) {
+	lopts.SecurityPolicy = parseAnnotationsString(a, annotations.SecurityPolicy, lopts.SecurityPolicy)
+	// allow actual isolated boot etc to be ignored if we have no hardware. Required for dev
+	// this is not a security issue as the attestation will fail without a genuine report
+	noSecurityHardware := parseAnnotationsBool(ctx, a, annotations.NoSecurityHardware, false)
+
+	// if there is a security policy (and SNP) we currently boot in a way that doesn't support any boot options
+	// this might change if the building of the vmgs file were to be done on demand but that is likely
+	// much slower and noy very useful. We do respect the filename of the vmgs file so if it is necessary to
+	// have different options then multiple files could be used.
+	if len(lopts.SecurityPolicy) > 0 && !noSecurityHardware {
+		// VPMem not supported by the enlightened kernel for SNP so set count to zero.
+		lopts.VPMemDeviceCount = 0
+		// set the default GuestState filename.
+		lopts.GuestStateFile = uvm.GuestStateFile
+		lopts.KernelBootOptions = ""
+		lopts.PreferredRootFSType = uvm.PreferredRootFSTypeNA
+		lopts.AllowOvercommit = false
+		lopts.SecurityPolicyEnabled = true
+	}
+}
+
 // SpecToUVMCreateOpts parses `s` and returns either `*uvm.OptionsLCOW` or
 // `*uvm.OptionsWCOW`.
 func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) (interface{}, error) {
@@ -340,6 +364,13 @@ func SpecToUVMCreateOpts(ctx context.Context, s *specs.Spec, id, owner string) (
 		// parsing of FullyPhysicallyBacked needs to go after handling kernel direct boot and
 		// preferred rootfs type since it may overwrite settings created by those
 		handleAnnotationFullyPhysicallyBacked(ctx, s.Annotations, lopts)
+
+		// SecurityPolicy is very sensitive to other settings and will silently change those that are incompatible.
+		// Eg VMPem device count, overriden kernel option cannot be respected.
+		handleSecurityPolicy(ctx, s.Annotations, lopts)
+
+		// override the default GuestState filename if specified
+		lopts.GuestStateFile = parseAnnotationsString(s.Annotations, annotations.GuestStateFile, lopts.GuestStateFile)
 		return lopts, nil
 	} else if IsWCOW(s) {
 		wopts := uvm.NewDefaultOptionsWCOW(id, owner)

diff --git a/internal/schemaversion/schemaversion.go b/internal/schemaversion/schemaversion.go
@@ -21,6 +21,11 @@ func SchemaV21() *hcsschema.Version {
 	return &hcsschema.Version{Major: 2, Minor: 1}
 }
 
+// SchemaV25  makes it easy for callers to get a v2.5 schema version object.
+func SchemaV25() *hcsschema.Version {
+	return &hcsschema.Version{Major: 2, Minor: 5}
+}
+
 // isSupported determines if a given schema version is supported
 func IsSupported(sv *hcsschema.Version) error {
 	if IsV10(sv) {
@@ -32,6 +37,13 @@ func IsSupported(sv *hcsschema.Version) error {
 		}
 		return nil
 	}
+
+	if IsV25(sv) {
+		if osversion.Build() < 20348 { // pending solution to quuestion over version numbers re osversion.V21H2
+			return fmt.Errorf("unsupported on this Windows build")
+		}
+		return nil
+	}
 	return fmt.Errorf("unknown schema version %s", String(sv))
 }
 
@@ -54,6 +66,14 @@ func IsV21(sv *hcsschema.Version) bool {
 	return false
 }
 
+// V25 schema introduced much later. Required to support SNP.
+func IsV25(sv *hcsschema.Version) bool {
+	if sv.Major == 2 && sv.Minor == 5 {
+		return true
+	}
+	return false
+}
+
 // String returns a JSON encoding of a schema version object
 func String(sv *hcsschema.Version) string {
 	b, err := json.Marshal(sv)