mantle: Support AMD SEV-SNP confidential instances on GCP

Fix #3556
coreos · Sep 11, 2024 · 0a88d9f · 0a88d9f
1 parent 0afebdf
commit 0a88d9f
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 15 deletions.
diff --git a/mantle/cmd/kola/options.go b/mantle/cmd/kola/options.go
@@ -125,7 +125,7 @@ func init() {
 	sv(&kola.GCPOptions.ServiceAcct, "gcp-service-account", "", "GCP service account to attach to instance (default project default)")
 	bv(&kola.GCPOptions.ServiceAuth, "gcp-service-auth", false, "for non-interactive auth when running within GCP")
 	sv(&kola.GCPOptions.JSONKeyFile, "gcp-json-key", "", "use a service account's JSON key for authentication (default \"~/"+auth.GCPConfigPath+"\")")
-	bv(&kola.GCPOptions.Confidential, "gcp-confidential-vm", false, "create confidential instances")
+	sv(&kola.GCPOptions.ConfidentialType, "gcp-confidential-type", "", "create confidential instances: sev, sev_snp, sev-snp")
 
 	// openstack-specific options
 	sv(&kola.OpenStackOptions.ConfigPath, "openstack-config-file", "", "Path to a clouds.yaml formatted OpenStack config file. The underlying library defaults to ./clouds.yaml")
@@ -245,9 +245,9 @@ func syncOptionsImpl(useCosa bool) error {
 	if kolaPlatform == "gcp" && kola.GCPOptions.MachineType == "" {
 		switch kola.Options.CosaBuildArch {
 		case "x86_64":
-			if kola.GCPOptions.Confidential {
+			if kola.GCPOptions.ConfidentialType != "" {
 				// https://cloud.google.com/compute/confidential-vm/docs/locations
-				fmt.Print("Setting instance type for confidential computing")
+				fmt.Printf("Setting instance type for confidential computing\n")
 				kola.GCPOptions.MachineType = "n2d-standard-2"
 			} else {
 				kola.GCPOptions.MachineType = "n1-standard-1"

diff --git a/mantle/platform/api/gcloud/api.go b/mantle/platform/api/gcloud/api.go
@@ -33,16 +33,16 @@ var (
 )
 
 type Options struct {
-	Image        string
-	Project      string
-	Zone         string
-	MachineType  string
-	DiskType     string
-	Network      string
-	ServiceAcct  string
-	JSONKeyFile  string
-	ServiceAuth  bool
-	Confidential bool
+	Image            string
+	Project          string
+	Zone             string
+	MachineType      string
+	DiskType         string
+	Network          string
+	ServiceAcct      string
+	JSONKeyFile      string
+	ServiceAuth      bool
+	ConfidentialType string
 	*platform.Options
 }
 

diff --git a/mantle/platform/api/gcloud/compute.go b/mantle/platform/api/gcloud/compute.go
@@ -147,13 +147,18 @@ func (a *API) mkinstance(userdata, name string, keys []*agent.Key, opts platform
 		})
 	}
 	// create confidential instance
-	if a.options.Confidential {
+	ConfidentialType := strings.ToUpper(a.options.ConfidentialType)
+	ConfidentialType = strings.Replace(ConfidentialType, "-", "_", -1)
+	if ConfidentialType == "SEV" || ConfidentialType == "SEV_SNP" {
+		fmt.Printf("Using confidential type for confidential computing %s\n", ConfidentialType)
 		instance.ConfidentialInstanceConfig = &compute.ConfidentialInstanceConfig{
-			EnableConfidentialCompute: true,
+			ConfidentialInstanceType: ConfidentialType,
 		}
 		instance.Scheduling = &compute.Scheduling{
 			OnHostMaintenance: "TERMINATE",
 		}
+	} else {
+		return nil, fmt.Errorf("Does not support confidential type %s, should be: sev, sev_snp, sev-snp\n", a.options.ConfidentialType)
 	}
 	// attach aditional disk
 	for _, spec := range opts.AdditionalDisks {