Add support for running confidential WCOW UVMs

Initial changes to allow creating confidential WCOW UVMs. uvmboot tool is also updated for
easier command line testing of confidential UVMs.

Signed-off-by: Amit Barve <[email protected]>

Author: ambarve

internal/hcs/schema2/chipset.go

@@ -24,4 +24,6 @@ type Chipset struct {
 
 	// LinuxKernelDirect - Added in v2.2 Builds >=181117
 	LinuxKernelDirect *LinuxKernelDirect `json:"LinuxKernelDirect,omitempty"`
+
+	FirmwareFile *FirmwareFile `json:"FirmwareFile,omitempty"`
 }

internal/hcs/schema2/firmware.go

@@ -0,0 +1,8 @@
+package hcsschema
+
+type FirmwareFile struct {
+	// Parameters is an experimental/pre-release field. The field itself or its
+	// behavior can change in future iterations of the schema. Avoid taking a hard
+	// dependency on this field.
+	Parameters []byte `json:"Parameters,omitempty"`
+}

internal/hcs/schema2/windows_crash_reporting.go

@@ -13,4 +13,6 @@ type WindowsCrashReporting struct {
 	DumpFileName string `json:"DumpFileName,omitempty"`
 
 	MaxDumpSize int64 `json:"MaxDumpSize,omitempty"`
+
+	DumpType string `json:"DumpType,omitempty"`
 }

internal/layers/wcow_parse.go

@@ -16,6 +16,7 @@ import (
 	"github.com/Microsoft/hcsshim/internal/copyfile"
 	"github.com/Microsoft/hcsshim/internal/uvm"
 	"github.com/Microsoft/hcsshim/internal/uvmfolder"
+	"github.com/Microsoft/hcsshim/internal/wclayer"
 	"github.com/Microsoft/hcsshim/pkg/cimfs"
 )
 
@@ -257,16 +258,16 @@ func GetWCOWUVMBootFilesFromLayers(ctx context.Context, rootfs []*types.Mount, l
 	}
 
 	if _, err = os.Stat(scratchVHDPath); os.IsNotExist(err) {
-		sourceScratch := filepath.Join(uvmFolder, `UtilityVM\SystemTemplate.vhdx`)
+		sourceScratch := filepath.Join(uvmFolder, wclayer.UtilityVMPath, wclayer.UtilityVMScratchVhd)
 		if err := copyfile.CopyFile(ctx, sourceScratch, scratchVHDPath, true); err != nil {
 			return nil, err
 		}
 	}
 	return &uvm.WCOWBootFiles{
 		BootType: uvm.VmbFSBoot,
 		VmbFSFiles: &uvm.VmbFSBootFiles{
-			OSFilesPath:           filepath.Join(uvmFolder, `UtilityVM\Files`),
-			OSRelativeBootDirPath: `\EFI\Microsoft\Boot`,
+			OSFilesPath:           filepath.Join(uvmFolder, wclayer.UtilityVMFilesPath),
+			OSRelativeBootDirPath: wclayer.BootDirRelativePath,
 			ScratchVHDPath:        scratchVHDPath,
 		},
 	}, nil

internal/tools/uvmboot/conf_wcow.go

@@ -0,0 +1,155 @@
+//go:build windows
+
+package main
+
+import (
+	"context"
+	"os"
+
+	"github.com/containerd/console"
+	"github.com/urfave/cli"
+
+	"github.com/Microsoft/hcsshim/internal/cmd"
+	"github.com/Microsoft/hcsshim/internal/log"
+	"github.com/Microsoft/hcsshim/internal/uvm"
+)
+
+const (
+	confidentialArgName  = "confidential"
+	vmgsFilePathArgName  = "vmgs-path"
+	disableSBArgName     = "disable-secure-boot"
+	isolationTypeArgName = "isolation-type"
+)
+
+var (
+	cwcowBootVHD           string
+	cwcowEFIVHD            string
+	cwcowScratchVHD        string
+	cwcowVMGSPath          string
+	cwcowDisableSecureBoot bool
+	cwcowIsolationMode     string
+)
+
+var cwcowCommand = cli.Command{
+	Name:  "cwcow",
+	Usage: "boot a confidential WCOW UVM",
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:        "exec",
+			Usage:       "Command to execute in the UVM.",
+			Destination: &wcowCommandLine,
+		},
+		cli.BoolFlag{
+			Name:        "tty,t",
+			Usage:       "create the process in the UVM with a TTY enabled",
+			Destination: &wcowUseTerminal,
+		},
+		cli.StringFlag{
+			Name:        "efi-vhd",
+			Usage:       "VHD at the provided path MUST have the EFI boot partition and be properly formatted for UEFI boot.",
+			Destination: &cwcowEFIVHD,
+			Required:    true,
+		},
+		cli.StringFlag{
+			Name:        "boot-cim-vhd",
+			Usage:       "A VHD containing the block CIM that contains the OS files.",
+			Destination: &cwcowBootVHD,
+			Required:    true,
+		},
+		cli.StringFlag{
+			Name:        "scratch-vhd",
+			Usage:       "A scratch VHD for the UVM",
+			Destination: &cwcowScratchVHD,
+			Required:    true,
+		},
+		cli.StringFlag{
+			Name:        vmgsFilePathArgName,
+			Usage:       "VMGS file path (only applies when confidential mode is enabled). This option is only applicable in confidential mode.",
+			Destination: &cwcowVMGSPath,
+			Required:    true,
+		},
+		cli.BoolFlag{
+			Name:        disableSBArgName,
+			Usage:       "Disables Secure Boot when running the UVM in confidential mode. This option is only applicable in confidential mode.",
+			Destination: &cwcowDisableSecureBoot,
+		},
+		cli.StringFlag{
+			Name:        isolationTypeArgName,
+			Usage:       "VM Isolation type (one of Disabled, GuestStateOnly, VirtualizationBasedSecurity, SecureNestedPaging or TrustDomain). Applicable only when using the confidential mode. This option is only applicable in confidential mode.",
+			Destination: &cwcowIsolationMode,
+			Required:    true,
+		},
+	},
+	Action: func(c *cli.Context) error {
+		runMany(c, func(id string) error {
+			options := uvm.NewDefaultOptionsWCOW(id, "")
+			options.ProcessorCount = 2
+			options.MemorySizeInMB = 2048
+			options.AllowOvercommit = false
+			options.EnableDeferredCommit = false
+			options.DumpDirectoryPath = "C:\\crashdumps"
+
+			// confidential specific options
+			options.SecurityPolicyEnabled = true
+			options.DisableSecureBoot = cwcowDisableSecureBoot
+			options.GuestStateFilePath = cwcowVMGSPath
+			options.IsolationType = cwcowIsolationMode
+			// always enable graphics console with uvmboot - helps with testing/debugging
+			options.EnableGraphicsConsole = true
+			options.BootFiles = &uvm.WCOWBootFiles{
+				BootType: uvm.BlockCIMBoot,
+				BlockCIMFiles: &uvm.BlockCIMBootFiles{
+					BootCIMVHDPath: cwcowBootVHD,
+					EFIVHDPath:     cwcowEFIVHD,
+					ScratchVHDPath: cwcowScratchVHD,
+				},
+			}
+			setGlobalOptions(c, options.Options)
+			tempDir, err := os.MkdirTemp("", "uvmboot")
+			if err != nil {
+				return err
+			}
+			defer os.RemoveAll(tempDir)
+
+			vm, err := uvm.CreateWCOW(context.TODO(), options)
+			if err != nil {
+				return err
+			}
+			defer vm.Close()
+			if err := vm.Start(context.TODO()); err != nil {
+				return err
+			}
+			if wcowCommandLine != "" {
+				cmd := cmd.Command(vm, "cmd.exe", "/c", wcowCommandLine)
+				cmd.Spec.User.Username = `NT AUTHORITY\SYSTEM`
+				cmd.Log = log.L.Dup()
+				if wcowUseTerminal {
+					cmd.Spec.Terminal = true
+					cmd.Stdin = os.Stdin
+					cmd.Stdout = os.Stdout
+					con, err := console.ConsoleFromFile(os.Stdin)
+					if err == nil {
+						err = con.SetRaw()
+						if err != nil {
+							return err
+						}
+						defer func() {
+							_ = con.Reset()
+						}()
+					}
+				} else {
+					cmd.Stdout = os.Stdout
+					cmd.Stderr = os.Stdout
+				}
+				err = cmd.Run()
+				if err != nil {
+					return err
+				}
+			}
+			_ = vm.Terminate(context.TODO())
+			_ = vm.Wait()
+			return vm.ExitError()
+		})
+		return nil
+	},
+}

internal/tools/uvmboot/main.go

@@ -26,6 +26,7 @@ const (
 	countArgName                = "count"
 
 	execCommandLineArgName = "exec"
+	uvmConsolePipe         = "\\\\.\\pipe\\uvmpipe"
 )
 
 var (
@@ -86,6 +87,7 @@ func main() {
 	app.Commands = []cli.Command{
 		lcowCommand,
 		wcowCommand,
+		cwcowCommand,
 	}
 
 	app.Before = func(c *cli.Context) error {
@@ -120,6 +122,11 @@ func setGlobalOptions(c *cli.Context, options *uvm.Options) {
 	if c.GlobalIsSet(enableDeferredCommitArgName) {
 		options.EnableDeferredCommit = c.GlobalBool(enableDeferredCommitArgName)
 	}
+	if c.GlobalIsSet(enableDeferredCommitArgName) {
+		options.EnableDeferredCommit = c.GlobalBool(enableDeferredCommitArgName)
+	}
+	// Always set the console pipe in uvmboot, it helps with testing/debugging
+	options.ConsolePipe = uvmConsolePipe
 }
 
 // todo: add a context here to propagate cancel/timeouts to runFunc uvm

internal/uvm/create.go

@@ -122,23 +122,26 @@ type Options struct {
 	NumaProcessorCounts []uint32
 	// NumaMemoryBlocksCounts are the number of memory blocks per vNUMA node.
 	NumaMemoryBlocksCounts []uint64
+
+	EnableGraphicsConsole bool   // If true, enable a graphics console for the utility VM
+	ConsolePipe           string // The named pipe path to use for the serial console (COM1).  eg \\.\pipe\vmpipe
 }
 
 func verifyWCOWBootFiles(bootFiles *WCOWBootFiles) error {
-	if bootFiles.BootType == VmbFSBoot {
+	if bootFiles == nil {
+		return fmt.Errorf("boot files is nil")
+	}
+	switch bootFiles.BootType {
+	case VmbFSBoot:
 		if bootFiles.VmbFSFiles == nil {
 			return fmt.Errorf("VmbFS boot files is empty")
-		} else if bootFiles.BlockCIMFiles != nil {
-			return fmt.Errorf("confidential boot files should be empty")
 		}
-	} else if bootFiles.BootType == BlockCIMBoot {
+	case BlockCIMBoot:
 		if bootFiles.BlockCIMFiles == nil {
-			return fmt.Errorf("Confidential boot files is empty")
-		} else if bootFiles.VmbFSFiles != nil {
-			return fmt.Errorf("VmbFS boot files should be empty")
+			return fmt.Errorf("confidential boot files is empty")
 		}
-	} else {
-		return fmt.Errorf("invalid boot type specified")
+	default:
+		return fmt.Errorf("invalid boot type (%d) specified", bootFiles.BootType)
 	}
 	return nil
 }
@@ -178,6 +181,9 @@ func verifyOptions(_ context.Context, options interface{}) error {
 		if err := verifyWCOWBootFiles(opts.BootFiles); err != nil {
 			return err
 		}
+		if opts.SecurityPolicyEnabled && opts.GuestStateFilePath == "" {
+			return fmt.Errorf("GuestStateFilePath must be provided when enabling security policy")
+		}
 	}
 	return nil
 }

internal/uvm/create_lcow.go

@@ -115,8 +115,6 @@ type OptionsLCOW struct {
 	KernelDirect            bool                 // Skip UEFI and boot directly to `kernel`
 	RootFSFile              string               // Filename under `BootFilesPath` for the UVMs root file system. Defaults to `InitrdFile`
 	KernelBootOptions       string               // Additional boot options for the kernel
-	EnableGraphicsConsole   bool                 // If true, enable a graphics console for the utility VM
-	ConsolePipe             string               // The named pipe path to use for the serial console.  eg \\.\pipe\vmpipe
 	UseGuestConnection      bool                 // Whether the HCS should connect to the UVM's GCS. Defaults to true
 	ExecCommandLine         string               // The command line to exec from init. Defaults to GCS
 	ForwardStdout           bool                 // Whether stdout will be forwarded from the executed program. Defaults to false
@@ -164,8 +162,6 @@ func NewDefaultOptionsLCOW(id, owner string) *OptionsLCOW {
 		KernelDirect:            kernelDirectSupported,
 		RootFSFile:              InitrdFile,
 		KernelBootOptions:       "",
-		EnableGraphicsConsole:   false,
-		ConsolePipe:             "",
 		UseGuestConnection:      true,
 		ExecCommandLine:         fmt.Sprintf("/bin/gcs -v4 -log-format json -loglevel %s", logrus.StandardLogger().Level.String()),
 		ForwardStdout:           false,