platforms: introduce generic bare-metal platform

cli/genpolicy/config.go

@@ -43,7 +43,7 @@ func NewConfig(platform platforms.Platform) *Config {
 			Settings: aksSettings,
 			Bin:      aksGenpolicyBin,
 		}
-	case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+	case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX, platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
 		return &Config{
 			Rules:    kataRules,
 			Settings: kataSettings,

cli/main.go

@@ -105,7 +105,7 @@ func buildVersionString() (string, error) {
 		switch platform {
 		case platforms.AKSCloudHypervisorSNP:
 			fmt.Fprintf(versionsWriter, "\tgenpolicy version:\t%s\n", constants.MicrosoftGenpolicyVersion)
-		case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+		case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX, platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
 			fmt.Fprintf(versionsWriter, "\tgenpolicy version:\t%s\n", constants.KataGenpolicyVersion)
 		}
 	}

coordinator/internal/authority/credentials.go

@@ -69,7 +69,7 @@ func (c *Credentials) ServerHandshake(rawConn net.Conn) (net.Conn, credentials.A
 	log := c.logger.With("peer", rawConn.RemoteAddr())
 	state, err := c.getState()
 	if err != nil {
-		log.Error("Could not get manifest state to validate peer", "error", err)
+		log.Warn("Could not get manifest state to validate peer", "error", err)
 		return nil, nil, fmt.Errorf("getting state: %w", err)
 	}
 

e2e/internal/contrasttest/contrasttest.go

@@ -196,7 +196,7 @@ func (ct *ContrastTest) patchReferenceValues(t *testing.T, platform platforms.Pl
 			SNPVersion:        toPtr(manifest.SVN(255)),
 			MicrocodeVersion:  toPtr(manifest.SVN(255)),
 		}
-	case platforms.K3sQEMUSNP:
+	case platforms.MetalQEMUSNP, platforms.K3sQEMUSNP:
 		// The generate command doesn't fill in all required fields when
 		// generating a manifest for baremetal SNP. Do that now.
 		for i, snp := range m.ReferenceValues.SNP {
@@ -206,7 +206,7 @@ func (ct *ContrastTest) patchReferenceValues(t *testing.T, platform platforms.Pl
 			snp.MinimumTCB.MicrocodeVersion = toPtr(manifest.SVN(0))
 			m.ReferenceValues.SNP[i] = snp
 		}
-	case platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+	case platforms.MetalQEMUTDX, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
 		// The generate command doesn't fill in all required fields when
 		// generating a manifest for baremetal TDX. Do that now.
 		for i, tdx := range m.ReferenceValues.TDX {
@@ -366,7 +366,7 @@ func (ct *ContrastTest) FactorPlatformTimeout(timeout time.Duration) time.Durati
 	switch ct.Platform {
 	case platforms.AKSCloudHypervisorSNP: // AKS defined is the baseline
 		return timeout
-	case platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+	case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX, platforms.K3sQEMUSNP, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
 		return 2 * timeout
 	default:
 		return timeout

internal/attestation/snp/issuer/issuer.go

@@ -44,7 +44,7 @@ func (i *Issuer) OID() asn1.ObjectIdentifier {
 }
 
 // Issue the attestation document.
-func (i *Issuer) Issue(_ context.Context, ownPublicKey []byte, nonce []byte) (res []byte, err error) {
+func (i *Issuer) Issue(ctx context.Context, ownPublicKey []byte, nonce []byte) (res []byte, err error) {
 	i.logger.Info("Issue called")
 	defer func() {
 		if err != nil {
@@ -71,7 +71,7 @@ func (i *Issuer) Issue(_ context.Context, ownPublicKey []byte, nonce []byte) (re
 
 	// Get cert chain from THIM
 	var certChain *spb.CertificateChain
-	thimRaw, err := i.thimGetter.GetCertification()
+	thimRaw, err := i.thimGetter.GetCertification(ctx)
 	if err != nil {
 		i.logger.Info("Could not retrieve THIM certification", "error", err)
 	} else {

internal/attestation/snp/issuer/thim.go

@@ -4,6 +4,7 @@
 package issuer
 
 import (
+	"context"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
@@ -78,7 +79,7 @@ func NewTHIMGetter(httpClient httpClient) *THIMGetter {
 }
 
 // GetCertification returns the THIM certification.
-func (t *THIMGetter) GetCertification() (THIMSNPCertification, error) {
+func (t *THIMGetter) GetCertification(ctx context.Context) (THIMSNPCertification, error) {
 	// Return cached response if it is still valid.
 	if cached := t.getCached(); cached != nil {
 		var certification THIMSNPCertification
@@ -102,7 +103,9 @@ func (t *THIMGetter) GetCertification() (THIMSNPCertification, error) {
 			"Metadata": {"true"},
 		},
 	}
-	resp, err := t.httpClient.Do(req)
+	reqCtx, cancel := context.WithTimeout(ctx, 3*time.Second)
+	defer cancel()
+	resp, err := t.httpClient.Do(req.WithContext(reqCtx))
 	if err != nil {
 		return THIMSNPCertification{}, fmt.Errorf("getting THIM certification: %w", err)
 	}

internal/kuberesource/parts.go

@@ -110,12 +110,6 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle
 			fmt.Sprintf("--nydus-overlayfs-path=/opt/edgeless/%s/bin/nydus-overlayfs", runtimeHandler),
 		)
 	nydusSnapshotterVolumes := []*applycorev1.VolumeApplyConfiguration{
-		Volume().
-			WithName("var-lib-containerd").
-			WithHostPath(HostPathVolumeSource().
-				WithPath("/var/lib/rancher/k3s/agent/containerd").
-				WithType(corev1.HostPathDirectory),
-			),
 		Volume().
 			WithName("var-lib-nydus-snapshotter").
 			WithHostPath(HostPathVolumeSource().
@@ -132,9 +126,25 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle
 		nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-microsoft:latest"
 		snapshotter = tardevSnapshotter
 		snapshotterVolumes = tardevSnapshotterVolumes
+	case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX:
+		nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest"
+		snapshotter = nydusSnapshotter
+		nydusSnapshotterVolumes = append(nydusSnapshotterVolumes, Volume().
+			WithName("var-lib-containerd").
+			WithHostPath(HostPathVolumeSource().
+				WithPath("/var/lib/containerd").
+				WithType(corev1.HostPathDirectory),
+			))
+		snapshotterVolumes = nydusSnapshotterVolumes
 	case platforms.K3sQEMUTDX, platforms.K3sQEMUSNP, platforms.RKE2QEMUTDX:
 		nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest"
 		snapshotter = nydusSnapshotter
+		nydusSnapshotterVolumes = append(nydusSnapshotterVolumes, Volume().
+			WithName("var-lib-containerd").
+			WithHostPath(HostPathVolumeSource().
+				WithPath("/var/lib/rancher/k3s/agent/containerd").
+				WithType(corev1.HostPathDirectory),
+			))
 		snapshotterVolumes = nydusSnapshotterVolumes
 	default:
 		return nil, fmt.Errorf("unsupported platform %q", platform)

internal/platforms/platforms.go

@@ -24,11 +24,15 @@ const (
 	K3sQEMUSNP
 	// RKE2QEMUTDX represents a deployment with QEMU on bare-metal TDX RKE2.
 	RKE2QEMUTDX
+	// MetalQEMUSNP is the generic platform for bare-metal SNP deployments.
+	MetalQEMUSNP
+	// MetalQEMUTDX is the generic platform for bare-metal TDX deployments.
+	MetalQEMUTDX
 )
 
 // All returns a list of all available platforms.
 func All() []Platform {
-	return []Platform{AKSCloudHypervisorSNP, K3sQEMUTDX, K3sQEMUSNP, RKE2QEMUTDX}
+	return []Platform{AKSCloudHypervisorSNP, K3sQEMUTDX, K3sQEMUSNP, RKE2QEMUTDX, MetalQEMUSNP, MetalQEMUTDX}
 }
 
 // AllStrings returns a list of all available platforms as strings.
@@ -51,6 +55,10 @@ func (p Platform) String() string {
 		return "K3s-QEMU-SNP"
 	case RKE2QEMUTDX:
 		return "RKE2-QEMU-TDX"
+	case MetalQEMUSNP:
+		return "Metal-QEMU-SNP"
+	case MetalQEMUTDX:
+		return "Metal-QEMU-TDX"
 	default:
 		return "Unknown"
 	}
@@ -67,6 +75,10 @@ func FromString(s string) (Platform, error) {
 		return K3sQEMUSNP, nil
 	case "rke2-qemu-tdx":
 		return RKE2QEMUTDX, nil
+	case "metal-qemu-snp":
+		return MetalQEMUSNP, nil
+	case "metal-qemu-tdx":
+		return MetalQEMUTDX, nil
 	default:
 		return Unknown, fmt.Errorf("unknown platform: %s", s)
 	}

justfile

@@ -47,7 +47,7 @@ node-installer platform=default_platform:
             just push "tardev-snapshotter"
             just push "node-installer-microsoft"
         ;;
-        "K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX")
+        "Metal-QEMU-SNP"|"Metal-QEMU-TDX"|"K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX")
             just push "nydus-snapshotter"
             just push "node-installer-kata"
         ;;
@@ -117,12 +117,12 @@ generate cli=default_cli platform=default_platform:
 
     # On baremetal SNP, we don't have default values for MinimumTCB, so we need to set some here.
     case {{ platform }} in
-        "K3s-QEMU-SNP")
+        "Metal-QEMU-SNP"|"K3s-QEMU-SNP")
             yq --inplace \
             '.ReferenceValues.snp.[].MinimumTCB = {"BootloaderVersion":0,"TEEVersion":0,"SNPVersion":0,"MicrocodeVersion":0}' \
             {{ workspace_dir }}/manifest.json
         ;;
-        "K3s-QEMU-TDX" | "RKE2-QEMU-TDX")
+        "Metal-QEMU-TDX"|"K3s-QEMU-TDX" | "RKE2-QEMU-TDX")
             yq --inplace \
             '.ReferenceValues.tdx.[].MinimumTeeTcbSvn = "04010200000000000000000000000000" | .ReferenceValues.tdx.[].MrSeam = "1cc6a17ab799e9a693fac7536be61c12ee1e0fabada82d0c999e08ccee2aa86de77b0870f558c570e7ffe55d6d47fa04"' \
             {{ workspace_dir }}/manifest.json
@@ -186,7 +186,7 @@ create-pre platform=default_platform:
             # TODO(burgerdev): this should create the resource group for consistency
             :
         ;;
-        "K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX")
+        "Metal-QEMU-SNP"|"Metal-QEMU-TDX"|"K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX")
             :
         ;;
         "AKS-PEER-SNP")
@@ -215,7 +215,7 @@ create platform=default_platform:
         "AKS-CLH-SNP")
             nix run -L .#scripts.create-coco-aks -- --name="$azure_resource_group" --location="$azure_location"
         ;;
-        "K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX")
+        "Metal-QEMU-SNP"|"Metal-QEMU-TDX"|"K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX")
             :
         ;;
         "AKS-PEER-SNP")

nodeinstaller/internal/constants/constants.go

@@ -57,7 +57,7 @@ func KataRuntimeConfig(baseDir string, platform platforms.Platform, qemuExtraKer
 		config.Hypervisor["clh"]["image"] = filepath.Join(baseDir, "share", "kata-containers.img")
 		config.Hypervisor["clh"]["valid_hypervisor_paths"] = []string{filepath.Join(baseDir, "bin", "cloud-hypervisor-snp")}
 		config.Hypervisor["clh"]["enable_debug"] = debug
-	case platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+	case platforms.MetalQEMUTDX, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
 		if err := toml.Unmarshal([]byte(kataBareMetalQEMUTDXBaseConfig), &config); err != nil {
 			return nil, fmt.Errorf("failed to unmarshal kata runtime configuration: %w", err)
 		}
@@ -75,7 +75,7 @@ func KataRuntimeConfig(baseDir string, platform platforms.Platform, qemuExtraKer
 		if debug {
 			config.Hypervisor["qemu"]["enable_debug"] = true
 		}
-	case platforms.K3sQEMUSNP:
+	case platforms.MetalQEMUSNP, platforms.K3sQEMUSNP:
 		if err := toml.Unmarshal([]byte(kataBareMetalQEMUSNPBaseConfig), &config); err != nil {
 			return nil, fmt.Errorf("failed to unmarshal kata runtime configuration: %w", err)
 		}
@@ -129,11 +129,11 @@ func ContainerdRuntimeConfigFragment(baseDir, snapshotter string, platform platf
 		cfg.Options = map[string]any{
 			"ConfigPath": filepath.Join(baseDir, "etc", "configuration-clh-snp.toml"),
 		}
-	case platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
+	case platforms.MetalQEMUTDX, platforms.K3sQEMUTDX, platforms.RKE2QEMUTDX:
 		cfg.Options = map[string]any{
 			"ConfigPath": filepath.Join(baseDir, "etc", "configuration-qemu-tdx.toml"),
 		}
-	case platforms.K3sQEMUSNP:
+	case platforms.MetalQEMUSNP, platforms.K3sQEMUSNP:
 		cfg.Options = map[string]any{
 			"ConfigPath": filepath.Join(baseDir, "etc", "configuration-qemu-snp.toml"),
 		}

nodeinstaller/node-installer.go

@@ -107,6 +107,12 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform,
 	case platforms.AKSCloudHypervisorSNP:
 		kataConfigPath = filepath.Join(kataConfigPath, "configuration-clh-snp.toml")
 		containerdConfigPath = filepath.Join(hostMount, "etc", "containerd", "config.toml")
+	case platforms.MetalQEMUSNP:
+		kataConfigPath = filepath.Join(kataConfigPath, "configuration-qemu-snp.toml")
+		containerdConfigPath = filepath.Join(hostMount, "etc", "containerd", "config.toml")
+	case platforms.MetalQEMUTDX:
+		kataConfigPath = filepath.Join(kataConfigPath, "configuration-qemu-tdx.toml")
+		containerdConfigPath = filepath.Join(hostMount, "etc", "containerd", "config.toml")
 	case platforms.K3sQEMUSNP:
 		kataConfigPath = filepath.Join(kataConfigPath, "configuration-qemu-snp.toml")
 		containerdConfigPath = filepath.Join(hostMount, "var", "lib", "rancher", "k3s", "agent", "etc", "containerd", "config.toml.tmpl")
@@ -139,7 +145,7 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform,
 	}
 
 	switch platform {
-	case platforms.AKSCloudHypervisorSNP:
+	case platforms.AKSCloudHypervisorSNP, platforms.MetalQEMUSNP, platforms.MetalQEMUTDX:
 		return restartHostContainerd(containerdConfigPath, "containerd")
 	case platforms.K3sQEMUTDX, platforms.K3sQEMUSNP:
 		if hostServiceExists("k3s") {
@@ -206,7 +212,7 @@ func patchContainerdConfig(runtimeHandler, basePath, configPath string, platform
 	case platforms.AKSCloudHypervisorSNP:
 		snapshotterName = fmt.Sprintf("tardev-%s", runtimeHandler)
 		socketName = fmt.Sprintf("/run/containerd/tardev-snapshotter-%s.sock", runtimeHandler)
-	case platforms.K3sQEMUTDX, platforms.K3sQEMUSNP, platforms.RKE2QEMUTDX:
+	case platforms.MetalQEMUTDX, platforms.MetalQEMUSNP, platforms.K3sQEMUTDX, platforms.K3sQEMUSNP, platforms.RKE2QEMUTDX:
 		snapshotterName = fmt.Sprintf("nydus-%s", runtimeHandler)
 		socketName = fmt.Sprintf("/run/containerd/containerd-nydus-grpc-%s.sock", runtimeHandler)
 

packages/by-name/contrast/package.nix

@@ -52,8 +52,10 @@ let
         "contrast-cc-${platform}-${builtins.substring 0 8 (builtins.readFile hashFile)}";
 
       aks-clh-snp-handler = runtimeHandler "aks-clh-snp" microsoft.contrast-node-installer-image.runtimeHash;
+      metal-qemu-tdx-handler = runtimeHandler "metal-qemu-tdx" kata.contrast-node-installer-image.runtimeHash;
       k3s-qemu-tdx-handler = runtimeHandler "k3s-qemu-tdx" kata.contrast-node-installer-image.runtimeHash;
       rke2-qemu-tdx-handler = runtimeHandler "rke2-qemu-tdx" kata.contrast-node-installer-image.runtimeHash;
+      metal-qemu-snp-handler = runtimeHandler "metal-qemu-snp" kata.contrast-node-installer-image.runtimeHash;
       k3s-qemu-snp-handler = runtimeHandler "k3s-qemu-snp" kata.contrast-node-installer-image.runtimeHash;
 
       aksRefVals = {
@@ -128,8 +130,10 @@ let
     builtins.toFile "reference-values.json" (
       builtins.toJSON {
         "${aks-clh-snp-handler}" = aksRefVals;
+        "${metal-qemu-tdx-handler}" = tdxRefVals;
         "${k3s-qemu-tdx-handler}" = tdxRefVals;
         "${rke2-qemu-tdx-handler}" = tdxRefVals;
+        "${metal-qemu-snp-handler}" = snpRefVals;
         "${k3s-qemu-snp-handler}" = snpRefVals;
       }
     );

packages/by-name/kata/kata-runtime/0007-genpolicy-rules-remove-check-for-OCI-version.patch

@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Paul Meyer <[email protected]>
+Date: Fri, 6 Dec 2024 15:16:45 +0100
+Subject: [PATCH] genpolicy/rules: remove check for OCI version
+
+Signed-off-by: Paul Meyer <[email protected]>
+---
+ src/tools/genpolicy/rules.rego | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
+index 6ddcd18cd1334dfabeadd1b0e7a54c723c7cae4d..c8de30897a01a0de49b99587c7e12ef534c353bc 100644
+--- a/src/tools/genpolicy/rules.rego
++++ b/src/tools/genpolicy/rules.rego
+@@ -71,9 +71,6 @@ CreateContainerRequest {
+
+     p_oci := p_container.OCI
+
+-    print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
+-    p_oci.Version == i_oci.Version
+-
+     print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
+     p_oci.Root.Readonly == i_oci.Root.Readonly
+

packages/by-name/kata/kata-runtime/0008-genpolicy-settings-change-cpath-for-Nydus-guest-pull.patch

@@ -10,7 +10,7 @@ https://github.com/kata-containers/kata-containers/blob/775f6bd/tests/integratio
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/genpolicy-settings.json b/src/tools/genpolicy/genpolicy-settings.json
-index fcafa46cc3b62b74aa5ba08fdbd76fa3370ae77e..4e9f6481d649fc45716f182c394f38059792eb91 100644
+index e50d5e545e3fe42db486771345310d4c2157be2f..d2d1511ae75d56c4f39915515343b2cd20d9d65a 100644
 --- a/src/tools/genpolicy/genpolicy-settings.json
 +++ b/src/tools/genpolicy/genpolicy-settings.json
 @@ -243,7 +243,7 @@