
Commit 0366cb2

committed
Add default allow all policy to uvmboot
With the latest changes to sidecar GCS, we can't boot the UVM anymore without a proper policy. The uvmboot tool can't be used to test/debug CWCOW UVM boots if no policy is provided. This commit adds a default policy and a flag to override it if required while creating UVMs with the tool. Signed-off-by: Amit Barve <ambarve@microsoft.com>
1 parent 144c633 commit 0366cb2


1 file changed

+11
-0
lines changed

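--- a/internal/tools/uvmboot/conf_wcow.go
+++ b/internal/tools/uvmboot/conf_wcow.go
@@ -19,6 +19,9 @@ const (
 vmgsFilePathArgName = "vmgs-path"
 disableSBArgName = "disable-secure-boot"
 isolationTypeArgName = "isolation-type"
+
+// default policy (that allows all operations) used when no policy is provided
+allowAllPolicy = "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"
 )
 
 var (
@@ -28,6 +31,7 @@ var (
 cwcowVMGSPath string
 cwcowDisableSecureBoot bool
 cwcowIsolationMode string
+cwcowSecurityPolicy string
 )
 
 var cwcowCommand = cli.Command{
@@ -79,6 +83,12 @@ var cwcowCommand = cli.Command{
 Destination: &cwcowIsolationMode,
 Required: true,
 },
+cli.StringFlag{
+Name: securityPolicyArgName,
+Usage: "Security policy that should be enforced inside the UVM. If none is provided, default policy that allows all operations will be used.",
+Destination: &cwcowSecurityPolicy,
+Value: allowAllPolicy,
+},
 },
 Action: func(c *cli.Context) error {
 runMany(c, func(id string) error {
@@ -91,6 +101,7 @@ var cwcowCommand = cli.Command{
 
 // confidential specific options
 options.SecurityPolicyEnabled = true
+options.SecurityPolicy = cwcowSecurityPolicy
 options.DisableSecureBoot = cwcowDisableSecureBoot
 options.GuestStateFilePath = cwcowVMGSPath
 options.IsolationType = cwcowIsolationMode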
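Review bot: The permissive default is applied silently at `options.SecurityPolicy = cwcowSecurityPolicy` in the last hunk: when the flag is omitted, `cwcowSecurityPolicy` equals `allowAllPolicy` and the UVM boots with an allow-all policy while `SecurityPolicyEnabled` is still set to true, so a user may believe a real policy is being enforced. I would surface that before the assignment, e.g. `if cwcowSecurityPolicy == allowAllPolicy { /* warn on the tool's logger that the allow-all debug policy is in effect */ }`. The `allowAllPolicy` constant in the first hunk is an opaque literal, so its comment should also state what format the guest expects it in and how it was produced, so a maintainer can regenerate it; that is not visible in this commit. `securityPolicyArgName` is referenced in the third hunk but not declared in these hunks, so I assume it already exists elsewhere in the file. The `Action` closure and the `cwcowCommand` literal both begin and end outside the hunks shown.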
