hypervisor: Set isolation policy for SNP guest

It's a requirement that a SEV-SNP enabled guest on MSHV must have isolation policy set before launching the guest. Signed-off-by: Jinank Jain <jinankjain@microsoft.com>
2023-10-04 10:23:40 +00:00 · 2023-10-04 10:23:40 +00:00 · a5763bcb6c
commit a5763bcb6c
parent 3981642dd1
1 changed files with 17 additions and 0 deletions
--- a/hypervisor/src/mshv/mod.rs
+++ b/hypervisor/src/mshv/mod.rs
@ -234,6 +234,23 @@ impl hypervisor::Hypervisor for MshvHypervisor {
            break;
        }

+        // Set additional partition property for SEV-SNP partition.
+        if mshv_vm_type == VmType::Snp {
+            let snp_policy = snp::get_default_snp_guest_policy();
+            // SAFETY: access union fields
+            unsafe {
+                debug!(
+                    "Setting the partition isolation policy as: 0x{:x}",
+                    snp_policy.as_uint64
+                );
+                fd.set_partition_property(
+                    hv_partition_property_code_HV_PARTITION_PROPERTY_ISOLATION_POLICY,
+                    snp_policy.as_uint64,
+                )
+                .map_err(|e| hypervisor::HypervisorError::SetPartitionProperty(e.into()))?;
+            }
+        }
+
        // Default Microsoft Hypervisor behavior for unimplemented MSR is to
        // send a fault to the guest if it tries to access it. It is possible
        // to override this behavior with a more suitable option i.e., ignore