add "secret_free" parameter to /machine-config endpoint

This will later indicate to Firecracker that guest memory should be
backed by guest_memfd.

Signed-off-by: Patrick Roy <[email protected]>

Author: roypat

src/vmm/src/resources.rs

@@ -110,6 +110,14 @@ pub struct VmResources {
 }
 
 impl VmResources {
+    /// Whether this [`VmResources`] object contains any devices that require host kernel access
+    /// into guest memory.
+    pub fn has_any_io_devices(&self) -> bool {
+        !self.block.devices.is_empty()
+            || self.vsock.get().is_some()
+            || self.net_builder.iter().next().is_some()
+    }
+
     /// Configures Vmm resources as described by the `config_json` param.
     pub fn from_json(
         config_json: &str,
@@ -217,6 +225,11 @@ impl VmResources {
                         BalloonConfigError::IncompatibleWith("huge pages"),
                     ));
                 }
+                if self.machine_config.mem_config.secret_free {
+                    return Err(ResourcesError::BalloonDevice(
+                        BalloonConfigError::IncompatibleWith("secret freedom"),
+                    ));
+                }
             }
 
             SharedDeviceType::Vsock(vsock) => {
@@ -256,12 +269,23 @@ impl VmResources {
             return Err(MachineConfigError::IncompatibleBalloonSize);
         }
 
+        #[cfg(target_arch = "x86_64")]
+        if self.has_any_io_devices() && self.machine_config.mem_config.secret_free {
+            return Err(MachineConfigError::Incompatible("secret freedom", "I/O"));
+        }
+
         if self.balloon.get().is_some() && updated.huge_pages != HugePageConfig::None {
             return Err(MachineConfigError::Incompatible(
                 "balloon device",
                 "huge pages",
             ));
         }
+        if self.balloon.get().is_some() && updated.mem_config.secret_free {
+            return Err(MachineConfigError::Incompatible(
+                "balloon device",
+                "secret freedom",
+            ));
+        }
         self.machine_config = updated;
 
         Ok(())
@@ -320,6 +344,10 @@ impl VmResources {
             return Err(BalloonConfigError::IncompatibleWith("huge pages"));
         }
 
+        if self.machine_config.mem_config.secret_free {
+            return Err(BalloonConfigError::IncompatibleWith("secret freedom"));
+        }
+
         self.balloon.set(config)
     }
 
@@ -343,6 +371,11 @@ impl VmResources {
         &mut self,
         block_device_config: BlockDeviceConfig,
     ) -> Result<(), DriveError> {
+        #[cfg(target_arch = "x86_64")]
+        if self.machine_config.mem_config.secret_free {
+            return Err(DriveError::NoSecretFreeIOOnX86);
+        }
+
         self.block.insert(block_device_config)
     }
 
@@ -351,12 +384,22 @@ impl VmResources {
         &mut self,
         body: NetworkInterfaceConfig,
     ) -> Result<(), NetworkInterfaceError> {
+        #[cfg(target_arch = "x86_64")]
+        if self.machine_config.mem_config.secret_free {
+            return Err(NetworkInterfaceError::NoSecretFreeIOOnX86);
+        }
+
         let _ = self.net_builder.build(body)?;
         Ok(())
     }
 
     /// Sets a vsock device to be attached when the VM starts.
     pub fn set_vsock_device(&mut self, config: VsockDeviceConfig) -> Result<(), VsockConfigError> {
+        #[cfg(target_arch = "x86_64")]
+        if self.machine_config.mem_config.secret_free {
+            return Err(VsockConfigError::NoSecretFreeIOOnX86);
+        }
+
         self.vsock.insert(config)
     }
 

src/vmm/src/vmm_config/drive.rs

@@ -24,6 +24,9 @@ pub enum DriveError {
     DeviceUpdate(VmmError),
     /// A root block device already exists!
     RootBlockDeviceAlreadyAdded,
+    /// A block device was added on x86 while secret freedom was enabled.
+    #[cfg(target_arch = "x86_64")]
+    NoSecretFreeIOOnX86,
 }
 
 /// Use this structure to set up the Block Device before booting the kernel.

src/vmm/src/vmm_config/machine_config.rs

@@ -99,6 +99,11 @@ pub struct MemoryConfig {
     #[cfg(target_arch = "aarch64")]
     #[serde(default)]
     pub initial_swiotlb_size: usize,
+    /// Whether guest_memfd should be used to back normal guest memory. If this is enabled
+    /// and any devices are attached to the VM, then initial_swiotlb_size must be non-zero,
+    /// as I/O into secret free memory is not possible.
+    #[serde(default)]
+    pub secret_free: bool,
 }
 
 /// Struct used in PUT `/machine-config` API call.
@@ -301,6 +306,13 @@ impl MachineConfig {
             return Err(MachineConfigError::InvalidSwiotlbRegionSize);
         }
 
+        if mem_config.secret_free && page_config != HugePageConfig::None {
+            return Err(MachineConfigError::Incompatible(
+                "secret freedom",
+                "huge pages",
+            ));
+        }
+
         let cpu_template = match update.cpu_template {
             None => self.cpu_template.clone(),
             Some(StaticCpuTemplate::None) => None,
@@ -325,7 +337,7 @@ impl MachineConfig {
 mod tests {
     use crate::cpu_config::templates::{CpuTemplateType, CustomCpuTemplate, StaticCpuTemplate};
     use crate::vmm_config::machine_config::{
-        HugePageConfig, MachineConfig, MachineConfigError, MachineConfigUpdate,
+        HugePageConfig, MachineConfig, MachineConfigError, MachineConfigUpdate, MemoryConfig,
     };
 
     #[test]
@@ -379,6 +391,23 @@ mod tests {
             .unwrap();
         assert_eq!(updated.huge_pages, HugePageConfig::Hugetlbfs2M);
         assert_eq!(updated.mem_size_mib, 32);
+
+        let res = mconf.update(&MachineConfigUpdate {
+            huge_pages: Some(HugePageConfig::Hugetlbfs2M),
+            mem_config: Some(MemoryConfig {
+                secret_free: true,
+                ..Default::default()
+            }),
+            ..Default::default()
+        });
+
+        assert_eq!(
+            res,
+            Err(MachineConfigError::Incompatible(
+                "secret freedom",
+                "huge pages"
+            ))
+        );
     }
 
     #[test]

src/vmm/src/vmm_config/net.rs

@@ -71,6 +71,9 @@ pub enum NetworkInterfaceError {
     GuestMacAddressInUse(String),
     /// Cannot open/create the tap device: {0}
     OpenTap(#[from] TapError),
+    /// A net device was added on x86 while secret freedom was enabled.
+    #[cfg(target_arch = "x86_64")]
+    NoSecretFreeIOOnX86,
 }
 
 /// Builder for a list of network devices.

src/vmm/src/vmm_config/vsock.rs

@@ -17,6 +17,9 @@ pub enum VsockConfigError {
     CreateVsockBackend(VsockUnixBackendError),
     /// Cannot create vsock device: {0}
     CreateVsockDevice(VsockError),
+    /// A vsock device was added on x86 while secret freedom was enabled.
+    #[cfg(target_arch = "x86_64")]
+    NoSecretFreeIOOnX86,
 }
 
 /// This struct represents the strongly typed equivalent of the json body