C-WCOW: Unfiy data structures and reuse for C-LCOW and C-WCOW

MahatiC · MahatiC · commit 7f5ca4656bf4 · 2025-10-28T15:36:02.000Z
Signed-off-by: Mahati Chamarthy &lt;mahati.chamarthy@gmail.com&gt;
diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go
@@ -599,7 +599,7 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 			log.G(ctx).Tracef("hcsschema.MappedDirectory { %v }", settings)
 
 		case guestresource.ResourceTypeSecurityPolicy:
-			securityPolicyRequest := modifyGuestSettingsRequest.Settings.(*guestresource.WCOWConfidentialOptions)
+			securityPolicyRequest := modifyGuestSettingsRequest.Settings.(*guestresource.ConfidentialOptions)
 			log.G(ctx).Tracef("WCOWConfidentialOptions: { %v}", securityPolicyRequest)
 			err := b.hostState.SetWCOWConfidentialUVMOptions(req.ctx, securityPolicyRequest, b.logWriter)
 			if err != nil {
@@ -616,10 +616,9 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 			}
 			return nil
 		case guestresource.ResourceTypePolicyFragment:
-			//Note: Reusing the same type LCOWSecurityPolicyFragment for CWCOW.
-			r, ok := modifyGuestSettingsRequest.Settings.(*guestresource.LCOWSecurityPolicyFragment)
+			r, ok := modifyGuestSettingsRequest.Settings.(*guestresource.SecurityPolicyFragment)
 			if !ok {
-				return errors.New("the request settings are not of type LCOWSecurityPolicyFragment")
+				return errors.New("the request settings are not of type SecurityPolicyFragment")
 			}
 			return b.hostState.InjectFragment(ctx, r)
 		case guestresource.ResourceTypeWCOWBlockCims:
diff --git a/internal/gcs-sidecar/host.go b/internal/gcs-sidecar/host.go
@@ -73,7 +73,7 @@ func NewHost(initialEnforcer securitypolicy.SecurityPolicyEnforcer) *Host {
 // (ie fingerprint of a non leaf cert and the subject matches the leaf cert)
 // 3 - Check that this issuer/feed match the requirement of the user provided
 // security policy (done in the regoby LoadFragment)
-func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (err error) {
+func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.SecurityPolicyFragment) (err error) {
 	log.G(ctx).WithField("fragment", fmt.Sprintf("%+v", fragment)).Debug("GCS Host.InjectFragment")
 
 	raw, err := base64.StdEncoding.DecodeString(fragment.Fragment)
@@ -133,7 +133,7 @@ func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWS
 	return nil
 }
 
-func (h *Host) SetWCOWConfidentialUVMOptions(ctx context.Context, securityPolicyRequest *guestresource.WCOWConfidentialOptions, logWriter io.Writer) error {
+func (h *Host) SetWCOWConfidentialUVMOptions(ctx context.Context, securityPolicyRequest *guestresource.ConfidentialOptions, logWriter io.Writer) error {
 	h.policyMutex.Lock()
 	defer h.policyMutex.Unlock()
 
diff --git a/internal/gcs-sidecar/uvm.go b/internal/gcs-sidecar/uvm.go
@@ -92,7 +92,7 @@ func unmarshalContainerModifySettings(req *request) (_ *prot.ContainerModifySett
 			modifyGuestSettingsRequest.Settings = settings
 
 		case guestresource.ResourceTypeSecurityPolicy:
-			securityPolicyRequest := &guestresource.WCOWConfidentialOptions{}
+			securityPolicyRequest := &guestresource.ConfidentialOptions{}
 			if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, securityPolicyRequest); err != nil {
 				return nil, fmt.Errorf("invalid ResourceTypeSecurityPolicy request: %w", err)
 			}
diff --git a/internal/guest/prot/protocol.go b/internal/guest/prot/protocol.go
@@ -583,15 +583,15 @@ func UnmarshalContainerModifySettings(b []byte) (*containerModifySettings, error
 		}
 		msr.Settings = cc
 	case guestresource.ResourceTypeSecurityPolicy:
-		enforcer := &guestresource.LCOWConfidentialOptions{}
+		enforcer := &guestresource.ConfidentialOptions{}
 		if err := commonutils.UnmarshalJSONWithHresult(msrRawSettings, enforcer); err != nil {
-			return &request, errors.Wrap(err, "failed to unmarshal settings as LCOWConfidentialOptions")
+			return &request, errors.Wrap(err, "failed to unmarshal settings as ConfidentialOptions")
 		}
 		msr.Settings = enforcer
 	case guestresource.ResourceTypePolicyFragment:
-		fragment := &guestresource.LCOWSecurityPolicyFragment{}
+		fragment := &guestresource.SecurityPolicyFragment{}
 		if err := commonutils.UnmarshalJSONWithHresult(msrRawSettings, fragment); err != nil {
-			return &request, errors.Wrap(err, "failed to unmarshal settings as LCOWSecurityPolicyFragment")
+			return &request, errors.Wrap(err, "failed to unmarshal settings as SecurityPolicyFragment")
 		}
 		msr.Settings = fragment
 	default:
diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go
@@ -96,13 +96,13 @@ func NewHost(rtime runtime.Runtime, vsock transport.Transport, initialEnforcer s
 	}
 }
 
-// SetConfidentialUVMOptions takes guestresource.LCOWConfidentialOptions
+// SetConfidentialUVMOptions takes guestresource.ConfidentialOptions
 // to set up our internal data structures we use to store and enforce
 // security policy. The options can contain security policy enforcer type,
 // encoded security policy and signed UVM reference information The security
 // policy and uvm reference information can be further presented to workload
 // containers for validation and attestation purposes.
-func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error {
+func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.ConfidentialOptions) error {
 	h.policyMutex.Lock()
 	defer h.policyMutex.Unlock()
 	if h.securityPolicyEnforcerSet {
@@ -164,7 +164,7 @@ func (h *Host) SetConfidentialUVMOptions(ctx context.Context, r *guestresource.L
 // (ie fingerprint of a non leaf cert and the subject matches the leaf cert)
 // 3 - Check that this issuer/feed match the requirement of the user provided
 // security policy (done in the regoby LoadFragment)
-func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.LCOWSecurityPolicyFragment) (err error) {
+func (h *Host) InjectFragment(ctx context.Context, fragment *guestresource.SecurityPolicyFragment) (err error) {
 	log.G(ctx).WithField("fragment", fmt.Sprintf("%+v", fragment)).Debug("GCS Host.InjectFragment")
 
 	raw, err := base64.StdEncoding.DecodeString(fragment.Fragment)
@@ -638,15 +638,15 @@ func (h *Host) modifyHostSettings(ctx context.Context, containerID string, req *
 		}
 		return c.modifyContainerConstraints(ctx, req.RequestType, req.Settings.(*guestresource.LCOWContainerConstraints))
 	case guestresource.ResourceTypeSecurityPolicy:
-		r, ok := req.Settings.(*guestresource.LCOWConfidentialOptions)
+		r, ok := req.Settings.(*guestresource.ConfidentialOptions)
 		if !ok {
-			return errors.New("the request's settings are not of type LCOWConfidentialOptions")
+			return errors.New("the request's settings are not of type ConfidentialOptions")
 		}
 		return h.SetConfidentialUVMOptions(ctx, r)
 	case guestresource.ResourceTypePolicyFragment:
-		r, ok := req.Settings.(*guestresource.LCOWSecurityPolicyFragment)
+		r, ok := req.Settings.(*guestresource.SecurityPolicyFragment)
 		if !ok {
-			return errors.New("the request settings are not of type LCOWSecurityPolicyFragment")
+			return errors.New("the request settings are not of type SecurityPolicyFragment")
 		}
 		return h.InjectFragment(ctx, r)
 	default:
diff --git a/internal/protocol/guestresource/resources.go b/internal/protocol/guestresource/resources.go
@@ -229,25 +229,14 @@ type SignalProcessOptionsWCOW struct {
 	Signal guestrequest.SignalValueWCOW `json:",omitempty"`
 }
 
-// LCOWConfidentialOptions is used to set various confidential container specific
+// ConfidentialOptions is used to set various confidential container specific
 // options.
-type LCOWConfidentialOptions struct {
+type ConfidentialOptions struct {
 	EnforcerType          string `json:"EnforcerType,omitempty"`
 	EncodedSecurityPolicy string `json:"EncodedSecurityPolicy,omitempty"`
 	EncodedUVMReference   string `json:"EncodedUVMReference,omitempty"`
 }
 
-type LCOWSecurityPolicyFragment struct {
+type SecurityPolicyFragment struct {
 	Fragment string `json:"Fragment,omitempty"`
 }
-
-type WCOWConfidentialOptions struct {
-	EnforcerType          string `json:"EnforcerType,omitempty"`
-	EncodedSecurityPolicy string `json:"EncodedSecurityPolicy,omitempty"`
-	// Optional security policy
-	WCOWSecurityPolicy string
-	// Set when there is a security policy to apply on actual SNP hardware, use this rathen than checking the string length
-	WCOWSecurityPolicyEnabled bool
-	// Set which security policy enforcer to use (open door or rego). This allows for better fallback mechanic.
-	WCOWSecurityPolicyEnforcer string
-}
diff --git a/internal/uvm/security_policy.go b/internal/uvm/security_policy.go
@@ -16,69 +16,24 @@ import (
 	"github.com/Microsoft/hcsshim/pkg/ctrdtaskapi"
 )
 
-type ConfidentialUVMOpt func(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error
+type ConfidentialUVMOpt func(ctx context.Context, r *guestresource.ConfidentialOptions) error
 
 // WithSecurityPolicy sets the desired security policy for the resource.
 func WithSecurityPolicy(policy string) ConfidentialUVMOpt {
-	return func(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error {
+	return func(ctx context.Context, r *guestresource.ConfidentialOptions) error {
 		r.EncodedSecurityPolicy = policy
 		return nil
 	}
 }
 
 // WithSecurityPolicyEnforcer sets the desired enforcer type for the resource.
 func WithSecurityPolicyEnforcer(enforcer string) ConfidentialUVMOpt {
-	return func(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error {
+	return func(ctx context.Context, r *guestresource.ConfidentialOptions) error {
 		r.EnforcerType = enforcer
 		return nil
 	}
 }
 
-// TODO (Mahati): Move this block out later
-type WCOWConfidentialUVMOpt func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error
-
-// WithSecurityPolicy sets the desired security policy for the resource.
-func WithWCOWSecurityPolicy(policy string) WCOWConfidentialUVMOpt {
-	return func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error {
-		r.EncodedSecurityPolicy = policy
-		return nil
-	}
-}
-
-// WithSecurityPolicyEnforcer sets the desired enforcer type for the resource.
-func WithWCOWSecurityPolicyEnforcer(enforcer string) WCOWConfidentialUVMOpt {
-	return func(ctx context.Context, r *guestresource.WCOWConfidentialOptions) error {
-		r.EnforcerType = enforcer
-		return nil
-	}
-}
-
-func (uvm *UtilityVM) SetWCOWConfidentialUVMOptions(ctx context.Context, opts ...WCOWConfidentialUVMOpt) error {
-	if uvm.operatingSystem != "windows" {
-		return errNotSupported
-	}
-	uvm.m.Lock()
-	defer uvm.m.Unlock()
-	confOpts := &guestresource.WCOWConfidentialOptions{}
-	for _, o := range opts {
-		if err := o(ctx, confOpts); err != nil {
-			return err
-		}
-	}
-	modification := &hcsschema.ModifySettingRequest{
-		RequestType: guestrequest.RequestTypeAdd,
-		GuestRequest: guestrequest.ModificationRequest{
-			ResourceType: guestresource.ResourceTypeSecurityPolicy,
-			RequestType:  guestrequest.RequestTypeAdd,
-			Settings:     *confOpts,
-		},
-	}
-	if err := uvm.modify(ctx, modification); err != nil {
-		return fmt.Errorf("uvm::Policy: failed to modify utility VM configuration: %w", err)
-	}
-	return nil
-}
-
 func base64EncodeFileContents(filePath string) (string, error) {
 	if filePath == "" {
 		return "", nil
@@ -94,7 +49,7 @@ func base64EncodeFileContents(filePath string) (string, error) {
 // content before setting it for the resource. This is no-op if the
 // `referenceName` is empty or the file doesn't exist.
 func WithUVMReferenceInfo(referenceRoot string, referenceName string) ConfidentialUVMOpt {
-	return func(ctx context.Context, r *guestresource.LCOWConfidentialOptions) error {
+	return func(ctx context.Context, r *guestresource.ConfidentialOptions) error {
 		if referenceName == "" {
 			return nil
 		}
@@ -112,6 +67,11 @@ func WithUVMReferenceInfo(referenceRoot string, referenceName string) Confidenti
 	}
 }
 
+// defaultWCOWOSBootFilesPath returns `%ProgramFiles%\Windows Containers`.
+func defaultWCOWOSBootFilesPath() string {
+	return filepath.Join(os.Getenv("ProgramFiles"), "Windows Containers")
+}
+
 // SetConfidentialUVMOptions sends information required to run the UVM on
 // SNP hardware, e.g., security policy and enforcer type, signed UVM reference
 // information, etc.
@@ -126,7 +86,7 @@ func (uvm *UtilityVM) SetConfidentialUVMOptions(ctx context.Context, opts ...Con
 	uvm.m.Lock()
 	defer uvm.m.Unlock()
 
-	confOpts := &guestresource.LCOWConfidentialOptions{}
+	confOpts := &guestresource.ConfidentialOptions{}
 	for _, o := range opts {
 		if err := o(ctx, confOpts); err != nil {
 			return err
@@ -156,7 +116,7 @@ func (uvm *UtilityVM) InjectPolicyFragment(ctx context.Context, fragment *ctrdta
 		GuestRequest: guestrequest.ModificationRequest{
 			ResourceType: guestresource.ResourceTypePolicyFragment,
 			RequestType:  guestrequest.RequestTypeAdd,
-			Settings: guestresource.LCOWSecurityPolicyFragment{
+			Settings: guestresource.SecurityPolicyFragment{
 				Fragment: fragment.Fragment,
 			},
 		},
diff --git a/internal/uvm/start.go b/internal/uvm/start.go
@@ -326,27 +326,20 @@ func (uvm *UtilityVM) Start(ctx context.Context) (err error) {
 	}
 	uvm.SCSIManager = mgr
 
-	if uvm.confidentialUVMOptions != nil && uvm.OS() == "linux" {
+	if uvm.confidentialUVMOptions != nil || uvm.HasConfidentialPolicy() {
+		uvmReferenceInfoFile := defaultLCOWOSBootFilesPath()
+		if uvm.OS() == "windows" {
+			uvmReferenceInfoFile = defaultWCOWOSBootFilesPath()
+		}
 		copts := []ConfidentialUVMOpt{
 			WithSecurityPolicy(uvm.confidentialUVMOptions.SecurityPolicy),
 			WithSecurityPolicyEnforcer(uvm.confidentialUVMOptions.SecurityPolicyEnforcer),
-			WithUVMReferenceInfo(defaultLCOWOSBootFilesPath(), uvm.confidentialUVMOptions.UVMReferenceInfoFile),
+			WithUVMReferenceInfo(uvmReferenceInfoFile, uvm.confidentialUVMOptions.UVMReferenceInfoFile),
 		}
 		if err := uvm.SetConfidentialUVMOptions(ctx, copts...); err != nil {
 			return err
 		}
 	}
-
-	if uvm.HasConfidentialPolicy() && uvm.OS() == "windows" {
-		copts := []WCOWConfidentialUVMOpt{
-			WithWCOWSecurityPolicy(uvm.createOpts.(*OptionsWCOW).SecurityPolicy),
-			WithWCOWSecurityPolicyEnforcer(uvm.createOpts.(*OptionsWCOW).SecurityPolicyEnforcer),
-		}
-		if err := uvm.SetWCOWConfidentialUVMOptions(ctx, copts...); err != nil {
-			return err
-		}
-	}
-
 	return nil
 }
 
diff --git a/test/gcs/main_test.go b/test/gcs/main_test.go
@@ -169,7 +169,7 @@ func getHostErr(rt runtime.Runtime, tp transport.Transport) (*hcsv2.Host, error)
 	h := hcsv2.NewHost(rt, tp, &securitypolicy.OpenDoorSecurityPolicyEnforcer{}, os.Stdout)
 	if err := h.SetConfidentialUVMOptions(
 		context.Background(),
-		&guestresource.LCOWConfidentialOptions{},
+		&guestresource.ConfidentialOptions{},
 	); err != nil {
 		return nil, fmt.Errorf("could not set host security policy: %w", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ func unmarshalContainerModifySettings(req request) (_ prot.ContainerModifySett`
`92`	`92`	`modifyGuestSettingsRequest.Settings = settings`
`93`	`93`
`94`	`94`	`case guestresource.ResourceTypeSecurityPolicy:`
`95`		`- securityPolicyRequest := &guestresource.WCOWConfidentialOptions{}`
	`95`	`+ securityPolicyRequest := &guestresource.ConfidentialOptions{}`
`96`	`96`	`if err := commonutils.UnmarshalJSONWithHresult(rawGuestRequest, securityPolicyRequest); err != nil {`
`97`	`97`	`return nil, fmt.Errorf("invalid ResourceTypeSecurityPolicy request: %w", err)`
`98`	`98`	`}`
Original file line number	Diff line number	Diff line change
`@@ -169,7 +169,7 @@ func getHostErr(rt runtime.Runtime, tp transport.Transport) (*hcsv2.Host, error)`
`169`	`169`	`h := hcsv2.NewHost(rt, tp, &securitypolicy.OpenDoorSecurityPolicyEnforcer{}, os.Stdout)`
`170`	`170`	`if err := h.SetConfidentialUVMOptions(`
`171`	`171`	`context.Background(),`
`172`		`- &guestresource.LCOWConfidentialOptions{},`
	`172`	`+ &guestresource.ConfidentialOptions{},`
`173`	`173`	`); err != nil {`
`174`	`174`	`return nil, fmt.Errorf("could not set host security policy: %w", err)`
`175`	`175`	`}`