snp-daemon/scripts/start_qemu_vm.sh
ghe0 3c6074f735 connected daemon to the brain (#2)
Instead of grabbing commands from files, the daemon now connects to the brain and receives commands via gRPC.

Reviewed-on: SNP/daemon#2
2024-12-30 20:45:01 +00:00


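#!/bin/bash
#
# Boot a SEV-SNP confidential guest with QEMU.
#
# The VM is selected by the VM_UUID environment variable; its settings are
# sourced from /etc/detee/daemon/vms/${VM_UUID}.sh, which must define
#   KERNEL, INITRD, PARAMS, CPU_TYPE, VCPUS, MEMORY, MAX_MEMORY, DISK
# and may define
#   NETWORK_INTERFACE_<n>  "macvtap_<parent>_<name>", "ipvtap_<parent>_<name>"
#                          or "NAT" (only the first NAT entry is used)
#   NAT_PORT_FW            whitespace-separated "hostport:guestport" pairs
#                          forwarded through the user-mode NAT backend
#
# Creating links and opening /dev/tap<ifindex> requires the matching
# privileges on the host (presumably root).

# Measured OVMF firmware image; the file name is its hash, so a firmware
# update means updating this path too.
OVMF_PATH="/var/lib/detee/boot/0346619257269b9a61ee003e197d521b8e2283483070d163a34940d6a1d40d76"
readonly OVMF_PATH

#######################################
# Print a diagnostic to stderr and exit with status 1.
# Arguments: the message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[[ -n "$VM_UUID" ]] || die "Environment variable VM_UUID is not set."
# VM_UUID is interpolated into a path that is then sourced as shell code, so
# only a plain identifier is accepted: no slashes, dots or other characters
# that could point outside the vms directory.
[[ "$VM_UUID" =~ ^[A-Za-z0-9_-]+$ ]] \
  || die "Environment variable VM_UUID contains invalid characters."

vm_config="/etc/detee/daemon/vms/${VM_UUID}.sh"
[[ -r "$vm_config" ]] || die "VM configuration ${vm_config} is not readable."
# shellcheck source=/dev/null
source "$vm_config"

mandatory_vars=("KERNEL" "INITRD" "PARAMS" "CPU_TYPE" \
  "VCPUS" "MEMORY" "MAX_MEMORY" "DISK")
for var in "${mandatory_vars[@]}"; do
  [[ -n "${!var}" ]] || die "Environment variable $var is not set."
done
[[ -r "$OVMF_PATH" ]] || die "Firmware image ${OVMF_PATH} is not readable."

# Network-related QEMU arguments, one array element per argument so that
# values are never word-split again when handed to qemu-system-x86_64.
qemu_net_args=()
nat_configured="false"
# Index used for the tap netdev/device ids (hostnet1, hostnet2, ...).
vtap_nic_count=1

#######################################
# Attach a macvtap/ipvtap interface: create the link on the host, open its
# /dev/tap device and pass the descriptor to QEMU as a tap netdev.
# Globals:   qemu_net_args (appended), vtap_nic_count (incremented)
# Arguments: $1 - link type (macvtap|ipvtap)
#            $2 - parent device
#            $3 - name of the link to create
#######################################
add_vtap_interface() {
  local vtap_type=$1 vtap_parent=$2 vtap_name=$3
  local vtap_mode vtap_index vtap_addr fd_number

  if [[ "$vtap_type" == "macvtap" ]]; then
    vtap_mode="bridge"
  else
    vtap_mode="l3"
  fi
  ip link add link "$vtap_parent" name "$vtap_name" type "$vtap_type" mode "$vtap_mode" \
    || die "Failed to create ${vtap_type} link ${vtap_name} on ${vtap_parent}."
  # Keep the host side of this link from processing IPv6 router advertisements.
  sysctl -w "net.ipv6.conf.${vtap_name}.accept_ra=0"
  ip link set "$vtap_name" up
  ip link set "$vtap_name" promisc on

  vtap_index="$(cat "/sys/class/net/${vtap_name}/ifindex")" \
    || die "Cannot read ifindex of ${vtap_name}."
  vtap_addr="$(cat "/sys/class/net/${vtap_name}/address")" \
    || die "Cannot read MAC address of ${vtap_name}."
  # Open the tap device read/write on a fresh descriptor. The fd stays open in
  # this shell and is inherited by QEMU, which refers to it by number.
  exec {fd_number}<>"/dev/tap${vtap_index}" \
    || die "Cannot open /dev/tap${vtap_index}."
  # netdev id and the device's netdev reference must use the same index
  # (the old code hard-coded hostnet1 on the netdev side, which broke once a
  # second vtap interface was configured).
  qemu_net_args+=(-netdev "tap,id=hostnet${vtap_nic_count},fd=${fd_number}")
  qemu_net_args+=(-device "virtio-net-pci,netdev=hostnet${vtap_nic_count},mac=${vtap_addr},romfile=")
  ((vtap_nic_count++))
}

#######################################
# Configure the single user-mode NAT backend, forwarding every TCP port pair
# listed in NAT_PORT_FW ("hostport:guestport", whitespace separated).
# Globals:   NAT_PORT_FW (read), qemu_net_args (appended)
#######################################
add_nat_interface() {
  local port_pairs port_pair host_port guest_port
  local hostfwd=""

  # NAT_PORT_FW is a whitespace-separated list; -d '' also splits across
  # newlines, and read returns non-zero at end of input, which is expected.
  read -r -d '' -a port_pairs <<< "$NAT_PORT_FW" || true
  for port_pair in "${port_pairs[@]}"; do
    host_port="${port_pair%%:*}"
    guest_port="${port_pair#*:}"
    guest_port="${guest_port%%:*}"
    # Both halves end up inside a QEMU argument; accept only port numbers.
    [[ "$host_port" =~ ^[0-9]+$ && "$guest_port" =~ ^[0-9]+$ ]] \
      || die "NAT_PORT_FW entry '${port_pair}' is not of the form hostport:guestport."
    hostfwd+=",hostfwd=tcp::${host_port}-:${guest_port}"
  done
  qemu_net_args+=(-netdev "user,id=natnic${hostfwd}")
  qemu_net_args+=(-device "virtio-net-pci,netdev=natnic,romfile=")
}

# Names of the exported NETWORK_INTERFACE_<n> variables, in sorted order.
interfaces="$(env | sort | grep -oE '^NETWORK_INTERFACE_[0-9]*')"
while read -r interface; do
  # The here-string yields one empty line when no interface is configured.
  [[ -n "$interface" ]] || continue
  # Values look like "<type>_<parent device>_<link name>", or just "NAT";
  # any further underscore-separated fields are ignored.
  IFS='_' read -r interface_type interface_device interface_name extra <<< "${!interface}"
  case "$interface_type" in
    macvtap|ipvtap)
      add_vtap_interface "$interface_type" "$interface_device" "$interface_name"
      ;;
    NAT)
      # Only one user-mode NAT backend is created; later NAT entries are ignored.
      if [[ "$nat_configured" == "false" ]]; then
        nat_configured="true"
        add_nat_interface
      fi
      ;;
  esac
  # TODO: also handle bridge device (when IPs are public, but the host is the gateway)
done <<< "$interfaces"

# kernel-hashes=on asks QEMU to cover kernel, initrd and command line in the
# SNP launch measurement; the firmware image is the measured OVMF above.
qemu-system-x86_64 "${qemu_net_args[@]}" \
  -enable-kvm -cpu "$CPU_TYPE" -vga none \
  -machine q35,confidential-guest-support=sev0,memory-backend=ram1 \
  -smp "${VCPUS},maxcpus=${VCPUS}" \
  -m "${MEMORY},slots=5,maxmem=${MAX_MEMORY}" \
  -no-reboot -bios "$OVMF_PATH" \
  -drive "file=${DISK},if=none,id=disk0,format=qcow2" \
  -device virtio-blk-pci,drive=disk0 \
  -object "memory-backend-memfd,id=ram1,size=${MEMORY},share=true,prealloc=false" \
  -object sev-snp-guest,id=sev0,cbitpos=51,reduced-phys-bits=1,kernel-hashes=on \
  -kernel "$KERNEL" -append "$PARAMS" -initrd "$INITRD" \
  -nographic -monitor pty -serial mon:stdio -monitor unix:monitor,server,nowait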