cloud-hypervisor: add platformOEMStrings and extraPlatformOpts.

Ramblurr · Ramblurr · commit df9df1b5a40f · 2025-07-16T08:22:32.000+02:00
The cloud-hypervisor command line interface unfortunately doesn't support
multiple instances of the same arg with a different value, so we have to resort
to these extra module options rather than using extraArgs.

To make matters even worse, the `--platform` argument (of which there can be
only one), is overloaded with different types of sub-args that also need to be
provided multiple times.

This commit allows the operator to add oem strings (for example to pass systemd
credentials), as well as raw platform options as needed.
diff --git a/lib/runners/cloud-hypervisor.nix b/lib/runners/cloud-hypervisor.nix
@@ -6,7 +6,7 @@
 let
   inherit (pkgs) lib;
   inherit (microvmConfig) vcpu mem balloon initialBalloonMem deflateOnOOM hotplugMem hotpluggedMem user interfaces volumes shares socket devices hugepageMem graphics storeDisk storeOnDisk kernel initrdPath;
-  inherit (microvmConfig.cloud-hypervisor) extraArgs;
+  inherit (microvmConfig.cloud-hypervisor) platformOEMStrings extraPlatformOpts extraArgs;
 
   kernelPath = {
     x86_64-linux = "${kernel.dev}/vmlinux";
@@ -93,6 +93,9 @@ let
 
   supportsNotifySocket = true;
 
+  oemStringValues = (lib.optionals supportsNotifySocket ["io.systemd.credential:vmm.notify_socket=vsock-stream:2:8888"]) ++ platformOEMStrings;
+  oemStringOptions = lib.optionals  (oemStringValues != [])  ["oem_strings=[${lib.concatStringsSep "," oemStringValues}]"];
+  platformOps = lib.concatStringsSep "," (oemStringOptions ++ extraPlatformOpts);
 in {
   inherit tapMultiQueue;
 
@@ -146,10 +149,10 @@ in {
         "--cmdline" "${kernelConsole} reboot=t panic=-1 ${builtins.unsafeDiscardStringContext (toString microvmConfig.kernelParams)}"
         "--seccomp" "true"
         "--memory" memOps
+        "--platform" platformOps
       ]
       ++
       lib.optionals supportsNotifySocket [
-        "--platform" "oem_strings=[io.systemd.credential:vmm.notify_socket=vsock-stream:2:8888]"
         "--vsock" "cid=3,socket=notify.vsock"
       ]
       ++
diff --git a/nixos-modules/microvm/options.nix b/nixos-modules/microvm/options.nix
@@ -515,6 +515,30 @@ in
       '';
     };
 
+    cloud-hypervisor.platformOEMStrings = mkOption {
+      type = with types; listOf str;
+      default = [];
+      description = ''
+      Extra arguments to pass to cloud-hypervisor's --platform oem_strings= argument.
+
+      All the oem strings will be concatenated with a comma (,) and wrapped in oem_string=[].
+      '';
+      example = literalExpression /* nix */ ''
+      [ "io.systemd.credential:APIKEY=supersecret" ]
+      '';
+    };
+    cloud-hypervisor.extraPlatformOpts = mkOption {
+      type = with types; listOf str;
+      default = [];
+      description = ''
+      Extra arguments to pass to cloud-hypervisor's --platform argument.
+      All --platform args will be concatended with a comma (,).
+      '';
+      example = literalExpression /* nix */ ''
+      [ "uuid=<dmi_device_uuid>" ]
+      '';
+    };
+
     cloud-hypervisor.extraArgs = mkOption {
       type = with types; listOf str;
       default = [];
