Update cloud-hypervisor to v27.0.60, kernel-mshv to v5.15.72, kata to v3.0.0 (#4099)

* Update CH to v27.0.0 * Update CH to v27.0.60, kernel-mshv to v5.15.72 * update cgmanifest * Update kata to v3.0.0, apply patches for CH 27.0.0 * Update cgmanifest for kata
2022-11-15 13:20:41 -08:00 · 2022-11-15 13:20:41 -08:00 · fd4cc549bc
--- a/SPECS-EXTENDED/kernel-mshv/0001-mshv-Don-t-use-same-function-signature-as-KVM.patch
+++ b/SPECS-EXTENDED/kernel-mshv/0001-mshv-Don-t-use-same-function-signature-as-KVM.patch
@ -0,0 +1,65 @@
+From 653498214d5bad6a2baa1f276d6e346ad697f53b Mon Sep 17 00:00:00 2001
+From: Muminul Islam <muislam@microsoft.com>
+Date: Mon, 24 Oct 2022 16:58:44 -0700
+Subject: [PATCH] mshv: Don't use same function signature as KVM
+
+Function xfer_to_guest_mode_handle_work renamed to
+mshv_xfer_to_guest_mode_handle_work. Otherwise
+it causes `multiple definition of __crc_xfer_to_guest_mode_handle_work`
+error.
+
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+---
+ drivers/hv/mshv.h          | 2 +-
+ drivers/hv/mshv_main.c     | 2 +-
+ drivers/hv/xfer_to_guest.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hv/mshv.h b/drivers/hv/mshv.h
+index ad3400509003..d8c48379d818 100644
+--- a/drivers/hv/mshv.h
+++ b/drivers/hv/mshv.h
+@@ -37,7 +37,7 @@
+ 		/ sizeof(union hv_gpa_page_access_state))
+ extern struct mshv mshv;
+ 
+-int xfer_to_guest_mode_handle_work(unsigned long ti_work);
+int mshv_xfer_to_guest_mode_handle_work(unsigned long ti_work);
+ 
+ void mshv_isr(void);
+ int mshv_synic_init(unsigned int cpu);
+diff --git a/drivers/hv/mshv_main.c b/drivers/hv/mshv_main.c
+index c9e61935958b..87cb44a5145c 100644
+--- a/drivers/hv/mshv_main.c
+++ b/drivers/hv/mshv_main.c
+@@ -345,7 +345,7 @@ mshv_run_vp_with_root_scheduler(struct mshv_vp *vp, void __user *ret_message)
+ 				local_irq_restore(irq_flags);
+ 				preempt_enable();
+ 
+-				ret = xfer_to_guest_mode_handle_work(ti_work);
+				ret = mshv_xfer_to_guest_mode_handle_work(ti_work);
+ 
+ 				preempt_disable();
+ 
+diff --git a/drivers/hv/xfer_to_guest.c b/drivers/hv/xfer_to_guest.c
+index 19d4a16264c2..20c5261ce21b 100644
+--- a/drivers/hv/xfer_to_guest.c
+++ b/drivers/hv/xfer_to_guest.c
+@@ -11,7 +11,7 @@
+ #include <linux/tracehook.h>
+ 
+ /* Invoke with preemption and interrupt enabled */
+-int xfer_to_guest_mode_handle_work(unsigned long ti_work)
+int mshv_xfer_to_guest_mode_handle_work(unsigned long ti_work)
+ {
+ 	if (ti_work & _TIF_NOTIFY_SIGNAL)
+ 		tracehook_notify_signal();
+@@ -27,4 +27,4 @@ int xfer_to_guest_mode_handle_work(unsigned long ti_work)
+ 
+ 	return 0;
+ }
+-EXPORT_SYMBOL_GPL(xfer_to_guest_mode_handle_work);
+EXPORT_SYMBOL_GPL(mshv_xfer_to_guest_mode_handle_work);
+-- 
+2.25.1
+
--- a/SPECS-EXTENDED/kernel-mshv/kernel-mshv.signatures.json
+++ b/SPECS-EXTENDED/kernel-mshv/kernel-mshv.signatures.json
@ -1,7 +1,7 @@
 {
 "Signatures": {
  "config": "958a353cbe1199399641f5580353806af3bad5f348ce9049e9f4f0482a71d607",
-  "kernel-mshv-5.15.34.1.tar.gz": "57c0a30b682e3a600dac48b144c6f395a246ebea8936a57158e9230897b3e78e",
+  "kernel-mshv-5.15.72.mshv2.tar.gz": "594c73d2df786387fab8801239e3a527dcf19109eb7a70cddc754bafe63926d0",
  "cbl-mariner-ca-20211013.pem": "5ef124b0924cb1047c111a0ecff1ae11e6ad7cac8d1d9b40f98f99334121f0b0"
 }
 }
--- a/SPECS-EXTENDED/kernel-mshv/kernel-mshv.spec
+++ b/SPECS-EXTENDED/kernel-mshv/kernel-mshv.spec
@ -10,8 +10,8 @@

 Summary:        Mariner kernel that has MSHV Host support
 Name:           kernel-mshv
-Version:        5.15.34.1
-Release:        2%{?dist}
+Version:        5.15.72.mshv2
+Release:        1%{?dist}
 License:        GPLv2
 URL:            https://github.com/microsoft/CBL-Mariner-Linux-Kernel
 Group:          Development/Tools
@ -20,6 +20,7 @@ Distribution:   Mariner
 Source0:        %{_mariner_sources_url}/%{name}-%{version}.tar.gz
 Source1:        config
 Source2:        cbl-mariner-ca-20211013.pem
+Patch0:         0001-mshv-Don-t-use-same-function-signature-as-KVM.patch
 ExclusiveArch:  x86_64
 BuildRequires:  audit-devel
 BuildRequires:  bash
@ -74,7 +75,7 @@ Requires:       audit
 This package contains the 'perf' performance analysis tools for MSHV kernel.

 %prep
-%autosetup
+%autosetup -p1

 make mrproper

@ -237,6 +238,9 @@ ln -sf linux-%{uname_r}.cfg /boot/mariner.cfg
 %{_includedir}/perf/perf_dlfilter.h

 %changelog
+* Thu Oct 27 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 5.15.72.mshv2-1
+- Update to v5.15.72.mshv2.
+
 * Wed Sep 21 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 5.15.34.1-2
 - Copy vmlinuz to /boot/efi partition.

--- a/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json
+++ b/SPECS/cloud-hypervisor/cloud-hypervisor.signatures.json
@ -1,7 +1,7 @@
 {
 "Signatures": {
-  "cloud-hypervisor-26.0-cargo.tar.gz": "2f5898a223104409aa764aebb3357af53669d29cc3587e72a96937efeb1c6654",
-  "cloud-hypervisor-26.0.tar.gz": "3acd6b2e1c3025b56108d61e478160e3a4dde668ada659f77eae3113e687fff8",
-  "config.toml": "5cd23bddef9b66cb66fb3a31b9b803fa415b8f3cc6a25564a6dc380ed2629c47"
+  "cloud-hypervisor-27.0.60-cargo.tar.gz": "a54b75004a41b531178f38f82a5a337a64649bd026e92c0c3b403dd055fe664f",
+  "cloud-hypervisor-27.0.60.tar.gz": "3675e6ad82c1a1604a1c3b29d8551f4f03c32a4b7f3789a7523482fa555ffb03",
+  "config.toml": "e823c53144d9c88262f033560e988e2431a2f0b4a815ff0be8740f0c0bb9312c"
 }
 }
--- a/SPECS/cloud-hypervisor/cloud-hypervisor.spec
+++ b/SPECS/cloud-hypervisor/cloud-hypervisor.spec
@ -1,21 +1,25 @@
 %define using_rustup 0
 %define using_musl_libc 0
 %define using_vendored_crates 1
+%global githubref 099cdd2

 Summary:        Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on top of KVM.
 Name:           cloud-hypervisor
-Version:        26.0
-Release:        2%{?dist}
+Version:        27.0.60
+Release:        1%{?dist}
 License:        ASL 2.0 OR BSD-3-clause
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/System
 URL:            https://github.com/cloud-hypervisor/cloud-hypervisor
-Source0:        https://github.com/cloud-hypervisor/cloud-hypervisor/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source0:        https://github.com/cloud-hypervisor/cloud-hypervisor/tarball/%{githubref}#/%{name}-%{version}.tar.gz
 %if 0%{?using_vendored_crates}
 # Note: the %%{name}-%%{version}-cargo.tar.gz file contains a cache created by capturing the contents downloaded into $CARGO_HOME.
-# To update the cache run:
-#   [repo_root]/toolkit/scripts/build_cargo_cache.sh %%{name}-%%{version}.tar.gz
+# To update the cache and config.toml run:
+#   tar -xf %{name}-%{version}.tar.gz
+#   cd %{name}-%{version}
+#   cargo vendor > config.toml
+#   tar -czf %{name}-%{version}-cargo.tar.gz vendor/
 Source1:        %{name}-%{version}-cargo.tar.gz
 Source2:        config.toml
 %endif
@ -40,7 +44,7 @@ ExclusiveArch:  x86_64

 %ifarch x86_64
 %define rust_def_target x86_64-unknown-linux-gnu
-%define cargo_pkg_feature_opts --no-default-features --features "common,mshv,kvm"
+%define cargo_pkg_feature_opts --no-default-features --features "mshv,kvm"
 %endif
 %ifarch aarch64
 %define rust_def_target aarch64-unknown-linux-gnu
@ -65,7 +69,7 @@ Cloud Hypervisor is an open source Virtual Machine Monitor (VMM) that runs on to

 %prep

-%setup -q
+%setup -q -n %{name}-%{name}-%{githubref}
 %if 0%{?using_vendored_crates}
 tar xf %{SOURCE1}
 mkdir -p .cargo
@ -148,6 +152,9 @@ cargo build --release --target=%{rust_musl_target} --package vhost_user_block %{
 %license LICENSE-BSD-3-Clause

 %changelog
+* Thu Oct 27 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 27.0.60-1
+- Update to v27.0.60
+
 * Wed Aug 31 2022 Olivia Crain <oliviacrain@microsoft.com> - 26.0-2
 - Bump package to rebuild with stable Rust compiler

--- a/SPECS/cloud-hypervisor/config.toml
+++ b/SPECS/cloud-hypervisor/config.toml
@ -32,6 +32,11 @@ git = "https://github.com/rust-vmm/vfio"
 branch = "main"
 replace-with = "vendored-sources"

+[source."https://github.com/rust-vmm/vhost"]
+git = "https://github.com/rust-vmm/vhost"
+branch = "main"
+replace-with = "vendored-sources"
+
 [source."https://github.com/rust-vmm/vm-fdt"]
 git = "https://github.com/rust-vmm/vm-fdt"
 branch = "main"
--- a/SPECS/kata-containers/0001-Merged-PR-9607-Allow-10-seconds-for-VM-creation-star.patch
+++ b/SPECS/kata-containers/0001-Merged-PR-9607-Allow-10-seconds-for-VM-creation-star.patch
@ -16,9 +16,9 @@ index aaa8e288..118e1b4d 100644
 	span, _ := katatrace.Trace(ctx, clh.Logger(), "StartVM", clhTracingTags, map[string]string{"sandbox_id": clh.id})
 	defer span.End()
 
-	ctx, cancel := context.WithTimeout(context.Background(), clhAPITimeout*time.Second)
+-	ctx, cancel := context.WithTimeout(context.Background(), clh.getClhAPITimeout()*time.Second)
 +	// FIXME - for now allow more than one second to create and start the VM.
-+	// ctx, cancel := context.WithTimeout(context.Background(), clhAPITimeout*time.Second)
+	// ctx, cancel := context.WithTimeout(context.Background(), clh.getClhAPITimeout()*time.Second)
 +	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
 
--- a/SPECS/kata-containers/0005-Merged-PR-9956-shim-avoid-memory-hotplug-timeout.patch
+++ b/SPECS/kata-containers/0005-Merged-PR-9956-shim-avoid-memory-hotplug-timeout.patch
@ -16,9 +16,9 @@ index 118e1b4d..f18b6c6f 100644
 	}
 
 	cl := clh.client()
-	ctx, cancelResize := context.WithTimeout(ctx, clhAPITimeout*time.Second)
+-	ctx, cancelResize := context.WithTimeout(ctx, clh.getClhAPITimeout()*time.Second)
 +	// FIXME: memory hotplug sometimes takes longer than 1 second.
-+	// ctx, cancelResize := context.WithTimeout(ctx, clhAPITimeout*time.Second)
+	// ctx, cancelResize := context.WithTimeout(ctx, clh.getClhAPITimeout()*time.Second)
 +	ctx, cancelResize := context.WithTimeout(ctx, 10*time.Second)
 	defer cancelResize()
 
--- a/SPECS/kata-containers/kata-containers.signatures.json
+++ b/SPECS/kata-containers/kata-containers.signatures.json
@ -2,8 +2,8 @@
 "Signatures": {
  "15-dracut.conf": "af94e6b7c9dfa3910531e7b5532a18fd0340de88939a4852de4ec7a49c5889ca",
  "50-kata": "fb108c6337b3d3bf80b43ab04f2bf9a3bdecd29075ebd16320aefe8f81c502a7",
-  "kata-containers-2.5.0-vendor.tar.gz": "cc5b061c34aebd49f88f284182e230b923e8b3c37124ea1405a6a42fcdcf68e7",
-  "kata-containers-2.5.0.tar.gz": "fd57a23ab552001f2cb467458e87a8b01d7353bcdda18b44ec76a4fbee971716",
+  "kata-containers-3.0.0-vendor.tar.gz": "0f31ee3c1bca71650bf3dac3d1f04d2b42322b3c41abb1982a654463a655da42",
+  "kata-containers-3.0.0.tar.gz": "e1b3cd7402d99414dc3606364cbb6e71f4354c8be65f31ba5eae89f6c207d05d",
  "kata-osbuilder-generate.service": "4438c39799297efbf88cfc549964432a41506a3c89e13073fa908658a5bd6376",
  "kata-osbuilder.sh": "b2a0510933f36860c16447400119488a035a7cb579a6f8adc4925fff54f1883b"
 }
--- a/SPECS/kata-containers/kata-containers.spec
+++ b/SPECS/kata-containers/kata-containers.spec
@ -38,8 +38,8 @@

 Summary:        Kata Containers version 2.x repository
 Name:           kata-containers
-Version:        2.5.0
-Release:        7%{?dist}
+Version:        3.0.0
+Release:        1%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 URL:            https://github.com/%{name}/%{name}
@ -54,6 +54,10 @@ Patch1:         0002-Merged-PR-9671-Wait-for-a-possibly-slow-Guest.patch
 Patch2:         0003-Merged-PR-9805-Add-support-for-MSHV.patch
 Patch3:         0004-Merged-PR-9806-Fix-enable_debug-for-hypervisor.clh.patch
 Patch4:         0005-Merged-PR-9956-shim-avoid-memory-hotplug-timeout.patch
+Patch5:         runtime-Support-for-AMD-SEV-SNP-VMs.patch
+Patch6:         runtime-clh-Use-the-new-API-to-boot-with-TDX-firmware-td-shim.patch
+Patch7:         versions-Update-Cloud-Hypervisor.patch
+Patch8:         runtime-Re-generate-the-client-code.patch

 BuildRequires:  golang
 BuildRequires:  git-core
@ -220,6 +224,9 @@ ln -sf %{_bindir}/kata-runtime %{buildroot}%{_prefix}/local/bin/kata-runtime
 %exclude %{kataosbuilderdir}/rootfs-builder/ubuntu

 %changelog
+* Tue Nov 15 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 3.0.0-1
+- Update to v3.0.0, apply patches for compatibility with Cloud-hypervisor v27.0.60.
+
 * Tue Nov 01 2022 Olivia Crain <oliviacrain@microsoft.com> - 2.5.0-7
 - Bump release to rebuild with go 1.18.8

--- a/SPECS/kata-containers/runtime-Re-generate-the-client-code.patch
+++ b/SPECS/kata-containers/runtime-Re-generate-the-client-code.patch
--- a/SPECS/kata-containers/runtime-Support-for-AMD-SEV-SNP-VMs.patch
+++ b/SPECS/kata-containers/runtime-Support-for-AMD-SEV-SNP-VMs.patch
@ -0,0 +1,268 @@
+From 22bda0838c77853ed92546308b59b6500083bb4e Mon Sep 17 00:00:00 2001
+From: Joana Pecholt <joana.pecholt@aisec.fraunhofer.de>
+Date: Tue, 23 Aug 2022 10:42:01 +0200
+Subject: [PATCH] runtime: Support for AMD SEV-SNP VMs
+
+This commit adds AMD SEV-SNP as a confidential guest option to the
+runtime. Information on required components such as OVMF, QEMU and
+a kernel supporting SEV-SNP are defined in the versions file and
+corresponding configs are added.
+
+Note: The CPU model 'host' provided by the current SNP-QEMU does
+not support all SNP capabilities yet, which is why this option is
+changed to EPYC-v4.
+
+Note: The guest's physical address space reduction specified with
+ReducedPhysBits is 1. Details are can be found in Section 15.34.6
+here https://www.amd.com/system/files/TechDocs/24593.pdf
+
+Fixes #4437
+
+Signed-off-by: Joana Pecholt <joana.pecholt@aisec.fraunhofer.de>
+---
+ src/runtime/pkg/govmm/qemu/qemu.go            |  7 ++++
+ src/runtime/virtcontainers/clh.go             |  2 ++
+ src/runtime/virtcontainers/hypervisor.go      |  6 ++++
+ .../virtcontainers/hypervisor_linux_amd64.go  |  9 ++++++
+ src/runtime/virtcontainers/qemu_amd64.go      | 32 +++++++++++++++++++
+ src/runtime/virtcontainers/qemu_amd64_test.go | 20 ++++++++++++
+ src/runtime/virtcontainers/qemu_arm64_test.go |  7 ++++
+ .../virtcontainers/qemu_ppc64le_test.go       |  6 ++++
+ src/runtime/virtcontainers/qemu_s390x_test.go |  6 ++++
+ 9 files changed, 95 insertions(+)
+
+diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go
+index 4b36df2ea3..5b04a01c1d 100644
+--- a/src/runtime/pkg/govmm/qemu/qemu.go
+++ b/src/runtime/pkg/govmm/qemu/qemu.go
+@@ -231,6 +231,9 @@ const (
+ 	// SEVGuest represents an SEV guest object
+ 	SEVGuest ObjectType = "sev-guest"
+ 
+	// SNPGuest represents an SNP guest object
+	SNPGuest ObjectType = "sev-snp-guest"
+
+ 	// SecExecGuest represents an s390x Secure Execution (Protected Virtualization in QEMU) object
+ 	SecExecGuest ObjectType = "s390-pv-guest"
+ 	// PEFGuest represent ppc64le PEF(Protected Execution Facility) object.
+@@ -295,6 +298,8 @@ func (object Object) Valid() bool {
+ 	case TDXGuest:
+ 		return object.ID != "" && object.File != "" && object.DeviceID != ""
+ 	case SEVGuest:
+		fallthrough
+	case SNPGuest:
+ 		return object.ID != "" && object.File != "" && object.CBitPos != 0 && object.ReducedPhysBits != 0
+ 	case SecExecGuest:
+ 		return object.ID != ""
+@@ -349,6 +354,8 @@ func (object Object) QemuParams(config *Config) []string {
+ 			deviceParams = append(deviceParams, fmt.Sprintf("config-firmware-volume=%s", object.FirmwareVolume))
+ 		}
+ 	case SEVGuest:
+		fallthrough
+	case SNPGuest:
+ 		objectParams = append(objectParams, string(object.Type))
+ 		objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID))
+ 		objectParams = append(objectParams, fmt.Sprintf("cbitpos=%d", object.CBitPos))
+diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go
+index d93ceed675..7595eaaad2 100644
+--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
+@@ -422,6 +422,8 @@ func (clh *cloudHypervisor) enableProtection() error {
+ 
+ 	case sevProtection:
+ 		return errors.New("SEV protection is not supported by Cloud Hypervisor")
+	case snpProtection:
+		return errors.New("SEV-SNP protection is not supported by Cloud Hypervisor")
+ 
+ 	default:
+ 		return errors.New("This system doesn't support Confidentian Computing (Guest Protection)")
+diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
+index 0e7b4785bb..784945673f 100644
+--- a/src/runtime/virtcontainers/hypervisor.go
+++ b/src/runtime/virtcontainers/hypervisor.go
+@@ -870,6 +870,11 @@ const (
+ 	// Exclude from lint checking for it won't be used on arm64 code
+ 	sevProtection
+ 
+	// AMD Secure Encrypted Virtualization - Secure Nested Paging (SEV-SNP)
+	// https://developer.amd.com/sev/
+	// Exclude from lint checking for it won't be used on arm64 code
+	snpProtection
+
+ 	// IBM POWER 9 Protected Execution Facility
+ 	// https://www.kernel.org/doc/html/latest/powerpc/ultravisor.html
+ 	// Exclude from lint checking for it won't be used on arm64 code
+@@ -886,6 +891,7 @@ var guestProtectionStr = [...]string{
+ 	pefProtection:  "pef",
+ 	seProtection:   "se",
+ 	sevProtection:  "sev",
+	snpProtection:  "snp",
+ 	tdxProtection:  "tdx",
+ }
+ 
+diff --git a/src/runtime/virtcontainers/hypervisor_linux_amd64.go b/src/runtime/virtcontainers/hypervisor_linux_amd64.go
+index 38313d05b1..33d018fa6f 100644
+--- a/src/runtime/virtcontainers/hypervisor_linux_amd64.go
+++ b/src/runtime/virtcontainers/hypervisor_linux_amd64.go
+@@ -13,6 +13,8 @@ const (
+ 	tdxCPUFlag = "tdx"
+ 
+ 	sevKvmParameterPath = "/sys/module/kvm_amd/parameters/sev"
+
+	snpKvmParameterPath = "/sys/module/kvm_amd/parameters/sev_snp"
+ )
+ 
+ // Implementation of this function is architecture specific
+@@ -26,6 +28,13 @@ func availableGuestProtection() (guestProtection, error) {
+ 	if d, err := os.Stat(tdxSysFirmwareDir); (err == nil && d.IsDir()) || flags[tdxCPUFlag] {
+ 		return tdxProtection, nil
+ 	}
+	// SEV-SNP is supported and enabled when the kvm module `sev_snp` parameter is set to `Y`
+	if _, err := os.Stat(snpKvmParameterPath); err == nil {
+		if c, err := os.ReadFile(snpKvmParameterPath); err == nil && len(c) > 0 && (c[0] == 'Y') {
+			return snpProtection, nil
+		}
+	}
+	// Only choose SEV if SEV-SNP unsupported
+ 	// SEV is supported and enabled when the kvm module `sev` parameter is set to `1` (or `Y` for linux >= 5.12)
+ 	if _, err := os.Stat(sevKvmParameterPath); err == nil {
+ 		if c, err := os.ReadFile(sevKvmParameterPath); err == nil && len(c) > 0 && (c[0] == '1' || c[0] == 'Y') {
+diff --git a/src/runtime/virtcontainers/qemu_amd64.go b/src/runtime/virtcontainers/qemu_amd64.go
+index b7680a3180..83d1a3d6d2 100644
+--- a/src/runtime/virtcontainers/qemu_amd64.go
+++ b/src/runtime/virtcontainers/qemu_amd64.go
+@@ -169,6 +169,21 @@ func (q *qemuAmd64) bridges(number uint32) {
+ 	q.Bridges = genericBridges(number, q.qemuMachine.Type)
+ }
+ 
+func (q *qemuAmd64) cpuModel() string {
+	var err error
+	cpuModel := defaultCPUModel
+
+	// Temporary until QEMU cpu model 'host' supports AMD SEV-SNP
+	protection, err := availableGuestProtection()
+	if err == nil {
+		if protection == snpProtection {
+			cpuModel = "EPYC-v4"
+		}
+	}
+
+	return cpuModel
+}
+
+ func (q *qemuAmd64) memoryTopology(memoryMb, hostMemoryMb uint64, slots uint8) govmmQemu.Memory {
+ 	return genericMemoryTopology(memoryMb, hostMemoryMb, slots, q.memoryOffset)
+ }
+@@ -219,6 +234,13 @@ func (q *qemuAmd64) enableProtection() error {
+ 		q.qemuMachine.Options += "confidential-guest-support=sev"
+ 		logger.Info("Enabling SEV guest protection")
+ 		return nil
+	case snpProtection:
+		if q.qemuMachine.Options != "" {
+			q.qemuMachine.Options += ","
+		}
+		q.qemuMachine.Options += "confidential-guest-support=snp"
+		logger.Info("Enabling SNP guest protection")
+		return nil
+ 
+ 	// TODO: Add support for other x86_64 technologies
+ 
+@@ -263,6 +285,16 @@ func (q *qemuAmd64) appendProtectionDevice(devices []govmmQemu.Device, firmware,
+ 				CBitPos:         cpuid.AMDMemEncrypt.CBitPosition,
+ 				ReducedPhysBits: cpuid.AMDMemEncrypt.PhysAddrReduction,
+ 			}), "", nil
+	case snpProtection:
+		return append(devices,
+			govmmQemu.Object{
+				Type:            govmmQemu.SNPGuest,
+				ID:              "snp",
+				Debug:           false,
+				File:            firmware,
+				CBitPos:         cpuid.AMDMemEncrypt.CBitPosition,
+				ReducedPhysBits: 1,
+			}), "", nil
+ 	case noneProtection:
+ 		return devices, firmware, nil
+ 
+diff --git a/src/runtime/virtcontainers/qemu_amd64_test.go b/src/runtime/virtcontainers/qemu_amd64_test.go
+index 740cb6460b..73641ab455 100644
+--- a/src/runtime/virtcontainers/qemu_amd64_test.go
+++ b/src/runtime/virtcontainers/qemu_amd64_test.go
+@@ -293,6 +293,26 @@ func TestQemuAmd64AppendProtectionDevice(t *testing.T) {
+ 
+ 	assert.Equal(expectedOut, devices)
+ 
+	// snp protection
+	amd64.(*qemuAmd64).protection = snpProtection
+
+	devices, bios, err = amd64.appendProtectionDevice(devices, firmware, "")
+	assert.NoError(err)
+	assert.Empty(bios)
+
+	expectedOut = append(expectedOut,
+		govmmQemu.Object{
+			Type:            govmmQemu.SNPGuest,
+			ID:              "snp",
+			Debug:           false,
+			File:            firmware,
+			CBitPos:         cpuid.AMDMemEncrypt.CBitPosition,
+			ReducedPhysBits: 1,
+		},
+	)
+
+	assert.Equal(expectedOut, devices)
+
+ 	// tdxProtection
+ 	amd64.(*qemuAmd64).protection = tdxProtection
+ 
+diff --git a/src/runtime/virtcontainers/qemu_arm64_test.go b/src/runtime/virtcontainers/qemu_arm64_test.go
+index d78f4474b3..15ae382223 100644
+--- a/src/runtime/virtcontainers/qemu_arm64_test.go
+++ b/src/runtime/virtcontainers/qemu_arm64_test.go
+@@ -209,6 +209,13 @@ func TestQemuArm64AppendProtectionDevice(t *testing.T) {
+ 	assert.Empty(bios)
+ 	assert.NoError(err)
+ 
+	// SNP protection
+	arm64.(*qemuArm64).protection = snpProtection
+	devices, bios, err = arm64.appendProtectionDevice(devices, firmware, "")
+	assert.Empty(devices)
+	assert.Empty(bios)
+	assert.NoError(err)
+
+ 	// TDX protection
+ 	arm64.(*qemuArm64).protection = tdxProtection
+ 	devices, bios, err = arm64.appendProtectionDevice(devices, firmware, "")
+diff --git a/src/runtime/virtcontainers/qemu_ppc64le_test.go b/src/runtime/virtcontainers/qemu_ppc64le_test.go
+index 15e75a91b2..fd59f51b3a 100644
+--- a/src/runtime/virtcontainers/qemu_ppc64le_test.go
+++ b/src/runtime/virtcontainers/qemu_ppc64le_test.go
+@@ -79,6 +79,12 @@ func TestQemuPPC64leAppendProtectionDevice(t *testing.T) {
+ 	assert.Error(err)
+ 	assert.Empty(bios)
+ 
+	//SNP protection
+	ppc64le.(*qemuPPC64le).protection = snpProtection
+	devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "")
+	assert.Error(err)
+	assert.Empty(bios)
+
+ 	//TDX protection
+ 	ppc64le.(*qemuPPC64le).protection = tdxProtection
+ 	devices, bios, err = ppc64le.appendProtectionDevice(devices, firmware, "")
+diff --git a/src/runtime/virtcontainers/qemu_s390x_test.go b/src/runtime/virtcontainers/qemu_s390x_test.go
+index ada3cefc6e..909e1b87ea 100644
+--- a/src/runtime/virtcontainers/qemu_s390x_test.go
+++ b/src/runtime/virtcontainers/qemu_s390x_test.go
+@@ -136,6 +136,12 @@ func TestQemuS390xAppendProtectionDevice(t *testing.T) {
+ 	assert.Error(err)
+ 	assert.Empty(bios)
+ 
+	// SNP protection
+	s390x.(*qemuS390x).protection = snpProtection
+	devices, bios, err = s390x.appendProtectionDevice(devices, firmware, "")
+	assert.Error(err)
+	assert.Empty(bios)
+
+ 	// Secure Execution protection
+ 	s390x.(*qemuS390x).protection = seProtection
--- a/SPECS/kata-containers/runtime-clh-Use-the-new-API-to-boot-with-TDX-firmware-td-shim.patch
+++ b/SPECS/kata-containers/runtime-clh-Use-the-new-API-to-boot-with-TDX-firmware-td-shim.patch
@ -0,0 +1,35 @@
+From 067e2b1e33b34b6bd0a55246f8f3db36dce3b3f2 Mon Sep 17 00:00:00 2001
+From: Bo Chen <chen.bo@intel.com>
+Date: Fri, 30 Sep 2022 14:12:38 -0700
+Subject: [PATCH] runtime: clh: Use the new API to boot with TDX firmware
+ (td-shim)
+
+The new way to boot from TDX firmware (e.g. td-shim) is using the
+combination of '--platform tdx=on' with '--firmware tdshim'.
+
+Fixes: #5309
+
+Signed-off-by: Bo Chen <chen.bo@intel.com>
+---
+ src/runtime/virtcontainers/clh.go | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go
+index 7595eaaad2..9d40c882c1 100644
+--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
+@@ -417,7 +417,13 @@ func (clh *cloudHypervisor) enableProtection() error {
+ 			return errors.New("Firmware path is not specified")
+ 		}
+ 
+-		clh.vmconfig.Tdx = chclient.NewTdxConfig(firmwarePath)
+		clh.vmconfig.Payload.SetFirmware(firmwarePath)
+
+		if clh.vmconfig.Platform == nil {
+			clh.vmconfig.Platform = chclient.NewPlatformConfig()
+		}
+		clh.vmconfig.Platform.SetTdx(true)
+
+ 		return nil
+ 
+ 	case sevProtection:
--- a/SPECS/kata-containers/versions-Update-Cloud-Hypervisor.patch
+++ b/SPECS/kata-containers/versions-Update-Cloud-Hypervisor.patch
@ -0,0 +1,975 @@
+From 9d286af7b4543b0af9e6db53c6c84e0731f61c09 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fabiano.fidencio@intel.com>
+Date: Fri, 21 Oct 2022 11:20:32 -0700
+Subject: [PATCH] versions: Update Cloud Hypervisor to b4e39427080
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+An API change, done a long time ago, has been exposed on Cloud
+Hypervisor and we should update it on the Kata Containers side to ensure
+it doesn't affect Cloud Hypervisor CI and because the change is needed
+for an upcoming work to get QAT working with Cloud Hypervisor.
+
+Fixes: #5492
+
+Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
+---
+ src/runtime/virtcontainers/clh.go             |   9 +-
+ src/runtime/virtcontainers/clh_test.go        |   2 +-
+ .../client/.openapi-generator/FILES           |   2 -
+ .../pkg/cloud-hypervisor/client/README.md     |   1 -
+ .../cloud-hypervisor/client/api/openapi.yaml  |  16 +-
+ .../cloud-hypervisor/client/api_default.go    | 154 +++++++-------
+ .../client/docs/DefaultApi.md                 |   8 +-
+ .../client/docs/VmAddDevice.md                | 108 ----------
+ .../client/model_vm_add_device.go             | 189 ------------------
+ .../cloud-hypervisor/cloud-hypervisor.yaml    |  13 +-
+ versions.yaml                                 |   2 +-
+ 11 files changed, 84 insertions(+), 420 deletions(-)
+ delete mode 100644 src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/VmAddDevice.md
+ delete mode 100644 src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_vm_add_device.go
+
+diff --git a/src/runtime/virtcontainers/clh.go b/src/runtime/virtcontainers/clh.go
+index 9d40c882c1..93a19facd5 100644
+--- a/src/runtime/virtcontainers/clh.go
+++ b/src/runtime/virtcontainers/clh.go
+@@ -100,7 +100,7 @@ type clhClient interface {
+ 	// Add/remove CPUs to/from the VM
+ 	VmResizePut(ctx context.Context, vmResize chclient.VmResize) (*http.Response, error)
+ 	// Add VFIO PCI device to the VM
+-	VmAddDevicePut(ctx context.Context, vmAddDevice chclient.VmAddDevice) (chclient.PciDeviceInfo, *http.Response, error)
+	VmAddDevicePut(ctx context.Context, deviceConfig chclient.DeviceConfig) (chclient.PciDeviceInfo, *http.Response, error)
+ 	// Add a new disk device to the VM
+ 	VmAddDiskPut(ctx context.Context, diskConfig chclient.DiskConfig) (chclient.PciDeviceInfo, *http.Response, error)
+ 	// Remove a device from the VM
+@@ -136,8 +136,8 @@ func (c *clhClientApi) VmResizePut(ctx context.Context, vmResize chclient.VmResi
+ 	return c.ApiInternal.VmResizePut(ctx).VmResize(vmResize).Execute()
+ }
+ 
+-func (c *clhClientApi) VmAddDevicePut(ctx context.Context, vmAddDevice chclient.VmAddDevice) (chclient.PciDeviceInfo, *http.Response, error) {
+-	return c.ApiInternal.VmAddDevicePut(ctx).VmAddDevice(vmAddDevice).Execute()
+func (c *clhClientApi) VmAddDevicePut(ctx context.Context, deviceConfig chclient.DeviceConfig) (chclient.PciDeviceInfo, *http.Response, error) {
+	return c.ApiInternal.VmAddDevicePut(ctx).DeviceConfig(deviceConfig).Execute()
+ }
+ 
+ func (c *clhClientApi) VmAddDiskPut(ctx context.Context, diskConfig chclient.DiskConfig) (chclient.PciDeviceInfo, *http.Response, error) {
+@@ -808,8 +808,7 @@ func (clh *cloudHypervisor) hotPlugVFIODevice(device *config.VFIODev) error {
+ 	defer cancel()
+ 
+ 	// Create the clh device config via the constructor to ensure default values are properly assigned
+-	clhDevice := *chclient.NewVmAddDevice()
+-	clhDevice.Path = &device.SysfsDev
+	clhDevice := *chclient.NewDeviceConfig(device.SysfsDev)
+ 	pciInfo, _, err := cl.VmAddDevicePut(ctx, clhDevice)
+ 	if err != nil {
+ 		return fmt.Errorf("Failed to hotplug device %+v %s", device, openAPIClientError(err))
+diff --git a/src/runtime/virtcontainers/clh_test.go b/src/runtime/virtcontainers/clh_test.go
+index 58b1b7fe9a..d36ace88fb 100644
+--- a/src/runtime/virtcontainers/clh_test.go
+++ b/src/runtime/virtcontainers/clh_test.go
+@@ -104,7 +104,7 @@ func (c *clhClientMock) VmResizePut(ctx context.Context, vmResize chclient.VmRes
+ }
+ 
+ //nolint:golint
+-func (c *clhClientMock) VmAddDevicePut(ctx context.Context, vmAddDevice chclient.VmAddDevice) (chclient.PciDeviceInfo, *http.Response, error) {
+func (c *clhClientMock) VmAddDevicePut(ctx context.Context, deviceConfig chclient.DeviceConfig) (chclient.PciDeviceInfo, *http.Response, error) {
+ 	return chclient.PciDeviceInfo{}, nil, nil
+ }
+ 
+diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/.openapi-generator/FILES b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/.openapi-generator/FILES
+index 60eb887203..6369a3a413 100644
+--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/.openapi-generator/FILES
+++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/.openapi-generator/FILES
+@@ -35,7 +35,6 @@ docs/SgxEpcConfig.md
+ docs/TdxConfig.md
+ docs/TokenBucket.md
+ docs/VdpaConfig.md
+-docs/VmAddDevice.md
+ docs/VmConfig.md
+ docs/VmCoredumpData.md
+ docs/VmInfo.md
+@@ -76,7 +75,6 @@ model_sgx_epc_config.go
+ model_tdx_config.go
+ model_token_bucket.go
+ model_vdpa_config.go
+-model_vm_add_device.go
+ model_vm_config.go
+ model_vm_coredump_data.go
+ model_vm_info.go
+diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/README.md b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/README.md
+index 04b5c9f0cf..a33f74c7ed 100644
+--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/README.md
+++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/README.md
+@@ -137,7 +137,6 @@ Class | Method | HTTP request | Description
+  - [TdxConfig](docs/TdxConfig.md)
+  - [TokenBucket](docs/TokenBucket.md)
+  - [VdpaConfig](docs/VdpaConfig.md)
+- - [VmAddDevice](docs/VmAddDevice.md)
+  - [VmConfig](docs/VmConfig.md)
+  - [VmCoredumpData](docs/VmCoredumpData.md)
+  - [VmInfo](docs/VmInfo.md)
+diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml
+index fbffa9053d..61e57e3727 100644
+--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml
+++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml
+@@ -171,7 +171,7 @@ paths:
+         content:
+           application/json:
+             schema:
+-              $ref: '#/components/schemas/VmAddDevice'
+              $ref: '#/components/schemas/DeviceConfig'
+         description: The path of the new device
+         required: true
+       responses:
+@@ -1808,20 +1808,6 @@ components:
+           format: int64
+           type: integer
+       type: object
+-    VmAddDevice:
+-      example:
+-        path: path
+-        iommu: false
+-        id: id
+-      properties:
+-        path:
+-          type: string
+-        iommu:
+-          default: false
+-          type: boolean
+-        id:
+-          type: string
+-      type: object
+     VmRemoveDevice:
+       example:
+         id: id
+diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api_default.go b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api_default.go
+index cf97c19dd5..cb9b99d66a 100644
+--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api_default.go
+++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api_default.go
+@@ -38,8 +38,8 @@ func (r ApiBootVMRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ BootVM Boot the previously created VM instance.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiBootVMRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiBootVMRequest
+ */
+ func (a *DefaultApiService) BootVM(ctx _context.Context) ApiBootVMRequest {
+ 	return ApiBootVMRequest{
+@@ -133,8 +133,8 @@ func (r ApiCreateVMRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ CreateVM Create the cloud-hypervisor Virtual Machine (VM) instance. The instance is not booted, only created.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiCreateVMRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiCreateVMRequest
+ */
+ func (a *DefaultApiService) CreateVM(ctx _context.Context) ApiCreateVMRequest {
+ 	return ApiCreateVMRequest{
+@@ -226,8 +226,8 @@ func (r ApiDeleteVMRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ DeleteVM Delete the cloud-hypervisor Virtual Machine (VM) instance.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiDeleteVMRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiDeleteVMRequest
+ */
+ func (a *DefaultApiService) DeleteVM(ctx _context.Context) ApiDeleteVMRequest {
+ 	return ApiDeleteVMRequest{
+@@ -314,8 +314,8 @@ func (r ApiPauseVMRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ PauseVM Pause a previously booted VM instance.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiPauseVMRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiPauseVMRequest
+ */
+ func (a *DefaultApiService) PauseVM(ctx _context.Context) ApiPauseVMRequest {
+ 	return ApiPauseVMRequest{
+@@ -402,8 +402,8 @@ func (r ApiPowerButtonVMRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ PowerButtonVM Trigger a power button in the VM
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiPowerButtonVMRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiPowerButtonVMRequest
+ */
+ func (a *DefaultApiService) PowerButtonVM(ctx _context.Context) ApiPowerButtonVMRequest {
+ 	return ApiPowerButtonVMRequest{
+@@ -490,8 +490,8 @@ func (r ApiRebootVMRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ RebootVM Reboot the VM instance.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiRebootVMRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiRebootVMRequest
+ */
+ func (a *DefaultApiService) RebootVM(ctx _context.Context) ApiRebootVMRequest {
+ 	return ApiRebootVMRequest{
+@@ -578,8 +578,8 @@ func (r ApiResumeVMRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ ResumeVM Resume a previously paused VM instance.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiResumeVMRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiResumeVMRequest
+ */
+ func (a *DefaultApiService) ResumeVM(ctx _context.Context) ApiResumeVMRequest {
+ 	return ApiResumeVMRequest{
+@@ -666,8 +666,8 @@ func (r ApiShutdownVMRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ ShutdownVM Shut the VM instance down.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiShutdownVMRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiShutdownVMRequest
+ */
+ func (a *DefaultApiService) ShutdownVM(ctx _context.Context) ApiShutdownVMRequest {
+ 	return ApiShutdownVMRequest{
+@@ -754,8 +754,8 @@ func (r ApiShutdownVMMRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ ShutdownVMM Shuts the cloud-hypervisor VMM.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiShutdownVMMRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiShutdownVMMRequest
+ */
+ func (a *DefaultApiService) ShutdownVMM(ctx _context.Context) ApiShutdownVMMRequest {
+ 	return ApiShutdownVMMRequest{
+@@ -831,14 +831,14 @@ func (a *DefaultApiService) ShutdownVMMExecute(r ApiShutdownVMMRequest) (*_netht
+ }
+ 
+ type ApiVmAddDevicePutRequest struct {
+-	ctx         _context.Context
+-	ApiService  *DefaultApiService
+-	vmAddDevice *VmAddDevice
+	ctx          _context.Context
+	ApiService   *DefaultApiService
+	deviceConfig *DeviceConfig
+ }
+ 
+ // The path of the new device
+-func (r ApiVmAddDevicePutRequest) VmAddDevice(vmAddDevice VmAddDevice) ApiVmAddDevicePutRequest {
+-	r.vmAddDevice = &vmAddDevice
+func (r ApiVmAddDevicePutRequest) DeviceConfig(deviceConfig DeviceConfig) ApiVmAddDevicePutRequest {
+	r.deviceConfig = &deviceConfig
+ 	return r
+ }
+ 
+@@ -849,8 +849,8 @@ func (r ApiVmAddDevicePutRequest) Execute() (PciDeviceInfo, *_nethttp.Response,
+ /*
+ VmAddDevicePut Add a new device to the VM
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmAddDevicePutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmAddDevicePutRequest
+ */
+ func (a *DefaultApiService) VmAddDevicePut(ctx _context.Context) ApiVmAddDevicePutRequest {
+ 	return ApiVmAddDevicePutRequest{
+@@ -860,8 +860,7 @@ func (a *DefaultApiService) VmAddDevicePut(ctx _context.Context) ApiVmAddDeviceP
+ }
+ 
+ // Execute executes the request
+-//
+-//	@return PciDeviceInfo
+//  @return PciDeviceInfo
+ func (a *DefaultApiService) VmAddDevicePutExecute(r ApiVmAddDevicePutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
+ 	var (
+ 		localVarHTTPMethod   = _nethttp.MethodPut
+@@ -882,8 +881,8 @@ func (a *DefaultApiService) VmAddDevicePutExecute(r ApiVmAddDevicePutRequest) (P
+ 	localVarHeaderParams := make(map[string]string)
+ 	localVarQueryParams := _neturl.Values{}
+ 	localVarFormParams := _neturl.Values{}
+-	if r.vmAddDevice == nil {
+-		return localVarReturnValue, nil, reportError("vmAddDevice is required and must be specified")
+	if r.deviceConfig == nil {
+		return localVarReturnValue, nil, reportError("deviceConfig is required and must be specified")
+ 	}
+ 
+ 	// to determine the Content-Type header
+@@ -904,7 +903,7 @@ func (a *DefaultApiService) VmAddDevicePutExecute(r ApiVmAddDevicePutRequest) (P
+ 		localVarHeaderParams["Accept"] = localVarHTTPHeaderAccept
+ 	}
+ 	// body params
+-	localVarPostBody = r.vmAddDevice
+	localVarPostBody = r.deviceConfig
+ 	req, err := a.client.prepareRequest(r.ctx, localVarPath, localVarHTTPMethod, localVarPostBody, localVarHeaderParams, localVarQueryParams, localVarFormParams, localVarFormFileName, localVarFileName, localVarFileBytes)
+ 	if err != nil {
+ 		return localVarReturnValue, nil, err
+@@ -961,8 +960,8 @@ func (r ApiVmAddDiskPutRequest) Execute() (PciDeviceInfo, *_nethttp.Response, er
+ /*
+ VmAddDiskPut Add a new disk to the VM
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmAddDiskPutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmAddDiskPutRequest
+ */
+ func (a *DefaultApiService) VmAddDiskPut(ctx _context.Context) ApiVmAddDiskPutRequest {
+ 	return ApiVmAddDiskPutRequest{
+@@ -972,8 +971,7 @@ func (a *DefaultApiService) VmAddDiskPut(ctx _context.Context) ApiVmAddDiskPutRe
+ }
+ 
+ // Execute executes the request
+-//
+-//	@return PciDeviceInfo
+//  @return PciDeviceInfo
+ func (a *DefaultApiService) VmAddDiskPutExecute(r ApiVmAddDiskPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
+ 	var (
+ 		localVarHTTPMethod   = _nethttp.MethodPut
+@@ -1073,8 +1071,8 @@ func (r ApiVmAddFsPutRequest) Execute() (PciDeviceInfo, *_nethttp.Response, erro
+ /*
+ VmAddFsPut Add a new virtio-fs device to the VM
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmAddFsPutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmAddFsPutRequest
+ */
+ func (a *DefaultApiService) VmAddFsPut(ctx _context.Context) ApiVmAddFsPutRequest {
+ 	return ApiVmAddFsPutRequest{
+@@ -1084,8 +1082,7 @@ func (a *DefaultApiService) VmAddFsPut(ctx _context.Context) ApiVmAddFsPutReques
+ }
+ 
+ // Execute executes the request
+-//
+-//	@return PciDeviceInfo
+//  @return PciDeviceInfo
+ func (a *DefaultApiService) VmAddFsPutExecute(r ApiVmAddFsPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
+ 	var (
+ 		localVarHTTPMethod   = _nethttp.MethodPut
+@@ -1185,8 +1182,8 @@ func (r ApiVmAddNetPutRequest) Execute() (PciDeviceInfo, *_nethttp.Response, err
+ /*
+ VmAddNetPut Add a new network device to the VM
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmAddNetPutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmAddNetPutRequest
+ */
+ func (a *DefaultApiService) VmAddNetPut(ctx _context.Context) ApiVmAddNetPutRequest {
+ 	return ApiVmAddNetPutRequest{
+@@ -1196,8 +1193,7 @@ func (a *DefaultApiService) VmAddNetPut(ctx _context.Context) ApiVmAddNetPutRequ
+ }
+ 
+ // Execute executes the request
+-//
+-//	@return PciDeviceInfo
+//  @return PciDeviceInfo
+ func (a *DefaultApiService) VmAddNetPutExecute(r ApiVmAddNetPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
+ 	var (
+ 		localVarHTTPMethod   = _nethttp.MethodPut
+@@ -1297,8 +1293,8 @@ func (r ApiVmAddPmemPutRequest) Execute() (PciDeviceInfo, *_nethttp.Response, er
+ /*
+ VmAddPmemPut Add a new pmem device to the VM
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmAddPmemPutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmAddPmemPutRequest
+ */
+ func (a *DefaultApiService) VmAddPmemPut(ctx _context.Context) ApiVmAddPmemPutRequest {
+ 	return ApiVmAddPmemPutRequest{
+@@ -1308,8 +1304,7 @@ func (a *DefaultApiService) VmAddPmemPut(ctx _context.Context) ApiVmAddPmemPutRe
+ }
+ 
+ // Execute executes the request
+-//
+-//	@return PciDeviceInfo
+//  @return PciDeviceInfo
+ func (a *DefaultApiService) VmAddPmemPutExecute(r ApiVmAddPmemPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
+ 	var (
+ 		localVarHTTPMethod   = _nethttp.MethodPut
+@@ -1409,8 +1404,8 @@ func (r ApiVmAddVdpaPutRequest) Execute() (PciDeviceInfo, *_nethttp.Response, er
+ /*
+ VmAddVdpaPut Add a new vDPA device to the VM
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmAddVdpaPutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmAddVdpaPutRequest
+ */
+ func (a *DefaultApiService) VmAddVdpaPut(ctx _context.Context) ApiVmAddVdpaPutRequest {
+ 	return ApiVmAddVdpaPutRequest{
+@@ -1420,8 +1415,7 @@ func (a *DefaultApiService) VmAddVdpaPut(ctx _context.Context) ApiVmAddVdpaPutRe
+ }
+ 
+ // Execute executes the request
+-//
+-//	@return PciDeviceInfo
+//  @return PciDeviceInfo
+ func (a *DefaultApiService) VmAddVdpaPutExecute(r ApiVmAddVdpaPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
+ 	var (
+ 		localVarHTTPMethod   = _nethttp.MethodPut
+@@ -1521,8 +1515,8 @@ func (r ApiVmAddVsockPutRequest) Execute() (PciDeviceInfo, *_nethttp.Response, e
+ /*
+ VmAddVsockPut Add a new vsock device to the VM
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmAddVsockPutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmAddVsockPutRequest
+ */
+ func (a *DefaultApiService) VmAddVsockPut(ctx _context.Context) ApiVmAddVsockPutRequest {
+ 	return ApiVmAddVsockPutRequest{
+@@ -1532,8 +1526,7 @@ func (a *DefaultApiService) VmAddVsockPut(ctx _context.Context) ApiVmAddVsockPut
+ }
+ 
+ // Execute executes the request
+-//
+-//	@return PciDeviceInfo
+//  @return PciDeviceInfo
+ func (a *DefaultApiService) VmAddVsockPutExecute(r ApiVmAddVsockPutRequest) (PciDeviceInfo, *_nethttp.Response, error) {
+ 	var (
+ 		localVarHTTPMethod   = _nethttp.MethodPut
+@@ -1633,8 +1626,8 @@ func (r ApiVmCoredumpPutRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ VmCoredumpPut Takes a VM coredump.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmCoredumpPutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmCoredumpPutRequest
+ */
+ func (a *DefaultApiService) VmCoredumpPut(ctx _context.Context) ApiVmCoredumpPutRequest {
+ 	return ApiVmCoredumpPutRequest{
+@@ -1726,8 +1719,8 @@ func (r ApiVmCountersGetRequest) Execute() (map[string]map[string]int64, *_netht
+ /*
+ VmCountersGet Get counters from the VM
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmCountersGetRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmCountersGetRequest
+ */
+ func (a *DefaultApiService) VmCountersGet(ctx _context.Context) ApiVmCountersGetRequest {
+ 	return ApiVmCountersGetRequest{
+@@ -1737,8 +1730,7 @@ func (a *DefaultApiService) VmCountersGet(ctx _context.Context) ApiVmCountersGet
+ }
+ 
+ // Execute executes the request
+-//
+-//	@return map[string]map[string]int64
+//  @return map[string]map[string]int64
+ func (a *DefaultApiService) VmCountersGetExecute(r ApiVmCountersGetRequest) (map[string]map[string]int64, *_nethttp.Response, error) {
+ 	var (
+ 		localVarHTTPMethod   = _nethttp.MethodGet
+@@ -1826,8 +1818,8 @@ func (r ApiVmInfoGetRequest) Execute() (VmInfo, *_nethttp.Response, error) {
+ /*
+ VmInfoGet Returns general information about the cloud-hypervisor Virtual Machine (VM) instance.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmInfoGetRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmInfoGetRequest
+ */
+ func (a *DefaultApiService) VmInfoGet(ctx _context.Context) ApiVmInfoGetRequest {
+ 	return ApiVmInfoGetRequest{
+@@ -1837,8 +1829,7 @@ func (a *DefaultApiService) VmInfoGet(ctx _context.Context) ApiVmInfoGetRequest
+ }
+ 
+ // Execute executes the request
+-//
+-//	@return VmInfo
+//  @return VmInfo
+ func (a *DefaultApiService) VmInfoGetExecute(r ApiVmInfoGetRequest) (VmInfo, *_nethttp.Response, error) {
+ 	var (
+ 		localVarHTTPMethod   = _nethttp.MethodGet
+@@ -1933,8 +1924,8 @@ func (r ApiVmReceiveMigrationPutRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ VmReceiveMigrationPut Receive a VM migration from URL
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmReceiveMigrationPutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmReceiveMigrationPutRequest
+ */
+ func (a *DefaultApiService) VmReceiveMigrationPut(ctx _context.Context) ApiVmReceiveMigrationPutRequest {
+ 	return ApiVmReceiveMigrationPutRequest{
+@@ -2033,8 +2024,8 @@ func (r ApiVmRemoveDevicePutRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ VmRemoveDevicePut Remove a device from the VM
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmRemoveDevicePutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmRemoveDevicePutRequest
+ */
+ func (a *DefaultApiService) VmRemoveDevicePut(ctx _context.Context) ApiVmRemoveDevicePutRequest {
+ 	return ApiVmRemoveDevicePutRequest{
+@@ -2133,8 +2124,8 @@ func (r ApiVmResizePutRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ VmResizePut Resize the VM
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmResizePutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmResizePutRequest
+ */
+ func (a *DefaultApiService) VmResizePut(ctx _context.Context) ApiVmResizePutRequest {
+ 	return ApiVmResizePutRequest{
+@@ -2233,8 +2224,8 @@ func (r ApiVmResizeZonePutRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ VmResizeZonePut Resize a memory zone
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmResizeZonePutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmResizeZonePutRequest
+ */
+ func (a *DefaultApiService) VmResizeZonePut(ctx _context.Context) ApiVmResizeZonePutRequest {
+ 	return ApiVmResizeZonePutRequest{
+@@ -2333,8 +2324,8 @@ func (r ApiVmRestorePutRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ VmRestorePut Restore a VM from a snapshot.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmRestorePutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmRestorePutRequest
+ */
+ func (a *DefaultApiService) VmRestorePut(ctx _context.Context) ApiVmRestorePutRequest {
+ 	return ApiVmRestorePutRequest{
+@@ -2433,8 +2424,8 @@ func (r ApiVmSendMigrationPutRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ VmSendMigrationPut Send a VM migration to URL
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmSendMigrationPutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmSendMigrationPutRequest
+ */
+ func (a *DefaultApiService) VmSendMigrationPut(ctx _context.Context) ApiVmSendMigrationPutRequest {
+ 	return ApiVmSendMigrationPutRequest{
+@@ -2533,8 +2524,8 @@ func (r ApiVmSnapshotPutRequest) Execute() (*_nethttp.Response, error) {
+ /*
+ VmSnapshotPut Returns a VM snapshot.
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmSnapshotPutRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmSnapshotPutRequest
+ */
+ func (a *DefaultApiService) VmSnapshotPut(ctx _context.Context) ApiVmSnapshotPutRequest {
+ 	return ApiVmSnapshotPutRequest{
+@@ -2626,8 +2617,8 @@ func (r ApiVmmPingGetRequest) Execute() (VmmPingResponse, *_nethttp.Response, er
+ /*
+ VmmPingGet Ping the VMM to check for API server availability
+ 
+-	@param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+-	@return ApiVmmPingGetRequest
+ @param ctx _context.Context - for authentication, logging, cancellation, deadlines, tracing, etc. Passed from http.Request or context.Background().
+ @return ApiVmmPingGetRequest
+ */
+ func (a *DefaultApiService) VmmPingGet(ctx _context.Context) ApiVmmPingGetRequest {
+ 	return ApiVmmPingGetRequest{
+@@ -2637,8 +2628,7 @@ func (a *DefaultApiService) VmmPingGet(ctx _context.Context) ApiVmmPingGetReques
+ }
+ 
+ // Execute executes the request
+-//
+-//	@return VmmPingResponse
+//  @return VmmPingResponse
+ func (a *DefaultApiService) VmmPingGetExecute(r ApiVmmPingGetRequest) (VmmPingResponse, *_nethttp.Response, error) {
+ 	var (
+ 		localVarHTTPMethod   = _nethttp.MethodGet
+diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DefaultApi.md b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DefaultApi.md
+index 1391a0b277..d610977193 100644
+--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DefaultApi.md
+++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/DefaultApi.md
+@@ -554,7 +554,7 @@ No authorization required
+ 
+ ## VmAddDevicePut
+ 
+-> PciDeviceInfo VmAddDevicePut(ctx).VmAddDevice(vmAddDevice).Execute()
+> PciDeviceInfo VmAddDevicePut(ctx).DeviceConfig(deviceConfig).Execute()
+ 
+ Add a new device to the VM
+ 
+@@ -571,11 +571,11 @@ import (
+ )
+ 
+ func main() {
+-    vmAddDevice := *openapiclient.NewVmAddDevice() // VmAddDevice | The path of the new device
+    deviceConfig := *openapiclient.NewDeviceConfig("Path_example") // DeviceConfig | The path of the new device
+ 
+     configuration := openapiclient.NewConfiguration()
+     api_client := openapiclient.NewAPIClient(configuration)
+-    resp, r, err := api_client.DefaultApi.VmAddDevicePut(context.Background()).VmAddDevice(vmAddDevice).Execute()
+    resp, r, err := api_client.DefaultApi.VmAddDevicePut(context.Background()).DeviceConfig(deviceConfig).Execute()
+     if err != nil {
+         fmt.Fprintf(os.Stderr, "Error when calling `DefaultApi.VmAddDevicePut``: %v\n", err)
+         fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
+@@ -596,7 +596,7 @@ Other parameters are passed through a pointer to a apiVmAddDevicePutRequest stru
+ 
+ Name | Type | Description  | Notes
+ ------------- | ------------- | ------------- | -------------
+- **vmAddDevice** | [**VmAddDevice**](VmAddDevice.md) | The path of the new device | 
+ **deviceConfig** | [**DeviceConfig**](DeviceConfig.md) | The path of the new device | 
+ 
+ ### Return type
+ 
+diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/VmAddDevice.md b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/VmAddDevice.md
+deleted file mode 100644
+index aaef7b32cb..0000000000
+--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/VmAddDevice.md
+++ /dev/null
+@@ -1,108 +0,0 @@
+-# VmAddDevice
+-
+-## Properties
+-
+-Name | Type | Description | Notes
+------------- | ------------- | ------------- | -------------
+-**Path** | Pointer to **string** |  | [optional] 
+-**Iommu** | Pointer to **bool** |  | [optional] [default to false]
+-**Id** | Pointer to **string** |  | [optional] 
+-
+-## Methods
+-
+-### NewVmAddDevice
+-
+-`func NewVmAddDevice() *VmAddDevice`
+-
+-NewVmAddDevice instantiates a new VmAddDevice object
+-This constructor will assign default values to properties that have it defined,
+-and makes sure properties required by API are set, but the set of arguments
+-will change when the set of required properties is changed
+-
+-### NewVmAddDeviceWithDefaults
+-
+-`func NewVmAddDeviceWithDefaults() *VmAddDevice`
+-
+-NewVmAddDeviceWithDefaults instantiates a new VmAddDevice object
+-This constructor will only assign default values to properties that have it defined,
+-but it doesn't guarantee that properties required by API are set
+-
+-### GetPath
+-
+-`func (o *VmAddDevice) GetPath() string`
+-
+-GetPath returns the Path field if non-nil, zero value otherwise.
+-
+-### GetPathOk
+-
+-`func (o *VmAddDevice) GetPathOk() (*string, bool)`
+-
+-GetPathOk returns a tuple with the Path field if it's non-nil, zero value otherwise
+-and a boolean to check if the value has been set.
+-
+-### SetPath
+-
+-`func (o *VmAddDevice) SetPath(v string)`
+-
+-SetPath sets Path field to given value.
+-
+-### HasPath
+-
+-`func (o *VmAddDevice) HasPath() bool`
+-
+-HasPath returns a boolean if a field has been set.
+-
+-### GetIommu
+-
+-`func (o *VmAddDevice) GetIommu() bool`
+-
+-GetIommu returns the Iommu field if non-nil, zero value otherwise.
+-
+-### GetIommuOk
+-
+-`func (o *VmAddDevice) GetIommuOk() (*bool, bool)`
+-
+-GetIommuOk returns a tuple with the Iommu field if it's non-nil, zero value otherwise
+-and a boolean to check if the value has been set.
+-
+-### SetIommu
+-
+-`func (o *VmAddDevice) SetIommu(v bool)`
+-
+-SetIommu sets Iommu field to given value.
+-
+-### HasIommu
+-
+-`func (o *VmAddDevice) HasIommu() bool`
+-
+-HasIommu returns a boolean if a field has been set.
+-
+-### GetId
+-
+-`func (o *VmAddDevice) GetId() string`
+-
+-GetId returns the Id field if non-nil, zero value otherwise.
+-
+-### GetIdOk
+-
+-`func (o *VmAddDevice) GetIdOk() (*string, bool)`
+-
+-GetIdOk returns a tuple with the Id field if it's non-nil, zero value otherwise
+-and a boolean to check if the value has been set.
+-
+-### SetId
+-
+-`func (o *VmAddDevice) SetId(v string)`
+-
+-SetId sets Id field to given value.
+-
+-### HasId
+-
+-`func (o *VmAddDevice) HasId() bool`
+-
+-HasId returns a boolean if a field has been set.
+-
+-
+-[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+-
+-
+diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_vm_add_device.go b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_vm_add_device.go
+deleted file mode 100644
+index acc3c177d9..0000000000
+--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_vm_add_device.go
+++ /dev/null
+@@ -1,189 +0,0 @@
+-/*
+-Cloud Hypervisor API
+-
+-Local HTTP based API for managing and inspecting a cloud-hypervisor virtual machine.
+-
+-API version: 0.3.0
+-*/
+-
+-// Code generated by OpenAPI Generator (https://openapi-generator.tech); DO NOT EDIT.
+-
+-package openapi
+-
+-import (
+-	"encoding/json"
+-)
+-
+-// VmAddDevice struct for VmAddDevice
+-type VmAddDevice struct {
+-	Path  *string `json:"path,omitempty"`
+-	Iommu *bool   `json:"iommu,omitempty"`
+-	Id    *string `json:"id,omitempty"`
+-}
+-
+-// NewVmAddDevice instantiates a new VmAddDevice object
+-// This constructor will assign default values to properties that have it defined,
+-// and makes sure properties required by API are set, but the set of arguments
+-// will change when the set of required properties is changed
+-func NewVmAddDevice() *VmAddDevice {
+-	this := VmAddDevice{}
+-	var iommu bool = false
+-	this.Iommu = &iommu
+-	return &this
+-}
+-
+-// NewVmAddDeviceWithDefaults instantiates a new VmAddDevice object
+-// This constructor will only assign default values to properties that have it defined,
+-// but it doesn't guarantee that properties required by API are set
+-func NewVmAddDeviceWithDefaults() *VmAddDevice {
+-	this := VmAddDevice{}
+-	var iommu bool = false
+-	this.Iommu = &iommu
+-	return &this
+-}
+-
+-// GetPath returns the Path field value if set, zero value otherwise.
+-func (o *VmAddDevice) GetPath() string {
+-	if o == nil || o.Path == nil {
+-		var ret string
+-		return ret
+-	}
+-	return *o.Path
+-}
+-
+-// GetPathOk returns a tuple with the Path field value if set, nil otherwise
+-// and a boolean to check if the value has been set.
+-func (o *VmAddDevice) GetPathOk() (*string, bool) {
+-	if o == nil || o.Path == nil {
+-		return nil, false
+-	}
+-	return o.Path, true
+-}
+-
+-// HasPath returns a boolean if a field has been set.
+-func (o *VmAddDevice) HasPath() bool {
+-	if o != nil && o.Path != nil {
+-		return true
+-	}
+-
+-	return false
+-}
+-
+-// SetPath gets a reference to the given string and assigns it to the Path field.
+-func (o *VmAddDevice) SetPath(v string) {
+-	o.Path = &v
+-}
+-
+-// GetIommu returns the Iommu field value if set, zero value otherwise.
+-func (o *VmAddDevice) GetIommu() bool {
+-	if o == nil || o.Iommu == nil {
+-		var ret bool
+-		return ret
+-	}
+-	return *o.Iommu
+-}
+-
+-// GetIommuOk returns a tuple with the Iommu field value if set, nil otherwise
+-// and a boolean to check if the value has been set.
+-func (o *VmAddDevice) GetIommuOk() (*bool, bool) {
+-	if o == nil || o.Iommu == nil {
+-		return nil, false
+-	}
+-	return o.Iommu, true
+-}
+-
+-// HasIommu returns a boolean if a field has been set.
+-func (o *VmAddDevice) HasIommu() bool {
+-	if o != nil && o.Iommu != nil {
+-		return true
+-	}
+-
+-	return false
+-}
+-
+-// SetIommu gets a reference to the given bool and assigns it to the Iommu field.
+-func (o *VmAddDevice) SetIommu(v bool) {
+-	o.Iommu = &v
+-}
+-
+-// GetId returns the Id field value if set, zero value otherwise.
+-func (o *VmAddDevice) GetId() string {
+-	if o == nil || o.Id == nil {
+-		var ret string
+-		return ret
+-	}
+-	return *o.Id
+-}
+-
+-// GetIdOk returns a tuple with the Id field value if set, nil otherwise
+-// and a boolean to check if the value has been set.
+-func (o *VmAddDevice) GetIdOk() (*string, bool) {
+-	if o == nil || o.Id == nil {
+-		return nil, false
+-	}
+-	return o.Id, true
+-}
+-
+-// HasId returns a boolean if a field has been set.
+-func (o *VmAddDevice) HasId() bool {
+-	if o != nil && o.Id != nil {
+-		return true
+-	}
+-
+-	return false
+-}
+-
+-// SetId gets a reference to the given string and assigns it to the Id field.
+-func (o *VmAddDevice) SetId(v string) {
+-	o.Id = &v
+-}
+-
+-func (o VmAddDevice) MarshalJSON() ([]byte, error) {
+-	toSerialize := map[string]interface{}{}
+-	if o.Path != nil {
+-		toSerialize["path"] = o.Path
+-	}
+-	if o.Iommu != nil {
+-		toSerialize["iommu"] = o.Iommu
+-	}
+-	if o.Id != nil {
+-		toSerialize["id"] = o.Id
+-	}
+-	return json.Marshal(toSerialize)
+-}
+-
+-type NullableVmAddDevice struct {
+-	value *VmAddDevice
+-	isSet bool
+-}
+-
+-func (v NullableVmAddDevice) Get() *VmAddDevice {
+-	return v.value
+-}
+-
+-func (v *NullableVmAddDevice) Set(val *VmAddDevice) {
+-	v.value = val
+-	v.isSet = true
+-}
+-
+-func (v NullableVmAddDevice) IsSet() bool {
+-	return v.isSet
+-}
+-
+-func (v *NullableVmAddDevice) Unset() {
+-	v.value = nil
+-	v.isSet = false
+-}
+-
+-func NewNullableVmAddDevice(val *VmAddDevice) *NullableVmAddDevice {
+-	return &NullableVmAddDevice{value: val, isSet: true}
+-}
+-
+-func (v NullableVmAddDevice) MarshalJSON() ([]byte, error) {
+-	return json.Marshal(v.value)
+-}
+-
+-func (v *NullableVmAddDevice) UnmarshalJSON(src []byte) error {
+-	v.isSet = true
+-	return json.Unmarshal(src, &v.value)
+-}
+diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml b/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml
+index c793ce3edb..46d9aac832 100644
+--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml
+++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml
+@@ -185,7 +185,7 @@ paths:
+         content:
+           application/json:
+             schema:
+-              $ref: "#/components/schemas/VmAddDevice"
+              $ref: "#/components/schemas/DeviceConfig"
+         required: true
+       responses:
+         200:
+@@ -1077,17 +1077,6 @@ components:
+           type: integer
+           format: int64
+ 
+-    VmAddDevice:
+-      type: object
+-      properties:
+-        path:
+-          type: string
+-        iommu:
+-          type: boolean
+-          default: false
+-        id:
+-          type: string
+-
+     VmRemoveDevice:
+       type: object
+       properties:
+diff --git a/versions.yaml b/versions.yaml
+index a4836a11ce..fdc48d84e3 100644
+--- a/versions.yaml
+++ b/versions.yaml
+@@ -75,7 +75,7 @@ assets:
+       url: "https://github.com/cloud-hypervisor/cloud-hypervisor"
+       uscan-url: >-
+         https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz
+-      version: "v26.0"
+      version: "b4e39427080293c674b8db627ee6daf1f1b56806"
+ 
+     firecracker:
+       description: "Firecracker micro-VMM"
--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -1577,8 +1577,8 @@
        "type": "other",
        "other": {
          "name": "cloud-hypervisor",
-          "version": "26.0",
-          "downloadUrl": "https://github.com/cloud-hypervisor/cloud-hypervisor/archive/v26.0.tar.gz"
+          "version": "27.0.60",
+          "downloadUrl": "https://github.com/cloud-hypervisor/cloud-hypervisor/tarball/099cdd2"
        }
      }
    },
@ -7341,8 +7341,8 @@
        "type": "other",
        "other": {
          "name": "kata-containers",
-          "version": "2.5.0",
-          "downloadUrl": "https://github.com/kata-containers/kata-containers/archive/refs/tags/2.5.0.tar.gz"
+          "version": "3.0.0",
+          "downloadUrl": "https://github.com/kata-containers/kata-containers/archive/refs/tags/3.0.0.tar.gz"
        }
      }
    },
@ -7431,8 +7431,8 @@
        "type": "other",
        "other": {
          "name": "kernel-mshv",
-          "version": "5.15.34.1",
-          "downloadUrl": "https://cblmarinerstorage.blob.core.windows.net/sources/core/kernel-mshv-5.15.34.1.tar.gz"
+          "version": "5.15.72.mshv2",
+          "downloadUrl": "https://cblmarinerstorage.blob.core.windows.net/sources/core/kernel-mshv-5.15.72.mshv2.tar.gz"
        }
      }
    },
@ -28317,4 +28317,4 @@
    }
  ],
  "Version": 1
-}
+}