From: Stefan Fritsch <sf@sfritsch.de>
Subject: Allow cd(4)/vioscsi(4) in confidential VM mode
To: tech@openbsd.org
Date: Fri, 21 Nov 2025 14:57:17 +0100

Hi,

allowing to mount CDs in confidential VMs does not seem too dangerous as 
this is triggered by the admin.

This is useful for installation and sometimes for cloud configuration
data. Also allow vioscsi(4) so that cd(4) can attach somewhere. Also, some 
VMs may use vioscsi(4) disks.

thoughts? ok?

Cheers,
Stefan


diff --git a/sys/dev/pv/vioscsi.c b/sys/dev/pv/vioscsi.c
index 02b95e823e2..7a7653cc4df 100644
--- a/sys/dev/pv/vioscsi.c
+++ b/sys/dev/pv/vioscsi.c
@@ -77,7 +77,7 @@ const struct cfattach vioscsi_ca = {
 };
 
 struct cfdriver vioscsi_cd = {
-	NULL, "vioscsi", DV_DULL,
+	NULL, "vioscsi", DV_DULL, CD_COCOVM
 };
 
 const struct scsi_adapter vioscsi_switch = {
diff --git a/sys/scsi/cd.c b/sys/scsi/cd.c
index 7307f2d912c..9ae5c89e8f4 100644
--- a/sys/scsi/cd.c
+++ b/sys/scsi/cd.c
@@ -152,7 +152,7 @@ const struct cfattach cd_ca = {
 };
 
 struct cfdriver cd_cd = {
-	NULL, "cd", DV_DISK
+	NULL, "cd", DV_DISK, CD_COCOVM
 };
 
 const struct scsi_inquiry_pattern cd_patterns[] = {
-- 
2.39.5