x86: force no-kvmclock on cmdline if secret_free=True

kvm-clock is incompatible with direct map removal for now. This is
because kvm-clock tries to access guest memory through the direct map.
Additionally, it does not handle failures during guest-attempted
activations of kvm-clock gracefully (e.g. it cannot/does not communicate
these back to the guest). This means a guest will unconditionally assume
that if it wrote to the kvm-clock MSR to activate kvm-clock, it will
work. But if KVM internally fails to activate kvm-clock, KVM will never
write the information the guest expects into guest memory, resulting in
the guest reading garbage data (generally, zeros), resulting in division
by zero panics in the guest.

Hence, explicitly tells guests that they shouldn't even try to enable
kvm-clock, if they value their lives.

Signed-off-by: Patrick Roy <roypat@amazon.co.uk>

Author: roypat

src/vmm/src/builder.rs

@@ -233,6 +233,11 @@ pub fn build_microvm_for_boot(
 
     let secret_free = vm_resources.machine_config.secret_free;
 
+    #[cfg(target_arch = "x86_64")]
+    if secret_free {
+        boot_cmdline.insert_str("no-kvmclock")?;
+    }
+
     let (mut vmm, mut vcpus) = create_vmm_and_vcpus(
         instance_info,
         event_manager,