Merge pull request #8753 from fidencio/topic/add-confidential-artefacts
TEEs: Introduce kernel-confidential
commit
0c37aec7dc
@ -35,6 +35,7 @@ jobs:
|
||||
- firecracker
|
||||
- kata-ctl
|
||||
- kernel
|
||||
- kernel-confidential
|
||||
- kernel-sev
|
||||
- kernel-dragonball-experimental
|
||||
- kernel-tdx-experimental
|
||||
|
@ -20,6 +20,7 @@ endif
|
||||
ifeq ($(ARCH), x86_64)
|
||||
BASE_TARBALLS = serial-targets \
|
||||
firecracker-tarball \
|
||||
kernel-confidential-tarball \
|
||||
kernel-dragonball-experimental-tarball \
|
||||
kernel-nvidia-gpu-tarball \
|
||||
kernel-nvidia-gpu-snp-tarball \
|
||||
@ -110,6 +111,9 @@ kernel-nvidia-gpu-tdx-experimental-tarball:
|
||||
kernel-tarball:
|
||||
${MAKE} $@-build
|
||||
|
||||
kernel-confidential-tarball:
|
||||
${MAKE} $@-build
|
||||
|
||||
kernel-tdx-experimental-tarball:
|
||||
${MAKE} $@-build
|
||||
|
||||
|
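Review bot: The new `kernel-confidential-tarball:` rule is a command target like its neighbours, so it needs to appear wherever this Makefile lists its `*-tarball` targets under `.PHONY`; that declaration is outside the hunk, so I cannot confirm it was extended. Without it, a stray file named kernel-confidential-tarball would make the target look up to date and `${MAKE} $@-build` would be skipped. The name also does not say which TEEs the kernel covers, so a one-line `## builds the combined SEV/SNP/TDX (x86_64) kernel tarball` comment on the rule would help a reader, matching the description versions.yaml gives for this asset.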
@ -92,6 +92,7 @@ options:
|
||||
firecracker
|
||||
kata-ctl
|
||||
kernel
|
||||
kernel-confidential
|
||||
kernel-dragonball-experimental
|
||||
kernel-experimental
|
||||
kernel-nvidia-gpu
|
||||
@ -280,7 +281,7 @@ install_cached_kernel_tarball_component() {
|
||||
"${final_tarball_path}" \
|
||||
|| return 1
|
||||
|
||||
if [[ "${kernel_name}" != "kernel-sev" ]]; then
|
||||
if [[ "${kernel_name}" != "kernel-sev" ]] && [[ "${kernel_name}" != "kernel-confidential" ]]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
@ -289,13 +290,13 @@ install_cached_kernel_tarball_component() {
|
||||
"${kernel_name}" \
|
||||
"${latest_artefact}" \
|
||||
"${latest_builder_image}" \
|
||||
"kata-static-kernel-sev-modules.tar.xz" \
|
||||
"${workdir}/kata-static-kernel-sev-modules.tar.xz" \
|
||||
"kata-static-${kernel_name}-modules.tar.xz" \
|
||||
"${workdir}/kata-static-${kernel_name}-modules.tar.xz" \
|
||||
|| return 1
|
||||
|
||||
if [[ -n "${module_dir}" ]]; then
|
||||
mkdir -p "${module_dir}"
|
||||
tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C "${module_dir}" && return 0
|
||||
tar xvf "${workdir}/kata-static-${kernel_name}-modules.tar.xz" -C "${module_dir}" && return 0
|
||||
fi
|
||||
|
||||
return 1
|
||||
@ -315,6 +316,10 @@ install_kernel_helper() {
|
||||
kernel_version="$(get_from_kata_deps assets.kernel.sev.version)"
|
||||
default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
|
||||
module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
|
||||
elif [[ "${kernel_name}" == "kernel-confidential" ]]; then
|
||||
kernel_version="$(get_from_kata_deps assets.kernel.confidential.version)"
|
||||
default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
|
||||
module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-confidential/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
|
||||
fi
|
||||
|
||||
install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0
|
||||
@ -332,6 +337,15 @@ install_kernel() {
|
||||
"-f"
|
||||
}
|
||||
|
||||
install_kernel_confidential() {
|
||||
local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"
|
||||
|
||||
install_kernel_helper \
|
||||
"assets.kernel.confidential.version" \
|
||||
"kernel" \
|
||||
"-x confidential -u ${kernel_url}"
|
||||
}
|
||||
|
||||
install_kernel_dragonball_experimental() {
|
||||
install_kernel_helper \
|
||||
"assets.kernel-dragonball-experimental.version" \
|
||||
@ -741,6 +755,7 @@ handle_build() {
|
||||
install_initrd_sev
|
||||
install_kata_ctl
|
||||
install_kernel
|
||||
install_kernel_confidential
|
||||
install_kernel_dragonball_experimental
|
||||
install_kernel_tdx_experimental
|
||||
install_log_parser_rs
|
||||
@ -776,6 +791,8 @@ handle_build() {
|
||||
|
||||
kernel) install_kernel ;;
|
||||
|
||||
kernel-confidential) install_kernel_confidential ;;
|
||||
|
||||
kernel-dragonball-experimental) install_kernel_dragonball_experimental ;;
|
||||
|
||||
kernel-nvidia-gpu) install_kernel_nvidia_gpu ;;
|
||||
|
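Review bot: `local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"` in the new install_kernel_confidential masks the exit status of get_from_kata_deps, because `local` returns 0 regardless of the command substitution. If the script relies on `set -e` or otherwise expects a failed lookup to abort, this instead hands an empty `-u` argument to build-kernel.sh. Splitting the declaration, `local kernel_url` followed by `kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"`, or adding `[ -n "${kernel_url}" ] || die "failed to get kernel url"`, avoids that. The new `elif [[ "${kernel_name}" == "kernel-confidential" ]]` branch in install_kernel_helper is also a copy of the kernel-sev branch differing only in the name; deriving the `module_dir` path from `${kernel_name}` would keep the two from drifting, though install_kernel_helper continues outside the hunk.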
@ -110,7 +110,7 @@ Options:
|
||||
-t <hypervisor> : Hypervisor_target.
|
||||
-u <url> : Kernel URL to be used to download the kernel tarball.
|
||||
-v <version> : Kernel version to use if kernel path not provided.
|
||||
-x <type> : Confidential guest protection type, such as sev, snp and tdx
|
||||
-x <type> : Confidential guest protection type, such as sev, snp, tdx, or "confidential" (for all of those).
|
||||
EOF
|
||||
exit "$exit_code"
|
||||
}
|
||||
@ -151,7 +151,7 @@ get_tee_kernel() {
|
||||
|
||||
local kernel_tarball="${version}.tar.gz"
|
||||
|
||||
# Depending on where we're getting the terball from it may have a
|
||||
# Depending on where we're getting the tarball from it may have a
|
||||
# different name, such as linux-${version}.tar.gz or simply
|
||||
# ${version}.tar.gz. Let's try both before failing.
|
||||
curl --fail -L "${kernel_url}/linux-${kernel_tarball}" -o ${kernel_tarball} || curl --fail -OL "${kernel_url}/${kernel_tarball}"
|
||||
@ -457,7 +457,7 @@ build_kernel() {
|
||||
arch_target=$(arch_to_kernel "${arch_target}")
|
||||
pushd "${kernel_path}" >>/dev/null
|
||||
make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG}
|
||||
if [ "${conf_guest}" == "sev" ]; then
|
||||
if [ "${conf_guest}" == "sev" ] || [ "${conf_guest}" == "confidential" ]; then
|
||||
make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install
|
||||
fi
|
||||
[ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ])
|
||||
@ -603,7 +603,7 @@ main() {
|
||||
x)
|
||||
conf_guest="${OPTARG}"
|
||||
case "$conf_guest" in
|
||||
sev|snp|tdx) ;;
|
||||
confidential|sev|snp|tdx) ;;
|
||||
*) die "Confidential guest type '$conf_guest' not supported" ;;
|
||||
esac
|
||||
;;
|
||||
|
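Review bot: The `||` chain now guarding modules_install in build_kernel, `if [ "${conf_guest}" == "sev" ] || [ "${conf_guest}" == "confidential" ]; then`, will keep growing as guest types are added; a `case "${conf_guest}" in sev|confidential) … ;; esac` mirrors the `confidential|sev|snp|tdx) ;;` dispatch main() already uses for the same variable and reads as one list. It is also worth a short comment on why only sev and the combined confidential build install modules while snp and tdx, accepted by main(), do not; whether that asymmetry is intended is not visible from this hunk. build_kernel continues outside the hunk on both sides.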
@ -4,13 +4,6 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
|
||||
CONFIG_SMP=y
|
||||
# Note, no nested VM support enabled here
|
||||
|
||||
# Turn off embedded mode, as it disabled 'too much', and we
|
||||
# no longer pass all the tests. We should refine this, and
|
||||
# work out which of the ~66 items it enables are really needed.
|
||||
# I believe this is the actual syntax we need for a fragment to
|
||||
# disable an item...
|
||||
# CONFIG_EMBEDDED is not set
|
||||
|
||||
# Note, no virt enabled baloon yet
|
||||
CONFIG_INPUT=y
|
||||
CONFIG_PRINTK=y
|
||||
|
@ -31,7 +31,6 @@ CONFIG_FSNOTIFY=y
|
||||
CONFIG_DNOTIFY=y
|
||||
CONFIG_INOTIFY_USER=y
|
||||
CONFIG_FANOTIFY=y
|
||||
CONFIG_AUTOFS4_FS=y
|
||||
CONFIG_AUTOFS_FS=y
|
||||
CONFIG_TMPFS=y
|
||||
CONFIG_DEVTMPFS=y
|
||||
|
@ -7,6 +7,5 @@ CONFIG_SECURITY_NETWORK=y
|
||||
CONFIG_SECURITY_SELINUX=y
|
||||
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
|
||||
CONFIG_SECURITY_SELINUX_DEVELOP=y
|
||||
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
|
||||
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
|
||||
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
|
||||
|
@ -190,7 +190,6 @@ CONFIG_IP_NF_TARGET_MASQUERADE=y
|
||||
CONFIG_IP_NF_TARGET_NETMAP=y
|
||||
CONFIG_IP_NF_TARGET_REDIRECT=y
|
||||
CONFIG_IP_NF_MANGLE=y
|
||||
CONFIG_IP_NF_TARGET_CLUSTERIP=y
|
||||
CONFIG_IP_NF_TARGET_ECN=y
|
||||
CONFIG_IP_NF_TARGET_TTL=y
|
||||
CONFIG_IP_NF_RAW=y
|
||||
|
@ -42,7 +42,6 @@ CONFIG_BRIDGE=y
|
||||
CONFIG_BRIDGE_IGMP_SNOOPING=y
|
||||
CONFIG_LLC=y
|
||||
CONFIG_NET_SCHED=y
|
||||
CONFIG_NET_SCH_CBQ=y
|
||||
CONFIG_NET_SCH_MULTIQ=y
|
||||
CONFIG_NET_SCH_FQ_CODEL=y
|
||||
CONFIG_NET_SCH_FQ=y
|
||||
|
@ -2,10 +2,13 @@
|
||||
# without generating an error in fragment merging
|
||||
CONFIG_ARCH_RANDOM
|
||||
CONFIG_ARM64_CRYPTO
|
||||
CONFIG_AUTOFS4_FS
|
||||
CONFIG_GENERIC_MSI_IRQ_DOMAIN
|
||||
CONFIG_IP_NF_TARGET_CLUSTERIP
|
||||
CONFIG_PCI_MSI_IRQ_DOMAIN
|
||||
CONFIG_CLK_LGM_CGU
|
||||
CONFIG_MEMCG_SWAP
|
||||
CONFIG_NET_SCH_CBQ
|
||||
CONFIG_NF_NAT_IPV4
|
||||
CONFIG_NF_NAT_NEEDED
|
||||
CONFIG_NF_NAT_PROTO_DCCP
|
||||
@ -20,6 +23,7 @@ CONFIG_NF_LOG_COMMON
|
||||
CONFIG_MANDATORY_FILE_LOCKING
|
||||
CONFIG_ARM64_UAO
|
||||
CONFIG_VFIO_MDEV_DEVICE
|
||||
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE
|
||||
CONFIG_SPECULATION_MITIGATIONS
|
||||
CONFIG_X86_SGX
|
||||
CONFIG_VIRTIO_IOMMU
|
||||
|
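Review bot: The four symbols newly added to the whitelist — CONFIG_AUTOFS4_FS, CONFIG_IP_NF_TARGET_CLUSTERIP, CONFIG_NET_SCH_CBQ and CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE — carry no note on why they are now tolerated beyond the file's header remark that they are accepted "without generating an error in fragment merging"; the same applies to their removal or rename in the fragment hunks above. A one-line comment per symbol, e.g. `# dropped by newer kernels; tolerated so older kernels can still use these fragments`, would record the reason (I assume they no longer exist in the 6.7 kernel this PR introduces, but that is not shown here). For CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE in particular, the fragment previously pinned it to 0; any kernel still built from these fragments that retains the option now takes its upstream default, which is worth confirming is acceptable.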
@ -0,0 +1 @@
|
||||
../sev/sev.conf
|
@ -0,0 +1 @@
|
||||
../snp/snp.conf
|
@ -0,0 +1 @@
|
||||
../tdx/tdx.conf
|
@ -1 +1 @@
|
||||
120
|
||||
121
|
||||
|
0
tools/packaging/kernel/patches/6.7.x/no_patches.txt
Normal file
0
tools/packaging/kernel/patches/6.7.x/no_patches.txt
Normal file
0
tools/packaging/qemu/patches/8.1.x/no_patches.txt
Normal file
0
tools/packaging/qemu/patches/8.1.x/no_patches.txt
Normal file
@ -331,22 +331,7 @@ generate_qemu_options() {
|
||||
# From Kata Containers 2.5.0-alpha2 all arches but powerpc have been
|
||||
# using the new implementation of virtiofs daemon, which is not part
|
||||
# of QEMU.
|
||||
# For the power, at least for now, keep building virtiofsd while
|
||||
# building QEMU.
|
||||
case "$arch" in
|
||||
aarch64)
|
||||
qemu_options+=(functionality:--disable-virtiofsd)
|
||||
;;
|
||||
x86_64)
|
||||
qemu_options+=(functionality:--disable-virtiofsd)
|
||||
;;
|
||||
ppc64le)
|
||||
qemu_options+=(functionality:--disable-virtiofsd)
|
||||
;;
|
||||
s390x)
|
||||
qemu_options+=(functionality:--disable-virtiofsd)
|
||||
;;
|
||||
esac
|
||||
qemu_options+=(functionality:--disable-virtiofsd)
|
||||
|
||||
qemu_options+=(functionality:--enable-virtfs)
|
||||
|
||||
|
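Review bot: The comment kept above the new unconditional `qemu_options+=(functionality:--disable-virtiofsd)` still says "all arches but powerpc have been using the new implementation of virtiofs daemon", which no longer matches the code once the per-arch case, including its ppc64le branch, is gone. Reword it along the lines of `# Since Kata Containers 2.5.0-alpha2 virtiofsd is provided outside QEMU on all arches, so QEMU's own is never built.` The rendering carries no side markers, so whether the two "For the power…" comment lines were also removed is only inferred from the hunk counts. generate_qemu_options continues outside the hunk.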
@ -14,18 +14,12 @@ source "${script_dir}/../../scripts/lib.sh"
|
||||
|
||||
qemu_repo="${qemu_repo:-}"
|
||||
qemu_version="${qemu_version:-}"
|
||||
qemu_suffix="${qemu_suffix:-experimental}"
|
||||
qemu_tarball_name="${qemu_tarball_name:-kata-static-qemu-experimental.tar.gz}"
|
||||
qemu_suffix="${qemu_suffix:-}"
|
||||
qemu_tarball_name="${qemu_tarball_name:-}"
|
||||
|
||||
if [ -z "$qemu_repo" ]; then
|
||||
info "Get qemu information from runtime versions.yaml"
|
||||
qemu_url=$(get_from_kata_deps "assets.hypervisor.qemu-experimental.url")
|
||||
[ -n "$qemu_url" ] || die "failed to get qemu url"
|
||||
qemu_repo="${qemu_url}.git"
|
||||
fi
|
||||
[ -n "$qemu_repo" ] || die "failed to get qemu repo"
|
||||
|
||||
[ -n "$qemu_version" ] || qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu-experimental.version")
|
||||
[ -n "$qemu_version" ] || die "failed to get qemu version"
|
||||
[ -n "$qemu_suffix" ] || die "failed to get qemu suffix"
|
||||
[ -n "$qemu_tarball_name" ] || die "failed to get qemu tarball name"
|
||||
|
||||
"${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "${qemu_suffix}" "${qemu_tarball_name}"
|
||||
|
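Review bot: This script still shows `get_from_kata_deps "assets.hypervisor.qemu-experimental.url"` and the matching `.version` lookup, while the versions.yaml hunk later in this PR deletes the `qemu-experimental` entry; if those lines survive as context rather than being removed (the rendering gives no marker, though the hunk counts favour removal), the fallback path can only end in `die "failed to get qemu url"`. If they are removed, the four `|| die "failed to get qemu …"` checks become the only documentation that qemu_repo, qemu_version, qemu_suffix and qemu_tarball_name must be supplied by the caller; a short header comment listing them, or messages such as `die "qemu_suffix must be set by the caller"`, would state that directly.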
@ -99,11 +99,6 @@ assets:
|
||||
https://github.com/qemu/qemu/tags
|
||||
.*/v?(\d\S+)\.tar\.gz
|
||||
|
||||
qemu-experimental:
|
||||
description: "QEMU with virtiofs support"
|
||||
url: "https://github.com/qemu/qemu"
|
||||
version: "7a800cf9496fddddf71b21a00991e0ec757a170a"
|
||||
|
||||
qemu-tdx-experimental:
|
||||
# yamllint disable-line rule:line-length
|
||||
description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww15"
|
||||
@ -175,6 +170,10 @@ assets:
|
||||
description: "Linux kernel optimised for virtual machines"
|
||||
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
|
||||
version: "v6.1.62"
|
||||
confidential:
|
||||
description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support"
|
||||
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
|
||||
version: "v6.7"
|
||||
sev:
|
||||
description: "Linux kernel that supports SEV and SNP"
|
||||
url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
|
||||
|