From bfc6fc7a8526881b3fe448d901a14b373f5a0c3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fabiano.fidencio@intel.com>
Date: Wed, 27 Dec 2023 09:54:13 -0300
Subject: [PATCH 1/5] build: Get rid of QEMU experimental
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We've not been building QEMU experimental for a very long time, and the
entry there has only been serving the purpose to clutter the
versions.yaml (in the best case scenario) or even confuse new
contributors to the project.

Mind that the machinery to build the QEMU experimental is not touched,
and that's used to build the TEEs capabale artefacts.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
---
 .../qemu/build-static-qemu-experimental.sh         | 14 ++++----------
 versions.yaml                                      |  5 -----
 2 files changed, 4 insertions(+), 15 deletions(-)

diff --git a/tools/packaging/static-build/qemu/build-static-qemu-experimental.sh b/tools/packaging/static-build/qemu/build-static-qemu-experimental.sh
index 1e0541c541..ecae287167 100755
--- a/tools/packaging/static-build/qemu/build-static-qemu-experimental.sh
+++ b/tools/packaging/static-build/qemu/build-static-qemu-experimental.sh
@@ -14,18 +14,12 @@ source "${script_dir}/../../scripts/lib.sh"
 
 qemu_repo="${qemu_repo:-}"
 qemu_version="${qemu_version:-}"
-qemu_suffix="${qemu_suffix:-experimental}"
-qemu_tarball_name="${qemu_tarball_name:-kata-static-qemu-experimental.tar.gz}"
+qemu_suffix="${qemu_suffix:-}"
+qemu_tarball_name="${qemu_tarball_name:-}"
 
-if [ -z "$qemu_repo" ]; then
-	info "Get qemu information from runtime versions.yaml"
-	qemu_url=$(get_from_kata_deps "assets.hypervisor.qemu-experimental.url")
-	[ -n "$qemu_url" ] || die "failed to get qemu url"
-	qemu_repo="${qemu_url}.git"
-fi
 [ -n "$qemu_repo" ] || die "failed to get qemu repo"
-
-[ -n "$qemu_version" ] || qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu-experimental.version")
 [ -n "$qemu_version" ] || die "failed to get qemu version"
+[ -n "$qemu_suffix" ] || die "failed to get qemu suffix"
+[ -n "$qemu_tarball_name" ] || die "failed to get qemu tarball name"
 
 "${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "${qemu_suffix}" "${qemu_tarball_name}"
diff --git a/versions.yaml b/versions.yaml
index d6280c636c..dcc308e8b0 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -99,11 +99,6 @@ assets:
         https://github.com/qemu/qemu/tags
         .*/v?(\d\S+)\.tar\.gz
 
-    qemu-experimental:
-      description: "QEMU with virtiofs support"
-      url: "https://github.com/qemu/qemu"
-      version: "7a800cf9496fddddf71b21a00991e0ec757a170a"
-
     qemu-tdx-experimental:
       # yamllint disable-line rule:line-length
       description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww15"

From cf4835e3ae78d729ec642828c69a713857a34d29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fabiano.fidencio@intel.com>
Date: Wed, 27 Dec 2023 15:04:11 -0300
Subject: [PATCH 2/5] packaging: qemu: Simplify "--disable-virtiofsd" logic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As all the supported architectures are disabling the virtiofsd build,
there's no need to keep the switch statement there.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
---
 .../packaging/qemu/patches/8.1.x/no_patches.txt |  0
 .../no_patches.txt                              |  0
 tools/packaging/scripts/configure-hypervisor.sh | 17 +----------------
 3 files changed, 1 insertion(+), 16 deletions(-)
 create mode 100644 tools/packaging/qemu/patches/8.1.x/no_patches.txt
 create mode 100644 tools/packaging/qemu/patches/tag_patches/tdx-qemu-upstream-2023.9.21-v8.1.0/no_patches.txt

diff --git a/tools/packaging/qemu/patches/8.1.x/no_patches.txt b/tools/packaging/qemu/patches/8.1.x/no_patches.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tools/packaging/qemu/patches/tag_patches/tdx-qemu-upstream-2023.9.21-v8.1.0/no_patches.txt b/tools/packaging/qemu/patches/tag_patches/tdx-qemu-upstream-2023.9.21-v8.1.0/no_patches.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tools/packaging/scripts/configure-hypervisor.sh b/tools/packaging/scripts/configure-hypervisor.sh
index 8bdfc94de1..2f54921a14 100755
--- a/tools/packaging/scripts/configure-hypervisor.sh
+++ b/tools/packaging/scripts/configure-hypervisor.sh
@@ -331,22 +331,7 @@ generate_qemu_options() {
 	# From Kata Containers 2.5.0-alpha2 all arches but powerpc have been
 	# using the new implementation of virtiofs daemon, which is not part
 	# of QEMU.
-	# For the power, at least for now, keep building virtiofsd while
-	# building QEMU.
-	case "$arch" in
-	aarch64)
-		qemu_options+=(functionality:--disable-virtiofsd)
-		;;
-	x86_64)
-		qemu_options+=(functionality:--disable-virtiofsd)
-		;;
-	ppc64le)
-		qemu_options+=(functionality:--disable-virtiofsd)
-		;;
-	s390x)
-		qemu_options+=(functionality:--disable-virtiofsd)
-		;;
-	esac
+	qemu_options+=(functionality:--disable-virtiofsd)
 
 	qemu_options+=(functionality:--enable-virtfs)
 

From 379e2f3da21813f77c75ee1ea9e5a547a015faa1 Mon Sep 17 00:00:00 2001
From: Jianyong Wu <jianyong.wu@arm.com>
Date: Tue, 7 Nov 2023 05:56:20 +0000
Subject: [PATCH 3/5] kernel: update some configs based on kernel 6.5 and 6.6

There are lots of configs removed from latest kernel. Update them here
for convenience of next kernel upgrade.

Remove CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE [1]
Remove CONFIG_IP_NF_TARGET_CLUSTERIP [2]
Remove CONFIG_NET_SCH_CBQ [3]
Remove CONFIG_AUTOFS4_FS [4]
Remove CONFIG_EMBEDDED [5]

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=a7e4676e8e2cb158a4d24123de778087955e1b36
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=9db5d918e2c07fa09fab18bc7addf3408da0c76f
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=051d442098421c28c7951625652f61b1e15c4bd5
[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=1f2190d6b7112d22d3f8dfeca16a2f6a2f51444e
[5] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=ef815d2cba782e96b9aad9483523d474ed41c62a

Fixes: #8408
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
---
 tools/packaging/kernel/configs/fragments/common/base.conf  | 7 -------
 tools/packaging/kernel/configs/fragments/common/fs.conf    | 1 -
 tools/packaging/kernel/configs/fragments/common/lsm.conf   | 1 -
 .../kernel/configs/fragments/common/netfilter.conf         | 1 -
 .../packaging/kernel/configs/fragments/common/network.conf | 1 -
 tools/packaging/kernel/configs/fragments/whitelist.conf    | 4 ++++
 6 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/tools/packaging/kernel/configs/fragments/common/base.conf b/tools/packaging/kernel/configs/fragments/common/base.conf
index 12d249e756..362608470f 100644
--- a/tools/packaging/kernel/configs/fragments/common/base.conf
+++ b/tools/packaging/kernel/configs/fragments/common/base.conf
@@ -4,13 +4,6 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SMP=y
 # Note, no nested VM support enabled here
 
-# Turn off embedded mode, as it disabled 'too much', and we
-# no longer pass all the tests. We should refine this, and
-# work out which of the ~66 items it enables are really needed.
-# I believe this is the actual syntax we need for a fragment to
-# disable an item...
-# CONFIG_EMBEDDED is not set
-
 # Note, no virt enabled baloon yet
 CONFIG_INPUT=y
 CONFIG_PRINTK=y
diff --git a/tools/packaging/kernel/configs/fragments/common/fs.conf b/tools/packaging/kernel/configs/fragments/common/fs.conf
index c3be9f925e..8ff5573c17 100644
--- a/tools/packaging/kernel/configs/fragments/common/fs.conf
+++ b/tools/packaging/kernel/configs/fragments/common/fs.conf
@@ -31,7 +31,6 @@ CONFIG_FSNOTIFY=y
 CONFIG_DNOTIFY=y
 CONFIG_INOTIFY_USER=y
 CONFIG_FANOTIFY=y
-CONFIG_AUTOFS4_FS=y
 CONFIG_AUTOFS_FS=y
 CONFIG_TMPFS=y
 CONFIG_DEVTMPFS=y
diff --git a/tools/packaging/kernel/configs/fragments/common/lsm.conf b/tools/packaging/kernel/configs/fragments/common/lsm.conf
index 6dc685fca7..fa29f43159 100644
--- a/tools/packaging/kernel/configs/fragments/common/lsm.conf
+++ b/tools/packaging/kernel/configs/fragments/common/lsm.conf
@@ -7,6 +7,5 @@ CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_SECURITY_SELINUX_DEVELOP=y
-CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
 CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
 CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
diff --git a/tools/packaging/kernel/configs/fragments/common/netfilter.conf b/tools/packaging/kernel/configs/fragments/common/netfilter.conf
index 02aeda788f..55b5d330d2 100644
--- a/tools/packaging/kernel/configs/fragments/common/netfilter.conf
+++ b/tools/packaging/kernel/configs/fragments/common/netfilter.conf
@@ -190,7 +190,6 @@ CONFIG_IP_NF_TARGET_MASQUERADE=y
 CONFIG_IP_NF_TARGET_NETMAP=y
 CONFIG_IP_NF_TARGET_REDIRECT=y
 CONFIG_IP_NF_MANGLE=y
-CONFIG_IP_NF_TARGET_CLUSTERIP=y
 CONFIG_IP_NF_TARGET_ECN=y
 CONFIG_IP_NF_TARGET_TTL=y
 CONFIG_IP_NF_RAW=y
diff --git a/tools/packaging/kernel/configs/fragments/common/network.conf b/tools/packaging/kernel/configs/fragments/common/network.conf
index 7bdc3de7a0..2270c9a14a 100644
--- a/tools/packaging/kernel/configs/fragments/common/network.conf
+++ b/tools/packaging/kernel/configs/fragments/common/network.conf
@@ -42,7 +42,6 @@ CONFIG_BRIDGE=y
 CONFIG_BRIDGE_IGMP_SNOOPING=y
 CONFIG_LLC=y
 CONFIG_NET_SCHED=y
-CONFIG_NET_SCH_CBQ=y
 CONFIG_NET_SCH_MULTIQ=y
 CONFIG_NET_SCH_FQ_CODEL=y
 CONFIG_NET_SCH_FQ=y
diff --git a/tools/packaging/kernel/configs/fragments/whitelist.conf b/tools/packaging/kernel/configs/fragments/whitelist.conf
index e6b2711511..39d34eedd3 100644
--- a/tools/packaging/kernel/configs/fragments/whitelist.conf
+++ b/tools/packaging/kernel/configs/fragments/whitelist.conf
@@ -2,10 +2,13 @@
 # without generating an error in fragment merging
 CONFIG_ARCH_RANDOM
 CONFIG_ARM64_CRYPTO
+CONFIG_AUTOFS4_FS
 CONFIG_GENERIC_MSI_IRQ_DOMAIN
+CONFIG_IP_NF_TARGET_CLUSTERIP
 CONFIG_PCI_MSI_IRQ_DOMAIN
 CONFIG_CLK_LGM_CGU
 CONFIG_MEMCG_SWAP
+CONFIG_NET_SCH_CBQ
 CONFIG_NF_NAT_IPV4
 CONFIG_NF_NAT_NEEDED
 CONFIG_NF_NAT_PROTO_DCCP
@@ -20,6 +23,7 @@ CONFIG_NF_LOG_COMMON
 CONFIG_MANDATORY_FILE_LOCKING
 CONFIG_ARM64_UAO
 CONFIG_VFIO_MDEV_DEVICE
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE
 CONFIG_SPECULATION_MITIGATIONS
 CONFIG_X86_SGX
 CONFIG_VIRTIO_IOMMU

From 8b2f43a2c2049a9f5ac9a9d8844b11f4dbfc39d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fabiano.fidencio@intel.com>
Date: Mon, 8 Jan 2024 13:11:42 -0300
Subject: [PATCH 4/5] build: Add "confidential" kernel
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We're using a Kernel based on v6.7, which should include all te
patches needed for SEV / SNP / TDX.

By doing this, later on, we'll be able to stop building the specific
kernel for each one of the targets we have for the TEEs.

Let's note that we've introduced the "confidential" target for the
kernel builder script, while the TEE specific builds are being kept as
they're -- at least for now.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
---
 .../build-kata-static-tarball-amd64.yaml      |  1 +
 .../kata-deploy/local-build/Makefile          |  4 +++
 .../local-build/kata-deploy-binaries.sh       | 25 ++++++++++++++++---
 tools/packaging/kernel/build-kernel.sh        |  6 ++---
 .../fragments/x86_64/confidential/sev.conf    |  1 +
 .../fragments/x86_64/confidential/snp.conf    |  1 +
 .../fragments/x86_64/confidential/tdx.conf    |  1 +
 tools/packaging/kernel/kata_config_version    |  2 +-
 .../kernel/patches/6.7.x/no_patches.txt       |  0
 versions.yaml                                 |  4 +++
 10 files changed, 37 insertions(+), 8 deletions(-)
 create mode 120000 tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
 create mode 120000 tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
 create mode 120000 tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
 create mode 100644 tools/packaging/kernel/patches/6.7.x/no_patches.txt

diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index 41ca2cc8b3..a58ebb0886 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -35,6 +35,7 @@ jobs:
           - firecracker
           - kata-ctl
           - kernel
+          - kernel-confidential
           - kernel-sev
           - kernel-dragonball-experimental
           - kernel-tdx-experimental
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index b2de80dac2..21ad3626df 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -20,6 +20,7 @@ endif
 ifeq ($(ARCH), x86_64)
 BASE_TARBALLS = serial-targets \
 	firecracker-tarball \
+	kernel-confidential-tarball \
 	kernel-dragonball-experimental-tarball \
 	kernel-nvidia-gpu-tarball \
 	kernel-nvidia-gpu-snp-tarball \
@@ -110,6 +111,9 @@ kernel-nvidia-gpu-tdx-experimental-tarball:
 kernel-tarball:
 	${MAKE} $@-build
 
+kernel-confidential-tarball:
+	${MAKE} $@-build
+
 kernel-tdx-experimental-tarball:
 	${MAKE} $@-build
 
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index f02302907d..8f0c2dd634 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -92,6 +92,7 @@ options:
 	firecracker
 	kata-ctl
 	kernel
+	kernel-confidential
 	kernel-dragonball-experimental
 	kernel-experimental
 	kernel-nvidia-gpu
@@ -280,7 +281,7 @@ install_cached_kernel_tarball_component() {
 		"${final_tarball_path}" \
 		|| return 1
 	
-	if [[ "${kernel_name}" != "kernel-sev" ]]; then
+	if [[ "${kernel_name}" != "kernel-sev" ]] && [[ "${kernel_name}" != "kernel-confidential" ]]; then
 		return 0
 	fi
 
@@ -289,13 +290,13 @@ install_cached_kernel_tarball_component() {
 		"${kernel_name}" \
 		"${latest_artefact}" \
 		"${latest_builder_image}" \
-		"kata-static-kernel-sev-modules.tar.xz" \
-		"${workdir}/kata-static-kernel-sev-modules.tar.xz" \
+		"kata-static-${kernel_name}-modules.tar.xz" \
+		"${workdir}/kata-static-${kernel_name}-modules.tar.xz" \
 		|| return 1
 
 	if [[ -n "${module_dir}" ]]; then
 		mkdir -p "${module_dir}"
-		tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C  "${module_dir}" && return 0
+		tar xvf "${workdir}/kata-static-${kernel_name}-modules.tar.xz" -C  "${module_dir}" && return 0
 	fi
 
 	return 1
@@ -315,6 +316,10 @@ install_kernel_helper() {
 		kernel_version="$(get_from_kata_deps assets.kernel.sev.version)"
 		default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
 		module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
+	elif [[ "${kernel_name}" == "kernel-confidential" ]]; then
+		kernel_version="$(get_from_kata_deps assets.kernel.confidential.version)"
+		default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
+		module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-confidential/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
 	fi
 
 	install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0
@@ -332,6 +337,15 @@ install_kernel() {
 		"-f"
 }
 
+install_kernel_confidential() {
+	local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"
+
+	install_kernel_helper \
+		"assets.kernel.confidential.version" \
+		"kernel" \
+		"-x confidential -u ${kernel_url}"
+}
+
 install_kernel_dragonball_experimental() {
 	install_kernel_helper \
 		"assets.kernel-dragonball-experimental.version" \
@@ -741,6 +755,7 @@ handle_build() {
 		install_initrd_sev
 		install_kata_ctl
 		install_kernel
+		install_kernel_confidential
 		install_kernel_dragonball_experimental
 		install_kernel_tdx_experimental
 		install_log_parser_rs
@@ -776,6 +791,8 @@ handle_build() {
 
 	kernel) install_kernel ;;
 
+	kernel-confidential) install_kernel_confidential ;;
+
 	kernel-dragonball-experimental) install_kernel_dragonball_experimental ;;
 
 	kernel-nvidia-gpu) install_kernel_nvidia_gpu ;;
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index f1d1bb62c2..05cd63399f 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -110,7 +110,7 @@ Options:
 	-t <hypervisor>	: Hypervisor_target.
 	-u <url>	: Kernel URL to be used to download the kernel tarball.
 	-v <version>	: Kernel version to use if kernel path not provided.
-	-x <type>	: Confidential guest protection type, such as sev, snp and tdx
+	-x <type>	: Confidential guest protection type, such as sev, snp, tdx, or "confidential" (for all of those).
 EOF
 	exit "$exit_code"
 }
@@ -457,7 +457,7 @@ build_kernel() {
 	arch_target=$(arch_to_kernel "${arch_target}")
 	pushd "${kernel_path}" >>/dev/null
 	make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG}
-	if [ "${conf_guest}" == "sev" ]; then
+	if [ "${conf_guest}" == "sev" ] || [ "${conf_guest}" == "confidential" ]; then
 		make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install
 	fi
 	[ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ])
@@ -603,7 +603,7 @@ main() {
 			x)
 				conf_guest="${OPTARG}"
 				case "$conf_guest" in
-					sev|snp|tdx) ;;
+					confidential|sev|snp|tdx) ;;
 					*) die "Confidential guest type '$conf_guest' not supported" ;;
 				esac
 				;;
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
new file mode 120000
index 0000000000..9dda7d6ead
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
@@ -0,0 +1 @@
+../sev/sev.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
new file mode 120000
index 0000000000..83464ffe3b
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
@@ -0,0 +1 @@
+../snp/snp.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
new file mode 120000
index 0000000000..f4f9ffeb3e
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
@@ -0,0 +1 @@
+../tdx/tdx.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index 52bd8e43af..9289ddcee3 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-120
+121
diff --git a/tools/packaging/kernel/patches/6.7.x/no_patches.txt b/tools/packaging/kernel/patches/6.7.x/no_patches.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/versions.yaml b/versions.yaml
index dcc308e8b0..564e42de03 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -170,6 +170,10 @@ assets:
     description: "Linux kernel optimised for virtual machines"
     url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
     version: "v6.1.62"
+    confidential:
+      description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support"
+      url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
+      version: "v6.7"
     sev:
       description: "Linux kernel that supports SEV and SNP"
       url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"

From c3f6eaa267163a34dd33f18876a971edabf34e54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fabiano.fidencio@intel.com>
Date: Tue, 9 Jan 2024 14:35:12 -0300
Subject: [PATCH 5/5] build-kernel: Fix typo 'terball' -> 'tarball'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SSIA. :-)

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
---
 tools/packaging/kernel/build-kernel.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index 05cd63399f..a92c8183ed 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -151,7 +151,7 @@ get_tee_kernel() {
 
 	local kernel_tarball="${version}.tar.gz"
 
-	# Depending on where we're getting the terball from it may have a
+	# Depending on where we're getting the tarball from it may have a
 	# different name, such as linux-${version}.tar.gz or simply
 	# ${version}.tar.gz.  Let's try both before failing.
 	curl --fail -L "${kernel_url}/linux-${kernel_tarball}" -o ${kernel_tarball} || curl --fail -OL "${kernel_url}/${kernel_tarball}"