Merge pull request #8753 from fidencio/topic/add-confidential-artefacts

TEEs: Introduce kernel-confidential
Greg Kurz 2024-01-10 16:59:57 +01:00 committed by GitHub
commit 0c37aec7dc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 47 additions and 51 deletions


@ -35,6 +35,7 @@ jobs:
- firecracker - firecracker
- kata-ctl - kata-ctl
- kernel - kernel
- kernel-confidential
- kernel-sev - kernel-sev
- kernel-dragonball-experimental - kernel-dragonball-experimental
- kernel-tdx-experimental - kernel-tdx-experimental


@ -20,6 +20,7 @@ endif
ifeq ($(ARCH), x86_64) ifeq ($(ARCH), x86_64)
BASE_TARBALLS = serial-targets \ BASE_TARBALLS = serial-targets \
firecracker-tarball \ firecracker-tarball \
kernel-confidential-tarball \
kernel-dragonball-experimental-tarball \ kernel-dragonball-experimental-tarball \
kernel-nvidia-gpu-tarball \ kernel-nvidia-gpu-tarball \
kernel-nvidia-gpu-snp-tarball \ kernel-nvidia-gpu-snp-tarball \
@ -110,6 +111,9 @@ kernel-nvidia-gpu-tdx-experimental-tarball:
kernel-tarball: kernel-tarball:
${MAKE} $@-build ${MAKE} $@-build
kernel-confidential-tarball:
${MAKE} $@-build
kernel-tdx-experimental-tarball: kernel-tdx-experimental-tarball:
${MAKE} $@-build ${MAKE} $@-build
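Review bot: The new `kernel-confidential-tarball` target is a command, not a file, so if this Makefile enumerates its `*-tarball` targets in a `.PHONY` list (that list is outside the hunk), `kernel-confidential-tarball` needs adding there too; otherwise a stray file of that name would make the target look up to date. The recipe mirrors the sibling `kernel-tarball` rule and invokes `${MAKE}`, which keeps jobserver and `-n` propagation intact. The target is only added to the x86_64 `BASE_TARBALLS` list, which matches the x86_64-only description given to the confidential kernel elsewhere in this commit; a one-line comment on the rule such as `# x86_64 only: single kernel carrying the SEV/SNP/TDX fragments` would save the next reader that cross-check.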


@ -92,6 +92,7 @@ options:
firecracker firecracker
kata-ctl kata-ctl
kernel kernel
kernel-confidential
kernel-dragonball-experimental kernel-dragonball-experimental
kernel-experimental kernel-experimental
kernel-nvidia-gpu kernel-nvidia-gpu
@ -280,7 +281,7 @@ install_cached_kernel_tarball_component() {
"${final_tarball_path}" \ "${final_tarball_path}" \
|| return 1 || return 1
if [[ "${kernel_name}" != "kernel-sev" ]]; then if [[ "${kernel_name}" != "kernel-sev" ]] && [[ "${kernel_name}" != "kernel-confidential" ]]; then
return 0 return 0
fi fi
@ -289,13 +290,13 @@ install_cached_kernel_tarball_component() {
"${kernel_name}" \ "${kernel_name}" \
"${latest_artefact}" \ "${latest_artefact}" \
"${latest_builder_image}" \ "${latest_builder_image}" \
"kata-static-kernel-sev-modules.tar.xz" \ "kata-static-${kernel_name}-modules.tar.xz" \
"${workdir}/kata-static-kernel-sev-modules.tar.xz" \ "${workdir}/kata-static-${kernel_name}-modules.tar.xz" \
|| return 1 || return 1
if [[ -n "${module_dir}" ]]; then if [[ -n "${module_dir}" ]]; then
mkdir -p "${module_dir}" mkdir -p "${module_dir}"
tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C "${module_dir}" && return 0 tar xvf "${workdir}/kata-static-${kernel_name}-modules.tar.xz" -C "${module_dir}" && return 0
fi fi
return 1 return 1
@ -315,6 +316,10 @@ install_kernel_helper() {
kernel_version="$(get_from_kata_deps assets.kernel.sev.version)" kernel_version="$(get_from_kata_deps assets.kernel.sev.version)"
default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches" default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}" module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
elif [[ "${kernel_name}" == "kernel-confidential" ]]; then
kernel_version="$(get_from_kata_deps assets.kernel.confidential.version)"
default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-confidential/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
fi fi
install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0 install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0
@ -332,6 +337,15 @@ install_kernel() {
"-f" "-f"
} }
install_kernel_confidential() {
local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"
install_kernel_helper \
"assets.kernel.confidential.version" \
"kernel" \
"-x confidential -u ${kernel_url}"
}
install_kernel_dragonball_experimental() { install_kernel_dragonball_experimental() {
install_kernel_helper \ install_kernel_helper \
"assets.kernel-dragonball-experimental.version" \ "assets.kernel-dragonball-experimental.version" \
@ -741,6 +755,7 @@ handle_build() {
install_initrd_sev install_initrd_sev
install_kata_ctl install_kata_ctl
install_kernel install_kernel
install_kernel_confidential
install_kernel_dragonball_experimental install_kernel_dragonball_experimental
install_kernel_tdx_experimental install_kernel_tdx_experimental
install_log_parser_rs install_log_parser_rs
@ -776,6 +791,8 @@ handle_build() {
kernel) install_kernel ;; kernel) install_kernel ;;
kernel-confidential) install_kernel_confidential ;;
kernel-dragonball-experimental) install_kernel_dragonball_experimental ;; kernel-dragonball-experimental) install_kernel_dragonball_experimental ;;
kernel-nvidia-gpu) install_kernel_nvidia_gpu ;; kernel-nvidia-gpu) install_kernel_nvidia_gpu ;;
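Review bot: `install_kernel_confidential` passes `"kernel"` as the second argument to `install_kernel_helper`, while the new `elif` in `install_kernel_helper` and the early-return check in `install_cached_kernel_tarball_component` compare `kernel_name` against `"kernel-confidential"`; if that second argument is what becomes `kernel_name` (the helper's parameter list is outside the hunk), the confidential branch is never reached from this caller and the modules tarball handling added in this commit is skipped, so it should likely read `"kernel-confidential"`. Separately, `local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"` masks a failed lookup: an empty result leaves `-u` without its argument inside the option string, and what build-kernel.sh's parser then consumes depends on word splitting. A guard such as `[ -n "${kernel_url}" ] || die "failed to get kernel-confidential url"` (using whichever failure helper this script provides) before the call would fail early and loudly. Both `install_kernel_helper` and `install_cached_kernel_tarball_component` extend beyond the hunks shown.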


@ -110,7 +110,7 @@ Options:
-t <hypervisor> : Hypervisor_target. -t <hypervisor> : Hypervisor_target.
-u <url> : Kernel URL to be used to download the kernel tarball. -u <url> : Kernel URL to be used to download the kernel tarball.
-v <version> : Kernel version to use if kernel path not provided. -v <version> : Kernel version to use if kernel path not provided.
-x <type> : Confidential guest protection type, such as sev, snp and tdx -x <type> : Confidential guest protection type, such as sev, snp, tdx, or "confidential" (for all of those).
EOF EOF
exit "$exit_code" exit "$exit_code"
} }
@ -151,7 +151,7 @@ get_tee_kernel() {
local kernel_tarball="${version}.tar.gz" local kernel_tarball="${version}.tar.gz"
# Depending on where we're getting the terball from it may have a # Depending on where we're getting the tarball from it may have a
# different name, such as linux-${version}.tar.gz or simply # different name, such as linux-${version}.tar.gz or simply
# ${version}.tar.gz. Let's try both before failing. # ${version}.tar.gz. Let's try both before failing.
curl --fail -L "${kernel_url}/linux-${kernel_tarball}" -o ${kernel_tarball} || curl --fail -OL "${kernel_url}/${kernel_tarball}" curl --fail -L "${kernel_url}/linux-${kernel_tarball}" -o ${kernel_tarball} || curl --fail -OL "${kernel_url}/${kernel_tarball}"
@ -457,7 +457,7 @@ build_kernel() {
arch_target=$(arch_to_kernel "${arch_target}") arch_target=$(arch_to_kernel "${arch_target}")
pushd "${kernel_path}" >>/dev/null pushd "${kernel_path}" >>/dev/null
make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG} make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG}
if [ "${conf_guest}" == "sev" ]; then if [ "${conf_guest}" == "sev" ] || [ "${conf_guest}" == "confidential" ]; then
make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install
fi fi
[ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ]) [ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ])
@ -603,7 +603,7 @@ main() {
x) x)
conf_guest="${OPTARG}" conf_guest="${OPTARG}"
case "$conf_guest" in case "$conf_guest" in
sev|snp|tdx) ;; confidential|sev|snp|tdx) ;;
*) die "Confidential guest type '$conf_guest' not supported" ;; *) die "Confidential guest type '$conf_guest' not supported" ;;
esac esac
;; ;;
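Review bot: The updated `-x` help text says `confidential` stands for sev, snp and tdx together but not what that changes in the build: per the `build_kernel` hunk, only `sev` and `confidential` run `modules_install` into `${kernel_path}`, while `snp` and `tdx` produce no module tree. Suggest extending the help line to `-x <type> : Confidential guest protection type: sev, snp, tdx, or "confidential" (all of those; sev and confidential also install kernel modules).` The `case` in `main` accepts `confidential` consistently with the new condition. `build_kernel` and `main` both start and end outside these hunks.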


@ -4,13 +4,6 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
CONFIG_SMP=y CONFIG_SMP=y
# Note, no nested VM support enabled here # Note, no nested VM support enabled here
# Turn off embedded mode, as it disabled 'too much', and we
# no longer pass all the tests. We should refine this, and
# work out which of the ~66 items it enables are really needed.
# I believe this is the actual syntax we need for a fragment to
# disable an item...
# CONFIG_EMBEDDED is not set
# Note, no virt enabled baloon yet # Note, no virt enabled baloon yet
CONFIG_INPUT=y CONFIG_INPUT=y
CONFIG_PRINTK=y CONFIG_PRINTK=y


@ -31,7 +31,6 @@ CONFIG_FSNOTIFY=y
CONFIG_DNOTIFY=y CONFIG_DNOTIFY=y
CONFIG_INOTIFY_USER=y CONFIG_INOTIFY_USER=y
CONFIG_FANOTIFY=y CONFIG_FANOTIFY=y
CONFIG_AUTOFS4_FS=y
CONFIG_AUTOFS_FS=y CONFIG_AUTOFS_FS=y
CONFIG_TMPFS=y CONFIG_TMPFS=y
CONFIG_DEVTMPFS=y CONFIG_DEVTMPFS=y


@ -7,6 +7,5 @@ CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_SELINUX=y CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9 CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256 CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256


@ -190,7 +190,6 @@ CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_NETMAP=y CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_REDIRECT=y CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_MANGLE=y CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_CLUSTERIP=y
CONFIG_IP_NF_TARGET_ECN=y CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_TTL=y CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_RAW=y CONFIG_IP_NF_RAW=y


@ -42,7 +42,6 @@ CONFIG_BRIDGE=y
CONFIG_BRIDGE_IGMP_SNOOPING=y CONFIG_BRIDGE_IGMP_SNOOPING=y
CONFIG_LLC=y CONFIG_LLC=y
CONFIG_NET_SCHED=y CONFIG_NET_SCHED=y
CONFIG_NET_SCH_CBQ=y
CONFIG_NET_SCH_MULTIQ=y CONFIG_NET_SCH_MULTIQ=y
CONFIG_NET_SCH_FQ_CODEL=y CONFIG_NET_SCH_FQ_CODEL=y
CONFIG_NET_SCH_FQ=y CONFIG_NET_SCH_FQ=y


@ -2,10 +2,13 @@
# without generating an error in fragment merging # without generating an error in fragment merging
CONFIG_ARCH_RANDOM CONFIG_ARCH_RANDOM
CONFIG_ARM64_CRYPTO CONFIG_ARM64_CRYPTO
CONFIG_AUTOFS4_FS
CONFIG_GENERIC_MSI_IRQ_DOMAIN CONFIG_GENERIC_MSI_IRQ_DOMAIN
CONFIG_IP_NF_TARGET_CLUSTERIP
CONFIG_PCI_MSI_IRQ_DOMAIN CONFIG_PCI_MSI_IRQ_DOMAIN
CONFIG_CLK_LGM_CGU CONFIG_CLK_LGM_CGU
CONFIG_MEMCG_SWAP CONFIG_MEMCG_SWAP
CONFIG_NET_SCH_CBQ
CONFIG_NF_NAT_IPV4 CONFIG_NF_NAT_IPV4
CONFIG_NF_NAT_NEEDED CONFIG_NF_NAT_NEEDED
CONFIG_NF_NAT_PROTO_DCCP CONFIG_NF_NAT_PROTO_DCCP
@ -20,6 +23,7 @@ CONFIG_NF_LOG_COMMON
CONFIG_MANDATORY_FILE_LOCKING CONFIG_MANDATORY_FILE_LOCKING
CONFIG_ARM64_UAO CONFIG_ARM64_UAO
CONFIG_VFIO_MDEV_DEVICE CONFIG_VFIO_MDEV_DEVICE
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE
CONFIG_SPECULATION_MITIGATIONS CONFIG_SPECULATION_MITIGATIONS
CONFIG_X86_SGX CONFIG_X86_SGX
CONFIG_VIRTIO_IOMMU CONFIG_VIRTIO_IOMMU
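Review bot: The four symbols added to this whitelist (`CONFIG_AUTOFS4_FS`, `CONFIG_IP_NF_TARGET_CLUSTERIP`, `CONFIG_NET_SCH_CBQ`, `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE`) carry no note on why they may legitimately be missing; the sibling hunks drop them from the fragments, presumably because the v6.7 confidential kernel no longer has them. A trailing comment per line naming the upstream release that removed the symbol, e.g. `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE  # removed upstream in <version — confirm>`, would let these be pruned once the older kernels listed in versions.yaml are retired. One caveat worth confirming: with `CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0` gone from the selinux fragment, the v5.x sev kernel and the v6.1 default kernel, which still know the option, now take their own Kconfig default for it instead of an explicit 0; if that default is not 0 in those trees, the guests' SELinux `checkreqprot` behaviour changes silently and this whitelist entry hides it.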


@ -0,0 +1 @@
../sev/sev.conf


@ -0,0 +1 @@
../snp/snp.conf


@ -0,0 +1 @@
../tdx/tdx.conf


@ -1 +1 @@
120 121


@ -331,22 +331,7 @@ generate_qemu_options() {
# From Kata Containers 2.5.0-alpha2 all arches but powerpc have been # From Kata Containers 2.5.0-alpha2 all arches but powerpc have been
# using the new implementation of virtiofs daemon, which is not part # using the new implementation of virtiofs daemon, which is not part
# of QEMU. # of QEMU.
# For the power, at least for now, keep building virtiofsd while qemu_options+=(functionality:--disable-virtiofsd)
# building QEMU.
case "$arch" in
aarch64)
qemu_options+=(functionality:--disable-virtiofsd)
;;
x86_64)
qemu_options+=(functionality:--disable-virtiofsd)
;;
ppc64le)
qemu_options+=(functionality:--disable-virtiofsd)
;;
s390x)
qemu_options+=(functionality:--disable-virtiofsd)
;;
esac
qemu_options+=(functionality:--enable-virtfs) qemu_options+=(functionality:--enable-virtfs)
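Review bot: The comment kept above the new line still reads `# From Kata Containers 2.5.0-alpha2 all arches but powerpc have been using the new implementation of virtiofs daemon`, which the unconditional `qemu_options+=(functionality:--disable-virtiofsd)` now contradicts: it applies to ppc64le as well, and the removed `case` already disabled it for all four arches. Suggest rewording to `# Since Kata Containers 2.5.0-alpha2 every arch uses the external virtiofs daemon, so the in-tree one is never built.` so the next reader does not look for a powerpc exception that no longer exists. `generate_qemu_options` continues outside this hunk.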


@ -14,18 +14,12 @@ source "${script_dir}/../../scripts/lib.sh"
qemu_repo="${qemu_repo:-}" qemu_repo="${qemu_repo:-}"
qemu_version="${qemu_version:-}" qemu_version="${qemu_version:-}"
qemu_suffix="${qemu_suffix:-experimental}" qemu_suffix="${qemu_suffix:-}"
qemu_tarball_name="${qemu_tarball_name:-kata-static-qemu-experimental.tar.gz}" qemu_tarball_name="${qemu_tarball_name:-}"
if [ -z "$qemu_repo" ]; then
info "Get qemu information from runtime versions.yaml"
qemu_url=$(get_from_kata_deps "assets.hypervisor.qemu-experimental.url")
[ -n "$qemu_url" ] || die "failed to get qemu url"
qemu_repo="${qemu_url}.git"
fi
[ -n "$qemu_repo" ] || die "failed to get qemu repo" [ -n "$qemu_repo" ] || die "failed to get qemu repo"
[ -n "$qemu_version" ] || qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu-experimental.version")
[ -n "$qemu_version" ] || die "failed to get qemu version" [ -n "$qemu_version" ] || die "failed to get qemu version"
[ -n "$qemu_suffix" ] || die "failed to get qemu suffix"
[ -n "$qemu_tarball_name" ] || die "failed to get qemu tarball name"
"${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "${qemu_suffix}" "${qemu_tarball_name}" "${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "${qemu_suffix}" "${qemu_tarball_name}"
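Review bot: With the `qemu-experimental` fallback and the defaults for `qemu_suffix` and `qemu_tarball_name` removed, all four of `qemu_repo`, `qemu_version`, `qemu_suffix` and `qemu_tarball_name` must now come from the caller's environment, but nothing in the script states that contract. A short header comment listing them as required inputs and noting that the script aborts via `die` when any is empty would document the new behaviour for whoever invokes it from the kata-deploy build. The added `[ -n "${qemu_suffix}" ] || die` and `[ -n "${qemu_tarball_name}" ] || die` checks are consistent with the existing pair above them.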


@ -99,11 +99,6 @@ assets:
https://github.com/qemu/qemu/tags https://github.com/qemu/qemu/tags
.*/v?(\d\S+)\.tar\.gz .*/v?(\d\S+)\.tar\.gz
qemu-experimental:
description: "QEMU with virtiofs support"
url: "https://github.com/qemu/qemu"
version: "7a800cf9496fddddf71b21a00991e0ec757a170a"
qemu-tdx-experimental: qemu-tdx-experimental:
# yamllint disable-line rule:line-length # yamllint disable-line rule:line-length
description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww15" description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww15"
@ -175,6 +170,10 @@ assets:
description: "Linux kernel optimised for virtual machines" description: "Linux kernel optimised for virtual machines"
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/" url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
version: "v6.1.62" version: "v6.1.62"
confidential:
description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support"
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
version: "v6.7"
sev: sev:
description: "Linux kernel that supports SEV and SNP" description: "Linux kernel that supports SEV and SNP"
url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/" url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"