diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go
index 71982ce280..51a46d2729 100644
--- a/src/runtime/virtcontainers/qemu.go
+++ b/src/runtime/virtcontainers/qemu.go
@@ -806,8 +806,8 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
 qemuConfig.IOThreads = []govmmQemu.IOThread{*ioThread}
 }
 // Add RNG device to hypervisor
- // Skip for s390x as CPACF is used
- if machine.Type != QemuCCWVirtio {
+ // Skip for s390x (as CPACF is used) or when Confidential Guest is enabled
+ if machine.Type != QemuCCWVirtio && !q.config.ConfidentialGuest {
 rngDev := config.RNGDev{
 ID: rngID,
 Filename: q.config.EntropySource,
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index c887b289aa..72060acb82 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -226,8 +226,15 @@ get_kernel_frag_path() {
 local config_path="${arch_path}/.config"
 local arch_configs="$(ls ${arch_path}/*.conf)"
 
- # Exclude configs if they have !$arch tag in the header
- local common_configs="$(grep "\!${arch}" ${common_path}/*.conf -L)"
+ # By default, exclude configs if they have !$arch tag in the header
+ local exclude_tags="-e "\!${arch}""
+
+ # Also, let confidential guest opt-out some insecure configs
+ if [[ "${conf_guest}" != "" ]];then
+ exclude_tags="${exclude_tags} -e "\!${conf_guest}""
+ fi
+
+ local common_configs="$(grep ${exclude_tags} ${common_path}/*.conf -L)"
 local extra_configs=""
 
 if [ "${build_type}" != "" ];then
diff --git a/tools/packaging/kernel/configs/README.md b/tools/packaging/kernel/configs/README.md
index 61845a2851..0fa9c06c0e 100644
--- a/tools/packaging/kernel/configs/README.md
+++ b/tools/packaging/kernel/configs/README.md
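Review bot: The new condition `machine.Type != QemuCCWVirtio && !q.config.ConfidentialGuest` drops the virtio-rng device for confidential guests, but the comment above it only records that it happens, not why, and the why is the security-relevant part: the device is backed by `q.config.EntropySource`, which the host supplies and a confidential guest does not trust. Suggest `// Skip for s390x (CPACF is used) and for confidential guests: the virtio-rng backend is host-provided entropy, which sits outside the guest's trust boundary, so the guest must not draw from it.` A one-line pointer that this pairs with the kernel fragment change in the same commit (CONFIG_HW_RANDOM_VIRTIO excluded for confidential kernels) would keep the two sides from drifting apart if either is revisited. CreateVM starts and ends outside the hunk.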
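Review bot: The quoting in `local exclude_tags="-e "\!${arch}""` does not nest: it is the quoted `"-e "`, then the unquoted `\!${arch}`, then an empty `""`, so the value only works because the later `grep ${exclude_tags} ...` is left unquoted and word-split, and the same applies to the `exclude_tags="${exclude_tags} -e "\!${conf_guest}""` line inside the `if`. A tag value containing whitespace or glob characters would be split or expanded before grep sees it, and shellcheck flags both lines. Holding the arguments in a bash array keeps each `-e PATTERN` pair intact and lets the grep call be fully quoted, with no change in which files are excluded. get_kernel_frag_path starts and ends outside the hunk.
```shell
	# By default, exclude configs if they have !$arch tag in the header
	local exclude_tags=(-e "!${arch}")

	# Also, let confidential guest opt-out some insecure configs
	if [[ -n "${conf_guest}" ]]; then
		exclude_tags+=(-e "!${conf_guest}")
	fi

	local common_configs="$(grep "${exclude_tags[@]}" "${common_path}"/*.conf -L)"
```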
@@ -50,7 +50,7 @@ into a fragment. If adding config entries for a new subsystem or feature,
 consider making a new fragment with an appropriately descriptive name.
 
-If you want to disable an entire fragment for a specific architecture, you can add the tag `# !${arch}` in the first line of the fragment. You can also exclude multiple architectures on the same line. Note the `#` at the beginning of the line, this is required to avoid that the tag is interpreted as a configuration.
+If you want to disable an entire fragment for a specific configuration, you can add the tag `# !${arch}` or `# !confidential` in the first line of the fragment. You can also exclude multiple tags on the same line. Note the `#` at the beginning of the line, this is required to avoid that the tag is interpreted as a configuration.
 
 Example of valid exclusion:
 ```
 # !s390x !ppc64le
diff --git a/tools/packaging/kernel/configs/fragments/common/mmio.conf b/tools/packaging/kernel/configs/fragments/common/mmio.conf
index 5afc0b10b4..afaec1a379 100644
--- a/tools/packaging/kernel/configs/fragments/common/mmio.conf
+++ b/tools/packaging/kernel/configs/fragments/common/mmio.conf
@@ -1,3 +1,4 @@
+# !confidential
 # mmio devices are required for firecracker
 CONFIG_VIRTIO_MMIO=y
 CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y
diff --git a/tools/packaging/kernel/configs/fragments/common/virtio-extras.conf b/tools/packaging/kernel/configs/fragments/common/virtio-extras.conf
new file mode 100644
index 0000000000..dc7ab3f6a5
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/common/virtio-extras.conf
@@ -0,0 +1,4 @@
+# !confidential
+# This is used by the s390 arch at least. Leave it on globally.
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_VIRTIO=y
diff --git a/tools/packaging/kernel/configs/fragments/common/virtio.conf b/tools/packaging/kernel/configs/fragments/common/virtio.conf
index a96c2cebcf..8211b62d29 100644
--- a/tools/packaging/kernel/configs/fragments/common/virtio.conf
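Review bot: The comment `# This is used by the s390 arch at least. Leave it on globally.` in the new virtio-extras.conf was carried over from virtio.conf, but the `# !confidential` tag on the line above it now excludes the fragment for confidential kernels, so "leave it on globally" is no longer true and the reason for the exclusion is not recorded in the file. Suggest replacing it with `# Kept on for non-confidential guests (s390 in particular). Excluded for confidential guests, whose VMs are created without a virtio-rng device in this change, because that device is backed by host-supplied entropy.` The mmio.conf hunk in this commit receives the same tag with no explanation at all; a one-line reason there too would save the next reader a git blame.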
+++ b/tools/packaging/kernel/configs/fragments/common/virtio.conf
@@ -10,10 +10,6 @@ CONFIG_VIRTIO_PCI=y
 # Without this nested-VM Kata does not work (we have not worked out exactly why)
 CONFIG_VIRTIO_PCI_LEGACY=y
 
-# This is used by the s390 arch at least. Leave it on globally.
-CONFIG_HW_RANDOM=y
-CONFIG_HW_RANDOM_VIRTIO=y
-
 # FIXME - are we moving away from/choosing between SCSI and BLK support?
 # https://github.com/kata-containers/packaging/issues/483
 CONFIG_SCSI=y
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index 492dff089a..7f1ddd5301 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-152
+153
diff --git a/versions.yaml b/versions.yaml
index cd781c67a0..144ec0349b 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -196,11 +196,11 @@ assets:
 kernel:
 description: "Linux kernel optimised for virtual machines"
 url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
- version: "v6.12.22"
+ version: "v6.12.28"
 confidential:
 description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support"
 url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
- version: "v6.12.22"
+ version: "v6.12.28"
 kernel-arm-experimental:
 description: "Linux kernel with cpu/mem hotplug support on arm64"