Merge pull request #11257 from mythi/coco-guest-hardening

confidential guest kernel hardening changes

src/runtime/virtcontainers/qemu.go

@@ -806,8 +806,8 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
 		qemuConfig.IOThreads = []govmmQemu.IOThread{*ioThread}
 	}
 	// Add RNG device to hypervisor
-	// Skip for s390x as CPACF is used
+	// Skip for s390x (as CPACF is used) or when Confidential Guest is enabled
-	if machine.Type != QemuCCWVirtio {
+	if machine.Type != QemuCCWVirtio && !q.config.ConfidentialGuest {
 		rngDev := config.RNGDev{
 			ID:       rngID,
 			Filename: q.config.EntropySource,

tools/packaging/kernel/build-kernel.sh

@@ -226,8 +226,15 @@ get_kernel_frag_path() {
 	local config_path="${arch_path}/.config"
 
 	local arch_configs="$(ls ${arch_path}/*.conf)"
-	# Exclude configs if they have !$arch tag in the header
+	# By default, exclude configs if they have !$arch tag in the header
-	local common_configs="$(grep "\!${arch}" ${common_path}/*.conf -L)"
+	local exclude_tags="-e "\!${arch}""
+
+	# Also, let confidential guest opt-out some insecure configs
+	if [[ "${conf_guest}" != "" ]];then
+		exclude_tags="${exclude_tags} -e "\!${conf_guest}""
+	fi
+
+	local common_configs="$(grep ${exclude_tags} ${common_path}/*.conf -L)"
 
 	local extra_configs=""
 	if [ "${build_type}" != "" ];then

tools/packaging/kernel/configs/README.md

@@ -50,7 +50,7 @@ into a fragment.
 If adding config entries for a new subsystem or feature, consider making a new
 fragment with an appropriately descriptive name.
 
-If you want to disable an entire fragment for a specific architecture, you can add the tag `# !${arch}` in the first line of the fragment. You can also exclude multiple architectures on the same line. Note the `#` at the beginning of the line, this is required to avoid that the tag is interpreted as a configuration.
+If you want to disable an entire fragment for a specific configuration, you can add the tag `# !${arch}` or `# !confidential` in the first line of the fragment. You can also exclude multiple tags on the same line. Note the `#` at the beginning of the line, this is required to avoid that the tag is interpreted as a configuration.
 Example of valid exclusion:
 ```
 # !s390x !ppc64le

tools/packaging/kernel/configs/fragments/common/mmio.conf

@@ -1,3 +1,4 @@
+# !confidential
 # mmio devices are required for firecracker
 CONFIG_VIRTIO_MMIO=y
 CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES=y

tools/packaging/kernel/configs/fragments/common/virtio-extras.conf

@@ -0,0 +1,4 @@
+# !confidential
+# This is used by the s390 arch at least. Leave it on globally.
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_VIRTIO=y

tools/packaging/kernel/configs/fragments/common/virtio.conf

@@ -10,10 +10,6 @@ CONFIG_VIRTIO_PCI=y
 # Without this nested-VM Kata does not work (we have not worked out exactly why)
 CONFIG_VIRTIO_PCI_LEGACY=y
 
-# This is used by the s390 arch at least. Leave it on globally.
-CONFIG_HW_RANDOM=y
-CONFIG_HW_RANDOM_VIRTIO=y
-
 # FIXME - are we moving away from/choosing between SCSI and BLK support?
 # https://github.com/kata-containers/packaging/issues/483
 CONFIG_SCSI=y

tools/packaging/kernel/kata_config_version

@@ -1 +1 @@
-152
+153

versions.yaml

@@ -196,11 +196,11 @@ assets:
   kernel:
     description: "Linux kernel optimised for virtual machines"
     url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
-    version: "v6.12.22"
+    version: "v6.12.28"
     confidential:
       description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support"
       url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
-      version: "v6.12.22"
+      version: "v6.12.28"
 
   kernel-arm-experimental:
     description: "Linux kernel with cpu/mem hotplug support on arm64"