From 321b061a533667964b8cd0a0a1616cfb9f3f29e4 Mon Sep 17 00:00:00 2001 From: Unmesh Deodhar Date: Tue, 31 Jan 2023 11:45:57 -0600 Subject: [PATCH 1/2] packaging: Adding caching capability for SEV kernel and initrd Cache and reuse initrd binary whenever possible. Fixes: #6176 Signed-off-by: Unmesh Deodhar --- .../kata-deploy/local-build/kata-deploy-binaries.sh | 12 +++++++++--- tools/packaging/static-build/cache_components.sh | 9 ++++++++- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index f81f6b1aa1..ea572df1a8 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -237,14 +237,20 @@ install_cc_image() { local component="rootfs-image" local root_hash_vanilla="root_hash_vanilla.txt" local root_hash_tdx="" + local initramfs_last_commit="" if [ -n "${tee}" ]; then + jenkins="${jenkins_url}/job/kata-containers-2.0-rootfs-image-${tee}-cc-$(uname -m)/${cached_artifacts_path}" if [ "${tee}" == "tdx" ]; then - jenkins="${jenkins_url}/job/kata-containers-2.0-rootfs-image-${tee}-cc-$(uname -m)/${cached_artifacts_path}" component="${tee}-rootfs-image" root_hash_vanilla="" root_hash_tdx="root_hash_${tee}.txt" fi - fi + if [ "${tee}" == "sev" ]; then + component="${tee}-rootfs-initrd" + root_hash_vanilla="" + initramfs_last_commit="$(get_initramfs_image_name)" + fi + fi local osbuilder_last_commit="$(echo $(get_last_modification "${repo_root_dir}/tools/osbuilder") | sed s/-dirty//)" local guest_image_last_commit="$(get_last_modification "${repo_root_dir}/tools/packaging/guest-image")" 
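Review bot: The new SEV branch of install_cc_image sets component, root_hash_vanilla and initramfs_last_commit but leaves image_type and AA_KBC as the caller supplied them, while the SEV branch added to cache_rootfs_artifacts in cache_components.sh forces image_type="initrd" and aa_kbc="online_sev_kbc"; unless install_cc_image already receives those values for SEV outside this hunk, the cache key it builds in the next hunk can never match the key the cache side published. Setting them here explicitly, e.g. `image_type="initrd"` next to `component="${tee}-rootfs-initrd"`, would keep both sides in lockstep. The hoisted `jenkins=` assignment is also the only variable in this prologue not declared with `local`, so it leaks into the caller; `local jenkins` alongside the other declarations would fix that. install_cc_image continues outside this hunk.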
@@ -259,7 +265,7 @@ install_cc_image() { install_cached_component \ "${component}" \ "${jenkins}" \ - "${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${attestation_agent_version}-${gperf_version}-${libseccomp_version}-${pause_version}-${rust_version}-${image_type}-${AA_KBC}" \ + "${osbuilder_last_commit}-${guest_image_last_commit}$-${initramfs_last_commit}-${agent_last_commit}-${libs_last_commit}-${attestation_agent_version}-${gperf_version}-${libseccomp_version}-${pause_version}-${rust_version}-${image_type}-${AA_KBC}" \ "" \ "${final_tarball_name}" \ "${final_tarball_path}" \ diff --git a/tools/packaging/static-build/cache_components.sh b/tools/packaging/static-build/cache_components.sh index 4ba95f589d..602c700a2a 100755 --- a/tools/packaging/static-build/cache_components.sh +++ b/tools/packaging/static-build/cache_components.sh @@ -92,6 +92,7 @@ cache_rootfs_artifacts() { local rust_version="$(get_from_kata_deps "languages.rust.meta.newest-version")" local rootfs_tarball_name="kata-static-cc-rootfs-image.tar.xz" local aa_kbc="offline_fs_kbc" + local initramfs_last_commit="" local image_type="image" local root_hash_vanilla="${repo_root_dir}/tools/osbuilder/root_hash_vanilla.txt" local root_hash_tdx="" 
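Review bot: The added cache-key line contains `${guest_image_last_commit}$-${initramfs_last_commit}`, and inside double quotes `$-` is the special parameter holding the current shell option flags, so the key expands to something like `<commit>hB<initramfs>` with the separating hyphen swallowed and the value depending on the shell's flags. cache_rootfs_artifacts in cache_components.sh (the last hunk of this patch) builds its key as `...-${guest_image_last_commit}-${initramfs_last_commit}-...`, so the two keys will never match and the SEV initrd cache is never hit. Drop the stray `$`: `"${osbuilder_last_commit}-${guest_image_last_commit}-${initramfs_last_commit}-${agent_last_commit}-${libs_last_commit}-${attestation_agent_version}-${gperf_version}-${libseccomp_version}-${pause_version}-${rust_version}-${image_type}-${AA_KBC}" \`. install_cc_image starts and ends outside this hunk.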
@@ -103,8 +104,14 @@ cache_rootfs_artifacts() { root_hash_vanilla="" root_hash_tdx="${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt" fi + if [ "${TEE}" == "sev" ]; then + rootfs_tarball_name="kata-static-cc-sev-rootfs-initrd.tar.xz" + aa_kbc="online_sev_kbc" + image_type="initrd" + initramfs_last_commit="$(get_initramfs_image_name)" + fi fi - local current_rootfs_version="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${attestation_agent_version}-${gperf_version}-${libseccomp_version}-${pause_version}-${rust_version}-${image_type}-${aa_kbc}" + local current_rootfs_version="${osbuilder_last_commit}-${guest_image_last_commit}-${initramfs_last_commit}-${agent_last_commit}-${libs_last_commit}-${attestation_agent_version}-${gperf_version}-${libseccomp_version}-${pause_version}-${rust_version}-${image_type}-${aa_kbc}" create_cache_asset "${rootfs_tarball_name}" "${current_rootfs_version}" "" "${root_hash_vanilla}" "${root_hash_tdx}" } From 2313b7fa8c21b353b3f1fe8d9bd3e1e572b30521 Mon Sep 17 00:00:00 2001 From: Unmesh Deodhar Date: Tue, 14 Feb 2023 16:08:04 -0600 Subject: [PATCH 2/2] packaging: Adding caching capability for SEV kernel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cache and reuse kernel tarball whenever possible. Fixes: #6176 Signed-off-by: Unmesh Deodhar Signed-off-by: Fabiano FidĂȘncio --- .../local-build/kata-deploy-binaries.sh | 44 +++++++++++++++---- .../static-build/cache_components.sh | 9 ++++ 2 files changed, 44 insertions(+), 9 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index ea572df1a8..ba213d0d15 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh 
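Review bot: initramfs_last_commit is filled from get_initramfs_image_name, i.e. it holds an image name rather than a commit, and it stays empty for every non-SEV TEE, so the new current_rootfs_version line yields an empty `--` slot in all TDX and non-TEE keys; that silently invalidates every previously cached rootfs artifact once, which may be intended but is not stated anywhere. A short comment above the assignment would prevent the next reader from "fixing" the double hyphen, e.g. `# initramfs_last_commit is the SEV initramfs image name; it is empty elsewhere, so non-SEV keys carry an empty "--" slot on purpose`. The name itself would be clearer as something like initramfs_image_name, but that rename has to be made on the install side in kata-deploy-binaries.sh as well. cache_rootfs_artifacts starts outside this hunk.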
@@ -394,24 +394,50 @@ install_cc_virtiofsd() { sudo install -D --owner root --group root --mode 0744 virtiofsd/virtiofsd "${destdir}/${cc_prefix}/libexec/virtiofsd" } -#Install CC kernel assert, with TEE support -install_cc_tee_kernel() { - export KATA_BUILD_CC=yes +# Install cached kernel compoenent +install_cached_kernel_component() { tee="${1}" kernel_version="${2}" + module_dir="${3:-}" - [[ "${tee}" != "tdx" && "${tee}" != "sev" ]] && die "Non supported TEE" - - export kernel_version=${kernel_version} - - install_cached_component \ + install_cached_compnent \ "kernel" \ "${jenkins_url}/job/kata-containers-2.0-kernel-${tee}-cc-$(uname -m)/${cached_artifacts_path}" \ "${kernel_version}" \ "$(get_kernel_image_name)" \ "${final_tarball_name}" \ "${final_tarball_path}" \ - && return 0 + || return 1 + + [ "${tee}" == "tdx" ] && return 0 + + # SEV specific code path + install_cached_component \ + "kernel-modules" \ + "${jenkins_url}/job/kata-containers-2.0-kernel-sev-cc-$(uname -m)/${cached_artifacts_path}" \ + "${kernel_version}" \ + "$(get_kernel_image_name)" \ + "kata-static-cc-sev-kernel-modules.tar.xz" \ + "${workdir}/kata-static-cc-sev-kernel-modules.tar.xz" \ + || return 1 + + tar xvf "${workdir}/kata-static-cc-sev-kernel-modules.tar.xz" -C "${module_dir}" && return 0 + + return 1 +} + +#Install CC kernel assert, with TEE support +install_cc_tee_kernel() { + export KATA_BUILD_CC=yes + tee="${1}" + kernel_version="${2}" + module_dir="${3:-}" + + [[ "${tee}" != "tdx" && "${tee}" != "sev" ]] && die "Non supported TEE" + + export kernel_version=${kernel_version} + + install_cached_kernel_component "${tee}" "${kernel_version}" "${module_dir}" && return 0 info "build initramfs for TEE kernel" "${initramfs_builder}" diff --git a/tools/packaging/static-build/cache_components.sh b/tools/packaging/static-build/cache_components.sh index 602c700a2a..fb28dee90a 100755 --- a/tools/packaging/static-build/cache_components.sh 
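Review bot: The first call in the new install_cached_kernel_component is spelled `install_cached_compnent`, while the function defined elsewhere in this file and used two calls later is `install_cached_component`; the misspelled name fails with "command not found", the `|| return 1` turns that into a cache miss, and install_cc_tee_kernel silently falls through to a full build for every TEE, so the feature never works and nothing reports why. Fix the first line of the call: `install_cached_component \`. The SEV path then passes `-C "${module_dir}"` to tar although module_dir defaults to empty via `"${3:-}"`, so a guard such as `[ -n "${module_dir}" ] || return 1` before the modules download would avoid fetching an archive that cannot be extracted; the new function's tee, kernel_version and module_dir should also be declared `local`, as they are now shared with the caller that sets the same names. The comment header has a typo, `# Install cached kernel component`. install_cc_tee_kernel continues outside this hunk.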
+++ b/tools/packaging/static-build/cache_components.sh @@ -45,6 +45,15 @@ cache_kernel_artifacts() { [ "${TEE}" == "sev" ] && current_kernel_version="$(get_from_kata_deps "assets.kernel.${TEE}.version")" fi create_cache_asset "${kernel_tarball_name}" "${current_kernel_version}" "${current_kernel_image}" + + if [ "${TEE}" == "sev" ]; then + module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/cc-sev-kernel/builddir/kata-linux-${kernel_version#v}-${get_config_version}/lib/modules/${kernel_version#v}" + pushd "${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/" + tar cvfJ "kata-static-cc-sev-kernel-modules.tar.xz" "${module_dir}/kernel/drivers/virt/coco/efi_secret/" + popd + create_cache_asset "kata-static-cc-kernel-modules.tar.xz" "${current_kernel_version}" "${current_kernel_image}" + fi + } cache_firmware_artifacts() {
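Review bot: The new SEV block creates `kata-static-cc-sev-kernel-modules.tar.xz` but then calls `create_cache_asset "kata-static-cc-kernel-modules.tar.xz" ...`, a different name, and the install side in kata-deploy-binaries.sh requests `kata-static-cc-sev-kernel-modules.tar.xz`; unless create_cache_asset renames the file, the modules archive is either not published or published under a name the installer never asks for. The archive is also built from the absolute path `${module_dir}/kernel/drivers/virt/coco/efi_secret/`, so its members keep the full repo-relative path and extracting with `tar xvf ... -C "${module_dir}"` on the install side recreates that whole tree beneath module_dir instead of restoring `kernel/drivers/...` in place; `tar cvfJ "kata-static-cc-sev-kernel-modules.tar.xz" -C "${module_dir}" "kernel/drivers/virt/coco/efi_secret/"` together with `create_cache_asset "kata-static-cc-sev-kernel-modules.tar.xz" "${current_kernel_version}" "${current_kernel_image}"` keeps the two sides consistent. The path uses `${kernel_version}` and `${get_config_version}` while the surrounding function computes current_kernel_version; if get_config_version is a helper function rather than a variable here, that expansion is empty and the directory does not exist, so this is worth confirming, as is declaring module_dir `local`. cache_kernel_artifacts starts outside this hunk.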