From f8a16c170a987540b98fb94276836661524b6cec Mon Sep 17 00:00:00 2001
From: Jim Cadden
Date: Mon, 10 May 2021 18:12:31 -0400
Subject: [PATCH] kernel: add confidential guest build option
Includes support for SEV guest kernels
Fixes #1870
Signed-off-by: Jim Cadden
---
 tools/packaging/kernel/build-kernel.sh | 22 ++++++++++++++++++-
 .../kernel/configs/fragments/whitelist.conf | 2 ++
 .../configs/fragments/x86_64/sev/sev.conf | 6 +++++
 3 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index a99adc27df..e27e2c286e 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -49,6 +49,8 @@ experimental_kernel="false"
 force_setup_generate_config="false"
 #GPU kernel support
 gpu_vendor=""
+#Confidential guest type
+conf_guest=""
 #
 patches_path=""
 #
@@ -98,6 +100,7 @@ Options:
 -p : Path to a directory with patches to apply to kernel.
 -t : Hypervisor_target.
 -v : Kernel version to use if kernel path not provided.
+ -x : Confidential guest protection type, such as sev
 EOT
 exit "$exit_code"
 }
@@ -209,6 +212,12 @@ get_kernel_frag_path() {
 all_configs="${all_configs} ${gpu_configs}"
 fi
+ if [[ "${conf_guest}" != "" ]];then
+ info "Enabling config for '${conf_guest}' confidential guest protection"
+ local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)"
+ all_configs="${all_configs} ${conf_configs}"
+ fi
+
 info "Constructing config from fragments: ${config_path}"
@@ -387,6 +396,10 @@ install_kata() {
 suffix="-${gpu_vendor}-gpu${suffix}"
 fi
+ if [[ ${conf_guest} != "" ]];then
+ suffix="-${conf_guest}${suffix}"
+ fi
+
 vmlinuz="vmlinuz-${kernel_version}-${config_version}${suffix}"
 vmlinux="vmlinux-${kernel_version}-${config_version}${suffix}"
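Review bot: The new usage line `-x : Confidential guest protection type, such as sev` reads as an open-ended example, but the `-x` handler in main() accepts only `sev` and dies on any other value, so the help text should state the allow-list instead: `-x : Confidential guest protection type (supported: sev)`. Keeping the usage text and the validation in step avoids users guessing at values that the script will reject. The usage heredoc begins outside the hunk.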
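Review bot: In the get_kernel_frag_path hunk, `local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)"` silently yields an empty list when the directory or fragments are missing — this commit only adds fragments under `x86_64/sev`, so any other arch with `-x sev` hits that path — and the build then continues without the memory-encryption options while install_kata still labels the artefact `-sev`. A kernel that claims to be an SEV guest kernel but lacks CONFIG_AMD_MEM_ENCRYPT is a security-relevant failure, so the glob should be expanded by the shell and an empty match should abort: `local conf_configs=("${arch_path}/${conf_guest}"/*.conf)`, `[[ -f "${conf_configs[0]}" ]] || die "No config fragments found for '${conf_guest}' in ${arch_path}/${conf_guest}"`, `all_configs="${all_configs} ${conf_configs[*]}"`. This mirrors the gpu_configs construction just above the hunk, which presumably has the same weakness and could be fixed the same way. get_kernel_frag_path starts and ends outside the hunk, and whether the script runs under `set -e` is not visible here.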
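Review bot: In the install_kata hunk, `if [[ ${conf_guest} != "" ]];then` leaves the variable unquoted and omits the space after `;`, whereas the equivalent test added to get_kernel_frag_path in this same commit writes `"${conf_guest}"`. Both are safe inside `[[ ]]`, but the two new tests should read the same way, e.g. `if [[ -n "${conf_guest}" ]]; then`. install_kata starts and ends outside the hunk.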
@@ -424,7 +437,7 @@ install_kata() {
 }
 main() {
- while getopts "a:c:defg:hk:p:t:v:" opt; do
+ while getopts "a:c:defg:hk:p:t:v:x:" opt; do
 case "$opt" in
 a) arch_target="${OPTARG}"
@@ -461,6 +474,13 @@ main() {
 v) kernel_version="${OPTARG}"
 ;;
+ x)
+ conf_guest="${OPTARG}"
+ case "$conf_guest" in
+ sev) ;;
+ *) die "Confidential guest type '$conf_guest' not supported" ;;
+ esac
+ ;;
 esac
 done
diff --git a/tools/packaging/kernel/configs/fragments/whitelist.conf b/tools/packaging/kernel/configs/fragments/whitelist.conf
index 98f79aa0c1..9e07ffccaa 100644
--- a/tools/packaging/kernel/configs/fragments/whitelist.conf
+++ b/tools/packaging/kernel/configs/fragments/whitelist.conf
@@ -8,3 +8,5 @@ CONFIG_NF_NAT_PROTO_SCTP
 CONFIG_NF_NAT_PROTO_UDPLITE
 CONFIG_REFCOUNT_FULL
 CONFIG_MEMCG_SWAP_ENABLED
+CONFIG_CRYPTO_DEV_SP_PSP
+CONFIG_CRYPTO_DEV_CCP
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf b/tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf
new file mode 100644
index 0000000000..af29405c72
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf
@@ -0,0 +1,6 @@
+# AMD Secure Encrypted Virtualization (SEV)
+
+CONFIG_AMD_MEM_ENCRYPT=y
+CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y
+CONFIG_CRYPTO_DEV_SP_PSP=y
+CONFIG_CRYPTO_DEV_CCP=y
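Review bot: The allow-list `case "$conf_guest" in sev) ;; *) die ...` in main() is the right shape, but it checks only the value, not the architecture it applies to: this commit adds fragments only under `x86_64/sev`, so `-x sev` combined with another `-a` passes here and presumably fails later in get_kernel_frag_path when `ls ${arch_path}/sev/*.conf` finds nothing, with an `ls` error rather than a clear message. Because getopts consumes options in command-line order, `arch_target` may not be set yet inside the `x)` branch, so the check belongs after the loop, for example `[[ -z "${conf_guest}" || "${arch_target}" == "x86_64" ]] || die "Confidential guest type '${conf_guest}' is only supported on x86_64"` (adjusted to wherever arch_target is defaulted, which is outside this hunk). The rest of main() continues outside the hunk.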
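Review bot: CONFIG_CRYPTO_DEV_SP_PSP and CONFIG_CRYPTO_DEV_CCP are appended to whitelist.conf and at the same time set to `y` in the new sev.conf, with nothing saying why the two need whitelisting. If whitelist.conf is the list of requested options that are allowed to be absent from the final .config (inferred from its name; the checking code is not in this diff), then a built `-sev` kernel may legitimately lack them, which a reader of sev.conf would not expect. A comment beside them in sev.conf, along the lines of `# CCP/PSP are in whitelist.conf: <reason they may be dropped from the final config>`, would record that contract where it is read; the same applies to the sev.conf hunk below.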
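Review bot: `CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y` in sev.conf controls whether the kernel activates SME on the host by default; for a guest kernel, SEV is enabled by the hypervisor and detected by the guest at boot, so this option does not look like what makes the guest run encrypted and its inclusion here deserves a comment stating why it is set, or it should be dropped if it was added by analogy with SME. The file's header comment could also name which option carries the guest-side support, e.g. `# CONFIG_AMD_MEM_ENCRYPT provides the guest-side SEV support`, so that a future reader can tell the required options from the incidental ones.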