diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 6ce74e637e..901bceb4e5 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -146,7 +146,8 @@ DEFROOTFSTYPE := $(ROOTFSTYPE_EXT4) FIRMWAREPATH := FIRMWAREVOLUMEPATH := -FIRMWARETDVFPATH := $(PREFIXDEPS)/share/tdvf/OVMF.fd +#FIRMWARETDVFPATH := $(PREFIXDEPS)/share/tdvf/OVMF.fd +FIRMWARETDVFPATH := PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT FIRMWARETDVFVOLUMEPATH := FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd @@ -175,7 +176,8 @@ HYPERVISORS := $(HYPERVISOR_ACRN) $(HYPERVISOR_FC) $(HYPERVISOR_QEMU) $(HYPERVIS QEMUPATH := $(QEMUBINDIR)/$(QEMUCMD) QEMUVALIDHYPERVISORPATHS := [\"$(QEMUPATH)\"] -QEMUTDXPATH := $(QEMUBINDIR)/$(QEMUTDXCMD) +#QEMUTDXPATH := $(QEMUBINDIR)/$(QEMUTDXCMD) +QEMUTDXPATH := PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT QEMUTDXVALIDHYPERVISORPATHS := [\"$(QEMUTDXPATH)\"] QEMUSNPPATH := $(QEMUBINDIR)/$(QEMUSNPCMD) diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go index d11ddb8cc8..b48baff8f6 100644 --- a/src/runtime/pkg/govmm/qemu/qemu.go +++ b/src/runtime/pkg/govmm/qemu/qemu.go @@ -363,7 +363,6 @@ func (object Object) QemuParams(config *Config) []string { case TDXGuest: objectParams = append(objectParams, string(object.Type)) - objectParams = append(objectParams, "sept-ve-disable=on") objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID)) if object.Debug { objectParams = append(objectParams, "debug=on") @@ -2664,10 +2663,6 @@ type Knobs struct { // IOMMUPlatform will enable IOMMU for supported devices IOMMUPlatform bool - - // Whether private memory should be used or not - // This is required by TDX, at least. - Private bool } // IOThread allows IO to be performed on a separate thread. @@ -3032,9 +3027,6 @@ func (config *Config) appendMemoryKnobs() { numaMemParam = "node,memdev=" + dimmName } - if config.Knobs.Private { - objMemParam += ",private=on" - } if config.Knobs.MemShared { objMemParam += ",share=on" } diff --git a/src/runtime/pkg/govmm/qemu/qemu_test.go b/src/runtime/pkg/govmm/qemu/qemu_test.go index 3fcdbe0d6f..3471ec2828 100644 --- a/src/runtime/pkg/govmm/qemu/qemu_test.go +++ b/src/runtime/pkg/govmm/qemu/qemu_test.go @@ -586,7 +586,6 @@ func TestAppendMemoryFileBackedMem(t *testing.T) { knobs := Knobs{ FileBackedMem: true, MemShared: false, - Private: false, } objMemString := "-object memory-backend-file,id=dimm1,size=1G,mem-path=foobar" numaMemString := "-numa node,memdev=dimm1" @@ -600,36 +599,6 @@ func TestAppendMemoryFileBackedMem(t *testing.T) { } testConfigAppend(conf, knobs, memString+" "+knobsString, t) - - // Reset the conf and memString values - conf = &Config{ - Memory: Memory{ - Size: "1G", - Slots: 8, - MaxMem: "3G", - Path: "foobar", - }, - } - memString = "-m 1G,slots=8,maxmem=3G" - testConfigAppend(conf, conf.Memory, memString, t) - - knobs = Knobs{ - FileBackedMem: true, - MemShared: false, - Private: true, - } - objMemString = "-object memory-backend-file,id=dimm1,size=1G,mem-path=foobar,private=on" - numaMemString = "-numa node,memdev=dimm1" - memBackendString = "-machine memory-backend=dimm1" - - knobsString = objMemString + " " - if isDimmSupported(nil) { - knobsString += numaMemString - } else { - knobsString += memBackendString - } - - testConfigAppend(conf, knobs, memString+" "+knobsString, t) } func TestAppendMemoryFileBackedMemPrealloc(t *testing.T) { diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go index ae07adbead..ecb1b2161e 100644 --- a/src/runtime/virtcontainers/qemu.go +++ b/src/runtime/virtcontainers/qemu.go @@ -615,17 +615,6 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi return err } - if q.config.ConfidentialGuest { - // At this point we're safe to just check for the protection field - // on the hypervisor specific code, as availableGuestProtection() - // has been called earlier and we know we have the value stored. - if q.arch.getProtection() == tdxProtection { - - // TDX relies on ",private=on" passed to the memory object. - knobs.Private = true - } - } - kernelPath, err := q.config.KernelAssetPath() if err != nil { return err diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats index cee9466926..6ad04e434a 100644 --- a/tests/integration/kubernetes/k8s-measured-rootfs.bats +++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats @@ -41,8 +41,10 @@ teardown() { # Run on a specific node so we know from where to inspect the logs set_node "$pod_config" "$node" - # Add an "allow all" policy if policy testing is enabled. - add_allow_all_policy_to_yaml "$pod_config" +# Skip adding the policy, as it's causing the test to fail. +# See more details on: https://github.com/kata-containers/kata-containers/issues/9612 +# # Add an "allow all" policy if policy testing is enabled. +# add_allow_all_policy_to_yaml "$pod_config" # For debug sake echo "Pod $pod_config file:" @@ -52,4 +54,4 @@ teardown() { assert_logs_contain "$node" kata "$node_start_time" \ 'verity: .* metadata block .* is corrupted' -} \ No newline at end of file +} diff --git a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml index 5e17214e50..1d552e4d84 100644 --- a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml +++ b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml @@ -58,6 +58,8 @@ spec: mountPath: /opt/kata/ - name: local-bin mountPath: /usr/local/bin/ + - name: host + mountPath: /host/ volumes: - name: crio-conf hostPath: @@ -72,6 +74,9 @@ spec: - name: local-bin hostPath: path: /usr/local/bin/ + - name: host + hostPath: + path: / updateStrategy: rollingUpdate: maxUnavailable: 1 diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index e307a7fc20..4473333df8 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -30,10 +30,8 @@ BASE_TARBALLS = serial-targets \ ovmf-tarball \ qemu-snp-experimental-tarball \ qemu-tarball \ - qemu-tdx-experimental-tarball \ stratovirt-tarball \ shim-v2-tarball \ - tdvf-tarball \ virtiofsd-tarball BASE_SERIAL_TARBALLS = rootfs-image-tarball \ rootfs-image-confidential-tarball \ @@ -139,9 +137,6 @@ qemu-tarball: boot-image-se-tarball: kernel-confidential-tarball rootfs-initrd-confidential-tarball ${MAKE} $@-build -qemu-tdx-experimental-tarball: - ${MAKE} $@-build - stratovirt-tarball: ${MAKE} $@-build @@ -166,9 +161,6 @@ runk-tarball: shim-v2-tarball: ${MAKE} $@-build -tdvf-tarball: - ${MAKE} $@-build - trace-forwarder-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index f4228e089d..682efb57d5 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -111,7 +111,6 @@ options: ovmf-sev qemu qemu-snp-experimental - qemu-tdx-experimental stratovirt rootfs-image rootfs-image-confidential @@ -120,7 +119,6 @@ options: rootfs-initrd-mariner runk shim-v2 - tdvf trace-forwarder virtiofsd EOF @@ -565,17 +563,6 @@ install_qemu() { "${qemu_builder}" } -install_qemu_tdx_experimental() { - export qemu_suffix="tdx-experimental" - export qemu_tarball_name="kata-static-qemu-${qemu_suffix}.tar.gz" - - install_qemu_helper \ - "assets.hypervisor.qemu-${qemu_suffix}.url" \ - "assets.hypervisor.qemu-${qemu_suffix}.tag" \ - "qemu-${qemu_suffix}" \ - "${qemu_experimental_builder}" -} - install_qemu_snp_experimental() { export qemu_suffix="snp-experimental" export qemu_tarball_name="kata-static-qemu-${qemu_suffix}.tar.gz" @@ -752,7 +739,6 @@ install_ovmf() { local component_name="ovmf" [ "${ovmf_type}" == "sev" ] && component_name="ovmf-sev" - [ "${ovmf_type}" == "tdx" ] && component_name="tdvf" latest_artefact="$(get_from_kata_deps "externals.ovmf.${ovmf_type}.version")" latest_builder_image="$(get_ovmf_image_name)" @@ -769,11 +755,6 @@ install_ovmf() { tar xvf "${builddir}/${tarball_name}" -C "${destdir}" } -# Install TDVF -install_tdvf() { - install_ovmf "tdx" "edk2-tdx.tar.gz" -} - # Install OVMF SEV install_ovmf_sev() { install_ovmf "sev" "edk2-sev.tar.gz" @@ -982,11 +963,9 @@ handle_build() { install_ovmf_sev install_qemu install_qemu_snp_experimental - install_qemu_tdx_experimental install_stratovirt install_runk install_shimv2 - install_tdvf install_trace_forwarder install_virtiofsd ;; @@ -1033,8 +1012,6 @@ handle_build() { qemu-snp-experimental) install_qemu_snp_experimental ;; - qemu-tdx-experimental) install_qemu_tdx_experimental ;; - stratovirt) install_stratovirt ;; rootfs-image) install_image ;; @@ -1051,8 +1028,6 @@ handle_build() { shim-v2) install_shimv2 ;; - tdvf) install_tdvf ;; - trace-forwarder) install_trace_forwarder ;; virtiofsd) install_virtiofsd ;; diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh index 60876e10c9..76fa6aeabf 100755 --- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh +++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh @@ -39,6 +39,16 @@ die() { exit 1 } +warn() { + msg="$*" + echo "WARN: $msg" >&2 +} + +info() { + msg="$*" + echo "INFO: $msg" >&2 +} + function host_systemctl() { nsenter --target 1 --mount systemctl "${@}" } @@ -148,6 +158,63 @@ function get_kata_containers_config_path() { echo "$config_path" } +function tdx_not_supported() { + distro="${1}" + version="${2}" + + warn "Distro ${distro} ${version} does not support TDX and the TDX related runtime classes will not work in your cluster!" +} + +function tdx_supported() { + distro="${1}" + version="${2}" + config="${3}" + + sed -i -e "s|PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT|$(get_tdx_qemu_path_from_distro ${distro})|g" ${config} + sed -i -e "s|PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT|$(get_tdx_ovmf_path_from_distro ${distro})|g" ${config} + + info "In order to use the tdx related runtime classes, ensure TDX is properly configured for ${distro} ${version} by following the instructions provided at: $(get_tdx_distro_instructions ${distro})" +} + +function get_tdx_distro_instructions() { + distro="${1}" + + case ${distro} in + ubuntu) + echo "https://github.com/canonical/tdx/tree/noble-24.04" + ;; + centos) + echo "https://sigs.centos.org/virt/tdx" + ;; + esac +} + +function get_tdx_qemu_path_from_distro() { + distro="${1}" + + case ${distro} in + ubuntu) + echo "/usr/bin/qemu-system-x86_64" + ;; + centos) + echo "/usr/libexec/qemu-kvm" + ;; + esac +} + +function get_tdx_ovmf_path_from_distro() { + distro="${1}" + + case ${distro} in + ubuntu) + echo "/usr/share/ovmf/OVMF.fd" + ;; + centos) + echo "/usr/share/edk2/ovmf/OVMF.inteltdx.fd" + ;; + esac +} + function install_artifacts() { echo "copying kata artifacts onto host" cp -au /opt/kata-artifacts/opt/kata/* /opt/kata/ @@ -181,6 +248,35 @@ function install_artifacts() { if [ -n "${allowed_hypervisor_annotations}" ]; then sed -i -e "s/^enable_annotations = \[\(.*\)\]/enable_annotations = [\1, $allowed_hypervisor_annotations]/" "${kata_config_file}" fi + + if grep -q "tdx" <<< "$shim"; then + source /host/etc/os-release || source /host/usr/lib/os-release + case ${ID} in + ubuntu) + case ${VERSION_ID} in + 24.04) + tdx_supported ${ID} ${VERSION_ID} ${kata_config_file} + ;; + *) + tdx_not_supported ${ID} ${VERSION_ID} + ;; + esac + ;; + centos) + case ${VERSION_ID} in + 9) + tdx_supported ${ID} ${VERSION_ID} ${kata_config_file} + ;; + *) + tdx_not_supported ${ID} ${VERSION_ID} + ;; + esac + ;; + *) + tdx_not_supported_warning + ;; + esac + fi done # Allow Mariner to use custom configuration. diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index b873074587..49d3a51dc3 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh @@ -77,9 +77,6 @@ popd info "Install fd to destdir" install_dir="${DESTDIR}/${PREFIX}/share/ovmf" -if [ "${ovmf_build}" == "tdx" ]; then - install_dir="$DESTDIR/$PREFIX/share/tdvf" -fi mkdir -p "${install_dir}" if [ "${ovmf_build}" == "sev" ]; then diff --git a/tools/packaging/static-build/td-shim/Dockerfile b/tools/packaging/static-build/td-shim/Dockerfile deleted file mode 100644 index ed9270ca4a..0000000000 --- a/tools/packaging/static-build/td-shim/Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright (c) 2022 Intel -# -# SPDX-License-Identifier: Apache-2.0 - -FROM ubuntu:20.04 -ENV DEBIAN_FRONTEND=noninteractive -SHELL ["/bin/bash", "-o", "pipefail", "-c"] -ARG RUST_TOOLCHAIN - -RUN apt-get update && \ - apt-get install -y --no-install-recommends \ - ca-certificates \ - clang \ - curl \ - gcc \ - git \ - llvm \ - nasm && \ - apt-get clean && rm -rf /var/lib/lists/ && \ - curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} && \ - source "$HOME/.cargo/env" && \ - rustup component add rust-src && \ - cargo install cargo-xbuild diff --git a/tools/packaging/static-build/td-shim/build-td-shim.sh b/tools/packaging/static-build/td-shim/build-td-shim.sh deleted file mode 100755 index cbc336d666..0000000000 --- a/tools/packaging/static-build/td-shim/build-td-shim.sh +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2022 Intel -# -# SPDX-License-Identifier: Apache-2.0 - -set -o errexit -set -o nounset -set -o pipefail - -script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -source "${script_dir}/../../scripts/lib.sh" - -tdshim_repo="${tdshim_repo:-}" -DESTDIR=${DESTDIR:-${PWD}} -PREFIX="${PREFIX:-/opt/kata}" - -[ -n "${tdshim_repo}" ] || die "Failed to get TD-shim repo" -[ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit" - -info "Build ${tdshim_repo} version: ${tdshim_version}" - -source ${HOME}/.cargo/env - -build_root=$(mktemp -d) -pushd ${build_root} -git clone --single-branch "${tdshim_repo}" -pushd td-shim -git checkout "${tdshim_version}" -bash sh_script/build_final.sh boot_kernel - -install_dir="${DESTDIR}/${PREFIX}/share/td-shim" -mkdir -p ${install_dir} -install target/x86_64-unknown-uefi/release/final-boot-kernel.bin ${install_dir}/td-shim.bin -popd #td-shim -popd #${build_root} - -local_dir=${PWD} -pushd ${DESTDIR} -tar -czvf "${local_dir}/td-shim.tar.gz" "./$PREFIX" -rm -rf $(dirname ./$PREFIX) -popd #${DESTDIR} diff --git a/tools/packaging/static-build/td-shim/build.sh b/tools/packaging/static-build/td-shim/build.sh deleted file mode 100755 index 457059a8d0..0000000000 --- a/tools/packaging/static-build/td-shim/build.sh +++ /dev/null @@ -1,48 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright (c) 2022 Intel -# -# SPDX-License-Identifier: Apache-2.0 - -set -o errexit -set -o nounset -set -o pipefail - -script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -readonly tdshim_builder="${script_dir}/build-td-shim.sh" - -source "${script_dir}/../../scripts/lib.sh" - -DESTDIR=${DESTDIR:-${PWD}} -PREFIX=${PREFIX:-/opt/kata} -kata_version="${kata_version:-}" -tdshim_repo="${tdshim_repo:-}" -tdshim_version="${tdshim_version:-}" -tdshim_toolchain="${tdshim_toolchain:-}" -package_output_dir="${package_output_dir:-}" - -[ -n "${tdshim_repo}" ] || tdshim_repo=$(get_from_kata_deps "externals.td-shim.url") -[ -n "${tdshim_version}" ] || tdshim_version=$(get_from_kata_deps "externals.td-shim.version") -[ -n "${tdshim_toolchain}" ] || tdshim_toolchain=$(get_from_kata_deps "externals.td-shim.toolchain") - -[ -n "${tdshim_repo}" ] || die "Failed to get TD-shim repo" -[ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit" -[ -n "${tdshim_toolchain}" ] || die "Failed to get TD-shim toolchain to be used to build the project" - -container_image="${TDSHIM_CONTAINER_BUILDER:-${BUILDER_REGISTRY}:td-shim-${tdshim_toolchain}-$(get_last_modification ${script_dir})-$(uname -m)}" - -sudo docker pull ${container_image} || (sudo docker build \ - --build-arg RUST_TOOLCHAIN="${tdshim_toolchain}" \ - -t "${container_image}" \ - "${script_dir}" && \ - # No-op unless PUSH_TO_REGISTRY is exported as "yes" - push_to_registry "${container_image}") - -sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ - -w "${PWD}" \ - --env DESTDIR="${DESTDIR}" \ - --env PREFIX="${PREFIX}" \ - --env tdshim_repo="${tdshim_repo}" \ - --env tdshim_version="${tdshim_version}" \ - "${container_image}" \ - bash -c "${tdshim_builder}" diff --git a/versions.yaml b/versions.yaml index e0413a92dc..8a60b11101 100644 --- a/versions.yaml +++ b/versions.yaml @@ -99,11 +99,6 @@ assets: https://github.com/qemu/qemu/tags .*/v?(\d\S+)\.tar\.gz - qemu-tdx-experimental: - description: ¨QEMU with TDX support" - url: "https://github.com/intel/qemu-tdx" - tag: "tdx-qemu-next-2023.9.21-v8.1.0" - qemu-snp-experimental: description: "QEMU with SNP support" url: "https://github.com/confidential-containers/qemu.git" @@ -337,18 +332,6 @@ externals: version: "edk2-stable202302" package: "OvmfPkg/AmdSev/AmdSevX64.dsc" package_output_dir: "AmdSev" - tdx: - # yamllint disable-line rule:line-length - description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww15" - version: "edk2-stable202302" - package: "OvmfPkg/IntelTdx/IntelTdxX64.dsc" - package_output_dir: "IntelTdx" - - td-shim: - description: "Confidential Containers Shim Firmware" - url: "https://github.com/confidential-containers/td-shim" - version: "cf9592ef70bd6ba4c7ab1330d278a743f5ba3133" - toolchain: "nightly-2022-05-15" virtiofsd: description: "vhost-user virtio-fs device backend written in Rust"