From 4292c4c3b1aaafa09bd5f6e4bee7cc6766568098 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 8 May 2024 12:01:12 +0200 Subject: [PATCH 01/10] versions: build: Remove TDX specific OVMF (TDVF) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's remove everything related to the TDVF building / shipping from our repo, as we'll be relying on the one coming from the distro. Later on, we may need to re-add TDVF logic, as we're already using upstream edk2 repo / content, but when that's needed we'll simply revert this commit. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 4 ---- .../kata-deploy/local-build/kata-deploy-binaries.sh | 10 ---------- tools/packaging/static-build/ovmf/build-ovmf.sh | 3 --- versions.yaml | 6 ------ 4 files changed, 23 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index e307a7fc20..34f025ca1a 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -33,7 +33,6 @@ BASE_TARBALLS = serial-targets \ qemu-tdx-experimental-tarball \ stratovirt-tarball \ shim-v2-tarball \ - tdvf-tarball \ virtiofsd-tarball BASE_SERIAL_TARBALLS = rootfs-image-tarball \ rootfs-image-confidential-tarball \ @@ -166,9 +165,6 @@ runk-tarball: shim-v2-tarball: ${MAKE} $@-build -tdvf-tarball: - ${MAKE} $@-build - trace-forwarder-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index a34bc06a36..3a5b096e2b 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -119,7 +119,6 @@ options: rootfs-initrd-mariner runk shim-v2 - tdvf trace-forwarder virtiofsd EOF 
@@ -736,7 +735,6 @@ install_ovmf() { local component_name="ovmf" [ "${ovmf_type}" == "sev" ] && component_name="ovmf-sev" - [ "${ovmf_type}" == "tdx" ] && component_name="tdvf" latest_artefact="$(get_from_kata_deps "externals.ovmf.${ovmf_type}.version")" latest_builder_image="$(get_ovmf_image_name)" @@ -753,11 +751,6 @@ install_ovmf() { tar xvf "${builddir}/${tarball_name}" -C "${destdir}" } -# Install TDVF -install_tdvf() { - install_ovmf "tdx" "edk2-tdx.tar.gz" -} - # Install OVMF SEV install_ovmf_sev() { install_ovmf "sev" "edk2-sev.tar.gz" @@ -970,7 +963,6 @@ handle_build() { install_stratovirt install_runk install_shimv2 - install_tdvf install_trace_forwarder install_virtiofsd ;; @@ -1035,8 +1027,6 @@ handle_build() { shim-v2) install_shimv2 ;; - tdvf) install_tdvf ;; - trace-forwarder) install_trace_forwarder ;; virtiofsd) install_virtiofsd ;; diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index b873074587..49d3a51dc3 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh @@ -77,9 +77,6 @@ popd info "Install fd to destdir" install_dir="${DESTDIR}/${PREFIX}/share/ovmf" -if [ "${ovmf_build}" == "tdx" ]; then - install_dir="$DESTDIR/$PREFIX/share/tdvf" -fi mkdir -p "${install_dir}" if [ "${ovmf_build}" == "sev" ]; then diff --git a/versions.yaml b/versions.yaml index e0413a92dc..3ee117917f 100644 --- a/versions.yaml +++ b/versions.yaml @@ -337,12 +337,6 @@ externals: version: "edk2-stable202302" package: "OvmfPkg/AmdSev/AmdSevX64.dsc" package_output_dir: "AmdSev" - tdx: - # yamllint disable-line rule:line-length - description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww15" - version: "edk2-stable202302" - package: "OvmfPkg/IntelTdx/IntelTdxX64.dsc" - package_output_dir: "IntelTdx" td-shim: description: "Confidential Containers Shim Firmware" 
From ea82740b19e0388a96d10fb35ac549171ad22dc7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 8 May 2024 12:11:13 +0200 Subject: [PATCH 02/10] versions: build: Remove TDX specific QEMU MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's remove everything related to the TDX specific QEMU building / shipping from our repo, as we'll be relying on the one coming from the distros. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 4 ---- .../local-build/kata-deploy-binaries.sh | 15 --------------- versions.yaml | 5 ----- 3 files changed, 24 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 34f025ca1a..4473333df8 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -30,7 +30,6 @@ BASE_TARBALLS = serial-targets \ ovmf-tarball \ qemu-snp-experimental-tarball \ qemu-tarball \ - qemu-tdx-experimental-tarball \ stratovirt-tarball \ shim-v2-tarball \ virtiofsd-tarball @@ -138,9 +137,6 @@ qemu-tarball: boot-image-se-tarball: kernel-confidential-tarball rootfs-initrd-confidential-tarball ${MAKE} $@-build -qemu-tdx-experimental-tarball: - ${MAKE} $@-build - stratovirt-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 3a5b096e2b..0d4919204d 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -110,7 +110,6 @@ options: ovmf-sev qemu qemu-snp-experimental - qemu-tdx-experimental stratovirt rootfs-image rootfs-image-confidential 
@@ -548,17 +547,6 @@ install_qemu() { "${qemu_builder}" } -install_qemu_tdx_experimental() { - export qemu_suffix="tdx-experimental" - export qemu_tarball_name="kata-static-qemu-${qemu_suffix}.tar.gz" - - install_qemu_helper \ - "assets.hypervisor.qemu-${qemu_suffix}.url" \ - "assets.hypervisor.qemu-${qemu_suffix}.tag" \ - "qemu-${qemu_suffix}" \ - "${qemu_experimental_builder}" -} - install_qemu_snp_experimental() { export qemu_suffix="snp-experimental" export qemu_tarball_name="kata-static-qemu-${qemu_suffix}.tar.gz" @@ -959,7 +947,6 @@ handle_build() { install_ovmf_sev install_qemu install_qemu_snp_experimental - install_qemu_tdx_experimental install_stratovirt install_runk install_shimv2 @@ -1009,8 +996,6 @@ handle_build() { qemu-snp-experimental) install_qemu_snp_experimental ;; - qemu-tdx-experimental) install_qemu_tdx_experimental ;; - stratovirt) install_stratovirt ;; rootfs-image) install_image ;; diff --git a/versions.yaml b/versions.yaml index 3ee117917f..e7ca137303 100644 --- a/versions.yaml +++ b/versions.yaml @@ -99,11 +99,6 @@ assets: https://github.com/qemu/qemu/tags .*/v?(\d\S+)\.tar\.gz - qemu-tdx-experimental: - description: ¨QEMU with TDX support" - url: "https://github.com/intel/qemu-tdx" - tag: "tdx-qemu-next-2023.9.21-v8.1.0" - qemu-snp-experimental: description: "QEMU with SNP support" url: "https://github.com/confidential-containers/qemu.git" From f2d40da8e49c8c889f47485ca8adc416d1186546 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 8 May 2024 12:18:06 +0200 Subject: [PATCH 03/10] versions: build: Remove unused td-shim entry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We haven't been using nor testing with td-shim, as Cloud Hypervisor does not officially support TDX yet, and TDVF is supposed to be used with QEMU, instead of td-shim. 
Signed-off-by: Fabiano Fidêncio --- .../packaging/static-build/td-shim/Dockerfile | 23 --------- .../static-build/td-shim/build-td-shim.sh | 42 ---------------- tools/packaging/static-build/td-shim/build.sh | 48 ------------------- versions.yaml | 6 --- 4 files changed, 119 deletions(-) delete mode 100644 tools/packaging/static-build/td-shim/Dockerfile delete mode 100755 tools/packaging/static-build/td-shim/build-td-shim.sh delete mode 100755 tools/packaging/static-build/td-shim/build.sh diff --git a/tools/packaging/static-build/td-shim/Dockerfile b/tools/packaging/static-build/td-shim/Dockerfile deleted file mode 100644 index ed9270ca4a..0000000000 --- a/tools/packaging/static-build/td-shim/Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# Copyright (c) 2022 Intel -# -# SPDX-License-Identifier: Apache-2.0 - -FROM ubuntu:20.04 -ENV DEBIAN_FRONTEND=noninteractive -SHELL ["/bin/bash", "-o", "pipefail", "-c"] -ARG RUST_TOOLCHAIN - -RUN apt-get update && \ - apt-get install -y --no-install-recommends \ - ca-certificates \ - clang \ - curl \ - gcc \ - git \ - llvm \ - nasm && \ - apt-get clean && rm -rf /var/lib/lists/ && \ - curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} && \ - source "$HOME/.cargo/env" && \ - rustup component add rust-src && \ - cargo install cargo-xbuild diff --git a/tools/packaging/static-build/td-shim/build-td-shim.sh b/tools/packaging/static-build/td-shim/build-td-shim.sh deleted file mode 100755 index cbc336d666..0000000000 --- a/tools/packaging/static-build/td-shim/build-td-shim.sh +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/bin/bash -# -# Copyright (c) 2022 Intel -# -# SPDX-License-Identifier: Apache-2.0 - -set -o errexit -set -o nounset -set -o pipefail - -script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -source "${script_dir}/../../scripts/lib.sh" - -tdshim_repo="${tdshim_repo:-}" -DESTDIR=${DESTDIR:-${PWD}} -PREFIX="${PREFIX:-/opt/kata}" - -[ -n "${tdshim_repo}" ] || die "Failed to get TD-shim repo" -[ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit" - -info "Build ${tdshim_repo} version: ${tdshim_version}" - -source ${HOME}/.cargo/env - -build_root=$(mktemp -d) -pushd ${build_root} -git clone --single-branch "${tdshim_repo}" -pushd td-shim -git checkout "${tdshim_version}" -bash sh_script/build_final.sh boot_kernel - -install_dir="${DESTDIR}/${PREFIX}/share/td-shim" -mkdir -p ${install_dir} -install target/x86_64-unknown-uefi/release/final-boot-kernel.bin ${install_dir}/td-shim.bin -popd #td-shim -popd #${build_root} - -local_dir=${PWD} -pushd ${DESTDIR} -tar -czvf "${local_dir}/td-shim.tar.gz" "./$PREFIX" -rm -rf $(dirname ./$PREFIX) -popd #${DESTDIR} diff --git a/tools/packaging/static-build/td-shim/build.sh b/tools/packaging/static-build/td-shim/build.sh deleted file mode 100755 index 457059a8d0..0000000000 --- a/tools/packaging/static-build/td-shim/build.sh +++ /dev/null 
@@ -1,48 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright (c) 2022 Intel -# -# SPDX-License-Identifier: Apache-2.0 - -set -o errexit -set -o nounset -set -o pipefail - -script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -readonly tdshim_builder="${script_dir}/build-td-shim.sh" - -source "${script_dir}/../../scripts/lib.sh" - -DESTDIR=${DESTDIR:-${PWD}} -PREFIX=${PREFIX:-/opt/kata} -kata_version="${kata_version:-}" -tdshim_repo="${tdshim_repo:-}" -tdshim_version="${tdshim_version:-}" -tdshim_toolchain="${tdshim_toolchain:-}" -package_output_dir="${package_output_dir:-}" - -[ -n "${tdshim_repo}" ] || tdshim_repo=$(get_from_kata_deps "externals.td-shim.url") -[ -n "${tdshim_version}" ] || tdshim_version=$(get_from_kata_deps "externals.td-shim.version") -[ -n "${tdshim_toolchain}" ] || tdshim_toolchain=$(get_from_kata_deps "externals.td-shim.toolchain") - -[ -n "${tdshim_repo}" ] || die "Failed to get TD-shim repo" -[ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit" -[ -n "${tdshim_toolchain}" ] || die "Failed to get TD-shim toolchain to be used to build the project" - -container_image="${TDSHIM_CONTAINER_BUILDER:-${BUILDER_REGISTRY}:td-shim-${tdshim_toolchain}-$(get_last_modification ${script_dir})-$(uname -m)}" - -sudo docker pull ${container_image} || (sudo docker build \ - --build-arg RUST_TOOLCHAIN="${tdshim_toolchain}" \ - -t "${container_image}" \ - "${script_dir}" && \ - # No-op unless PUSH_TO_REGISTRY is exported as "yes" - push_to_registry "${container_image}") - -sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ - -w "${PWD}" \ - --env DESTDIR="${DESTDIR}" \ - --env PREFIX="${PREFIX}" \ - --env tdshim_repo="${tdshim_repo}" \ - --env tdshim_version="${tdshim_version}" \ - "${container_image}" \ - bash -c "${tdshim_builder}" diff --git a/versions.yaml b/versions.yaml index e7ca137303..8a60b11101 100644 --- a/versions.yaml +++ b/versions.yaml 
@@ -333,12 +333,6 @@ externals: package: "OvmfPkg/AmdSev/AmdSevX64.dsc" package_output_dir: "AmdSev" - td-shim: - description: "Confidential Containers Shim Firmware" - url: "https://github.com/confidential-containers/td-shim" - version: "cf9592ef70bd6ba4c7ab1330d278a743f5ba3133" - toolchain: "nightly-2022-05-15" - virtiofsd: description: "vhost-user virtio-fs device backend written in Rust" url: "https://gitlab.com/virtio-fs/virtiofsd" From 84b94dc2b14de74813a937d6d35a00cf70a8b55a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 8 May 2024 13:35:48 +0200 Subject: [PATCH 04/10] kata-deploy: Expose /host to the daemon-set MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We'll need to have access to the host os-release file (either under `/etc/os-release` or under `/usr/lib/os-release`), and the simplest approach that comes to my mind to do is doing what a debug pod would do, mounting `/` as `/host` and then allowing us to have access to those files, and then corectly set the TDX specific QEMU and OVMF (TDVF) paths for the tdx available configurations. Signed-off-by: Fabiano Fidêncio --- .../packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml index 5e17214e50..1d552e4d84 100644 --- a/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml +++ b/tools/packaging/kata-deploy/kata-deploy/base/kata-deploy.yaml @@ -58,6 +58,8 @@ spec: mountPath: /opt/kata/ - name: local-bin mountPath: /usr/local/bin/ + - name: host + mountPath: /host/ volumes: - name: crio-conf hostPath: @@ -72,6 +74,9 @@ spec: - name: local-bin hostPath: path: /usr/local/bin/ + - name: host + hostPath: + path: / updateStrategy: rollingUpdate: maxUnavailable: 1 From f48450b36024e3c2914ff461dd1690a516547732 Mon Sep 17 00:00:00 2001 
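Review bot: The new `host` volume mounts the node's entire root filesystem read-write into the daemon-set container, while the commit message says only `/etc/os-release` or `/usr/lib/os-release` is needed. At minimum add `readOnly: true` to the new volumeMount (`- name: host` / `mountPath: /host/` / `readOnly: true`) so a bug in the deploy script cannot write through to arbitrary host paths; narrowing the hostPath to the two files with `type: File` would be tighter still, though `/etc/os-release` is commonly a symlink and may not resolve as a hostPath. The deploy script already reaches the host mount namespace through `nsenter --target 1 --mount`, so this is defence in depth rather than a new privilege boundary, but a read-only mount is the least-privilege default a reviewer would expect for a mount whose only consumer reads one file.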
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 8 May 2024 15:56:21 +0200 Subject: [PATCH 05/10] runtime: config: tdx: Add QEMU / OVMF placeholder var MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's add the PLACEHOLDER_FOR_DISTRO_{QEMU,OVMF}_WITH_TDX_SUPPORT variables instead of actually setting a path, so we can easily replace those as part of our deployment scripts. Signed-off-by: Fabiano Fidêncio --- src/runtime/Makefile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 6ce74e637e..901bceb4e5 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -146,7 +146,8 @@ DEFROOTFSTYPE := $(ROOTFSTYPE_EXT4) FIRMWAREPATH := FIRMWAREVOLUMEPATH := -FIRMWARETDVFPATH := $(PREFIXDEPS)/share/tdvf/OVMF.fd +#FIRMWARETDVFPATH := $(PREFIXDEPS)/share/tdvf/OVMF.fd +FIRMWARETDVFPATH := PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT FIRMWARETDVFVOLUMEPATH := FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd @@ -175,7 +176,8 @@ HYPERVISORS := $(HYPERVISOR_ACRN) $(HYPERVISOR_FC) $(HYPERVISOR_QEMU) $(HYPERVIS QEMUPATH := $(QEMUBINDIR)/$(QEMUCMD) QEMUVALIDHYPERVISORPATHS := [\"$(QEMUPATH)\"] -QEMUTDXPATH := $(QEMUBINDIR)/$(QEMUTDXCMD) +#QEMUTDXPATH := $(QEMUBINDIR)/$(QEMUTDXCMD) +QEMUTDXPATH := PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT QEMUTDXVALIDHYPERVISORPATHS := [\"$(QEMUTDXPATH)\"] QEMUSNPPATH := $(QEMUBINDIR)/$(QEMUSNPCMD) From a9720495deb203210eb4c520f52caa6f15721314 Mon Sep 17 00:00:00 2001 
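Review bot: The commented-out assignments `#FIRMWARETDVFPATH := $(PREFIXDEPS)/share/tdvf/OVMF.fd` and `#QEMUTDXPATH := $(QEMUBINDIR)/$(QEMUTDXCMD)` are dead code left beside the placeholders, and nothing in the Makefile states who replaces the token or that `QEMUTDXVALIDHYPERVISORPATHS`, derived from `QEMUTDXPATH` two lines below, is unusable until that happens. Replace each commented line with a comment stating the contract, e.g. `# Not a real path: substituted at deploy time by tools/packaging/kata-deploy/scripts/kata-deploy.sh with the distro-provided TDX-capable binary.` It is also worth recording that a config shipped without the substitution presumably carries the literal token in both the hypervisor path and `valid_hypervisor_paths`, which is the safe failure mode (no guest can start), so a reader does not mistake the token for a misconfiguration.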
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 8 May 2024 16:27:24 +0200 Subject: [PATCH 06/10] kata-deploy: Ensure the distro QEMU and OVMF are used for TDX MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Here we're checking the distro's `/etc/os-release` or `/usr/lib/os-release` in order to get which distro we're deploying the Kata Containers artefacts to, and then to properly adjust the QEMU and OVMF with TDX support that's been shipped with the distros. Together with that, we're also printing the instructions provided by the distro on how to enable and use TDX. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/scripts/kata-deploy.sh | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh index 60876e10c9..76fa6aeabf 100755 --- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh +++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh @@ -39,6 +39,16 @@ die() { exit 1 } +warn() { + msg="$*" + echo "WARN: $msg" >&2 +} + +info() { + msg="$*" + echo "INFO: $msg" >&2 +} + function host_systemctl() { nsenter --target 1 --mount systemctl "${@}" } 
@@ -148,6 +158,63 @@ function get_kata_containers_config_path() { echo "$config_path" } +function tdx_not_supported() { + distro="${1}" + version="${2}" + + warn "Distro ${distro} ${version} does not support TDX and the TDX related runtime classes will not work in your cluster!" +} + +function tdx_supported() { + distro="${1}" + version="${2}" + config="${3}" + + sed -i -e "s|PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT|$(get_tdx_qemu_path_from_distro ${distro})|g" ${config} + sed -i -e "s|PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT|$(get_tdx_ovmf_path_from_distro ${distro})|g" ${config} + + info "In order to use the tdx related runtime classes, ensure TDX is properly configured for ${distro} ${version} by following the instructions provided at: $(get_tdx_distro_instructions ${distro})" +} + +function get_tdx_distro_instructions() { + distro="${1}" + + case ${distro} in + ubuntu) + echo "https://github.com/canonical/tdx/tree/noble-24.04" + ;; + centos) + echo "https://sigs.centos.org/virt/tdx" + ;; + esac +} + +function get_tdx_qemu_path_from_distro() { + distro="${1}" + + case ${distro} in + ubuntu) + echo "/usr/bin/qemu-system-x86_64" + ;; + centos) + echo "/usr/libexec/qemu-kvm" + ;; + esac +} + +function get_tdx_ovmf_path_from_distro() { + distro="${1}" + + case ${distro} in + ubuntu) + echo "/usr/share/ovmf/OVMF.fd" + ;; + centos) + echo "/usr/share/edk2/ovmf/OVMF.inteltdx.fd" + ;; + esac +} + function install_artifacts() { echo "copying kata artifacts onto host" cp -au /opt/kata-artifacts/opt/kata/* /opt/kata/ 
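Review bot: `tdx_supported` substitutes hard-coded binary paths into the config without checking that the distro packages are actually installed, so a node running a supported Ubuntu/CentOS release but lacking the TDX-enabled qemu or ovmf package ends up with a config pointing at a nonexistent file and a confusing runtime-side failure later. Since the daemon-set now mounts the node root at `/host`, the existence check has to go through that prefix (`/host${qemu_path}`); testing the bare path would inspect the deploy container's own image. The `${config}` and `${distro}` expansions should also be quoted; the `sed` delimiter choice is fine because the returned paths contain no `|`.
```shell
function tdx_supported() {
    distro="${1}"
    version="${2}"
    config="${3}"

    qemu_path="$(get_tdx_qemu_path_from_distro "${distro}")"
    ovmf_path="$(get_tdx_ovmf_path_from_distro "${distro}")"

    # Check via the /host mount: the deploy container's own /usr is not the node's.
    [ -x "/host${qemu_path}" ] || warn "TDX-capable QEMU not found on the host at ${qemu_path}; install the distro package"
    [ -f "/host${ovmf_path}" ] || warn "TDX-capable OVMF not found on the host at ${ovmf_path}; install the distro package"

    sed -i -e "s|PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT|${qemu_path}|g" "${config}"
    sed -i -e "s|PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT|${ovmf_path}|g" "${config}"

    # … unchanged: info message pointing at the distro TDX instructions …
}
```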
@@ -181,6 +248,35 @@ function install_artifacts() { if [ -n "${allowed_hypervisor_annotations}" ]; then sed -i -e "s/^enable_annotations = \[\(.*\)\]/enable_annotations = [\1, $allowed_hypervisor_annotations]/" "${kata_config_file}" fi + + if grep -q "tdx" <<< "$shim"; then + source /host/etc/os-release || source /host/usr/lib/os-release + case ${ID} in + ubuntu) + case ${VERSION_ID} in + 24.04) + tdx_supported ${ID} ${VERSION_ID} ${kata_config_file} + ;; + *) + tdx_not_supported ${ID} ${VERSION_ID} + ;; + esac + ;; + centos) + case ${VERSION_ID} in + 9) + tdx_supported ${ID} ${VERSION_ID} ${kata_config_file} + ;; + *) + tdx_not_supported ${ID} ${VERSION_ID} + ;; + esac + ;; + *) + tdx_not_supported_warning + ;; + esac + fi done # Allow Mariner to use custom configuration. From 1c3037fd25f784df1d20124ddac3db72b7961df2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 23 Apr 2024 16:53:13 +0200 Subject: [PATCH 07/10] Revert "govmm: tdx: Expose the private=on|off knob" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit 582b5b6b1928ba61e48692ce9c015a28c22e8301. The `private=on` bit has never made its way upstream, and was removed from the latest iteration that we're using. With that in mind, let's revert its addition, and later on its usage in the code. Signed-off-by: Fabiano Fidêncio --- src/runtime/pkg/govmm/qemu/qemu.go | 4 ---- 1 file changed, 4 deletions(-) diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go index d11ddb8cc8..4b8a21c3c2 100644 --- a/src/runtime/pkg/govmm/qemu/qemu.go +++ b/src/runtime/pkg/govmm/qemu/qemu.go @@ -2664,10 +2664,6 @@ type Knobs struct { // IOMMUPlatform will enable IOMMU for supported devices IOMMUPlatform bool - - // Whether private memory should be used or not - // This is required by TDX, at least. - Private bool } // IOThread allows IO to be performed on a separate thread. 
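Review bot: The default `*)` branch calls `tdx_not_supported_warning`, which is not defined anywhere in this patch (the helper added above is `tdx_not_supported distro version`), so a node running any distro other than ubuntu/centos hits a "command not found" in the deploy script; change it to `tdx_not_supported "${ID}" "${VERSION_ID:-unknown}"`. Sourcing `/host/etc/os-release` also deserves a caveat: on hosts where that file is an absolute symlink to `/usr/lib/os-release` the path resolves inside the container image rather than on the node, so reading `/host/usr/lib/os-release` directly (falling back to `/host/etc/os-release`) is the more reliable order for a mounted root. `ID` and `VERSION_ID` are set by `source` on every iteration of the enclosing `for` loop (whose start is outside the hunk), so a host file without `VERSION_ID` leaves it empty and it should be quoted (`case "${VERSION_ID}" in`) to keep the `case` word intact. `source` executes the host file as shell, which is acceptable only because the node root is already trusted by this daemon-set.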
From 416d00228c19650698f8f6cb9fd5e731babe2732 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 23 Apr 2024 16:53:53 +0200 Subject: [PATCH 08/10] Revert "qemu: tdx: Adapt command line" (partially) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit b7cccfa019f6bb49bad5b72d4a23fe5ef4523df0. The `private=on` bit has never made its way upstream, and was removed from the latest iteration that we're using. With that in mind, let's revert its usage in the code. Signed-off-by: Fabiano Fidêncio --- src/runtime/pkg/govmm/qemu/qemu.go | 3 --- src/runtime/pkg/govmm/qemu/qemu_test.go | 31 ------------------------- src/runtime/virtcontainers/qemu.go | 11 --------- 3 files changed, 45 deletions(-) diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go index 4b8a21c3c2..88e191de1d 100644 --- a/src/runtime/pkg/govmm/qemu/qemu.go +++ b/src/runtime/pkg/govmm/qemu/qemu.go @@ -3028,9 +3028,6 @@ func (config *Config) appendMemoryKnobs() { numaMemParam = "node,memdev=" + dimmName } - if config.Knobs.Private { - objMemParam += ",private=on" - } if config.Knobs.MemShared { objMemParam += ",share=on" } diff --git a/src/runtime/pkg/govmm/qemu/qemu_test.go b/src/runtime/pkg/govmm/qemu/qemu_test.go index 3fcdbe0d6f..3471ec2828 100644 --- a/src/runtime/pkg/govmm/qemu/qemu_test.go +++ b/src/runtime/pkg/govmm/qemu/qemu_test.go @@ -586,7 +586,6 @@ func TestAppendMemoryFileBackedMem(t *testing.T) { knobs := Knobs{ FileBackedMem: true, MemShared: false, - Private: false, } objMemString := "-object memory-backend-file,id=dimm1,size=1G,mem-path=foobar" numaMemString := "-numa node,memdev=dimm1" 
@@ -600,36 +599,6 @@ func TestAppendMemoryFileBackedMem(t *testing.T) { } testConfigAppend(conf, knobs, memString+" "+knobsString, t) - - // Reset the conf and memString values - conf = &Config{ - Memory: Memory{ - Size: "1G", - Slots: 8, - MaxMem: "3G", - Path: "foobar", - }, - } - memString = "-m 1G,slots=8,maxmem=3G" - testConfigAppend(conf, conf.Memory, memString, t) - - knobs = Knobs{ - FileBackedMem: true, - MemShared: false, - Private: true, - } - objMemString = "-object memory-backend-file,id=dimm1,size=1G,mem-path=foobar,private=on" - numaMemString = "-numa node,memdev=dimm1" - memBackendString = "-machine memory-backend=dimm1" - - knobsString = objMemString + " " - if isDimmSupported(nil) { - knobsString += numaMemString - } else { - knobsString += memBackendString - } - - testConfigAppend(conf, knobs, memString+" "+knobsString, t) } func TestAppendMemoryFileBackedMemPrealloc(t *testing.T) { diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go index ae07adbead..ecb1b2161e 100644 --- a/src/runtime/virtcontainers/qemu.go +++ b/src/runtime/virtcontainers/qemu.go @@ -615,17 +615,6 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi return err } - if q.config.ConfidentialGuest { - // At this point we're safe to just check for the protection field - // on the hypervisor specific code, as availableGuestProtection() - // has been called earlier and we know we have the value stored. - if q.arch.getProtection() == tdxProtection { - - // TDX relies on ",private=on" passed to the memory object. - knobs.Private = true - } - } - kernelPath, err := q.config.KernelAssetPath() if err != nil { return err From 77f457c0e112a7088c95f3c96240f619fe159244 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 8 May 2024 21:23:07 +0200 Subject: [PATCH 09/10] runtime: tdx: Drop sept-ve-disable=on MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This was needed when we were using an old (and not maintained anymore) host stack. Considering what we have as part of the distros, Today, this can simply be dropped, as I cannot find any reference of this one being needed in any up-to-date documentation. Signed-off-by: Fabiano Fidêncio --- src/runtime/pkg/govmm/qemu/qemu.go | 1 - 1 file changed, 1 deletion(-) diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go index 88e191de1d..b48baff8f6 100644 --- a/src/runtime/pkg/govmm/qemu/qemu.go +++ b/src/runtime/pkg/govmm/qemu/qemu.go @@ -363,7 +363,6 @@ func (object Object) QemuParams(config *Config) []string { case TDXGuest: objectParams = append(objectParams, string(object.Type)) - objectParams = append(objectParams, "sept-ve-disable=on") objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID)) if object.Debug { objectParams = append(objectParams, "debug=on") From aba56a8adb3b1de08e1f8bfae4e31d01681fd5e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 9 May 2024 07:58:13 +0200 Subject: [PATCH 10/10] tests: measured-rootfs: Skip policy addition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's skip the policy addition for now, in order to get the TDX CI back up and running, and then we can re-enable it as soon as we get https://github.com/kata-containers/kata-containers/issues/9612 fixed. Signed-off-by: Fabiano Fidêncio --- tests/integration/kubernetes/k8s-measured-rootfs.bats | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats index cee9466926..6ad04e434a 100644 
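Review bot: Dropping `sept-ve-disable=on` is not just a command-line cleanup: that property maps to a bit in the TD's ATTRIBUTES, which is part of the TDREPORT/quote, so any attestation policy or reference values that pin the attributes field for Kata TDX guests will stop matching once this ships. Whether the guest still boots now depends on the distro QEMU's default for that property (recent Linux TDX guest kernels, as far as I recall, refuse to run with SEPT_VE_DISABLE clear), so the commit message's "cannot find any reference" should be backed by a check against the QEMU versions the targeted distros actually ship. A one-line comment at the `case TDXGuest:` branch such as `// sept-ve-disable is left to the QEMU default; changing it alters the TD ATTRIBUTES seen by attestation` would record that for the next reader.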
--- a/tests/integration/kubernetes/k8s-measured-rootfs.bats +++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats @@ -41,8 +41,10 @@ teardown() { # Run on a specific node so we know from where to inspect the logs set_node "$pod_config" "$node" - # Add an "allow all" policy if policy testing is enabled. - add_allow_all_policy_to_yaml "$pod_config" +# Skip adding the policy, as it's causing the test to fail. +# See more details on: https://github.com/kata-containers/kata-containers/issues/9612 +# # Add an "allow all" policy if policy testing is enabled. +# add_allow_all_policy_to_yaml "$pod_config" # For debug sake echo "Pod $pod_config file:" @@ -52,4 +54,4 @@ teardown() { assert_logs_contain "$node" kata "$node_start_time" \ 'verity: .* metadata block .* is corrupted' -} \ No newline at end of file +}