github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-04 19:16:23 +00:00
Code Issues Projects Releases Wiki Activity

tools: let confidential guest kernel builds to exclude fragments

Browse Source 
build-kernel.sh supports exluding fragments from the common base
set based on the kernel target architecture.

However, there are also cases where the base set must be stripped
down for other reason. For example, confidential guest builds want to
exclude some drivers the untrusted host may try to add devices (e.g.,
virtio-rng).

Make build-kernel.sh to skip fragments tagged using '!confidential'
when confidential guest kernels are built.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
This commit is contained in:
Mikko Ylinen 2025-05-09 14:45:33 +03:00
parent 78ff72a386
commit 31d6839eb5
2 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
tools/packaging/kernel/build-kernel.sh
View File

@ -226,8 +226,15 @@ get_kernel_frag_path() {
local config_path="${arch_path}/.config"
local arch_configs="$(ls ${arch_path}/*.conf)"
# Exclude configs if they have !$arch tag in the header
local common_configs="$(grep "\!${arch}" ${common_path}/*.conf -L)"
# By default, exclude configs if they have !$arch tag in the header
local exclude_tags="-e "\!${arch}""
# Also, let confidential guest opt-out some insecure configs
if [[ "${conf_guest}" != "" ]];then
exclude_tags="${exclude_tags} -e "\!${conf_guest}""
fi
local common_configs="$(grep ${exclude_tags} ${common_path}/*.conf -L)"
local extra_configs=""
if [ "${build_type}" != "" ];then

2
tools/packaging/kernel/configs/README.md
View File

@ -50,7 +50,7 @@ into a fragment.
If adding config entries for a new subsystem or feature, consider making a new
fragment with an appropriately descriptive name.
If you want to disable an entire fragment for a specific architecture, you can add the tag `# !${arch}` in the first line of the fragment. You can also exclude multiple architectures on the same line. Note the `#` at the beginning of the line, this is required to avoid that the tag is interpreted as a configuration.
If you want to disable an entire fragment for a specific configuration, you can add the tag `# !${arch}` or `# !confidential` in the first line of the fragment. You can also exclude multiple tags on the same line. Note the `#` at the beginning of the line, this is required to avoid that the tag is interpreted as a configuration.
Example of valid exclusion:
```
# !s390x !ppc64le