From a7d33cc0cbec485a94fdf0b7079ab3fa8b6da8c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Feb 2025 15:51:33 +0100 Subject: [PATCH 1/5] build: Ensure MEASURED_ROOTFS is only used for images MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We never ever tested MEASURED_ROOTFS with initrd, and I sincerely do not know why we've been setting that to "yes" in the initrd cases. Let's drop it, as it may be causing issues with the jobs that rely on the rootfs-initrd-confidential. Signed-off-by: Fabiano FidĂȘncio --- .../kata-deploy/local-build/kata-deploy-binaries.sh | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 11508233b..48d04099c 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -472,11 +472,7 @@ install_initrd() { #Install guest initrd for confidential guests install_initrd_confidential() { - if [ "${ARCH}" == "s390x" ]; then - export MEASURED_ROOTFS=no - else - export MEASURED_ROOTFS=yes - fi + export MEASURED_ROOTFS=no export PULL_TYPE=default install_initrd "confidential" } From aaa7008cad768d4d8109d4cf7984e3e7b241d903 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Feb 2025 18:34:50 +0100 Subject: [PATCH 2/5] versions: Add a comment about "jammy" being 22.04 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I missed that when I added the other comments, so, for the sake of consistency, let's just add it there as well. Signed-off-by: Fabiano FidĂȘncio --- versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.yaml b/versions.yaml index f685949fc..a42123dca 100644 --- a/versions.yaml +++ b/versions.yaml 
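Review bot: After dropping the s390x branch, nothing in install_initrd_confidential says why MEASURED_ROOTFS is forced to `no` for a confidential build, which is exactly the question the commit message leaves open; add a comment above the export, e.g. `# MEASURED_ROOTFS only applies to image builds; initrd builds have never used it, so keep it off here`. If, as its name suggests, the variable gates rootfs integrity measurement, a reader skimming a function named install_initrd_confidential will otherwise assume the measurement is being disabled deliberately for security reasons rather than because it is not applicable. The value is still a process-wide `export`, so whether install_initrd or anything it calls consults it for an initrd build is not visible in this hunk and is worth confirming before relying on `no` being inert.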
@@ -168,7 +168,7 @@ assets: version: "jammy" # 22.04 LTS nvidia-gpu-confidential: name: "ubuntu" - version: "jammy" + version: "jammy" # 22.04 LTS # Do not use Alpine on ppc64le & s390x, the agent cannot use musl because # there is no such Rust target ppc64le: From aa30f9ab1f45fe7bf92228bc4c2209337737089b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Feb 2025 18:33:21 +0100 Subject: [PATCH 3/5] versions: Use jammy for x86_64 confidential initrd Set confidential initrd to use jammy rootfs Signed-off-by: Ryan Savino --- versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.yaml b/versions.yaml index a42123dca..1bf3ca965 100644 --- a/versions.yaml +++ b/versions.yaml @@ -185,7 +185,7 @@ assets: version: "3.18" confidential: name: "ubuntu" - version: "focal" # 20.04 LTS + version: "jammy" # 22.04 LTS nvidia-gpu: name: "ubuntu" version: "jammy" # 22.04 LTS From a00a7c500abdfc0ab950a23eb15389b5135bc008 Mon Sep 17 00:00:00 2001 From: Ryan Savino Date: Sun, 23 Feb 2025 00:01:53 -0600 Subject: [PATCH 4/5] build: initrd rootfs init symlink directly to systemd when no AGENT_INIT In some cases, /init is not following two levels of symlinks i.e. /init to /sbin/init to /lib/systemd/systemd Setting /init directly to /lib/systemd/systemd when AGENT_INIT is not mandated Signed-Off-By: Ryan Savino --- tools/osbuilder/initrd-builder/initrd_builder.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tools/osbuilder/initrd-builder/initrd_builder.sh b/tools/osbuilder/initrd-builder/initrd_builder.sh index 47af6d0a9..f3c1c2883 100755 --- a/tools/osbuilder/initrd-builder/initrd_builder.sh +++ b/tools/osbuilder/initrd-builder/initrd_builder.sh 
@@ -74,7 +74,16 @@ OK "Agent is installed" # initramfs expects /init, create symlink only if ${ROOTFS}/init does not exist # Init may be provided by other packages, e.g. systemd or GPU initrd/rootfs -[ -x "${ROOTFS}/init" ] || [ -L "${ROOTFS}/init" ] || sudo ln -sf /sbin/init "${ROOTFS}/init" +if [ ! -x "${ROOTFS}/init" ] && [ ! -L "${ROOTFS}/init" ]; then + # ATTN: In some instances, /init is not following two or more levels of symlinks + # i.e. (/init to /sbin/init to /lib/systemd/systemd) + # Setting /init directly to /lib/systemd/systemd when AGENT_INIT is disabled + if [ "${AGENT_INIT}" = "yes" ]; then + sudo ln -sf /sbin/init "${ROOTFS}/init" + else + sudo ln -sf /lib/systemd/systemd "${ROOTFS}/init" + fi +fi info "Creating ${IMAGE_DIR}/${IMAGE_NAME} based on rootfs at ${ROOTFS}" ( cd "${ROOTFS}" && sudo find . | sudo cpio -H newc -o | gzip -9 ) > "${IMAGE_DIR}"/"${IMAGE_NAME}" From ceafa82f2efc83c673486dcf318694bfd48a850b Mon Sep 17 00:00:00 2001 From: Ryan Savino Date: Mon, 24 Feb 2025 03:47:54 -0600 Subject: [PATCH 5/5] tests: skip trusted storage tests for qemu-snp skip tests for trusted storage until #10838 is resolved. Signed-Off-By: Ryan Savino --- tests/integration/kubernetes/k8s-guest-pull-image.bats | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/integration/kubernetes/k8s-guest-pull-image.bats b/tests/integration/kubernetes/k8s-guest-pull-image.bats index 9bd6bbc3f..94cf07b7e 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image.bats 
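Review bot: The new `else` branch links `${ROOTFS}/init` to `/lib/systemd/systemd` without checking that the target exists inside the rootfs, and `ln -sf` creates a dangling symlink without complaint, so a rootfs where systemd lives elsewhere or was not installed now fails only at guest boot with no init instead of at build time. Verifying the target before linking keeps the failure in the build log where it can be acted on; the rewrite below resolves the target once and checks it (if `/lib` in the rootfs were an absolute symlink the `-e` test would look at the host, so adjust the check if that is the case). The `ATTN` comment's "in some instances" is vague — if the affected unpacker or kernel is known, naming it would let the next reader judge whether the direct link is still needed. Both `ln` calls are otherwise identical, so one call with a variable target also reads cleaner.
```shell
if [ ! -x "${ROOTFS}/init" ] && [ ! -L "${ROOTFS}/init" ]; then
  # … unchanged: ATTN comment on multi-level symlink resolution …
  init_target=/sbin/init
  if [ "${AGENT_INIT}" != "yes" ]; then
    init_target=/lib/systemd/systemd
    # Fail at build time rather than shipping an initrd whose /init dangles.
    [ -e "${ROOTFS}${init_target}" ] || { echo "${init_target} not found in ${ROOTFS}" >&2; exit 1; }
  fi
  sudo ln -sf "${init_target}" "${ROOTFS}/init"
fi
```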
@@ -90,6 +90,7 @@ setup() { @test "Test we can pull an image inside the guest using trusted storage" { [ "$(uname -m)" == "s390x" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838" + [ "${KATA_HYPERVISOR}" == "qemu-snp" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838" # The image pulled in the guest will be downloaded and unpacked in the `/run/kata-containers/image` directory. # The tests will use `cryptsetup` to encrypt a block device and mount it at `/run/kata-containers/image`. @@ -138,6 +139,7 @@ setup() { @test "Test we cannot pull a large image that pull time exceeds createcontainer timeout inside the guest" { [ "$(uname -m)" == "s390x" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838" + [ "${KATA_HYPERVISOR}" == "qemu-snp" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838" storage_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${storage_config_template}").XXX") local_device=$(create_loop_device) @@ -181,6 +183,7 @@ setup() { @test "Test we can pull a large image inside the guest with large createcontainer timeout" { [ "$(uname -m)" == "s390x" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838" + [ "${KATA_HYPERVISOR}" == "qemu-snp" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838" if [ "${KATA_HYPERVISOR}" = "qemu-coco-dev" ] && [ "${KBS_INGRESS}" = "aks" ]; then skip "skip this specific one due to issue https://github.com/kata-containers/kata-containers/issues/10299"
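Review bot: The added guard compares with `==` inside single-bracket `[ ]`, whereas the existing `KATA_HYPERVISOR` comparison visible in the third hunk uses the POSIX `=`; the same line is added in the second and third hunks of this file. For consistency with that check write `[ "${KATA_HYPERVISOR}" = "qemu-snp" ] && skip "See: https://github.com/kata-containers/kata-containers/issues/10838"`. The identical skip now appears in three tests alongside the identical s390x skip, so hoisting both into the `setup()` named in the hunk headers, which lies outside these hunks, would keep the skip reason and issue link in one place. The third hunk's test body continues past the end of SOURCE.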