kata-deploy: support build confidential kernel and shim-v2 for CCA

After supporting the Arm CCA, it will rely on the kernel kvm.h headers to build the runtime. The kernel-headers currently quite new with the traditional one, so that we rely on build the kernel header first and then inject it to the shim-v2 build container. Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org> Co-authored-by: Seunguk Shin <seunguk.shin@arm.com>
2025-10-21 11:58:41 +00:00 · 2024-11-20 14:04:41 +00:00
parent bfa7f2486d
commit 40dac78412
11 changed files with 111 additions and 13 deletions
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -65,6 +65,8 @@ PREFIX="${PREFIX:-/usr}"
 kernel_url=""
 #Linux headers for GPU guest fs module building
 linux_headers=""
+# Kernel Reference to download using git
+kernel_ref=""
 # Enable measurement of the guest rootfs at boot.
 measured_rootfs="false"

@@ -109,6 +111,7 @@ Options:
 	-m              : Enable measured rootfs.
 	-k <path>   	: Path to kernel to build.
 	-p <path>   	: Path to a directory with patches to apply to kernel.
+	-r <ref>        : Enable git mode to download kernel using ref.
 	-s          	: Skip .config checks
 	-t <hypervisor>	: Hypervisor_target.
 	-u <url>	: Kernel URL to be used to download the kernel tarball.
@@ -138,6 +141,26 @@ check_initramfs_or_die() {
 		die "Initramfs for measured rootfs not found at ${default_initramfs}"
 }

+get_git_kernel() {
+	local kernel_path="${2:-}"
+
+	if [ ! -d "${kernel_path}" ] ; then
+		mkdir -p "${kernel_path}"
+		pushd "${kernel_path}"
+		local kernel_git_url="https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
+		if [ -n "${kernel_url}" ]; then
+			kernel_git_url="${kernel_url}"
+		fi
+		git init
+		git remote add origin "${kernel_git_url}"
+		popd
+	fi
+	pushd "${kernel_path}"
+	git fetch --depth 1 origin "${kernel_ref}"
+	git checkout "${kernel_ref}"
+	popd
+}
+
 get_kernel() {
 	local version="${1:-}"

@@ -341,6 +364,10 @@ get_kernel_frag_path() {
 	results=$(grep "${not_in_string}" <<< "$results")
 	# Do not care about options that are in whitelist
 	results=$(grep -v -f ${default_config_whitelist} <<< "$results")
+	local version_config_whitelist="${default_config_whitelist%.*}-${kernel_version}.conf"
+	if [ -f ${version_config_whitelist} ]; then
+		results=$(grep -v -f ${version_config_whitelist} <<< "$results")
+	fi

 	[[ "${skip_config_checks}" == "true" ]] && echo "${config_path}" && return

@@ -441,7 +468,11 @@ setup_kernel() {
 		[ -n "$kernel_version" ] || die "failed to get kernel version: Kernel version is emtpy"

 		if [[ ${download_kernel} == "true" ]]; then
-			get_kernel "${kernel_version}" "${kernel_path}"
+			if [ -z "${kernel_ref}" ]; then
+				get_kernel "${kernel_version}" "${kernel_path}"
+			else
+				get_git_kernel "${kernel_version}" "${kernel_path}"
+			fi
 		fi

 		[ -n "$kernel_path" ] || die "failed to find kernel source path"
@@ -591,7 +622,7 @@ install_kata() {
 }

 main() {
-	while getopts "a:b:c:dD:eEfg:hH:k:mp:st:u:v:x" opt; do
+	while getopts "a:b:c:dD:eEfg:hH:k:mp:r:st:u:v:x" opt; do
 		case "$opt" in
 			a)
 				arch_target="${OPTARG}"
@@ -638,6 +669,9 @@ main() {
 			p)
 				patches_path="${OPTARG}"
 				;;
+			r)
+				kernel_ref="${OPTARG}"
+				;;
 			s)
 				skip_config_checks="true"
 				;;
--- a/tools/packaging/kernel/configs/fragments/arm64/confidential/cca.conf
+++ b/tools/packaging/kernel/configs/fragments/arm64/confidential/cca.conf
@@ -0,0 +1,9 @@
+CONFIG_VIRT_DRIVERS=y
+CONFIG_TSM_REPORTS=y
+CONFIG_ARM_CCA_GUEST=y
+CONFIG_HW_RANDOM=y
+CONFIG_HW_RANDOM_VIRTIO=y
+CONFIG_ACPI_PROCESSOR=y
+CONFIG_HOTPLUG_CPU=y
+CONFIG_ACPI_HOTPLUG_CPU=y
+CONFIG_RODATA_FULL_DEFAULT_ENABLED=y
--- a/tools/packaging/kernel/configs/fragments/arm64/confidential/hotplug.conf
+++ b/tools/packaging/kernel/configs/fragments/arm64/confidential/hotplug.conf
@@ -0,0 +1,3 @@
+# Define hotplugs to be online immediately. Speeds things up, and makes things
+# work smoother on some arch's.
+CONFIG_MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO=y
--- a/tools/packaging/kernel/configs/fragments/arm64/confidential/rme.conf
+++ b/tools/packaging/kernel/configs/fragments/arm64/confidential/rme.conf
@@ -0,0 +1,3 @@
+CONFIG_ARCH_HAS_CC_PLATFORM=y
+CONFIG_ARCH_HAS_MEM_ENCRYPT=y
+CONFIG_ARCH_HAS_FORCE_DMA_UNENCRYPTED=y
--- a/tools/packaging/kernel/configs/fragments/whitelist-6.15.0-rc1-916aeec68dd4500a1cdf4ebf214c5620955daf3f.conf
+++ b/tools/packaging/kernel/configs/fragments/whitelist-6.15.0-rc1-916aeec68dd4500a1cdf4ebf214c5620955daf3f.conf
@@ -0,0 +1,9 @@
+# CONFIG_RANDOM_TRUST_CPU is removed from config since v6.2
+# https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b9b01a5625b5a9e9d96d14d4a813a54e8a124f4b
+CONFIG_RANDOM_TRUST_CPU
+# CONFIG_ACPI_HOTPLUG_CPU is disabled arm64 and riscv since v6.8
+# https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a02f66bb3cf475947b58dd3851b987b8ccd998c1
+CONFIG_ACPI_HOTPLUG_CPU
+# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is disabled since v6.14
+# https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=44d46b76c3a4b514a0cc9dab147ed430e5c1d699
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-169
+170
--- a/tools/packaging/kernel/patches/6.15.x/no_patches.txt
+++ b/tools/packaging/kernel/patches/6.15.x/no_patches.txt