From 8b4b2333587e194e1d5bbc6926c2aa1e40690cbb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 23 May 2023 10:19:50 +0200
Subject: [PATCH 1/3] runtime: config: Fix image path for QEMU TDX
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The rebase from `main` to `CCv0` ended up overwriting the image path that should be used for QEMU, in the CCv0 branch.

Fixes: #6932
Signed-off-by: Fabiano FidĂȘncio
---
 src/runtime/config/configuration-qemu-tdx.toml.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/runtime/config/configuration-qemu-tdx.toml.in b/src/runtime/config/configuration-qemu-tdx.toml.in
index d43c9cea18..e169b31f46 100644
--- a/src/runtime/config/configuration-qemu-tdx.toml.in
+++ b/src/runtime/config/configuration-qemu-tdx.toml.in
@@ -14,7 +14,7 @@
 [hypervisor.qemu]
 path = "@QEMUTDXPATH@"
 kernel = "@KERNELTDXPATH@"
-image = "@IMAGEPATH@"
+image = "@IMAGETDXPATH@"
 # initrd = "@INITRDPATH@"
 machine_type = "@MACHINETYPE@"

From efb0ac55c8be67d5a6609edfa697ca6bf8e1d918 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 24 May 2023 07:57:49 +0200
Subject: [PATCH 2/3] runtime: config: tdx: Enable service_offload
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This also as mistakenly overwritten by the `main` -> `CCv0` merge.

Signed-off-by: Fabiano FidĂȘncio
---
 src/runtime/config/configuration-qemu-tdx.toml.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/runtime/config/configuration-qemu-tdx.toml.in b/src/runtime/config/configuration-qemu-tdx.toml.in
index e169b31f46..384bea041f 100644
--- a/src/runtime/config/configuration-qemu-tdx.toml.in
+++ b/src/runtime/config/configuration-qemu-tdx.toml.in
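Review bot: The commented-out `# initrd = "@INITRDPATH@"` line directly below the change still carries the generic placeholder while `image` now uses the TDX-specific `@IMAGETDXPATH@`, so anyone uncommenting it would pair a TDX kernel and image with a non-TDX initrd. If the Makefile provides a TDX-specific initrd substitution it should be used here too; if it does not, a one-line comment such as `# initrd is deliberately unset for TDX: the guest boots from the TDX image above` would make the intent explicit. Since this regression came from a template placeholder being silently swapped, a build-time check that the generated configuration contains no unsubstituted `@...@` tokens would have caught it before it reached a branch. The `[hypervisor.qemu]` table continues outside the hunk.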
@@ -664,7 +664,7 @@ experimental=@DEFAULTEXPFEATURES@
 #
 # Offload the CRI image management service to the Kata agent.
 # (default: false)
-#service_offload = true
+service_offload = true
 # Container image decryption keys provisioning.
 # Applies only if service_offload is true.

From 370811b0170f76a6cce4fd151d96a23d8837e0c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 24 May 2023 19:01:44 +0200
Subject: [PATCH 3/3] runtime: Fix TDVF configuration with QEMU TDX
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Instead of setting:
```
firmware = "/path/to/OVMF.fd"
firmware_volume = "/path/to/OVMF_VARS.fd"
```
We should either be setting:
```
firmware = "/path/to/OVMF.fd"
```
Or:
```
firmware = "/path/to/OVMF_CODE.fd"
firmware_volume = "/path/to/OVMF_VARS.fd"
```
I'm taking the approach to setting up the latter, as that's what's been tested as part of our TDX CI.

Fixes: #4926

This patch is the same as #4927, but it ended up reverted somewhere in the CCv0 -> main process, or in the attempts to fix TDX after that.

Signed-off-by: Fabiano FidĂȘncio
---
 src/runtime/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 931647de33..57ee327b41 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -152,7 +152,7 @@ SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) agent.enable_signature_verifica
 SNPKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_SNP)
 KERNELPARAMS += $(ROOTMEASURECONFIG) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS)
-FIRMWARETDVFPATH := $(PREFIXDEPS)/share/tdvf/OVMF.fd
+FIRMWARETDVFPATH := $(PREFIXDEPS)/share/tdvf/OVMF_CODE.fd
 FIRMWARETDVFVOLUMEPATH := $(PREFIXDEPS)/share/tdvf/OVMF_VARS.fd
 # Name of default configuration file the runtime will use.
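Review bot: `service_offload = true` is set with no comment saying why this TDX template departs from the `# (default: false)` documented immediately above it, which is exactly the kind of silent divergence that the `main` -> `CCv0` merge lost once already. A one-line rationale next to the setting, e.g. `# Enabled for TDX: the CRI image management service runs in the Kata agent inside the guest.`, would let the next person merging branches recognise the value as deliberate rather than a leftover. Note also that the decryption-keys provisioning settings below, which the comment says apply only when `service_offload` is true, are now live for this template; presumably their defaults further down the file were reviewed with that in mind, but the hunk does not show them.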
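Review bot: `FIRMWARETDVFPATH` and `FIRMWARETDVFVOLUMEPATH` form a pair that is only valid in one combination (split `OVMF_CODE.fd` plus `OVMF_VARS.fd`, or `OVMF.fd` alone), yet nothing in the Makefile records that constraint, which is how the same fix got reverted once before according to the commit message. A short comment above the two assignments, `# TDVF is configured as a split firmware: OVMF_CODE.fd (code) plus OVMF_VARS.fd (variables).` followed by `# Do not pair the combined OVMF.fd with a firmware volume (see #4926).`, would make a future regression visible in review. For a TDX guest the firmware file chosen here is presumably what gets measured into the launch measurement, so any attestation reference values maintained alongside the build would need to track the `OVMF_CODE.fd` split image rather than `OVMF.fd`; worth confirming against the CI that tested this. Separately, the context lines show `agent.enable_signature_verification=false` baked into the kernel parameters for all three variants; if that is intentional on this branch, a comment stating why would help, since it is a security-relevant default.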