gpu: Add NVIDIA GPU Confidential kernel target

This is a follow up to the work of minimizing targets, unifying TDX,SNP builds for NVIDIA GPUs

Fixes: #8828

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -41,6 +41,7 @@ jobs:
           - kernel-dragonball-experimental
           - kernel-tdx-experimental
           - kernel-nvidia-gpu
+          - kernel-nvidia-gpu-confidential
           - kernel-nvidia-gpu-snp
           - kernel-nvidia-gpu-tdx-experimental
           - nydus

tools/packaging/kata-deploy/local-build/Makefile

@@ -23,6 +23,7 @@ BASE_TARBALLS = serial-targets \
 	kernel-confidential-tarball \
 	kernel-dragonball-experimental-tarball \
 	kernel-nvidia-gpu-tarball \
+	kernel-nvidia-gpu-confidential-tarball \
 	kernel-nvidia-gpu-snp-tarball \
 	kernel-nvidia-gpu-tdx-experimental-tarball \
 	kernel-tarball \
@@ -105,6 +106,9 @@ kernel-dragonball-experimental-tarball:
 kernel-nvidia-gpu-tarball:
 	${MAKE} $@-build
 
+kernel-nvidia-gpu-confidential-tarball:
+	${MAKE} $@-build
+
 kernel-nvidia-gpu-snp-tarball:
 	${MAKE} $@-build
 

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -99,6 +99,7 @@ options:
 	kernel-nvidia-gpu
 	kernel-nvidia-gpu-snp
 	kernel-nvidia-gpu-tdx-experimental
+	kernel-nvidia-gpu-confidential
 	kernel-sev-tarball
 	kernel-tdx-experimental
 	nydus
@@ -317,7 +318,7 @@ install_kernel_helper() {
 		kernel_version="$(get_from_kata_deps assets.kernel.sev.version)"
 		default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
 		module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
-	elif [[ "${kernel_name}" == "kernel-confidential" ]]; then
+	elif [[ "${kernel_name}" == "kernel"*"-confidential" ]]; then
 		kernel_version="$(get_from_kata_deps assets.kernel.confidential.version)"
 		default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
 		module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-confidential/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
@@ -364,6 +365,16 @@ install_kernel_nvidia_gpu() {
 		"-g nvidia -u ${kernel_url} -H deb"
 }
 
+#Install GPU and TEE enabled kernel asset
+install_kernel_nvidia_gpu_confidential() {
+	local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"
+
+	install_kernel_helper \
+		"assets.kernel.confidential.version" \
+		"kernel-nvidia-gpu-confidential" \
+		"-x confidential -g nvidia -u ${kernel_url} -H deb"
+}
+
 #Install GPU and SNP enabled kernel asset
 install_kernel_nvidia_gpu_snp() {
 	local kernel_url="$(get_from_kata_deps assets.kernel.sev.url)"
@@ -811,6 +822,8 @@ handle_build() {
 
 	kernel-nvidia-gpu) install_kernel_nvidia_gpu ;;
 
+	kernel-nvidia-gpu-confidential) install_kernel_nvidia_gpu_confidential ;;
+
 	kernel-nvidia-gpu-snp) install_kernel_nvidia_gpu_snp;;
 
 	kernel-nvidia-gpu-tdx-experimental) install_kernel_nvidia_gpu_tdx_experimental;;

tools/packaging/kernel/build-kernel.sh

@@ -475,7 +475,7 @@ build_kernel_headers() {
 	pushd "${kernel_path}" >>/dev/null
 
 	if [ "$linux_headers" == "deb" ]; then
-		make -j $(nproc ${CI:+--ignore 1}) deb-pkg ARCH="${arch_target}"
+		make -j $(nproc ${CI:+--ignore 1}) bindeb-pkg ARCH="${arch_target}"
 	fi
 	if [ "$linux_headers" == "rpm" ]; then
 		make -j $(nproc ${CI:+--ignore 1}) rpm-pkg ARCH="${arch_target}"

tools/packaging/kernel/kata_config_version

@@ -1 +1 @@
-121
+122

tools/packaging/static-build/kernel/Dockerfile

@@ -15,6 +15,7 @@ RUN apt-get update && \
 	    build-essential \
 	    ca-certificates \
 	    curl \
+	    debhelper \
 	    flex \
 	    git \
 	    iptables \