From 511dd5feacbe3fe278763e55262ba11e694bf643 Mon Sep 17 00:00:00 2001
From: Hyounggyu Choi
Date: Mon, 22 May 2023 18:43:36 +0200
Subject: [PATCH] local-build: add support to build IBM Z SE image
This is to add an artifact for IBM Z SE(TEE) to main.
Fixes: #6754
Signed-off-by: Hyounggyu Choi
---
 ci/lib.sh | 21 +++
 tools/packaging/guest-image/build_se_image.sh | 165 ++++++++++++++++++
 2 files changed, 186 insertions(+)
 create mode 100755 tools/packaging/guest-image/build_se_image.sh
diff --git a/ci/lib.sh b/ci/lib.sh
index 29b640a6ae..3dca29b7ec 100644
--- a/ci/lib.sh
+++ b/ci/lib.sh
@@ -64,3 +64,24 @@ run_get_pr_changed_file_details()
 source "$tests_repo_dir/.ci/lib.sh"
 get_pr_changed_file_details
 }
+
+# Check if the 1st argument version is greater than and equal to 2nd one
+# Version format: [0-9]+ separated by period (e.g. 2.4.6, 1.11.3 and etc.)
+#
+# Parameters:
+# $1 - a version to be tested
+# $2 - a target version
+#
+# Return:
+# 0 if $1 is greater than and equal to $2
+# 1 otherwise
+version_greater_than_equal() {
+ local current_version=$1
+ local target_version=$2
+ smaller_version=$(echo -e "$current_version\n$target_version" | sort -V | head -1)
+ if [ "${smaller_version}" = "${target_version}" ]; then
+ return 0
+ else
+ return 1
+ fi
+}
diff --git a/tools/packaging/guest-image/build_se_image.sh b/tools/packaging/guest-image/build_se_image.sh
new file mode 100755
index 0000000000..e25ce84822
--- /dev/null
+++ b/tools/packaging/guest-image/build_se_image.sh
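Review bot: `smaller_version` in `version_greater_than_equal` is assigned without `local`, so once the helper is called it leaves a global behind in every script that sources `ci/lib.sh`; adding `local smaller_version` on the line above the assignment fixes that. `echo -e` is also a non-portable way to feed `sort -V`; `printf '%s\n' "$current_version" "$target_version" | sort -V | head -1` performs the same comparison without depending on echo's escape handling. Note that an empty first argument sorts before any version under `sort -V` and therefore yields 1, which callers that extract the version with a `grep` that may match nothing should keep in mind.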
@@ -0,0 +1,165 @@
+#!/usr/bin/env bash
+# Copyright (c) 2023 IBM Corp.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+[ -n "${DEBUG:-}" ] && set -x
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+readonly script_name="$(basename "${BASH_SOURCE[0]}")"
+readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly packaging_root_dir="$(cd "${script_dir}/../" && pwd)"
+readonly kata_root_dir="$(cd "${packaging_root_dir}/../../" && pwd)"
+
+source "$kata_root_dir/ci/lib.sh"
+source "${packaging_root_dir}/scripts/lib.sh"
+
+[ "$(uname -m)" = s390x ] || die "Building a Secure Execution image is currently only supported on s390x."
+
+finish() {
+ if [ -e "${parmfile}" ]; then
+ rm -f "${parmfile}"
+ fi
+}
+
+trap finish EXIT
+
+usage() {
+ cat >&2 << EOF
+Usage:
+ ${script_name} [options]
+
+Options:
+ --builddir=${builddir}
+ --destdir=${destdir}
+
+Environment variables:
+ HKD_PATH (required): Secure Execution host key document, generally specific to your machine. See
+ https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
+ for information on how to retrieve and verify this document.
+ DEBUG : If set, display debug information.
+EOF
+ exit "${1:-0}"
+}
+
+# Build a IBM zSystem secure execution (SE) image
+#
+# Parameters:
+# $1 - kernel_parameters
+# $2 - a source directory where kernel and initrd are located
+# $3 - a destination directory where a SE image is built
+#
+# Return:
+# 0 if the image is successfully built
+# 1 otherwise
+build_secure_image() {
+ kernel_params="${1:-}"
+ install_src_dir="${2:-}"
+ install_dest_dir="${3:-}"
+
+ if [ ! -f "${install_src_dir}/vmlinuz.container" ] ||
+ [ ! -f "${install_src_dir}/kata-containers-initrd.img" ]; then
+ cat << EOF >&2
+Either kernel or initrd does not exist or is mistakenly named
+A file name for kernel must be vmlinuz.container (raw binary)
+A file name for initrd must be kata-containers-initrd.img
+EOF
+ return 1
+ fi
+
+ cmdline="${kernel_params} panic=1 scsi_mod.scan=none swiotlb=262144"
+ parmfile="$(mktemp --suffix=-cmdline)"
+ echo "${cmdline}" > "${parmfile}"
+ chmod 600 "${parmfile}"
+
+ [ -n "${HKD_PATH:-}" ] || (echo >&2 "No host key document specified." && return 1)
+ cert_list=($(ls -1 $HKD_PATH))
+ declare hkd_options
+ eval "for cert in ${cert_list[*]}; do
+ hkd_options+=\"--host-key-document=\\\"\$HKD_PATH/\$cert\\\" \"
+ done"
+
+ command -v genprotimg > /dev/null 2>&1 || die "A package s390-tools is not installed."
+ extra_arguments=""
+ genprotimg_version=$(genprotimg --version | grep -Po '(?<=version )[^-]+')
+ if ! version_greater_than_equal "${genprotimg_version}" "2.17.0"; then
+ extra_arguments="--x-pcf '0xe0'"
+ fi
+
+ eval genprotimg \
+ "${extra_arguments}" \
+ "${hkd_options}" \
+ --output="${install_dest_dir}/kata-containers-se.img" \
+ --image="${install_src_dir}/vmlinuz.container" \
+ --ramdisk="${install_src_dir}/kata-containers-initrd.img" \
+ --parmfile="${parmfile}" \
+ --no-verify # no verification for CI testing purposes
+
+ build_result=$?
+ if [ $build_result -eq 0 ]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+build_image() {
+ image_source_dir="${builddir}/secure-image"
+ mkdir -p "${image_source_dir}"
+ pushd "${tarball_dir}"
+ for tarball_id in kernel rootfs-initrd; do
+ tar xvf kata-static-${tarball_id}.tar.xz -C "${image_source_dir}"
+ done
+ popd
+
+ protimg_source_dir="${image_source_dir}${prefix}/share/kata-containers"
+ local kernel_params=""
+ if ! build_secure_image "${kernel_params}" "${protimg_source_dir}" "${install_dir}"; then
+ usage 1
+ fi
+}
+
+main() {
+ readonly prefix="/opt/kata"
+ builddir="${PWD}"
+ tarball_dir="${builddir}/../.."
+ while getopts "h-:" opt; do
+ case "$opt" in
+ -)
+ case "${OPTARG}" in
+ builddir=*)
+ builddir=${OPTARG#*=}
+ ;;
+ destdir=*)
+ destdir=${OPTARG#*=}
+ ;;
+ *)
+ echo >&2 "ERROR: Invalid option -$opt${OPTARG}"
+ usage 1
+ ;;
+ esac
+ ;;
+ h) usage 0 ;;
+ *)
+ echo "Invalid option $opt" >&2
+ usage 1
+ ;;
+ esac
+ done
+ readonly destdir
+ readonly builddir
+
+ info "Build IBM zSystems & LinuxONE SE image"
+
+ install_dir="${destdir}${prefix}/share/kata-containers"
+ readonly install_dir
+
+ mkdir -p "${install_dir}"
+
+ build_image
+}
+
+main $*
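Review bot: In `build_secure_image` the `--host-key-document` options are built from `cert_list=($(ls -1 $HKD_PATH))` and two `eval`s, so every file name under `HKD_PATH` (and the quoted `extra_arguments` string) is re-parsed as shell syntax before `genprotimg` runs, and a name containing whitespace, a glob character or a quote either breaks the build or is interpreted as code; collecting the options in arrays and invoking `genprotimg` directly, as sketched below, removes both `eval`s and the `ls` parsing. Just above that, `[ -n "${HKD_PATH:-}" ] || (echo >&2 "No host key document specified." && return 1)` returns from a subshell rather than from the function, so execution continues with `HKD_PATH` unset; `|| die "No host key document specified."` gives the intended abort. `finish` dereferences `"${parmfile}"` under `set -o nounset` although the trap is installed before any parmfile exists, so an early `usage 1` or `die` fails a second time inside the trap; `if [ -e "${parmfile:-}" ]; then` avoids that. `--no-verify` is hard-wired with a CI-only comment, yet this script produces the SE artifact itself, so the host key documents are never checked against their signing chain; verification should be the default, with the skip behind an explicit environment variable. Finally, `main $*` on the last line word-splits its arguments and should be `main "$@"`.
```shell
	[ -n "${HKD_PATH:-}" ] || die "No host key document specified."
	local -a hkd_options=()
	local cert
	for cert in "${HKD_PATH}"/*; do
		[ -e "${cert}" ] || die "No host key document found in ${HKD_PATH}"
		hkd_options+=("--host-key-document=${cert}")
	done

	# … unchanged: genprotimg presence check and version probe …
	local -a extra_arguments=()
	if ! version_greater_than_equal "${genprotimg_version}" "2.17.0"; then
		extra_arguments=(--x-pcf 0xe0)
	fi

	# ${arr[@]+"${arr[@]}"} keeps an empty array safe under nounset on bash < 4.4
	genprotimg \
		${extra_arguments[@]+"${extra_arguments[@]}"} \
		"${hkd_options[@]}" \
		--output="${install_dest_dir}/kata-containers-se.img" \
		# … unchanged: --image, --ramdisk, --parmfile, --no-verify …
```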