From bc8464e04f5df72811c3b8fe99ae8a81b0e33329 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Fri, 11 Feb 2022 15:27:12 -0600
Subject: [PATCH 1/3] packaging/kernel: add option -s option

Add -s option to skip .config checks

Signed-off-by: Julio Montes
---
 tools/packaging/kernel/build-kernel.sh | 10 +++++++++-
 .../kernel/patches/tdx-guest-v5.15-4.x/no_patches.txt | 0
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 tools/packaging/kernel/patches/tdx-guest-v5.15-4.x/no_patches.txt

diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index 0aa831f65..a67b922cc 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -53,6 +53,8 @@ hypervisor_target=""
 arch_target=""
 #
 kernel_config_path=""
+#
+skip_config_checks="false"
 # destdir
 DESTDIR="${DESTDIR:-/}"
 #PREFIX=
@@ -92,6 +94,7 @@ Options:
 -h : Display this help.
 -k : Path to kernel to build.
 -p : Path to a directory with patches to apply to kernel.
+ -s : Skip .config checks
 -t : Hypervisor_target.
 -v : Kernel version to use if kernel path not provided.
 -x : Confidential guest protection type, such as sev
@@ -233,6 +236,8 @@ get_kernel_frag_path() {
 # Do not care about options that are in whitelist
 results=$(grep -v -f ${default_config_whitelist} <<< "$results")
 
+ [[ "${skip_config_checks}" == "true" ]] && echo "${config_path}" && return
+
 # Did we request any entries that did not make it?
 local missing=$(echo $results | grep -v -q "${not_in_string}"; echo $?)
 if [ ${missing} -ne 0 ]; then
@@ -438,7 +443,7 @@ install_kata() {
 }
 
 main() {
- while getopts "a:b:c:defg:hk:p:t:v:x:" opt; do
+ while getopts "a:b:c:defg:hk:p:st:v:x:" opt; do
 case "$opt" in
 a)
 arch_target="${OPTARG}"
@@ -472,6 +477,9 @@ main() {
 p)
 patches_path="${OPTARG}"
 ;;
+ s)
+ skip_config_checks="true"
+ ;;
 t)
 hypervisor_target="${OPTARG}"
 ;;
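Review bot: The early return added after the whitelist grep in get_kernel_frag_path() silently bypasses the "did we request any entries that did not make it?" check, so a build that drops a required config fragment leaves no trace in the log when -s is given. Because the function's stdout is the return channel for its caller (`echo "${config_path}"`), the notice has to go to stderr: `[[ "${skip_config_checks}" == "true" ]] && echo "WARNING: -s given, skipping .config checks" >&2 && echo "${config_path}" && return`. The usage line in the earlier hunk could state the consequence as well, e.g. `-s : Skip .config checks (missing fragment options are not reported)`. get_kernel_frag_path() starts and ends outside this hunk.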
diff --git a/tools/packaging/kernel/patches/tdx-guest-v5.15-4.x/no_patches.txt b/tools/packaging/kernel/patches/tdx-guest-v5.15-4.x/no_patches.txt
new file mode 100644
index 000000000..e69de29bb

From 987525291799dd0fd26e989c40f883e1a6e9d375 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Fri, 11 Feb 2022 15:33:18 -0600
Subject: [PATCH 2/3] versions: add url and tag for tdx kernel

Add url and tag for tdx kernel

Signed-off-by: Julio Montes
---
 versions.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/versions.yaml b/versions.yaml
index 8e8ee9b36..828280a6f 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -150,6 +150,10 @@ assets:
 description: "Linux kernel optimised for virtual machines"
 url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
 version: "v5.10.25"
+ tdx:
+ description: "Linux kernel that supports TDX"
+ url: "https://github.com/intel/tdx/archive/refs/tags"
+ tag: "tdx-guest-v5.15-4"
 
 kernel-experimental:
 description: "Linux kernel with virtio-fs support"

From 1797b3eb049cf39f5081b46adf0f157e87ee3f42 Mon Sep 17 00:00:00 2001
From: Julio Montes
Date: Fri, 11 Feb 2022 15:35:00 -0600
Subject: [PATCH 3/3] packaging/kernel: build TDX guest kernel

Add support for building TDX kernel from github.com/intel/tdx

To build a guest kernel that supports Intel TDx run:

```
./build-kernel.sh -s -x tdx -d setup
./build-kernel.sh -s -x tdx -d install
```

fixes #3650

Signed-off-by: Julio Montes
---
 tools/packaging/kernel/build-kernel.sh | 29 ++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index a67b922cc..93e82d590 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -97,7 +97,7 @@ Options:
 -s : Skip .config checks
 -t : Hypervisor_target.
 -v : Kernel version to use if kernel path not provided.
- -x : Confidential guest protection type, such as sev
+ -x : Confidential guest protection type, such as sev and tdx
 EOT
 exit "$exit_code"
 }
@@ -115,6 +115,22 @@ arch_to_kernel() {
 esac
 }
 
+get_tdx_kernel() {
+ local version="${1}"
+ local kernel_path=${2}
+
+ mkdir -p ${kernel_path}
+
+ kernel_url=$(get_from_kata_deps "assets.kernel.tdx.url")
+ kernel_tarball="${version}.tar.gz"
+
+ if [ ! -f "${kernel_tarball}" ]; then
+ curl --fail -OL "${kernel_url}/${kernel_tarball}"
+ fi
+
+ tar --strip-components=1 -xf ${kernel_tarball} -C ${kernel_path}
+}
+
 get_kernel() {
 local version="${1:-}"
 
@@ -122,7 +138,10 @@ get_kernel() {
 [ -n "${kernel_path}" ] || die "kernel_path not provided"
 [ ! -d "${kernel_path}" ] || die "kernel_path already exist"
 
-
+ if [ "${conf_guest}" == "tdx" ]; then
+ get_tdx_kernel ${version} ${kernel_path}
+ return
+ fi
 #Remove extra 'v'
 version=${version#v}
 
@@ -472,7 +491,7 @@ main() {
 usage 0
 ;;
 k)
- kernel_path="${OPTARG}"
+ kernel_path="$(realpath ${OPTARG})"
 ;;
 p)
 patches_path="${OPTARG}"
@@ -489,7 +508,7 @@ main() {
 x)
 conf_guest="${OPTARG}"
 case "$conf_guest" in
- sev) ;;
+ sev|tdx) ;;
 *) die "Confidential guest type '$conf_guest' not supported" ;;
 esac
 ;;
@@ -506,6 +525,8 @@ main() {
 if [ -z "$kernel_version" ]; then
 if [[ ${build_type} == "experimental" ]]; then
 kernel_version=$(get_from_kata_deps "assets.kernel-experimental.tag")
+ elif [[ "${conf_guest}" == "tdx" ]]; then
+ kernel_version=$(get_from_kata_deps "assets.kernel.tdx.tag")
 else
 kernel_version=$(get_from_kata_deps "assets.kernel.version")
 fi
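Review bot: get_tdx_kernel() unpacks whatever `curl --fail -OL` fetched from the GitHub tag URL with no integrity check, and a `${kernel_tarball}` already present in the working directory is reused without inspection, so a moved tag, a partial download left by an earlier run, or a tampered file becomes the guest kernel source. Record a digest next to the tag in versions.yaml and verify it before the `tar` line: `echo "${expected_sha256}  ${kernel_tarball}" | sha256sum -c - || die "checksum mismatch for ${kernel_tarball}"` (`expected_sha256` is a constructed name for the value read from that new key). `kernel_url` and `kernel_tarball` are assigned without `local` and so become globals of the script, which presumably is not intended; `${kernel_path}` and `${kernel_tarball}` are unquoted in `mkdir -p` and `tar`, as are the arguments of the `get_tdx_kernel ${version} ${kernel_path}` call in the next hunk, and quoting them costs nothing.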
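Review bot: `kernel_path="$(realpath ${OPTARG})"` in the k) case leaves `${OPTARG}` unquoted, and when realpath fails (for instance because the parent directory does not exist) the substitution yields an empty string, so the script later dies with the misleading `kernel_path not provided`. Check the status where it happens: `kernel_path="$(realpath "${OPTARG}")" || die "invalid kernel path: ${OPTARG}"`. main() starts and ends outside this hunk.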