Merge pull request #6755 from BbolroC/add-se-artifacts-to-main

packaging: Add IBM Z SE artifacts to main
2025-10-21 11:58:41 +00:00 · 2023-12-08 05:17:38 +01:00
parent a5105b4227 3fab1690a4
commit 588f639a69
11 changed files with 1053 additions and 26 deletions
--- a/tools/packaging/guest-image/build_se_image.sh
+++ b/tools/packaging/guest-image/build_se_image.sh
@@ -0,0 +1,180 @@
+#!/usr/bin/env bash
+# Copyright (c) 2023 IBM Corp.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+[ -n "${DEBUG:-}" ] && set -x
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+readonly script_name="$(basename "${BASH_SOURCE[0]}")"
+readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly packaging_root_dir="$(cd "${script_dir}/../" && pwd)"
+readonly kata_root_dir="$(cd "${packaging_root_dir}/../../" && pwd)"
+
+source "$kata_root_dir/ci/lib.sh"
+source "${packaging_root_dir}/scripts/lib.sh"
+
+ARCH=${ARCH:-$(uname -m)}
+if [ $(uname -m) == "${ARCH}" ]; then
+	[ "${ARCH}" == "s390x" ] || die "Building a Secure Execution image is currently only supported on s390x."
+fi
+
+finish() {
+	if [ -e "${parmfile}" ]; then
+		rm -f "${parmfile}"
+	fi
+}
+
+trap finish EXIT
+
+usage() {
+	cat >&2 << EOF
+Usage:
+  ${script_name} [options]
+
+Options:
+  --builddir=${builddir}
+  --destdir=${destdir}
+
+Environment variables:
+  HKD_PATH (required): a path for a directory which includes at least one host key document
+                  for Secure Execution, generally specific to your machine. See
+                  https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
+                  for information on how to retrieve and verify this document.
+  SIGNING_KEY_CERT_PATH: a path for the IBM zSystem signing key certificate
+  INTERMEDIATE_CA_CERT_PATH: a path for the intermediate CA certificate signed by the root CA
+  DEBUG         : If set, display debug information.
+EOF
+	exit "${1:-0}"
+}
+
+# Build a IBM zSystem secure execution (SE) image
+#
+# Parameters:
+#	$1	- kernel_parameters
+#	$2	- a source directory where kernel and initrd are located
+#	$3	- a destination directory where a SE image is built
+#
+# Return:
+# 	0 if the image is successfully built
+#	1 otherwise
+build_secure_image() {
+	kernel_params="${1:-}"
+	install_src_dir="${2:-}"
+	install_dest_dir="${3:-}"
+	key_verify_option="--no-verify" # no verification for CI testing purposes
+
+	if [ -n "${SIGNING_KEY_CERT_PATH:-}" ] && [ -n "${INTERMEDIATE_CA_CERT_PATH:-}" ]; then
+		if [ -e "${SIGNING_KEY_CERT_PATH}" ] && [ -e "${INTERMEDIATE_CA_CERT_PATH}" ]; then
+			key_verify_option="--cert=${SIGNING_KEY_CERT_PATH} --cert=${INTERMEDIATE_CA_CERT_PATH}"
+		else
+			die "Specified certificate(s) not found"
+		fi
+	fi
+
+	if [ ! -f "${install_src_dir}/vmlinuz.container" ] ||
+		[ ! -f "${install_src_dir}/kata-containers-initrd.img" ]; then
+		cat << EOF >&2
+Either kernel or initrd does not exist or is mistakenly named
+A file name for kernel must be vmlinuz.container (raw binary)
+A file name for initrd must be kata-containers-initrd.img
+EOF
+		return 1
+	fi
+
+	cmdline="${kernel_params} panic=1 scsi_mod.scan=none swiotlb=262144"
+	parmfile="$(mktemp --suffix=-cmdline)"
+	echo "${cmdline}" > "${parmfile}"
+	chmod 600 "${parmfile}"
+
+	[ -n "${HKD_PATH:-}" ] || (echo >&2 "No host key document specified." && return 1)
+	cert_list=($(ls -1 $HKD_PATH))
+	declare hkd_options
+	eval "for cert in ${cert_list[*]}; do
+		hkd_options+=\"--host-key-document=\\\"\$HKD_PATH/\$cert\\\" \"
+	done"
+
+	command -v genprotimg > /dev/null 2>&1 || die "A package s390-tools is not installed."
+	extra_arguments=""
+	genprotimg_version=$(genprotimg --version | grep -Po '(?<=version )[^-]+')
+	if ! version_greater_than_equal "${genprotimg_version}" "2.17.0"; then
+		extra_arguments="--x-pcf '0xe0'"
+	fi
+
+	eval genprotimg \
+		"${extra_arguments}" \
+		"${hkd_options}" \
+		--output="${install_dest_dir}/kata-containers-se.img" \
+		--image="${install_src_dir}/vmlinuz.container" \
+		--ramdisk="${install_src_dir}/kata-containers-initrd.img" \
+		--parmfile="${parmfile}" \
+		"${key_verify_option}"
+
+	build_result=$?
+	if [ $build_result -eq 0 ]; then
+		return 0
+	else
+		return 1
+	fi
+}
+
+build_image() {
+	image_source_dir="${builddir}/secure-image"
+	mkdir -p "${image_source_dir}"
+	pushd "${tarball_dir}"
+	for tarball_id in kernel rootfs-initrd; do
+		tar xvf kata-static-${tarball_id}.tar.xz -C "${image_source_dir}"
+	done
+	popd
+
+	protimg_source_dir="${image_source_dir}${prefix}/share/kata-containers"
+	local kernel_params="${SE_KERNEL_PARAMS:-}"
+	if ! build_secure_image "${kernel_params}" "${protimg_source_dir}" "${install_dir}"; then
+		usage 1
+	fi
+}
+
+main() {
+	readonly prefix="/opt/kata"
+	builddir="${PWD}"
+	tarball_dir="${builddir}/../.."
+	while getopts "h-:" opt; do
+		case "$opt" in
+		-)
+			case "${OPTARG}" in
+			builddir=*)
+				builddir=${OPTARG#*=}
+				;;
+			destdir=*)
+				destdir=${OPTARG#*=}
+				;;
+			*)
+				echo >&2 "ERROR: Invalid option -$opt${OPTARG}"
+				usage 1
+				;;
+			esac
+			;;
+		h) usage 0 ;;
+		*)
+			echo "Invalid option $opt" >&2
+			usage 1
+			;;
+		esac
+	done
+	readonly destdir
+	readonly builddir
+
+	info "Build IBM zSystems & LinuxONE SE image"
+
+	install_dir="${destdir}${prefix}/share/kata-containers"
+	readonly install_dir
+
+	mkdir -p "${install_dir}"
+
+	build_image
+}
+
+main $*
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -9,19 +9,16 @@ MK_DIR := $(dir $(MK_PATH))
 # Verbose build
 V := 1

-define BUILD
-	$(MK_DIR)/kata-deploy-binaries-in-docker.sh $(if $(V),,-s) --build=$1
-endef
+ifeq ($(CROSS_BUILD),)
+	CROSS_BUILD = false
+endif

-kata-tarball: | all-parallel merge-builds
+ifeq ($(CROSS_BUILD),false)
+	ARCH := $(shell uname -m)
+endif

-$(MK_DIR)/dockerbuild/install_yq.sh:
-	$(MK_DIR)/kata-deploy-copy-yq-installer.sh
-
-all-parallel: $(MK_DIR)/dockerbuild/install_yq.sh
-	${MAKE} -f $(MK_PATH) all -j $(shell nproc ${CI:+--ignore 1}) V=
-
-all: serial-targets \
+ifeq ($(ARCH), x86_64)
+BASE_TARBALLS = serial-targets \
 	firecracker-tarball \
 	kernel-dragonball-experimental-tarball \
 	kernel-nvidia-gpu-tarball \
@@ -39,16 +36,40 @@ all: serial-targets \
 	shim-v2-tarball \
 	tdvf-tarball \
 	virtiofsd-tarball
-
-serial-targets:
-	${MAKE} -f $(MK_PATH) -j 1 V= \
-	rootfs-image-tarball \
+BASE_SERIAL_TARBALLS = rootfs-image-tarball \
 	rootfs-image-tdx-tarball \
 	rootfs-initrd-mariner-tarball \
 	rootfs-initrd-sev-tarball \
 	rootfs-initrd-tarball \
 	cloud-hypervisor-tarball \
 	cloud-hypervisor-glibc-tarball
+else ifeq ($(ARCH), s390x)
+BASE_TARBALLS = serial-targets \
+	kernel-tarball \
+	qemu-tarball \
+	shim-v2-tarball \
+	virtiofsd-tarball
+BASE_SERIAL_TARBALLS = rootfs-image-tarball \
+	rootfs-initrd-tarball
+endif
+
+define BUILD
+	$(MK_DIR)/kata-deploy-binaries-in-docker.sh $(if $(V),,-s) --build=$1
+endef
+
+kata-tarball: | all-parallel merge-builds
+
+$(MK_DIR)/dockerbuild/install_yq.sh:
+	$(MK_DIR)/kata-deploy-copy-yq-installer.sh
+
+all-parallel: $(MK_DIR)/dockerbuild/install_yq.sh
+	${MAKE} -f $(MK_PATH) all -j $(shell nproc ${CI:+--ignore 1}) V=
+
+all: ${BASE_TARBALLS}
+
+serial-targets:
+	${MAKE} -f $(MK_PATH) -j 1 V= \
+	${BASE_SERIAL_TARBALLS}

 %-tarball-build: $(MK_DIR)/dockerbuild/install_yq.sh
 	$(call BUILD,$*)
@@ -113,6 +134,9 @@ qemu-snp-experimental-tarball:
 qemu-tarball:
 	${MAKE} $@-build

+boot-image-se-tarball: kernel-tarball rootfs-initrd-tarball
+	${MAKE} $@-build
+
 qemu-tdx-experimental-tarball:
 	${MAKE} $@-build

--- a/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile
+++ b/tools/packaging/kata-deploy/local-build/dockerbuild/Dockerfile
@@ -5,6 +5,9 @@
 FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND=noninteractive
 ENV INSTALL_IN_GOPATH=false
+# Required for libxml2-dev
+ENV TZ=Etc/UTC
+ARG ARCH

 COPY install_yq.sh /usr/bin/install_yq.sh
 COPY install_oras.sh /usr/bin/install_oras.sh
@@ -40,15 +43,43 @@ RUN if [ ${IMG_USER} != "root" ] && [ ! -z ${HOST_DOCKER_GID} ]; then groupadd -
 RUN if [ ${IMG_USER} != "root" ] && [ ! -z ${HOST_DOCKER_GID} ]; then usermod -a -G docker_on_host ${IMG_USER};fi
 RUN sh -c "echo '${IMG_USER} ALL=NOPASSWD: ALL' >> /etc/sudoers"

+RUN if [ "${ARCH}" != "$(uname -m)" ] && [ "${ARCH}" == "s390x" ]; then sed -i 's/^deb/deb [arch=amd64]/g' /etc/apt/sources.list && \
+    dpkg --add-architecture "s390x" && \
+    echo "deb [arch=s390x] http://ports.ubuntu.com/ focal main multiverse universe" >> /etc/apt/sources.list && \
+    echo "deb [arch=s390x] http://ports.ubuntu.com/ focal-security main multiverse universe" >> /etc/apt/sources.list && \
+    echo "deb [arch=s390x] http://ports.ubuntu.com/ focal-backports main multiverse universe" >> /etc/apt/sources.list && \
+    echo "deb [arch=s390x] http://ports.ubuntu.com/ focal-updates main multiverse universe" >> /etc/apt/sources.list; fi
+
 #FIXME: gcc is required as agent is build out of a container build.
 RUN apt-get update && \
-  apt-get install --no-install-recommends -y \
-  build-essential \
-  cpio \
-  gcc \
-  unzip \
-  xz-utils && \
-  apt-get clean && rm -rf /var/lib/apt/lists
+    apt-get install --no-install-recommends -y \
+    build-essential \
+    cpio \
+    gcc \
+    unzip \
+    xz-utils && \
+    if [ "${ARCH}" != "$(uname -m)" ] && [ "${ARCH}" == "s390x" ]; then \
+        apt-get install -y --no-install-recommends \
+        gcc-s390x-linux-gnu \
+        g++-s390x-linux-gnu \
+        binutils-s390x-linux-gnu \
+        dpkg-dev \
+        apt-utils \
+        libssl-dev:s390x \
+        libcurl4-openssl-dev:s390x \
+        libjson-c-dev:s390x \
+        pkg-config:s390x \
+        libxml2-dev:s390x \
+        libjson-c-dev:s390x \
+        libglib2.0-0:s390x \
+        libglib2.0-dev:s390x; \
+    elif uname -m | grep -Eq 's390x'; then apt-get install -y s390-tools; fi && \
+    apt-get clean && rm -rf /var/lib/apt/lists
+
+RUN if [ "${ARCH}" != "$(uname -m)" ] && [ "${ARCH}" == "s390x" ]; then \
+        git clone -b v2.25.0 https://github.com/ibm-s390-linux/s390-tools.git && cd s390-tools && \
+        pushd genprotimg && pushd boot && make CROSS_COMPILE=s390x-linux-gnu- && popd && pushd src && \
+        make CROSS_COMPILE=s390x-linux-gnu- && popd && make install && popd || return; fi

 ENV USER ${IMG_USER}
 USER ${IMG_USER}
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@@ -75,6 +75,7 @@ docker build -q -t build-kata-deploy \
 	--build-arg http_proxy="${http_proxy}" \
 	--build-arg https_proxy="${https_proxy}" \
 	--build-arg HOST_DOCKER_GID=${docker_gid} \
+	--build-arg ARCH="${ARCH}" \
 	"${script_dir}/dockerbuild/"

 CI="${CI:-}"
@@ -119,6 +120,9 @@ docker run \
 	--env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER}" \
 	--env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \
 	--env USE_CACHE="${USE_CACHE}" \
+	--env AA_KBC="${AA_KBC:-}" \
+	--env HKD_PATH="$(realpath "${HKD_PATH:-}" 2> /dev/null || true)" \
+	--env SE_KERNEL_PARAMS="${SE_KERNEL_PARAMS:-}" \
 	--env CROSS_BUILD="${CROSS_BUILD}" \
 	--env TARGET_ARCH="${TARGET_ARCH}" \
 	--env ARCH="${ARCH}" \
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -35,6 +35,7 @@ readonly virtiofsd_builder="${static_build_dir}/virtiofsd/build.sh"
 readonly nydus_builder="${static_build_dir}/nydus/build.sh"
 readonly rootfs_builder="${repo_root_dir}/tools/packaging/guest-image/build_image.sh"
 readonly tools_builder="${static_build_dir}/tools/build.sh"
+readonly se_image_builder="${repo_root_dir}/tools/packaging/guest-image/build_se_image.sh"

 ARCH=${ARCH:-$(uname -m)}
 MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
@@ -85,6 +86,7 @@ options:
 	agent
 	agent-opa
 	agent-ctl
+	boot-image-se
 	cloud-hypervisor
 	cloud-hypervisor-glibc
 	firecracker
@@ -258,6 +260,11 @@ install_initrd_sev() {
 	install_initrd "sev"
 }

+install_se_image() {
+	info "Create IBM SE image configured with AA_KBC=${AA_KBC}"
+	"${se_image_builder}" --destdir="${destdir}"
+}
+
 #Install kernel component helper
 install_cached_kernel_tarball_component() {
 	local kernel_name=${1}
@@ -762,6 +769,8 @@ handle_build() {
 	agent-opa) install_agent_opa ;;

 	agent-ctl) install_agent_ctl ;;
+	
+	boot-image-se) install_se_image ;;

 	cloud-hypervisor) install_clh ;;

--- a/tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
+++ b/tools/packaging/kata-deploy/runtimeclasses/kata-runtimeClasses.yaml
@@ -92,6 +92,19 @@ scheduling:
 ---
 kind: RuntimeClass
 apiVersion: node.k8s.io/v1
+metadata:
+    name: kata-qemu-se
+handler: kata-qemu-se
+overhead:
+    podFixed:
+        memory: "2048Mi"
+        cpu: "1.0"
+scheduling:
+  nodeSelector:
+    katacontainers.io/kata-runtime: "true"
+---
+kind: RuntimeClass
+apiVersion: node.k8s.io/v1
 metadata:
    name: kata-qemu-tdx
 handler: kata-qemu-tdx