Merge pull request #12841 from kata-containers/topic/arm-add-qemu-coco-dev

runtime-rs: arm64: ci: Enable qemu-coco-dev tests

.github/workflows/build-kata-static-tarball-arm64.yaml

@@ -43,6 +43,7 @@ jobs:
           - agent
           - busybox
           - cloud-hypervisor
+          - coco-guest-components
           - firecracker
           - kernel
           - kernel-debug
@@ -51,6 +52,7 @@ jobs:
           - kernel-cca-confidential
           - nydus
           - ovmf
+          - pause-image
           - qemu
           - virtiofsd
     env:
@@ -151,6 +153,7 @@ jobs:
       matrix:
         asset:
           - rootfs-image
+          - rootfs-image-confidential
           - rootfs-image-nvidia-gpu
           - rootfs-initrd
     steps:
@@ -216,7 +219,9 @@ jobs:
       matrix:
         asset:
           - busybox
+          - coco-guest-components
           - kernel-nvidia-gpu-modules
+          - pause-image
     steps:
       - uses: geekyeggo/delete-artifact@176a747ab7e287e3ff4787bf8a148716375ca118 # v6.0.0
         with:
@@ -288,6 +293,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          MEASURED_ROOTFS: yes
 
       - name: store-artifact shim-v2
         uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
@@ -297,6 +303,112 @@ jobs:
           retention-days: 15
           if-no-files-found: error
 
+  build-tools-asset:
+    name: build-tools-asset
+    runs-on: ubuntu-24.04-arm
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        asset:
+          - genpolicy
+        stage:
+          - ${{ inputs.stage }}
+    steps:
+      - name: Login to Kata Containers quay.io
+        if: ${{ inputs.push-to-registry == 'yes' }}
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: quay.io
+          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0 # This is needed in order to keep the commit ids history
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: Build ${{ matrix.asset }}
+        id: build
+        run: |
+          make "${KATA_ASSET}-tarball"
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          mkdir -p kata-tools-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-tools-build/.
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
+          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
+          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
+          ARTEFACT_REGISTRY: ghcr.io
+          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
+          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+
+      - name: store-artifact ${{ matrix.asset }}
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: kata-tools-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
+          path: kata-tools-build/kata-static-${{ matrix.asset }}.tar.zst
+          retention-days: 15
+          if-no-files-found: error
+
+  create-kata-tools-tarball:
+    name: create-kata-tools-tarball
+    runs-on: ubuntu-24.04-arm
+    needs: [build-tools-asset]
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          fetch-tags: true
+          persist-credentials: false
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+      - name: get-artifacts
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          pattern: kata-tools-artifacts-arm64-*${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+          merge-multiple: true
+      - name: merge-artifacts
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-tools-artifacts versions.yaml kata-tools-static.tar.zst
+        env:
+          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+      - name: Check kata-tools tarball size (GitHub release asset limit)
+        run: |
+          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
+          GITHUB_ASSET_MAX_BYTES=2147483648
+          tarball_size=$(stat -c "%s" kata-tools-static.tar.zst)
+          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
+            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
+            exit 1
+          fi
+          echo "tarball size: ${tarball_size} bytes"
+      - name: store-artifacts
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: kata-tools-static-tarball-arm64${{ inputs.tarball-suffix }}
+          path: kata-tools-static.tar.zst
+          retention-days: 15
+          if-no-files-found: error
+
   create-kata-tarball:
     name: create-kata-tarball
     runs-on: ubuntu-24.04-arm

.github/workflows/ci.yaml

@@ -217,7 +217,7 @@ jobs:
           tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
           push: true
           context: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/
-          platforms: linux/amd64, linux/s390x
+          platforms: linux/amd64, linux/arm64, linux/s390x
           file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
 
   run-kata-monitor-tests:
@@ -277,6 +277,23 @@ jobs:
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
 
+  run-kata-coco-tests-on-arm64:
+    if: ${{ inputs.skip-test != 'yes' }}
+    needs:
+      - publish-kata-deploy-payload-arm64
+      - build-and-publish-tee-confidential-unencrypted-image
+    uses: ./.github/workflows/run-kata-coco-tests-arm64-k8s.yaml
+    with:
+      tarball-suffix: -${{ inputs.tag }}
+      registry: ghcr.io
+      repo: ${{ github.repository_owner }}/kata-deploy-ci
+      tag: ${{ inputs.tag }}-arm64
+      commit-hash: ${{ inputs.commit-hash }}
+      pr-number: ${{ inputs.pr-number }}
+      target-branch: ${{ inputs.target-branch }}
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+
   run-k8s-tests-on-nvidia-gpu:
     if: ${{ inputs.skip-test != 'yes' }}
     needs: publish-kata-deploy-payload-amd64

.github/workflows/run-kata-coco-tests-arm64-k8s.yaml

@@ -0,0 +1,128 @@
+name: CI | Run kata coco tests on arm64 k8s
+on:
+  workflow_call:
+    inputs:
+      tarball-suffix:
+        required: false
+        type: string
+      registry:
+        required: true
+        type: string
+      repo:
+        required: true
+        type: string
+      tag:
+        required: true
+        type: string
+      pr-number:
+        required: true
+        type: string
+      commit-hash:
+        required: false
+        type: string
+      target-branch:
+        required: false
+        type: string
+        default: ""
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD:
+        required: false
+
+permissions: {}
+
+jobs:
+  run-k8s-tests-coco-arm64-k8s:
+    name: run-k8s-tests-coco-arm64-k8s (${{ matrix.vmm }}, ${{ matrix.k8s }})
+    strategy:
+      fail-fast: false
+      matrix:
+        vmm:
+          - qemu-coco-dev-runtime-rs
+        k8s:
+          - kubeadm
+    runs-on: arm64-k8s
+    environment:
+      name: ci
+      deployment: false
+    env:
+      DOCKER_REGISTRY: ${{ inputs.registry }}
+      DOCKER_REPO: ${{ inputs.repo }}
+      DOCKER_TAG: ${{ inputs.tag }}
+      GH_PR_NUMBER: ${{ inputs.pr-number }}
+      KATA_HYPERVISOR: ${{ matrix.vmm }}
+      KUBERNETES: ${{ matrix.k8s }}
+      K8S_TEST_HOST_TYPE: all
+      TARGET_ARCH: "aarch64"
+      KBS: "true"
+      KBS_INGRESS: "nodeport"
+      AUTO_GENERATE_POLICY: "yes"
+      PULL_TYPE: "guest-pull"
+      SNAPSHOTTER: "nydus"
+      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: kata-tools-static-tarball-arm64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
+      - name: Deploy Kata
+        timeout-minutes: 20
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+
+      - name: Uninstall previous `kbs-client`
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
+
+      - name: Deploy CoCo KBS
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+
+      - name: Install `kbs-client`
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+
+      - name: Install `bats`
+        run: bash tests/integration/kubernetes/gha-run.sh install-bats
+
+      - name: Run tests
+        timeout-minutes: 90
+        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
+      - name: Collect artifacts ${{ matrix.vmm }}
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
+        continue-on-error: true
+
+      - name: Archive artifacts ${{ matrix.vmm }}
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: k8s-coco-arm64-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
+          path: /tmp/artifacts
+          retention-days: 1
+
+      - name: Delete kata-deploy
+        if: always()
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup

docs/helm-configuration.md

@@ -109,7 +109,7 @@ Includes:
 - `qemu-se-runtime-rs` - IBM Secure Execution for Linux (SEL) Rust runtime (s390x)
 - `qemu-cca` - Arm Confidential Compute Architecture (arm64)
 - `qemu-coco-dev` - Confidential Containers development (amd64, s390x)
-- `qemu-coco-dev-runtime-rs` - Confidential Containers development Rust runtime (amd64, s390x)
+- `qemu-coco-dev-runtime-rs` - Confidential Containers development Rust runtime (amd64, arm64, s390x)
 
 ### [`try-kata-nvidia-gpu.values.yaml`](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-nvidia-gpu.values.yaml)
 

src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in

@@ -544,17 +544,17 @@ kernel_modules = []
 debug_console_enabled = false
 
 # Agent dial timeout in millisecond.
-# (default: 10)
-dial_timeout_ms = 10
+# (default: 100)
+dial_timeout_ms = 100
 
 # Agent reconnect timeout in millisecond.
-# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300)
+# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450)
 # If you find pod cannot connect to the agent when starting, please
 # consider increasing this value to increase the retry times.
 # You'd better not change the value of dial_timeout_ms, unless you have an
 # idea of what you are doing.
-# (default: 3000)
-reconnect_timeout_ms = 3000
+# (default: 45000)
+reconnect_timeout_ms = 45000
 
 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub)
 # to create their Unix sockets after being spawned by the agent.

src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in

@@ -521,17 +521,17 @@ kernel_modules = []
 debug_console_enabled = false
 
 # Agent dial timeout in millisecond.
-# (default: 10)
-dial_timeout_ms = 90
+# (default: 100)
+dial_timeout_ms = 100
 
 # Agent reconnect timeout in millisecond.
-# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300)
+# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450)
 # If you find pod cannot connect to the agent when starting, please
 # consider increasing this value to increase the retry times.
 # You'd better not change the value of dial_timeout_ms, unless you have an
 # idea of what you are doing.
-# (default: 3000)
-reconnect_timeout_ms = 5000
+# (default: 45000)
+reconnect_timeout_ms = 45000
 
 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub)
 # to create their Unix sockets after being spawned by the agent.

src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in

@@ -563,17 +563,17 @@ kernel_modules = []
 debug_console_enabled = false
 
 # Agent dial timeout in millisecond.
-# (default: 10)
-dial_timeout_ms = 10
+# (default: 100)
+dial_timeout_ms = 100
 
 # Agent reconnect timeout in millisecond.
-# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300)
+# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450)
 # If you find pod cannot connect to the agent when starting, please
 # consider increasing this value to increase the retry times.
 # You'd better not change the value of dial_timeout_ms, unless you have an
 # idea of what you are doing.
-# (default: 3000)
-reconnect_timeout_ms = 3000
+# (default: 45000)
+reconnect_timeout_ms = 45000
 
 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub)
 # to create their Unix sockets after being spawned by the agent.

src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in

@@ -539,17 +539,17 @@ kernel_modules = []
 debug_console_enabled = false
 
 # Agent dial timeout in millisecond.
-# (default: 10)
-dial_timeout_ms = 10
+# (default: 100)
+dial_timeout_ms = 100
 
 # Agent reconnect timeout in millisecond.
-# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300)
+# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450)
 # If you find pod cannot connect to the agent when starting, please
 # consider increasing this value to increase the retry times.
 # You'd better not change the value of dial_timeout_ms, unless you have an
 # idea of what you are doing.
-# (default: 3000)
-reconnect_timeout_ms = 3000
+# (default: 45000)
+reconnect_timeout_ms = 45000
 
 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub)
 # to create their Unix sockets after being spawned by the agent.

tests/gha-run-k8s-common.sh

@@ -707,7 +707,9 @@ function helm_helper() {
 					yq -i ".shims.${shim}.supportedArches = [\"arm64\"]" "${values_yaml}"
 				elif is_snp_hypervisor "${shim}" || is_tdx_hypervisor "${shim}" || is_confidential_gpu_hypervisor "${shim}"; then
 					yq -i ".shims.${shim}.supportedArches = [\"amd64\"]" "${values_yaml}"
-				elif [[ "${shim}" == "qemu-runtime-rs" ]]; then
+				# qemu-coco-dev-runtime-rs is checked explicitly because
+				# qemu-coco-dev (Go runtime) does not support arm64.
+				elif [[ "${shim}" == "qemu-runtime-rs" ]] || [[ "${shim}" == "qemu-coco-dev-runtime-rs" ]]; then
 					yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"arm64\", \"s390x\"]" "${values_yaml}"
 				elif is_non_tee_hypervisor "${shim}"; then
 					yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"s390x\"]" "${values_yaml}"

tests/integration/kubernetes/confidential_kbs.sh

@@ -227,7 +227,7 @@ kbs_install_cli() {
 
 	source /etc/os-release || source /usr/lib/os-release
 	case "${ID}" in
-		ubuntu)
+		debian|ubuntu)
 			local pkgs="build-essential pkg-config libssl-dev"
 
 			sudo apt-get update -y

tests/integration/kubernetes/gha-run.sh

@@ -453,7 +453,7 @@ function main() {
 		if [[ "${KATA_HOST_OS}" = "cbl-mariner" ]]; then
 			AUTO_GENERATE_POLICY="yes"
 		elif [[ "${KATA_HYPERVISOR}" = qemu-coco-dev* && \
-		        "${TARGET_ARCH}" = "x86_64" && \
+		        ( "${TARGET_ARCH}" = "x86_64" || "${TARGET_ARCH}" = "aarch64" ) && \
 		        "${PULL_TYPE}" != "experimental-force-guest-pull" ]]; then
 			AUTO_GENERATE_POLICY="yes"
 		elif [[ "${KATA_HYPERVISOR}" = qemu-nvidia-gpu-* ]]; then

tests/integration/kubernetes/k8s-policy-deployment-sc.bats

@@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
     auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
+    [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch."
     setup_common || die "setup_common failed"
 
     deployment_name="policy-redis-deployment"
@@ -100,6 +101,7 @@ test_deployment_policy_error() {
 
 teardown() {
     auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
+    [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch."
 
     # Pod debugging information. Don't print the "Message:" line because it contains a truncated policy log.
     info "Pod ${deployment_name}:"

tests/integration/kubernetes/k8s-policy-deployment.bats

@@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
     auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
+    [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch."
     setup_common || die "setup_common failed"
 
     deployment_name="policy-redis-deployment"
@@ -60,6 +61,7 @@ test_deployment_policy_error() {
 
 teardown() {
     auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
+    [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch."
 
     # Pod debugging information. Don't print the "Message:" line because it contains a truncated policy log.
     info "Pod ${deployment_name}:"

tests/integration/kubernetes/tests_common.sh

@@ -112,6 +112,12 @@ is_k3s_or_rke2() {
 	esac
 }
 
+# The arm64 runner owners keep containerd updates synced across all runners.
+is_arm64_host() {
+	[[ "$(uname -m)" == "aarch64" ]] && return 0
+	return 1
+}
+
 # Return the kubelet data directory, which varies by Kubernetes distribution.
 get_kubelet_data_dir() {
 	case "${KUBERNETES:-}" in
@@ -145,7 +151,7 @@ install_genpolicy_drop_ins() {
 	# 20-* OCI version overlay
 	if [[ "${KATA_HOST_OS:-}" == "cbl-mariner" ]]; then
 		cp "${examples_dir}/20-oci-1.2.0-drop-in.json" "${settings_d}/"
-	elif is_k3s_or_rke2 || is_nvidia_gpu_platform || is_snp_hypervisor "${KATA_HYPERVISOR}" || is_tdx_hypervisor "${KATA_HYPERVISOR}" || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then
+	elif is_k3s_or_rke2 || is_nvidia_gpu_platform || is_snp_hypervisor "${KATA_HYPERVISOR}" || is_tdx_hypervisor "${KATA_HYPERVISOR}" || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]] || is_arm64_host; then
 		cp "${examples_dir}/20-oci-1.3.0-drop-in.json" "${settings_d}/"
 	fi
 

tools/packaging/kata-deploy/binary/src/config.rs

@@ -734,7 +734,7 @@ fn parse_custom_runtimes() -> Result<Vec<CustomRuntime>> {
 fn get_default_shims_for_arch(arch: &str) -> &'static str {
     match arch {
         "x86_64" => "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-coco-dev-runtime-rs qemu-runtime-rs qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx qemu-snp qemu-snp-runtime-rs qemu-tdx qemu-tdx-runtime-rs",
-        "aarch64" => "clh cloud-hypervisor dragonball fc qemu qemu-runtime-rs qemu-nvidia-gpu qemu-cca",
+        "aarch64" => "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev-runtime-rs qemu-runtime-rs qemu-nvidia-gpu qemu-cca",
         "s390x" => "qemu qemu-runtime-rs qemu-se qemu-se-runtime-rs qemu-coco-dev qemu-coco-dev-runtime-rs",
         "ppc64le" => "qemu",
         _ => "qemu", // Fallback to qemu for unknown architectures

tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml

@@ -135,6 +135,7 @@ shims:
     enabled: true
     supportedArches:
       - amd64
+      - arm64
       - s390x
     allowedHypervisorAnnotations: []
     containerd:

tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml

@@ -322,6 +322,7 @@ shims:
     enabled: ~
     supportedArches:
       - amd64
+      - arm64
       - s390x
     allowedHypervisorAnnotations: []
     containerd:

tools/packaging/kata-deploy/local-build/Makefile

@@ -60,6 +60,7 @@ BASE_TARBALLS = serial-targets \
 	shim-v2-tarball \
 	virtiofsd-tarball
 BASE_SERIAL_TARBALLS = rootfs-image-tarball \
+	rootfs-image-confidential-tarball \
 	rootfs-cca-confidential-image-tarball \
 	rootfs-cca-confidential-initrd-tarball \
 	rootfs-initrd-tarball

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -710,7 +710,7 @@ install_kernel_helper() {
 	DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" -f -u "${kernel_url}" "${extra_cmd}"
 }
 
-#Install kernel asset (on x86_64 and s390x built with -x for TEE/confidential; other arches without -x)
+#Install kernel asset (on x86_64, s390x, and aarch64 built with -x for TEE/confidential)
 install_kernel() {
 	local extra_cmd=""
 	case "${ARCH}" in
@@ -719,6 +719,11 @@ install_kernel() {
 			export MEASURED_ROOTFS="no"
 			extra_cmd="-x"
 			;;
+		aarch64)
+			export CONFIDENTIAL_GUEST="yes"
+			export MEASURED_ROOTFS="yes"
+			extra_cmd="-x"
+			;;
 		x86_64)
 			export CONFIDENTIAL_GUEST="yes"
 			export MEASURED_ROOTFS="yes"

tools/packaging/kernel/build-kernel.sh

@@ -578,8 +578,11 @@ install_kata() {
 	if [[ ${gpu_vendor} != "" ]]; then
 		suffix="-${gpu_vendor}-gpu${suffix}"
 	elif [[ ${conf_guest} != "" ]]; then
-		# CCA on aarch64 uses -confidential suffix; x86_64/s390x unified kernel does not
-		if [[ "${arch_target}" == "aarch64" ]]; then
+		# CCA kernel on arm64 needs a -confidential suffix to coexist
+		# with the unified kernel; the regular kernel with -x does not
+		# get the suffix (matching x86_64/s390x unified kernel behavior).
+		# CCA builds are identified by -H (linux_headers) being set.
+		if [[ "${arch_target}" == "arm64" ]] && [[ -n "${linux_headers}" ]]; then
 			suffix="-${conf_guest}${suffix}"
 		fi
 	fi

tools/packaging/kernel/kata_config_version

@@ -1 +1 @@
-188
+189

tools/packaging/static-build/tools/Dockerfile

@@ -61,10 +61,21 @@ RUN ARCH=$(uname -m) && \
     rm /tmp/oras.tar.gz && \
     oras version
 
-# Tools only build for x86_64
-RUN rustup target add x86_64-unknown-linux-musl
+RUN ARCH=$(uname -m) && \
+    case "${ARCH}" in \
+        x86_64) MUSL_TARGET="x86_64-unknown-linux-musl" ;; \
+        aarch64) MUSL_TARGET="aarch64-unknown-linux-musl" ;; \
+        *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \
+    esac && \
+    rustup target add "${MUSL_TARGET}"
 
-RUN kernelname=$(uname -s | tr '[:upper:]' '[:lower:]'); \
-    curl -fsSOL "https://go.dev/dl/go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" && \
-    tar -C "${GO_HOME}" -xzf "go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" && \
-    rm "go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz"
+RUN ARCH=$(uname -m) && \
+    case "${ARCH}" in \
+        x86_64) GO_ARCH="amd64" ;; \
+        aarch64) GO_ARCH="arm64" ;; \
+        *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \
+    esac && \
+    kernelname=$(uname -s | tr '[:upper:]' '[:lower:]') && \
+    curl -fsSOL "https://go.dev/dl/go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz" && \
+    tar -C "${GO_HOME}" -xzf "go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz" && \
+    rm "go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz"