ci: Refactor boot-image-se build and update shim components

- Add FAKE_SE_IMAGE mode support in SE image build scripts for CI without real SE setup
- Simplify workflow by removing build-asset-boot-image-se job
- Integrate fake-boot-image-se into build matrix instead of separate job
- Skip attestation for fake-boot-image-se builds
- Update qemu-se and qemu-se-runtime-rs shim components to use:
  - rootfs-initrd-confidential instead of rootfs-image-confidential
  - boot-image-se component

This change streamlines the s390x SE build process and makes it easier
to test without requiring actual Secure Execution infrastructure.
This fixes deployment issues on non-TEE systems where TEE-specific artifacts
(like boot-image-se for IBM SEL) are not included in the kata-deploy image,
while ensuring TEE systems still get all required components.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This commit is contained in:
Hyounggyu Choi
2026-05-26 12:04:51 +02:00
parent 25491fc20c
commit 640fa488a5
6 changed files with 43 additions and 60 deletions

View File

@@ -47,6 +47,7 @@ jobs:
asset:
- agent
- coco-guest-components
- fake-boot-image-se
- kernel
- pause-image
- qemu
@@ -80,10 +81,16 @@ jobs:
- name: Build ${{ matrix.asset }}
id: build
run: |
make "${KATA_ASSET}-tarball"
if [ "${KATA_ASSET}" = "fake-boot-image-se" ]; then
make FAKE_SE_IMAGE=true boot-image-se-tarball
TARBALL_NAME="boot-image-se"
else
make "${KATA_ASSET}-tarball"
TARBALL_NAME="${KATA_ASSET}"
fi
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-build/.
mkdir -p kata-build && cp "${build_dir}"/kata-static-"${TARBALL_NAME}"*.tar.* kata-build/.
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
@@ -96,7 +103,7 @@ jobs:
- name: Parse OCI image name and digest
id: parse-oci-segments
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
if: ${{ env.PERFORM_ATTESTATION == 'yes' && matrix.asset != 'fake-boot-image-se' }}
env:
ASSET: ${{ matrix.asset }}
run: |
@@ -113,7 +120,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
if: ${{ env.PERFORM_ATTESTATION == 'yes' }}
if: ${{ env.PERFORM_ATTESTATION == 'yes' && matrix.asset != 'fake-boot-image-se' }}
with:
subject-name: ${{ steps.parse-oci-segments.outputs.oci-name }}
subject-digest: ${{ steps.parse-oci-segments.outputs.oci-digest }}
@@ -123,7 +130,7 @@ jobs:
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.zst
path: kata-build/kata-static-${{ matrix.asset == 'fake-boot-image-se' && 'boot-image-se' || matrix.asset }}.tar.zst
retention-days: 15
if-no-files-found: error
@@ -238,60 +245,11 @@ jobs:
retention-days: 15
if-no-files-found: error
build-asset-boot-image-se:
name: build-asset-boot-image-se
runs-on: s390x
needs: [build-asset, build-asset-rootfs]
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Place a host key document
run: |
mkdir -p "host-key-document"
cp "${CI_HKD_PATH}" "host-key-document"
env:
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
- name: Build boot-image-se
run: |
make install-prebuilt-artifacts
make DEPS= boot-image-se-tarball
build_dir=$(readlink -f build)
sudo cp -r "${build_dir}" "kata-build"
sudo chown -R "$(id -u)":"$(id -g)" "kata-build"
env:
HKD_PATH: "host-key-document"
- name: store-artifact boot-image-se
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: kata-artifacts-s390x${{ inputs.tarball-suffix }}
path: kata-build/kata-static-boot-image-se.tar.zst
retention-days: 1
if-no-files-found: error
# We don't need the binaries installed in the rootfs as part of the release tarball, so can delete them now we've built the rootfs
remove-rootfs-binary-artifacts:
name: remove-rootfs-binary-artifacts
runs-on: ubuntu-22.04
needs: [build-asset-rootfs, build-asset-boot-image-se]
needs: build-asset-rootfs
strategy:
matrix:
asset:
@@ -384,7 +342,6 @@ jobs:
needs:
- build-asset
- build-asset-rootfs
- build-asset-boot-image-se
- build-asset-shim-v2
permissions:
contents: read

View File

@@ -21,7 +21,7 @@ source "${packaging_root_dir}/scripts/lib.sh"
source "${script_dir}/lib_se.sh"
ARCH=${ARCH:-$(uname -m)}
if [[ "$(uname -m)" == "${ARCH}" ]]; then
if [[ "${FAKE_SE_IMAGE:-}" != "true" && "$(uname -m)" == "${ARCH}" ]]; then
[[ "${ARCH}" == "s390x" ]] || die "Building a Secure Execution image is currently only supported on s390x."
fi
usage() {
@@ -34,19 +34,30 @@ Options:
--destdir=\${destdir}
Environment variables:
HKD_PATH (required): a path for a directory which includes at least one host key document
HKD_PATH (required unless FAKE_SE_IMAGE=true): a path for a directory which includes at least one host key document
for Secure Execution, generally specific to your machine. See
https://www.ibm.com/docs/en/linux-on-systems?topic=tasks-verify-host-key-document
for information on how to retrieve and verify this document.
SIGNING_KEY_CERT_PATH: a path for the IBM zSystem signing key certificate
INTERMEDIATE_CA_CERT_PATH: a path for the intermediate CA certificate signed by the root CA
HOST_KEY_CRL_PATH: a path for the host key CRL
FAKE_SE_IMAGE : If set to "true", creates a dummy kata-containers-se.img via touch command
instead of using genprotimg. Useful for testing without real SE setup.
DEBUG : If set, display debug information.
EOF
exit "${1:-0}"
}
build_image() {
# Check if FAKE_SE_IMAGE mode is enabled
if [[ "${FAKE_SE_IMAGE:-}" == "true" ]]; then
echo "FAKE_SE_IMAGE mode enabled: Skipping tarball extraction"
if ! build_secure_image "" "" "${install_dir}"; then
usage 1
fi
return 0
fi
image_source_dir="${builddir}/secure-image"
mkdir -p "${image_source_dir}"
pushd "${tarball_dir}"

View File

@@ -29,6 +29,16 @@ build_secure_image() {
kernel_params="${1:-}"
install_src_dir="${2:-}"
install_dest_dir="${3:-}"
# Check if FAKE_SE_IMAGE mode is enabled
if [[ "${FAKE_SE_IMAGE:-}" == "true" ]]; then
echo "FAKE_SE_IMAGE mode enabled: Creating dummy kata-containers-se.img via touch command"
echo "FAKE_SE_IMAGE mode: Skipping kernel, initrd, parmfile, and host key document checks"
mkdir -p "${install_dest_dir}"
touch "${install_dest_dir}/kata-containers-se.img"
return 0
fi
key_verify_option="--no-verify" # no verification for CI testing purposes
if [[ -n "${SIGNING_KEY_CERT_PATH:-}" ]] && [[ -n "${INTERMEDIATE_CA_CERT_PATH:-}" ]] && [[ -n "${HOST_KEY_CRL_PATH:-}" ]]; then

View File

@@ -183,7 +183,11 @@ qemu-tarball:
# DEPS is rebound per target below; prereqs expand at parse time, so each rule
# freezes the current DEPS. `make DEPS=` from the command line zeros all of them.
ifeq ($(FAKE_SE_IMAGE),true)
DEPS :=
else
DEPS := kernel-tarball rootfs-initrd-confidential-tarball
endif
boot-image-se-tarball: $(DEPS)
${MAKE} $@-build

View File

@@ -161,6 +161,7 @@ docker run \
--env AA_KBC="${AA_KBC:-}" \
--env HKD_PATH="$(realpath "${HKD_PATH:-}" 2> /dev/null || true)" \
--env SE_KERNEL_PARAMS="${SE_KERNEL_PARAMS:-}" \
--env FAKE_SE_IMAGE="${FAKE_SE_IMAGE:-}" \
--env CROSS_BUILD="${CROSS_BUILD}" \
--env TARGET_ARCH="${TARGET_ARCH}" \
--env ARCH="${ARCH}" \

View File

@@ -28,10 +28,10 @@
"x86_64": ["shim-v2-rust", "qemu-tdx-experimental", "virtiofsd", "kernel", "rootfs-image-confidential", "ovmf-tdx"]
},
"qemu-se": {
"s390x": ["shim-v2-go", "qemu", "virtiofsd", "kernel", "rootfs-image-confidential"]
"s390x": ["shim-v2-go", "qemu", "virtiofsd", "kernel", "rootfs-initrd-confidential", "boot-image-se"]
},
"qemu-se-runtime-rs": {
"s390x": ["shim-v2-rust", "qemu", "virtiofsd", "kernel", "rootfs-image-confidential"]
"s390x": ["shim-v2-rust", "qemu", "virtiofsd", "kernel", "rootfs-initrd-confidential", "boot-image-se"]
},
"qemu-nvidia-gpu": {
"x86_64": ["shim-v2-go", "qemu", "virtiofsd", "kernel-nvidia-gpu", "rootfs-image-nvidia-gpu", "ovmf"]