Merge pull request #7768 from fidencio/topic/update-tdx-to-the-6.2-kernel-based-stack

tdx: Update the components needed for using the 6.2 kernel stack

src/runtime/pkg/govmm/qemu/qemu.go

@@ -141,9 +141,16 @@ const (
 func isDimmSupported(config *Config) bool {
 	switch runtime.GOARCH {
 	case "amd64", "386", "ppc64le", "arm64":
-		if config != nil && config.Machine.Type == MachineTypeMicrovm {
+		if config != nil {
-			// microvm does not support NUMA
+			if config.Machine.Type == MachineTypeMicrovm {
-			return false
+				// microvm does not support NUMA
+				return false
+			}
+			if config.Knobs.MemFDPrivate {
+				// TDX guests rely on MemFD Private, which
+				// does not have NUMA support yet
+				return false
+			}
 		}
 		return true
 	default:
@@ -2628,6 +2635,9 @@ type Knobs struct {
 	// MemPrealloc will allocate all the RAM upfront
 	MemPrealloc bool
 
+	// Private Memory FD meant for private memory map/unmap.
+	MemFDPrivate bool
+
 	// FileBackedMem requires Memory.Size and Memory.Path of the VM to
 	// be set.
 	FileBackedMem bool
@@ -2992,10 +3002,13 @@ func (config *Config) appendMemoryKnobs() {
 		return
 	}
 	var objMemParam, numaMemParam string
+
 	dimmName := "dimm1"
 	if config.Knobs.HugePages {
 		objMemParam = "memory-backend-file,id=" + dimmName + ",size=" + config.Memory.Size + ",mem-path=/dev/hugepages"
 		numaMemParam = "node,memdev=" + dimmName
+	} else if config.Knobs.MemFDPrivate {
+		objMemParam = "memory-backend-memfd-private,id=" + dimmName + ",size=" + config.Memory.Size
 	} else if config.Knobs.FileBackedMem && config.Memory.Path != "" {
 		objMemParam = "memory-backend-file,id=" + dimmName + ",size=" + config.Memory.Size + ",mem-path=" + config.Memory.Path
 		numaMemParam = "node,memdev=" + dimmName

src/runtime/pkg/govmm/qemu/qemu_test.go

@@ -632,6 +632,29 @@ func TestAppendMemoryFileBackedMemPrealloc(t *testing.T) {
 	testConfigAppend(conf, knobs, memString+" "+knobsString, t)
 }
 
+func TestAppendMemoryBackedMemFdPrivate(t *testing.T) {
+	conf := &Config{
+		Memory: Memory{
+			Size:  "1G",
+			Slots: 8,
+		},
+	}
+	memString := "-m 1G,slots=8"
+	testConfigAppend(conf, conf.Memory, memString, t)
+
+	knobs := Knobs{
+		MemFDPrivate: true,
+		MemShared:    false,
+	}
+	objMemString := "-object memory-backend-memfd-private,id=dimm1,size=1G"
+	memBackendString := "-machine memory-backend=dimm1"
+
+	knobsString := objMemString + " "
+	knobsString += memBackendString
+
+	testConfigAppend(conf, knobs, memString+" "+knobsString, t)
+}
+
 func TestNoRebootKnob(t *testing.T) {
 	conf := &Config{}
 

src/runtime/virtcontainers/qemu.go

@@ -604,6 +604,30 @@ func (q *qemu) CreateVM(ctx context.Context, id string, network Network, hypervi
 		return err
 	}
 
+	if q.config.ConfidentialGuest {
+		// At this point we're safe to just check for the protection field
+		// on the hypervisor specific code, as availableGuestProtection()
+		// has been called earlier and we know we have the value stored.
+		if q.arch.getProtection() == tdxProtection {
+			knobs.MemFDPrivate = true
+
+			// In case Nydus or VirtioFS is used, which may become a reality
+			// in the future, whenever we get those hardened for TDX, those
+			// knobs below would be automatically set.  Let's make sure we
+			// pre-emptively disable them, and with that we can avoid some
+			// headaches in the future.
+			knobs.FileBackedMem = false
+			knobs.MemShared = false
+
+			// SMP is currently broken with TDX 1.5, and
+			// we must ensure we use something like:
+			// `...,sockets=1,cores=numvcpus,threads=1,...`
+			smp.Sockets = 1
+			smp.Cores = q.config.NumVCPUs
+			smp.Threads = 1
+		}
+	}
+
 	kernelPath, err := q.config.KernelAssetPath()
 	if err != nil {
 		return err

src/runtime/virtcontainers/qemu_arch_base.go

@@ -71,6 +71,9 @@ type qemuArch interface {
 	// memoryTopology returns the memory topology using the given amount of memoryMb and hostMemoryMb
 	memoryTopology(memoryMb, hostMemoryMb uint64, slots uint8) govmmQemu.Memory
 
+	// protection returns platform protection
+	getProtection() guestProtection
+
 	// appendConsole appends a console to devices
 	appendConsole(ctx context.Context, devices []govmmQemu.Device, path string) ([]govmmQemu.Device, error)
 
@@ -280,6 +283,10 @@ func (q *qemuArchBase) machine() govmmQemu.Machine {
 	return q.qemuMachine
 }
 
+func (q *qemuArchBase) getProtection() guestProtection {
+	return q.protection
+}
+
 func (q *qemuArchBase) qemuPath() string {
 	return q.qemuExePath
 }

tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh

@@ -32,6 +32,11 @@ TARGET_ARCH=${TARGET_ARCH:-$(uname -m)}
 TARGET_OS=${TARGET_OS:-linux}
 TARGET_ARCH=${TARGET_ARCH:-$ARCH}
 
+# We've seen issues related to the /home/runner/.docker/buildx/activity/default file
+# constantly being with the wrong permissions.
+# Let's just remove the file before we build.
+rm -f $HOME/.docker/buildx/activity/default
+
 [ "${CROSS_BUILD}" == "true" ] && BUILDX="buildx" && PLATFORM="--platform=${TARGET_OS}/${TARGET_ARCH}"
 if [ "${CROSS_BUILD}" == "true" ]; then
        # check if the current docker support docker buildx

tools/packaging/kernel/configs/fragments/whitelist.conf

@@ -2,6 +2,10 @@
 # without generating an error in fragment merging
 CONFIG_ARCH_RANDOM
 CONFIG_ARM64_CRYPTO
+CONFIG_GENERIC_MSI_IRQ_DOMAIN
+CONFIG_PCI_MSI_IRQ_DOMAIN
+CONFIG_CLK_LGM_CGU
+CONFIG_MEMCG_SWAP
 CONFIG_NF_NAT_IPV4
 CONFIG_NF_NAT_NEEDED
 CONFIG_NF_NAT_PROTO_DCCP

tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf

@@ -1,13 +1,10 @@
 # Intel Trust Domain Extensions (Intel TDX)
 
-CONFIG_CLK_LGM_CGU=y
-CONFIG_DMA_RESTRICTED_POOL=y
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
 CONFIG_INTEL_IOMMU_SVM=y
 CONFIG_INTEL_TDX_GUEST=y
 CONFIG_OF=y
-CONFIG_OF_RESERVED_MEM=y
 CONFIG_X86_5LEVEL=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
 CONFIG_X86_PLATFORM_DEVICES=y

tools/packaging/kernel/kata_config_version

@@ -1 +1 @@
-112
+113

versions.yaml

@@ -106,9 +106,9 @@ assets:
 
     qemu-tdx-experimental:
       # yamllint disable-line rule:line-length
-      description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww01"
+      description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww15"
       url: "https://github.com/kata-containers/qemu"
-      tag: "ad4c7f529a279685da84297773b4ec8080153c2d-plus-TDX-v1.3"
+      tag: "b67b00e6b4c7831a3f5bc684bc0df7a9bfd1bd56-plus-TDX-v1.10"
 
     qemu-snp-experimental:
       description: "QEMU with experimental SNP support (no UPM)"
@@ -191,9 +191,9 @@ assets:
 
   kernel-tdx-experimental:
     # yamllint disable-line rule:line-length
-    description: "Linux kernel with TDX support -- based on https://github.com/intel/tdx-tools/releases/tag/2023ww01"
+    description: "Linux kernel with TDX support -- based on https://github.com/intel/tdx-tools/releases/tag/2023ww15"
     url: "https://github.com/kata-containers/linux/archive/refs/tags"
-    version: "5.19-TDX-v2.2"
+    version: "6.2-TDX-v1.8"
 
 externals:
   description: "Third-party projects used by the system"
@@ -315,8 +315,8 @@ externals:
       package_output_dir: "AmdSev"
     tdx:
       # yamllint disable-line rule:line-length
-      description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww01"
+      description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww15"
-      version: "edk2-stable202211"
+      version: "edk2-stable202302"
       package: "OvmfPkg/IntelTdx/IntelTdxX64.dsc"
       package_output_dir: "IntelTdx"