From 7057ff1cd543fb91a404dab702ecb397485769b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 1 Nov 2024 11:04:49 +0100 Subject: [PATCH 1/8] build: kernel: Always pass -f to the kernel builder MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -f forces the (re)generaton of the config when doing the setup, which helps a lot on local development whilst not causing any harm in the CI builds. Signed-off-by: Fabiano Fidêncio --- .../packaging/kata-deploy/local-build/kata-deploy-binaries.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 1eed6ae61a..95d21293fc 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -564,7 +564,7 @@ install_kernel_helper() { info "build ${kernel_name}" info "Kernel version ${kernel_version}" - DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" ${extra_cmd} + DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" -f "${extra_cmd}" } #Install kernel asset @@ -572,7 +572,7 @@ install_kernel() { install_kernel_helper \ "assets.kernel.version" \ "kernel" \ - "-f" + "" } install_kernel_confidential() { From cc4006297a2d32b91f9c08536231ff2021e28833 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 1 Nov 2024 11:07:33 +0100 Subject: [PATCH 2/8] build: kernel: Pass the yaml base path instead of the version path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit By doing this we can ensure this can be re-used, if needed (and it'll be needed), for also getting the URL. 
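Review bot: Quoting `"${extra_cmd}"` on the `"${kernel_builder}"` line in patch 1/8 turns the whole option string into one argument, so a caller passing `"-e -t dragonball"` hands the builder a single word instead of three, and `install_kernel` now passes an empty positional argument `""`. The old unquoted expansion relied on word splitting; an array keeps the quoting safe and the options separate, e.g. `read -r -a extra_args <<< "${3:-}"` and then `"${extra_args[@]}"` on the command line. The same quoted expansion is carried into the `-f -u "${kernel_url}" "${extra_cmd}"` line of patch 5/8. How the builder parses its arguments is not visible here, so confirm against its option loop; the body of install_kernel_helper starts outside this hunk.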
Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 95d21293fc..90e887d85f 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -534,12 +534,12 @@ install_cached_kernel_tarball_component() { #Install kernel asset install_kernel_helper() { - local kernel_version_yaml_path="${1}" + local kernel_yaml_path="${1}" local kernel_name="${2}" local extra_cmd="${3:-}" local extra_tarballs="" - export kernel_version="$(get_from_kata_deps .${kernel_version_yaml_path})" + export kernel_version="$(get_from_kata_deps .${kernel_yaml_path}.version)" export kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)" if [[ "${kernel_name}" == "kernel"*"-confidential" ]]; then @@ -570,7 +570,7 @@ install_kernel_helper() { #Install kernel asset install_kernel() { install_kernel_helper \ - "assets.kernel.version" \ + "assets.kernel" \ "kernel" \ "" } @@ -581,21 +581,21 @@ install_kernel_confidential() { export MEASURED_ROOTFS=yes install_kernel_helper \ - "assets.kernel.confidential.version" \ + "assets.kernel.confidential" \ "kernel-confidential" \ "-x -u ${kernel_url}" } install_kernel_dragonball_experimental() { install_kernel_helper \ - "assets.kernel-dragonball-experimental.version" \ + "assets.kernel-dragonball-experimental" \ "kernel-dragonball-experimental" \ "-e -t dragonball" } install_kernel_nvidia_gpu_dragonball_experimental() { install_kernel_helper \ - "assets.kernel-dragonball-experimental.version" \ + "assets.kernel-dragonball-experimental" \ "kernel-dragonball-experimental" \ "-e -t dragonball -g nvidia -H deb" } 
@@ -605,7 +605,7 @@ install_kernel_nvidia_gpu() { local kernel_url="$(get_from_kata_deps .assets.kernel.url)" install_kernel_helper \ - "assets.kernel.version" \ + "assets.kernel" \ "kernel-nvidia-gpu" \ "-g nvidia -u ${kernel_url} -H deb" } @@ -615,7 +615,7 @@ install_kernel_nvidia_gpu_confidential() { local kernel_url="$(get_from_kata_deps .assets.kernel.confidential.url)" install_kernel_helper \ - "assets.kernel.confidential.version" \ + "assets.kernel.confidential" \ "kernel-nvidia-gpu-confidential" \ "-x -g nvidia -u ${kernel_url} -H deb" } From 9a0b50104218702a8b9046bd0c0653911bb50d7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 1 Nov 2024 11:30:31 +0100 Subject: [PATCH 3/8] build: kernel: Remove tee specific function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As, thankfully, we're relying on upstream kernels for TEEs. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kernel/build-kernel.sh | 27 -------------------------- 1 file changed, 27 deletions(-) diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh index 5cc0bb1139..bb8f4dfe2d 100755 --- a/tools/packaging/kernel/build-kernel.sh +++ b/tools/packaging/kernel/build-kernel.sh 
@@ -134,28 +134,6 @@ check_initramfs_or_die() { die "Initramfs for measured rootfs not found at ${default_initramfs}" } -get_tee_kernel() { - local version="${1}" - local kernel_path="${2}" - local tee="${3}" - - mkdir -p ${kernel_path} - - if [ -z "${kernel_url}" ]; then - kernel_url=$(get_from_kata_deps ".assets.kernel.${tee}.url") - fi - - local kernel_tarball="${version}.tar.gz" - - # Depending on where we're getting the tarball from it may have a - # different name, such as linux-${version}.tar.gz or simply - # ${version}.tar.gz. Let's try both before failing. - curl --fail -L "${kernel_url}/linux-${kernel_tarball}" -o ${kernel_tarball} || curl --fail -OL "${kernel_url}/${kernel_tarball}" - - mkdir -p ${kernel_path} - tar --strip-components=1 -xf ${kernel_tarball} -C ${kernel_path} -} - get_kernel() { local version="${1:-}" @@ -163,11 +141,6 @@ get_kernel() { [ -n "${kernel_path}" ] || die "kernel_path not provided" [ ! -d "${kernel_path}" ] || die "kernel_path already exist" - if [ "${conf_guest}" != "" ]; then - get_tee_kernel ${version} ${kernel_path} ${conf_guest} - return - fi - #Remove extra 'v' version=${version#v} From ee1a17cffc5f2a0c3f548565985e99ff9cef3f00 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 1 Nov 2024 12:47:48 +0100 Subject: [PATCH 4/8] build: kernel: Take kernel_url into consideration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's make sure the kernel_url is actually used whenever it's passed to the function. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kernel/build-kernel.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh index bb8f4dfe2d..8e8221cbc3 100755 --- a/tools/packaging/kernel/build-kernel.sh +++ b/tools/packaging/kernel/build-kernel.sh 
@@ -166,9 +166,13 @@ get_kernel() { rm -f "${kernel_tarball}" fi if [ ! -f "${kernel_tarball}" ]; then + kernel_tarball_url="https://www.kernel.org/pub/linux/kernel/v${major_version}.x/${kernel_tarball}" + if [ -n "${kernel_url}" ]; then + kernel_tarball_url="${kernel_url}${kernel_tarball}" + fi info "Download kernel version ${version}" - info "Download kernel" - curl --fail -OL "https://www.kernel.org/pub/linux/kernel/v${major_version}.x/${kernel_tarball}" + info "Download kernel from: ${kernel_tarball_url}" + curl --fail -OL "${kernel_tarball_url}" else info "kernel tarball already downloaded" fi From 9f2d4b2956c917769fe8a115fa1ba619da29d22d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 1 Nov 2024 11:11:26 +0100 Subject: [PATCH 5/8] build: kernel: Always pass the url to the builder MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This doesn't change much on how we're doing things Today, but it simplifies a lot cases that may be added later on (and will be) like building -rc kernels. Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries.sh | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 90e887d85f..8a36bc1ebb 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh 
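Review bot: `kernel_tarball_url="${kernel_url}${kernel_tarball}"` joins the two parts with no separator, so a `-u` value without a trailing slash produces a wrong URL; the `get_tee_kernel` helper removed in patch 3/8 used `${kernel_url}/…` instead. Normalising first, `kernel_tarball_url="${kernel_url%/}/${kernel_tarball}"`, accepts both spellings. Because the origin is now caller-supplied and `curl` follows redirects with `-L`, it is also worth restricting the transfer with `--proto '=https' --proto-redir '=https'`. `kernel_tarball_url` is assigned without `local`, so it leaks out of get_kernel, whose body extends beyond this hunk.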
@@ -540,10 +540,12 @@ install_kernel_helper() { local extra_tarballs="" export kernel_version="$(get_from_kata_deps .${kernel_yaml_path}.version)" + export kernel_url="$(get_from_kata_deps .${kernel_yaml_path}.url)" export kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)" if [[ "${kernel_name}" == "kernel"*"-confidential" ]]; then kernel_version="$(get_from_kata_deps .assets.kernel.confidential.version)" + kernel_url="$(get_from_kata_deps .assets.kernel.confidential.url)" fi if [[ "${kernel_name}" == "kernel"*"-confidential" ]]; then @@ -564,7 +566,7 @@ install_kernel_helper() { info "build ${kernel_name}" info "Kernel version ${kernel_version}" - DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" -f "${extra_cmd}" + DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" -f -u "${kernel_url}" "${extra_cmd}" } #Install kernel asset @@ -576,14 +578,12 @@ install_kernel() { } install_kernel_confidential() { - local kernel_url="$(get_from_kata_deps .assets.kernel.confidential.url)" - export MEASURED_ROOTFS=yes install_kernel_helper \ "assets.kernel.confidential" \ "kernel-confidential" \ - "-x -u ${kernel_url}" + "-x" } install_kernel_dragonball_experimental() { @@ -602,22 +602,18 @@ install_kernel_nvidia_gpu_dragonball_experimental() { #Install GPU enabled kernel asset install_kernel_nvidia_gpu() { - local kernel_url="$(get_from_kata_deps .assets.kernel.url)" - install_kernel_helper \ "assets.kernel" \ "kernel-nvidia-gpu" \ - "-g nvidia -u ${kernel_url} -H deb" + "-g nvidia -H deb" } #Install GPU and TEE enabled kernel asset install_kernel_nvidia_gpu_confidential() { - local kernel_url="$(get_from_kata_deps .assets.kernel.confidential.url)" - install_kernel_helper \ "assets.kernel.confidential" \ "kernel-nvidia-gpu-confidential" \ - "-x -g nvidia -u ${kernel_url} -H deb" + "-x -g nvidia -H deb" } install_qemu_helper() { 
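Review bot: `export kernel_url="$(get_from_kata_deps .${kernel_yaml_path}.url)"` discards the exit status of the lookup, so a missing or misspelled `url` key would presumably leave `kernel_url` empty without stopping the build. With the `[ -n "${kernel_url}" ]` test added in patch 4/8, an empty value makes build-kernel.sh fall back silently to its kernel.org default, so the tarball could come from a different origin than versions.yaml names. Assigning first and failing on an empty result avoids that: `kernel_url="$(get_from_kata_deps ".${kernel_yaml_path}.url")"`, then `[ -n "${kernel_url}" ] || { echo "no url for ${kernel_yaml_path}" >&2; exit 1; }`, then `export kernel_url`. For the callers shown, the `-confidential` override just below repeats the lookup already selected through `assets.kernel.confidential` and looks removable.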
From a52ea32b05c55d0a93cd67985f5e8a67056d122c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 1 Nov 2024 12:50:44 +0100 Subject: [PATCH 6/8] build: kernel: Learn how to deal with release candidates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit So far we were not prepared to deal with release candidates as those: * Do not have a sha256sum in the sha256sums provided by the kernel cdn * Come from a different URL (directly from Linus) * Have a different suffix (.tar.gz, instead of .tar.xz) Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries.sh | 11 ++++- tools/packaging/kernel/build-kernel.sh | 46 ++++++++++++------- 2 files changed, 40 insertions(+), 17 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 8a36bc1ebb..eb73b7332a 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -151,8 +151,17 @@ get_kernel_modules_dir() { local numeric_final_version=${version} # Every first release of a kernel is x.y, while the resulting folder would be x.y.0 + local rc=$(echo ${version} | grep -oE "\-rc[0-9]+$") + if [ -n "${rc}" ]; then + numeric_final_version="${numeric_final_version%"${rc}"}" + fi + local dots=$(echo ${version} | grep -o '\.' | wc -l) - [ "${dots}" == "1" ] && numeric_final_version="${version}.0" + [ "${dots}" == "1" ] && numeric_final_version="${numeric_final_version}.0" + + if [ -n "${rc}" ]; then + numeric_final_version="${numeric_final_version}${rc}" + fi local kernel_modules_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/${kernel_name}/builddir/kata-linux-${version}-${kernel_kata_config_version}/lib/modules/${numeric_final_version}" case ${kernel_name} in 
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh index 8e8221cbc3..e908e2c240 100755 --- a/tools/packaging/kernel/build-kernel.sh +++ b/tools/packaging/kernel/build-kernel.sh 
@@ -144,26 +144,38 @@ get_kernel() { #Remove extra 'v' version=${version#v} - major_version=$(echo "${version}" | cut -d. -f1) - kernel_tarball="linux-${version}.tar.xz" + local major_version=$(echo "${version}" | cut -d. -f1) + local rc=$(echo "${version}" | grep -oE "\-rc[0-9]+$") - if [[ -f "${kernel_tarball}.sha256" ]] && (grep -qF "${kernel_tarball}" "${kernel_tarball}.sha256"); then - info "Restore valid ${kernel_tarball}.sha256 to sha256sums.asc" - cp -f "${kernel_tarball}.sha256" sha256sums.asc - else - shasum_url="https://cdn.kernel.org/pub/linux/kernel/v${major_version}.x/sha256sums.asc" - info "Download kernel checksum file: sha256sums.asc from ${shasum_url}" - curl --fail -OL "${shasum_url}" - if (grep -F "${kernel_tarball}" sha256sums.asc >"${kernel_tarball}.sha256"); then - info "sha256sums.asc is valid, ${kernel_tarball}.sha256 generated" + local tar_suffix="tar.xz" + if [ -n "${rc}" ]; then + tar_suffix="tar.gz" + fi + kernel_tarball="linux-${version}.${tar_suffix}" + + if [ -z "${rc}" ]; then + if [[ -f "${kernel_tarball}.sha256" ]] && (grep -qF "${kernel_tarball}" "${kernel_tarball}.sha256"); then + info "Restore valid ${kernel_tarball}.sha256 to sha256sums.asc" + cp -f "${kernel_tarball}.sha256" sha256sums.asc else - die "sha256sums.asc is invalid" + shasum_url="https://cdn.kernel.org/pub/linux/kernel/v${major_version}.x/sha256sums.asc" + info "Download kernel checksum file: sha256sums.asc from ${shasum_url}" + curl --fail -OL "${shasum_url}" + if (grep -F "${kernel_tarball}" sha256sums.asc >"${kernel_tarball}.sha256"); then + info "sha256sums.asc is valid, ${kernel_tarball}.sha256 generated" + else + die "sha256sums.asc is invalid" + fi fi + else + info "Release candidate kernels are not part of the official sha256sums.asc -- skipping sha256sum validation" fi - if [ -f "${kernel_tarball}" ] && ! 
sha256sum -c "${kernel_tarball}.sha256"; then - info "invalid kernel tarball ${kernel_tarball} removing " - rm -f "${kernel_tarball}" + if [ -f "${kernel_tarball}" ]; then + if [ -n "${rc}" ] && ! sha256sum -c "${kernel_tarball}.sha256"; then + info "invalid kernel tarball ${kernel_tarball} removing " + rm -f "${kernel_tarball}" + fi fi if [ ! -f "${kernel_tarball}" ]; then kernel_tarball_url="https://www.kernel.org/pub/linux/kernel/v${major_version}.x/${kernel_tarball}" @@ -177,7 +189,9 @@ get_kernel() { info "kernel tarball already downloaded" fi - sha256sum -c "${kernel_tarball}.sha256" + if [ -z "${rc}" ]; then + sha256sum -c "${kernel_tarball}.sha256" + fi tar xf "${kernel_tarball}" From f7b31ccd6c3eaba8f93a22caf45f17eee4686b02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 5 Nov 2024 12:26:38 +0100 Subject: [PATCH 7/8] kernel: bump kata_config_version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Due to the changes done in the previous commits. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kernel/kata_config_version | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version index 93e7803245..897bdc8200 100644 --- a/tools/packaging/kernel/kata_config_version +++ b/tools/packaging/kernel/kata_config_version @@ -1 +1 @@ -138 +139 From 2b16160ff1f49e7d7ddb8946293f0d1c3a883f4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 1 Nov 2024 14:57:38 +0100 Subject: [PATCH 8/8] versions: kernel-dragonball: Fix URL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SSIA Signed-off-by: Fabiano Fidêncio --- versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.yaml b/versions.yaml index 5798e4339e..0691915e6a 100644 --- a/versions.yaml +++ b/versions.yaml 
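Review bot: The guard on the cached tarball is inverted: `if [ -n "${rc}" ] && ! sha256sum -c "${kernel_tarball}.sha256"` runs the checksum only for release candidates, for which no `.sha256` file is generated above. A cached -rc tarball is therefore always removed, while a cached release tarball that fails its checksum is no longer removed and re-downloaded. The test should read `[ -z "${rc}" ]`, matching the other two `-z "${rc}"` branches in this change. The body of get_kernel starts and ends outside this hunk.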
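Review bot: With `if [ -z "${rc}" ]` around the final `sha256sum -c`, a release-candidate tarball reaches `tar xf` with no integrity check at all, and patch 4/8 lets its origin be any `-u` URL. Skipping is understandable because sha256sums.asc does not list -rc archives, but the build then trusts whatever the server returns. Pinning an expected digest for the -rc version next to its `url` in versions.yaml and checking it here with `sha256sum -c` would keep the download verified; failing the build when an -rc version has no pinned digest is the safer default. As far as the visible lines show, the `.sha256` file used for releases is itself extracted from sha256sums.asc without a signature check, which this hunk does not change.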
@@ -207,7 +207,7 @@ assets: kernel-dragonball-experimental: description: "Linux kernel with Dragonball VMM optimizations like upcall" - url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/" + url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/" version: "v6.1.62" externals: