diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml
index 115d8de43e..96cf1b2650 100644
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -43,6 +43,7 @@ jobs:
 - agent
 - busybox
 - cloud-hypervisor
+ - coco-guest-components
 - firecracker
 - kernel
 - kernel-debug
@@ -51,6 +52,7 @@ jobs:
 - kernel-cca-confidential
 - nydus
 - ovmf
+ - pause-image
 - qemu
 - virtiofsd
 env:
@@ -151,6 +153,7 @@ jobs:
 matrix:
 asset:
 - rootfs-image
+ - rootfs-image-confidential
 - rootfs-image-nvidia-gpu
 - rootfs-initrd
 steps:
@@ -216,7 +219,9 @@ jobs:
 matrix:
 asset:
 - busybox
+ - coco-guest-components
 - kernel-nvidia-gpu-modules
+ - pause-image
 steps:
 - uses: geekyeggo/delete-artifact@176a747ab7e287e3ff4787bf8a148716375ca118 # v6.0.0
 with:
@@ -288,6 +293,7 @@ jobs:
 ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 TARGET_BRANCH: ${{ inputs.target-branch }}
 RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+ MEASURED_ROOTFS: yes
 - name: store-artifact shim-v2
 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index 05dbfb052a..49d6f9611b 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -60,6 +60,7 @@ BASE_TARBALLS = serial-targets \
 shim-v2-tarball \
 virtiofsd-tarball
 BASE_SERIAL_TARBALLS = rootfs-image-tarball \
+ rootfs-image-confidential-tarball \
 rootfs-cca-confidential-image-tarball \
 rootfs-cca-confidential-initrd-tarball \
 rootfs-initrd-tarball
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index aa582672b6..73554e9132 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
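Review bot: The new `MEASURED_ROOTFS: yes` in the last workflow hunk is an unquoted YAML scalar, which YAML 1.1 tooling (linters, config loaders) reads as the boolean true rather than the string `yes`. The build scripts touched by this same commit set the variable to the literal strings `"yes"` and `"no"`, so a consumer that compares against `yes` would presumably treat any other spelling as measured rootfs disabled and produce an image without that integrity setting, with no build error. Quoting removes the ambiguity: `MEASURED_ROOTFS: "yes"`. The step this env block belongs to starts outside the hunk.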
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -710,7 +710,7 @@ install_kernel_helper() {
 DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" -f -u "${kernel_url}" "${extra_cmd}"
 }
-#Install kernel asset (on x86_64 and s390x built with -x for TEE/confidential; other arches without -x)
+#Install kernel asset (on x86_64, s390x, and aarch64 built with -x for TEE/confidential)
 install_kernel() {
 local extra_cmd=""
 case "${ARCH}" in
@@ -719,6 +719,11 @@ install_kernel() {
 export MEASURED_ROOTFS="no"
 extra_cmd="-x"
 ;;
+ aarch64)
+ export CONFIDENTIAL_GUEST="yes"
+ export MEASURED_ROOTFS="yes"
+ extra_cmd="-x"
+ ;;
 x86_64)
 export CONFIDENTIAL_GUEST="yes"
 export MEASURED_ROOTFS="yes"
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index 612353e5d5..97d3a6e5c3 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -578,8 +578,11 @@ install_kata() {
 if [[ ${gpu_vendor} != "" ]]; then
 suffix="-${gpu_vendor}-gpu${suffix}"
 elif [[ ${conf_guest} != "" ]]; then
- # CCA on aarch64 uses -confidential suffix; x86_64/s390x unified kernel does not
- if [[ "${arch_target}" == "aarch64" ]]; then
+ # CCA kernel on arm64 needs a -confidential suffix to coexist
+ # with the unified kernel; the regular kernel with -x does not
+ # get the suffix (matching x86_64/s390x unified kernel behavior).
+ # CCA builds are identified by -H (linux_headers) being set.
+ if [[ "${arch_target}" == "arm64" ]] && [[ -n "${linux_headers}" ]]; then
 suffix="-${conf_guest}${suffix}"
 fi
 fi
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index e702a30b33..6c412452bc 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-188
+189
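Review bot: The added `aarch64)` arm in install_kernel repeats, line for line, what is visible of the `x86_64)` arm directly below it (`export CONFIDENTIAL_GUEST="yes"`, `export MEASURED_ROOTFS="yes"`). Two copies of the confidential and measured-rootfs settings can drift apart on a later edit and leave one architecture building without them. If the rest of the x86_64 arm, which continues outside the hunk, is also `extra_cmd="-x"`, a single `aarch64|x86_64)` pattern would keep the two in lockstep. If the arms are meant to diverge later, a one-line comment saying why would help.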
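Review bot: The `-confidential` suffix in install_kata now depends on `[[ -n "${linux_headers}" ]]`, an option whose purpose is unrelated to CCA, so the installed kernel's file name is decided by a side signal. An arm64 `-x` build that also passes `-H` would be given the CCA name, and a CCA build that omits `-H` would be installed under the unified kernel's name without any error, so a guest could boot a kernel built from a different configuration than intended. An explicit CCA indicator set where the options are parsed (outside this hunk) would be more robust; failing that, the comment should name the caller that guarantees `-H` for CCA builds. The comparison also changed from `"aarch64"` to `"arm64"`, which is only right if `arch_target` is normalised before this point; that assignment is not in the hunk and is worth confirming.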