From caabd54b6e65d8fe69caf13ab426587371a800e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 30 Jun 2022 13:59:39 +0200 Subject: [PATCH 1/9] packaging: Allow building Cloud Hypervisor for CC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We're adding a new target for building Cloud Hypervisor for CC, but it's important to note that the only difference between this one and the "vanilla" build is the installation path. The reasons we're taking this approach are: * Cloud Hypervisor, for the `main` and `stable` branches, is already built with TDX support. * The first target for the CC release doesn't include TEE support. Fixes: #4566 Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 3 +++ .../local-build/kata-deploy-binaries.sh | 15 +++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 73204e106d..d9229b38dc 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -70,6 +70,9 @@ install-tarball: image: kata-tarball $(MK_DIR)kata-deploy-build-and-upload-image.sh $(CURDIR)/kata-static.tar.xz +cc-cloud-hypervisor-tarball: + ${MAKE} $@-build + cc-rootfs-image-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 7a29c40f08..41fba87929 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh 
@@ -85,6 +85,19 @@ EOF exit "${return_code}" } +# Install static CC cloud-hypervisor asset +install_cc_clh() { + if [[ "${ARCH}" == "x86_64" ]]; then + export features="tdx" + fi + + info "build static CC cloud-hypervisor" + "${clh_builder}" + info "Install static CC cloud-hypervisor" + mkdir -p "${destdir}/${cc_prefix}/bin/" + sudo install -D --owner root --group root --mode 0744 cloud-hypervisor/cloud-hypervisor "${destdir}/${cc_prefix}/bin/cloud-hypervisor" +} + #Install cc capable guest image install_cc_image() { info "Create CC image" @@ -200,6 +213,8 @@ handle_build() { install_virtiofsd ;; + cc-cloud-hypervisor) install_cc_clh ;; + cc-rootfs-image) install_cc_image ;; cc-shim-v2) install_cc_shimv2 ;; From c4cc16efcd946f225c6b010e5dd916f7fc86a326 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 30 Jun 2022 14:08:22 +0200 Subject: [PATCH 2/9] packaging: Allow building the Kernel for CC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We're adding a new target for building the Kernel for CC, but it's important to note that the only difference between this one and the "vanilla" build is the installation path. The reason we're taking this approach is because the first release target for CC doesn't include TEE support. Fixes: #4567 Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 3 +++ .../kata-deploy/local-build/kata-deploy-binaries.sh | 8 ++++++++ 2 files changed, 11 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index d9229b38dc..97a1a580e9 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -73,6 +73,9 @@ image: kata-tarball cc-cloud-hypervisor-tarball: ${MAKE} $@-build +cc-kernel-tarball: + ${MAKE} $@-build + cc-rootfs-image-tarball: ${MAKE} $@-build 
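Review bot: In `install_cc_clh`, `mkdir -p "${destdir}/${cc_prefix}/bin/"` runs as the invoking user, while the next line installs a root-owned binary into that directory with `sudo install -D --owner root --group root`. The directory holding the hypervisor can therefore end up owned by the build account, and if the tarball preserves ownership, a non-root user could replace the binary. `install -D` already creates the leading directories, so the `mkdir -p` line can be dropped or replaced with `sudo install -d --owner root --group root --mode 0755 "${destdir}/${cc_prefix}/bin"`. The same `mkdir -p` / `sudo install` pair is added in `install_cc_virtiofsd` (patch 4/9). `--mode 0744` makes the binary executable by its owner only; if that is intended, a short comment saying so would help the next reader.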
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 41fba87929..7bc556dbc6 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -108,6 +108,12 @@ install_cc_image() { "${rootfs_builder}" --imagetype=image --prefix="${cc_prefix}" --destdir="${destdir}" } +#Install CC kernel asset +install_cc_kernel() { + export kernel_version="$(yq r $versions_yaml assets.kernel.version)" + DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -f -v "${kernel_version}" +} + #Install all components that are not assets install_cc_shimv2() { GO_VERSION="$(yq r ${versions_yaml} languages.golang.meta.newest-version)" @@ -215,6 +221,8 @@ handle_build() { cc-cloud-hypervisor) install_cc_clh ;; + cc-kernel) install_cc_kernel ;; + cc-rootfs-image) install_cc_image ;; cc-shim-v2) install_cc_shimv2 ;; From b307531c29d951c18f993c41ff344721f6e42b89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 30 Jun 2022 14:16:36 +0200 Subject: [PATCH 3/9] packaging: Allow building QEMU for CC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We're adding a new target for building QEMU for CC, but it's important to note that the only difference between this one and the "vanilla" build is the installation path. The reason we're taking this approach is because the first release target for CC doesn't include TEE support. We had to also include a new builder for QEMU, a specific one for CC, as for now that's the easiest way to override the prefix in a way that we'll be easily able to expand the script to support TEE capable builds in the very near future. Fixes: #4568 
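Review bot: `export kernel_version="$(yq r $versions_yaml assets.kernel.version)"` in `install_cc_kernel` hides a failing `yq`, because the exit status of `export` replaces that of the command substitution. A missing or malformed versions file then yields an empty version, and `"${kernel_builder}" -f -v ""` still runs. Assign first, quote the path, check the value, then export: `kernel_version="$(yq r "${versions_yaml}" assets.kernel.version)"`, `[ -n "${kernel_version}" ] || die "failed to get kernel version"` (assuming `die` is in scope here, as it is in build-static-qemu-cc.sh), `export kernel_version`. `install_cc_qemu` (patch 3/9) uses the same `export name="$(yq …)"` form for `qemu_repo` and `qemu_version`, where an empty value silently makes build-static-qemu-cc.sh fall back to its own lookup. Whether errexit is enabled in this script is not visible in the hunk.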
Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/local-build/Makefile | 3 ++ .../local-build/kata-deploy-binaries.sh | 12 +++++++ .../static-build/qemu/build-static-qemu-cc.sh | 31 +++++++++++++++++++ 3 files changed, 46 insertions(+) create mode 100755 tools/packaging/static-build/qemu/build-static-qemu-cc.sh diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 97a1a580e9..ba9190db88 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -76,6 +76,9 @@ cc-cloud-hypervisor-tarball: cc-kernel-tarball: ${MAKE} $@-build +cc-qemu-tarball: + ${MAKE} $@-build + cc-rootfs-image-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 7bc556dbc6..743e066e9e 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -31,6 +31,7 @@ readonly virtiofsd_builder="${static_build_dir}/virtiofsd/build-static-virtiofsd readonly rootfs_builder="${repo_root_dir}/tools/packaging/guest-image/build_image.sh" readonly cc_prefix="/opt/confidential-containers" +readonly qemu_cc_builder="${static_build_dir}/qemu/build-static-qemu-cc.sh" ARCH=$(uname -m) @@ -114,6 +115,15 @@ install_cc_kernel() { DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -f -v "${kernel_version}" } +# Install static CC qemu asset +install_cc_qemu() { + info "build static CC qemu" + export qemu_repo="$(yq r $versions_yaml assets.hypervisor.qemu.url)" + export qemu_version="$(yq r $versions_yaml assets.hypervisor.qemu.version)" + "${qemu_cc_builder}" + tar xvf "${builddir}/kata-static-qemu-cc.tar.gz" -C "${destdir}" +} + #Install all components that are not assets install_cc_shimv2() { GO_VERSION="$(yq r ${versions_yaml} languages.golang.meta.newest-version)" 
@@ -223,6 +233,8 @@ handle_build() { cc-kernel) install_cc_kernel ;; + cc-qemu) install_cc_qemu ;; + cc-rootfs-image) install_cc_image ;; cc-shim-v2) install_cc_shimv2 ;; diff --git a/tools/packaging/static-build/qemu/build-static-qemu-cc.sh b/tools/packaging/static-build/qemu/build-static-qemu-cc.sh new file mode 100755 index 0000000000..44a4056d32 --- /dev/null +++ b/tools/packaging/static-build/qemu/build-static-qemu-cc.sh @@ -0,0 +1,31 @@ +#!/usr/bin/env bash +# +# Copyright (c) 2022 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +set -o errexit +set -o nounset +set -o pipefail + +script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + +source "${script_dir}/../../scripts/lib.sh" + +qemu_repo="${qemu_repo:-}" +qemu_version="${qemu_version:-}" + +export prefix="/opt/confidential-containers/" + +if [ -z "$qemu_repo" ]; then + info "Get qemu information from runtime versions.yaml" + qemu_url=$(get_from_kata_deps "assets.hypervisor.qemu.url") + [ -n "$qemu_url" ] || die "failed to get qemu url" + qemu_repo="${qemu_url}.git" +fi +[ -n "$qemu_repo" ] || die "failed to get qemu repo" + +[ -n "$qemu_version" ] || qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu.version") +[ -n "$qemu_version" ] || die "failed to get qemu version" + +"${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "" "kata-static-qemu-cc.tar.gz" From 186cec68891ed71fc99f15fcb890bcdb11b34049 Mon Sep 17 00:00:00 2001 
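Review bot: build-static-qemu-cc.sh takes `qemu_repo` and `qemu_version` from the environment and consults versions.yaml only when they are empty, so the caller's exports decide which source tree is built, and the script never records the choice. Logging the resolved values just before the final line, e.g. `info "Build qemu ${qemu_version} from ${qemu_repo}"`, would let the build log show the provenance of the resulting binary. The environment path passes the URL as given, while the fallback appends `.git`; a one-line comment stating which form `build-base-qemu.sh` expects would remove that ambiguity. `export prefix="/opt/confidential-containers/"` duplicates `cc_prefix` from kata-deploy-binaries.sh (defined there without the trailing slash), so a comment tying the two together would help keep them in sync.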
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 30 Jun 2022 15:12:53 +0200 Subject: [PATCH 4/9] packaging: Allow building virtiofsd for CC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We're adding a new target for building virtiofsd for CC, but it's important to note that the only difference between this one and the "vanilla" build is the installation path. Moreover, virtiofsd will **NOT** be used by the CC effort, but as the very first release target doesn't include TEE support, let's not force those who want to give it a try to setup devicemapper. Fixes: #4569 Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 3 +++ .../kata-deploy/local-build/kata-deploy-binaries.sh | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index ba9190db88..cd1f06f640 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -84,3 +84,6 @@ cc-rootfs-image-tarball: cc-shim-v2-tarball: ${MAKE} $@-build + +cc-virtiofsd-tarball: + ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 743e066e9e..50ef1572f3 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh 
@@ -132,6 +132,15 @@ install_cc_shimv2() { DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="DEFSERVICEOFFLOAD=true" "${shimv2_builder}" } +# Install static CC virtiofsd asset +install_cc_virtiofsd() { + info "build static CC virtiofsd" + "${virtiofsd_builder}" + info "Install static CC virtiofsd" + mkdir -p "${destdir}/${cc_prefix}/libexec/" + sudo install -D --owner root --group root --mode 0744 virtiofsd/virtiofsd "${destdir}/${cc_prefix}/libexec/virtiofsd" +} + #Install guest image install_image() { info "Create image" @@ -239,6 +248,8 @@ handle_build() { cc-shim-v2) install_cc_shimv2 ;; + cc-virtiofsd) install_cc_virtiofsd ;; + cloud-hypervisor) install_clh ;; firecracker) install_firecracker ;; From dc5f0c7d0c383d3c1439c07e47bed86fcd3fe74e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 30 Jun 2022 15:19:02 +0200 Subject: [PATCH 5/9] packaging: Add a `cc` target to build all the CC related tarballs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Quite similar to the `all` target, let's add a `cc` target so we can build all the CC related tarballs. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index cd1f06f640..758defcb6c 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -70,6 +70,13 @@ install-tarball: image: kata-tarball $(MK_DIR)kata-deploy-build-and-upload-image.sh $(CURDIR)/kata-static.tar.xz +cc: cc-cloud-hypervisor-tarball \ + cc-kernel-tarball \ + cc-qemu-tarball \ + cc-rootfs-image-tarball \ + cc-shim-v2-tarball \ + cc-virtiofsd-tarball + cc-cloud-hypervisor-tarball: ${MAKE} $@-build From 226abc4a474150ed259c831f3e96e0049b805099 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 30 Jun 2022 15:35:28 +0200 Subject: [PATCH 6/9] packaging: Add a `cc-parallel` target to build cc related tarballs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Quite similar to the `all-parallel` target, let's add a `cc-parallel` target so we can build all the CC related tarballs in parallel. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 758defcb6c..1cd7d50dcc 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -70,6 +70,9 @@ install-tarball: image: kata-tarball $(MK_DIR)kata-deploy-build-and-upload-image.sh $(CURDIR)/kata-static.tar.xz +cc-parallel: $(MK_DIR)/dockerbuild/install_yq.sh + ${MAKE} -f $(MK_PATH) cc -j$$(( $$(nproc) - 1 )) V= + cc: cc-cloud-hypervisor-tarball \ cc-kernel-tarball \ cc-qemu-tarball \ From 1ba29c3e0ca2ae9c754d9ddffbf9249e7340f9df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 30 Jun 2022 16:51:08 +0200 Subject: [PATCH 7/9] packaging: Add a `cc-tarball` target to build cc related tarballs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Quite similar to the `kata-tarball` target, let's add a `cc-tarball` target so we can build all the CC related tarballs in a single command, with all the tarballs being merged together in the end. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 1cd7d50dcc..d54ba7c127 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile 
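Review bot: `-j$$(( $$(nproc) - 1 ))` in the `cc-parallel` recipe evaluates to `-j0` on a single-CPU builder, and GNU make rejects a job count that is not positive. Clamp the value, for example `-j$$(( $$(nproc) > 1 ? $$(nproc) - 1 : 1 ))`. The commit message says this mirrors `all-parallel`, which is outside the hunk and presumably needs the same clamp.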
@@ -70,6 +70,8 @@ install-tarball: image: kata-tarball $(MK_DIR)kata-deploy-build-and-upload-image.sh $(CURDIR)/kata-static.tar.xz +cc-tarball: | cc-parallel merge-builds + cc-parallel: $(MK_DIR)/dockerbuild/install_yq.sh ${MAKE} -f $(MK_PATH) cc -j$$(( $$(nproc) - 1 )) V= From 07bdf75913563efad2f9829c5c8c019704b29538 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 30 Jun 2022 19:00:51 +0200 Subject: [PATCH 8/9] packaging: Add a `cc` option for kata-deploy-binaries.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Similar to what we have with the `all` option, let's also add a `cc` one, allowing others to easily call the script and build all the `cc` related components. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/local-build/kata-deploy-binaries.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 50ef1572f3..21460872f0 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -238,6 +238,15 @@ handle_build() { install_virtiofsd ;; + cc) + install_cc_clh + install_cc_kernel + install_cc_qemu + install_cc_image + install_cc_shimv2 + install_cc_virtiofsd + ;; + cc-cloud-hypervisor) install_cc_clh ;; cc-kernel) install_cc_kernel ;; From 097fe823e5432b81478d63c6c4fe64ae159fafc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 30 Jun 2022 19:02:06 +0200 Subject: [PATCH 9/9] packaging: Show the new options of kata-deploy-binaries.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We've added a bunch of new options related to Confidential Containers builds as part of the kata-deploy-binaries.sh. Let's make sure those are displayed to the users of the script when it's called with --help. 
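Review bot: `cc-tarball: | cc-parallel merge-builds` lists both targets as order-only prerequisites, which does not order them relative to each other. A serial make builds them in the listed order, but under `make -j` `merge-builds` may start while `cc-parallel` is still producing tarballs, so the merged archive could be incomplete. Running them from the recipe makes the order explicit: `cc-tarball:` followed by the recipe lines `${MAKE} -f $(MK_PATH) cc-parallel` and `${MAKE} -f $(MK_PATH) merge-builds`. The definition of `merge-builds` is outside this hunk, so its own prerequisites could not be checked.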
Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/local-build/kata-deploy-binaries.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 21460872f0..84f90e4093 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -81,6 +81,13 @@ options: rootfs-initrd shim-v2 virtiofsd + cc + cc-cloud-hypervisor + cc-kernel + cc-qemu + cc-rootfs-image + cc-shimv2 + cc-virtiofsd EOF exit "${return_code}"
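Review bot: The help text added here lists `cc-shimv2`, but the case label in `handle_build` is `cc-shim-v2` (visible as context in the earlier patches of this series) and the Makefile target is `cc-shim-v2-tarball`. An option copied from `--help` would therefore match no case. Change the entry to `cc-shim-v2`. The hunk sits inside a heredoc that starts outside the visible lines.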