build: Add "confidential" kernel

We're using a Kernel based on v6.7, which should include all te patches needed for SEV / SNP / TDX. By doing this, later on, we'll be able to stop building the specific kernel for each one of the targets we have for the TEEs. Let's note that we've introduced the "confidential" target for the kernel builder script, while the TEE specific builds are being kept as they're -- at least for now. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2025-04-27 11:31:05 +00:00 · 2024-01-08 13:11:42 -03:00 · 2024-01-08 13:11:42 -03:00 · 8b2f43a2c2
commit 8b2f43a2c2
parent 379e2f3da2
10 changed files with 37 additions and 8 deletions
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@ -35,6 +35,7 @@ jobs:
          - firecracker
          - kata-ctl
          - kernel
+          - kernel-confidential
          - kernel-sev
          - kernel-dragonball-experimental
          - kernel-tdx-experimental
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@ -20,6 +20,7 @@ endif
 ifeq ($(ARCH), x86_64)
 BASE_TARBALLS = serial-targets \
 	firecracker-tarball \
+	kernel-confidential-tarball \
 	kernel-dragonball-experimental-tarball \
 	kernel-nvidia-gpu-tarball \
 	kernel-nvidia-gpu-snp-tarball \
@ -110,6 +111,9 @@ kernel-nvidia-gpu-tdx-experimental-tarball:
 kernel-tarball:
 	${MAKE} $@-build

+kernel-confidential-tarball:
+	${MAKE} $@-build
+
 kernel-tdx-experimental-tarball:
 	${MAKE} $@-build

--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@ -92,6 +92,7 @@ options:
 	firecracker
 	kata-ctl
 	kernel
+	kernel-confidential
 	kernel-dragonball-experimental
 	kernel-experimental
 	kernel-nvidia-gpu
@ -280,7 +281,7 @@ install_cached_kernel_tarball_component() {
 		"${final_tarball_path}" \
 		|| return 1
 	
-	if [[ "${kernel_name}" != "kernel-sev" ]]; then
+	if [[ "${kernel_name}" != "kernel-sev" ]] && [[ "${kernel_name}" != "kernel-confidential" ]]; then
 		return 0
 	fi

@ -289,13 +290,13 @@ install_cached_kernel_tarball_component() {
 		"${kernel_name}" \
 		"${latest_artefact}" \
 		"${latest_builder_image}" \
-		"kata-static-kernel-sev-modules.tar.xz" \
-		"${workdir}/kata-static-kernel-sev-modules.tar.xz" \
+		"kata-static-${kernel_name}-modules.tar.xz" \
+		"${workdir}/kata-static-${kernel_name}-modules.tar.xz" \
 		|| return 1

 	if [[ -n "${module_dir}" ]]; then
 		mkdir -p "${module_dir}"
-		tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C  "${module_dir}" && return 0
+		tar xvf "${workdir}/kata-static-${kernel_name}-modules.tar.xz" -C  "${module_dir}" && return 0
 	fi

 	return 1
@ -315,6 +316,10 @@ install_kernel_helper() {
 		kernel_version="$(get_from_kata_deps assets.kernel.sev.version)"
 		default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
 		module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
+	elif [[ "${kernel_name}" == "kernel-confidential" ]]; then
+		kernel_version="$(get_from_kata_deps assets.kernel.confidential.version)"
+		default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
+		module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-confidential/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
 	fi

 	install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0
@ -332,6 +337,15 @@ install_kernel() {
 		"-f"
 }

+install_kernel_confidential() {
+	local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"
+
+	install_kernel_helper \
+		"assets.kernel.confidential.version" \
+		"kernel" \
+		"-x confidential -u ${kernel_url}"
+}
+
 install_kernel_dragonball_experimental() {
 	install_kernel_helper \
 		"assets.kernel-dragonball-experimental.version" \
@ -741,6 +755,7 @@ handle_build() {
 		install_initrd_sev
 		install_kata_ctl
 		install_kernel
+		install_kernel_confidential
 		install_kernel_dragonball_experimental
 		install_kernel_tdx_experimental
 		install_log_parser_rs
@ -776,6 +791,8 @@ handle_build() {

 	kernel) install_kernel ;;

+	kernel-confidential) install_kernel_confidential ;;
+
 	kernel-dragonball-experimental) install_kernel_dragonball_experimental ;;

 	kernel-nvidia-gpu) install_kernel_nvidia_gpu ;;
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@ -110,7 +110,7 @@ Options:
 	-t <hypervisor>	: Hypervisor_target.
 	-u <url>	: Kernel URL to be used to download the kernel tarball.
 	-v <version>	: Kernel version to use if kernel path not provided.
-	-x <type>	: Confidential guest protection type, such as sev, snp and tdx
+	-x <type>	: Confidential guest protection type, such as sev, snp, tdx, or "confidential" (for all of those).
 EOF
 	exit "$exit_code"
 }
@ -457,7 +457,7 @@ build_kernel() {
 	arch_target=$(arch_to_kernel "${arch_target}")
 	pushd "${kernel_path}" >>/dev/null
 	make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG}
-	if [ "${conf_guest}" == "sev" ]; then
+	if [ "${conf_guest}" == "sev" ] || [ "${conf_guest}" == "confidential" ]; then
 		make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install
 	fi
 	[ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ])
@ -603,7 +603,7 @@ main() {
 			x)
 				conf_guest="${OPTARG}"
 				case "$conf_guest" in
-					sev|snp|tdx) ;;
+					confidential|sev|snp|tdx) ;;
 					*) die "Confidential guest type '$conf_guest' not supported" ;;
 				esac
 				;;
--- a/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
@ -0,0 +1 @@
+../sev/sev.conf
--- a/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
@ -0,0 +1 @@
+../snp/snp.conf
--- a/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
@ -0,0 +1 @@
+../tdx/tdx.conf
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@ -1 +1 @@
-120
+121
--- a/tools/packaging/kernel/patches/6.7.x/no_patches.txt
+++ b/tools/packaging/kernel/patches/6.7.x/no_patches.txt
--- a/versions.yaml
+++ b/versions.yaml
@ -170,6 +170,10 @@ assets:
    description: "Linux kernel optimised for virtual machines"
    url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
    version: "v6.1.62"
+    confidential:
+      description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support"
+      url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
+      version: "v6.7"
    sev:
      description: "Linux kernel that supports SEV and SNP"
      url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"