diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index 41ca2cc8b3..a58ebb0886 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -35,6 +35,7 @@ jobs:
           - firecracker
           - kata-ctl
           - kernel
+          - kernel-confidential
           - kernel-sev
           - kernel-dragonball-experimental
           - kernel-tdx-experimental
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index b2de80dac2..21ad3626df 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -20,6 +20,7 @@ endif
 ifeq ($(ARCH), x86_64)
 BASE_TARBALLS = serial-targets \
 	firecracker-tarball \
+	kernel-confidential-tarball \
 	kernel-dragonball-experimental-tarball \
 	kernel-nvidia-gpu-tarball \
 	kernel-nvidia-gpu-snp-tarball \
@@ -110,6 +111,9 @@ kernel-nvidia-gpu-tdx-experimental-tarball:
 kernel-tarball:
 	${MAKE} $@-build
 
+kernel-confidential-tarball:
+	${MAKE} $@-build
+
 kernel-tdx-experimental-tarball:
 	${MAKE} $@-build
 
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index f02302907d..8f0c2dd634 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -92,6 +92,7 @@ options:
 	firecracker
 	kata-ctl
 	kernel
+	kernel-confidential
 	kernel-dragonball-experimental
 	kernel-experimental
 	kernel-nvidia-gpu
@@ -280,7 +281,7 @@ install_cached_kernel_tarball_component() {
 		"${final_tarball_path}" \
 		|| return 1
 	
-	if [[ "${kernel_name}" != "kernel-sev" ]]; then
+	if [[ "${kernel_name}" != "kernel-sev" ]] && [[ "${kernel_name}" != "kernel-confidential" ]]; then
 		return 0
 	fi
 
@@ -289,13 +290,13 @@ install_cached_kernel_tarball_component() {
 		"${kernel_name}" \
 		"${latest_artefact}" \
 		"${latest_builder_image}" \
-		"kata-static-kernel-sev-modules.tar.xz" \
-		"${workdir}/kata-static-kernel-sev-modules.tar.xz" \
+		"kata-static-${kernel_name}-modules.tar.xz" \
+		"${workdir}/kata-static-${kernel_name}-modules.tar.xz" \
 		|| return 1
 
 	if [[ -n "${module_dir}" ]]; then
 		mkdir -p "${module_dir}"
-		tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C  "${module_dir}" && return 0
+		tar xvf "${workdir}/kata-static-${kernel_name}-modules.tar.xz" -C  "${module_dir}" && return 0
 	fi
 
 	return 1
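Review bot: The modules archive name is now derived from `kernel_name`, but nothing in this diff shows the step that builds and publishes `kata-static-kernel-confidential-modules.tar.xz` to the cache. If only the sev-named archive is published today, the second `install_cached_tarball_component` call will hit `|| return 1` for `kernel-confidential` on every run and the cached path will never be used. The contents of this archive end up as kernel modules for confidential guests, so confirm the producer exists and that the archive gets the same integrity check as the kernel tarball. A comment above the call would help, for example `# modules archive is published next to the kernel tarball; the name must match the producer`. The function starts outside this hunk, so the earlier part of the cache lookup was not reviewed.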
@@ -315,6 +316,10 @@ install_kernel_helper() {
 		kernel_version="$(get_from_kata_deps assets.kernel.sev.version)"
 		default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
 		module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
+	elif [[ "${kernel_name}" == "kernel-confidential" ]]; then
+		kernel_version="$(get_from_kata_deps assets.kernel.confidential.version)"
+		default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
+		module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-confidential/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
 	fi
 
 	install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0
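Review bot: The new `kernel-confidential` branch builds `module_dir` as `.../lib/modules/${kernel_version#v}`, which with the `v6.7` pin in versions.yaml gives `lib/modules/6.7`. `modules_install` places modules under the kernel release string, which for a base `X.Y` release normally carries a trailing `.0` and any configured local version suffix, so this path may not match what the build produces. The pattern was copied from the `kernel-sev` branch, where the pinned version presumably already has three components. Confirm the directory against `make -s kernelrelease` in the built tree, or derive it from that instead of from `kernel_version`. The branch also duplicates the sev one except for the name, and `${module_dir}` is passed unquoted on the call below; `install_kernel_helper` begins outside this hunk.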
@@ -332,6 +337,15 @@ install_kernel() {
 		"-f"
 }
 
+install_kernel_confidential() {
+	local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"
+
+	install_kernel_helper \
+		"assets.kernel.confidential.version" \
+		"kernel" \
+		"-x confidential -u ${kernel_url}"
+}
+
 install_kernel_dragonball_experimental() {
 	install_kernel_helper \
 		"assets.kernel-dragonball-experimental.version" \
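Review bot: In `install_kernel_confidential`, `local kernel_url="$(get_from_kata_deps ...)"` discards the exit status of `get_from_kata_deps`, because `local` itself returns 0. If the lookup fails or the key is missing, the option string becomes `-x confidential -u ` and the helper is presumably invoked with a `-u` that has no value, instead of stopping here. Declare and assign separately and check the result: `local kernel_url`, then `kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)" || return 1`, then `[[ -n "${kernel_url}" ]] || return 1`. This URL decides where the kernel source for confidential guests is downloaded from, so the function should fail closed when it cannot be resolved.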
@@ -741,6 +755,7 @@ handle_build() {
 		install_initrd_sev
 		install_kata_ctl
 		install_kernel
+		install_kernel_confidential
 		install_kernel_dragonball_experimental
 		install_kernel_tdx_experimental
 		install_log_parser_rs
@@ -776,6 +791,8 @@ handle_build() {
 
 	kernel) install_kernel ;;
 
+	kernel-confidential) install_kernel_confidential ;;
+
 	kernel-dragonball-experimental) install_kernel_dragonball_experimental ;;
 
 	kernel-nvidia-gpu) install_kernel_nvidia_gpu ;;
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index f1d1bb62c2..05cd63399f 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -110,7 +110,7 @@ Options:
 	-t <hypervisor>	: Hypervisor_target.
 	-u <url>	: Kernel URL to be used to download the kernel tarball.
 	-v <version>	: Kernel version to use if kernel path not provided.
-	-x <type>	: Confidential guest protection type, such as sev, snp and tdx
+	-x <type>	: Confidential guest protection type, such as sev, snp, tdx, or "confidential" (for all of those).
 EOF
 	exit "$exit_code"
 }
@@ -457,7 +457,7 @@ build_kernel() {
 	arch_target=$(arch_to_kernel "${arch_target}")
 	pushd "${kernel_path}" >>/dev/null
 	make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG}
-	if [ "${conf_guest}" == "sev" ]; then
+	if [ "${conf_guest}" == "sev" ] || [ "${conf_guest}" == "confidential" ]; then
 		make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install
 	fi
 	[ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ])
@@ -603,7 +603,7 @@ main() {
 			x)
 				conf_guest="${OPTARG}"
 				case "$conf_guest" in
-					sev|snp|tdx) ;;
+					confidential|sev|snp|tdx) ;;
 					*) die "Confidential guest type '$conf_guest' not supported" ;;
 				esac
 				;;
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
new file mode 120000
index 0000000000..9dda7d6ead
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
@@ -0,0 +1 @@
+../sev/sev.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
new file mode 120000
index 0000000000..83464ffe3b
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
@@ -0,0 +1 @@
+../snp/snp.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
new file mode 120000
index 0000000000..f4f9ffeb3e
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
@@ -0,0 +1 @@
+../tdx/tdx.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index 52bd8e43af..9289ddcee3 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-120
+121
diff --git a/tools/packaging/kernel/patches/6.7.x/no_patches.txt b/tools/packaging/kernel/patches/6.7.x/no_patches.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/versions.yaml b/versions.yaml
index dcc308e8b0..564e42de03 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -170,6 +170,10 @@ assets:
     description: "Linux kernel optimised for virtual machines"
     url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
     version: "v6.1.62"
+    confidential:
+      description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support"
+      url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
+      version: "v6.7"
     sev:
       description: "Linux kernel that supports SEV and SNP"
       url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
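Review bot: The new `confidential` asset pins `version: "v6.7"`, the base release of that series, so the kernel for SEV, SNP and TDX guests is built without any stable point-release fixes. The empty `patches/6.7.x/no_patches.txt` added in this commit means none are backported locally either. Consider pinning a stable point release of the series, or record the choice next to the entry, for example `# base release; move to the latest stable point release on the next bump`. Nothing in this diff shows how the tarball fetched from `url` is verified, so confirm that whatever integrity check the build applies to the other kernel tarballs also covers this asset.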