build: Add "confidential" kernel

We're using a Kernel based on v6.7, which should include all the
patches needed for SEV / SNP / TDX.

By doing this, later on, we'll be able to stop building the specific
kernel for each one of the targets we have for the TEEs.

Let's note that we've introduced the "confidential" target for the
kernel builder script, while the TEE specific builds are being kept as
they're -- at least for now.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Fabiano Fidêncio 2024-01-08 13:11:42 -03:00
parent 379e2f3da2
commit 8b2f43a2c2
10 changed files with 37 additions and 8 deletions


@ -35,6 +35,7 @@ jobs:
- firecracker - firecracker
- kata-ctl - kata-ctl
- kernel - kernel
- kernel-confidential
- kernel-sev - kernel-sev
- kernel-dragonball-experimental - kernel-dragonball-experimental
- kernel-tdx-experimental - kernel-tdx-experimental


@ -20,6 +20,7 @@ endif
ifeq ($(ARCH), x86_64) ifeq ($(ARCH), x86_64)
BASE_TARBALLS = serial-targets \ BASE_TARBALLS = serial-targets \
firecracker-tarball \ firecracker-tarball \
kernel-confidential-tarball \
kernel-dragonball-experimental-tarball \ kernel-dragonball-experimental-tarball \
kernel-nvidia-gpu-tarball \ kernel-nvidia-gpu-tarball \
kernel-nvidia-gpu-snp-tarball \ kernel-nvidia-gpu-snp-tarball \
@ -110,6 +111,9 @@ kernel-nvidia-gpu-tdx-experimental-tarball:
kernel-tarball: kernel-tarball:
${MAKE} $@-build ${MAKE} $@-build
kernel-confidential-tarball:
${MAKE} $@-build
kernel-tdx-experimental-tarball: kernel-tdx-experimental-tarball:
${MAKE} $@-build ${MAKE} $@-build
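Review bot: `kernel-confidential-tarball` is a command-style target (its whole recipe is the recursive `${MAKE} $@-build`), so if this Makefile declares its sibling `*-tarball` targets in a `.PHONY:` list, the new name needs adding there as well; otherwise a stray file called `kernel-confidential-tarball` would make the target look up to date and silently skip the build. That `.PHONY` line, if it exists, is outside both hunks. The `BASE_TARBALLS` addition in the first hunk sits inside `ifeq ($(ARCH), x86_64)`, which is consistent with the x86_64-only wording used for the new versions.yaml entry.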


@ -92,6 +92,7 @@ options:
firecracker firecracker
kata-ctl kata-ctl
kernel kernel
kernel-confidential
kernel-dragonball-experimental kernel-dragonball-experimental
kernel-experimental kernel-experimental
kernel-nvidia-gpu kernel-nvidia-gpu
@ -280,7 +281,7 @@ install_cached_kernel_tarball_component() {
"${final_tarball_path}" \ "${final_tarball_path}" \
|| return 1 || return 1
if [[ "${kernel_name}" != "kernel-sev" ]]; then if [[ "${kernel_name}" != "kernel-sev" ]] && [[ "${kernel_name}" != "kernel-confidential" ]]; then
return 0 return 0
fi fi
@ -289,13 +290,13 @@ install_cached_kernel_tarball_component() {
"${kernel_name}" \ "${kernel_name}" \
"${latest_artefact}" \ "${latest_artefact}" \
"${latest_builder_image}" \ "${latest_builder_image}" \
"kata-static-kernel-sev-modules.tar.xz" \ "kata-static-${kernel_name}-modules.tar.xz" \
"${workdir}/kata-static-kernel-sev-modules.tar.xz" \ "${workdir}/kata-static-${kernel_name}-modules.tar.xz" \
|| return 1 || return 1
if [[ -n "${module_dir}" ]]; then if [[ -n "${module_dir}" ]]; then
mkdir -p "${module_dir}" mkdir -p "${module_dir}"
tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C "${module_dir}" && return 0 tar xvf "${workdir}/kata-static-${kernel_name}-modules.tar.xz" -C "${module_dir}" && return 0
fi fi
return 1 return 1
@ -315,6 +316,10 @@ install_kernel_helper() {
kernel_version="$(get_from_kata_deps assets.kernel.sev.version)" kernel_version="$(get_from_kata_deps assets.kernel.sev.version)"
default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches" default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}" module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
elif [[ "${kernel_name}" == "kernel-confidential" ]]; then
kernel_version="$(get_from_kata_deps assets.kernel.confidential.version)"
default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-confidential/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
fi fi
install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0 install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0
@ -332,6 +337,15 @@ install_kernel() {
"-f" "-f"
} }
install_kernel_confidential() {
local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"
install_kernel_helper \
"assets.kernel.confidential.version" \
"kernel" \
"-x confidential -u ${kernel_url}"
}
install_kernel_dragonball_experimental() { install_kernel_dragonball_experimental() {
install_kernel_helper \ install_kernel_helper \
"assets.kernel-dragonball-experimental.version" \ "assets.kernel-dragonball-experimental.version" \
@ -741,6 +755,7 @@ handle_build() {
install_initrd_sev install_initrd_sev
install_kata_ctl install_kata_ctl
install_kernel install_kernel
install_kernel_confidential
install_kernel_dragonball_experimental install_kernel_dragonball_experimental
install_kernel_tdx_experimental install_kernel_tdx_experimental
install_log_parser_rs install_log_parser_rs
@ -776,6 +791,8 @@ handle_build() {
kernel) install_kernel ;; kernel) install_kernel ;;
kernel-confidential) install_kernel_confidential ;;
kernel-dragonball-experimental) install_kernel_dragonball_experimental ;; kernel-dragonball-experimental) install_kernel_dragonball_experimental ;;
kernel-nvidia-gpu) install_kernel_nvidia_gpu ;; kernel-nvidia-gpu) install_kernel_nvidia_gpu ;;
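Review bot: `install_kernel_confidential` passes `"kernel"` as the second argument to `install_kernel_helper`, yet the new `elif` branch in `install_kernel_helper` (the `@ -315,6 +316,10` hunk) keys on `"${kernel_name}" == "kernel-confidential"`, and `install_cached_kernel_tarball_component` only fetches and extracts the modules tarball for that name; if the second argument is what the helper binds to `kernel_name` — its signature is outside the hunk, but the `kernel-sev` branch and the `install_cached_kernel_tarball_component ${kernel_name} ${module_dir}` call point that way — the confidential branch is never taken, `module_dir` stays empty and no modules are installed. The call should read `"kernel-confidential" \`. The new branch otherwise repeats the `kernel-sev` one verbatim apart from the name, so one branch covering both names with `${kernel_name}` in the `module_dir` path would keep them from drifting. `local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"` also hides a non-zero exit from `get_from_kata_deps` behind `local` (ShellCheck SC2155); declaring and assigning on separate lines preserves it.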


@ -110,7 +110,7 @@ Options:
-t <hypervisor> : Hypervisor_target. -t <hypervisor> : Hypervisor_target.
-u <url> : Kernel URL to be used to download the kernel tarball. -u <url> : Kernel URL to be used to download the kernel tarball.
-v <version> : Kernel version to use if kernel path not provided. -v <version> : Kernel version to use if kernel path not provided.
-x <type> : Confidential guest protection type, such as sev, snp and tdx -x <type> : Confidential guest protection type, such as sev, snp, tdx, or "confidential" (for all of those).
EOF EOF
exit "$exit_code" exit "$exit_code"
} }
@ -457,7 +457,7 @@ build_kernel() {
arch_target=$(arch_to_kernel "${arch_target}") arch_target=$(arch_to_kernel "${arch_target}")
pushd "${kernel_path}" >>/dev/null pushd "${kernel_path}" >>/dev/null
make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG} make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG}
if [ "${conf_guest}" == "sev" ]; then if [ "${conf_guest}" == "sev" ] || [ "${conf_guest}" == "confidential" ]; then
make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install
fi fi
[ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ]) [ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ])
@ -603,7 +603,7 @@ main() {
x) x)
conf_guest="${OPTARG}" conf_guest="${OPTARG}"
case "$conf_guest" in case "$conf_guest" in
sev|snp|tdx) ;; confidential|sev|snp|tdx) ;;
*) die "Confidential guest type '$conf_guest' not supported" ;; *) die "Confidential guest type '$conf_guest' not supported" ;;
esac esac
;; ;;
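Review bot: The `-x` help text now says `confidential` is "for all of those", but the only behaviour this file ties to it in the hunk is the extra `modules_install` it shares with `sev`; which config fragments `confidential` pulls in is decided elsewhere (presumably via the three new one-line files in this commit that point at `../sev/sev.conf`, `../snp/snp.conf` and `../tdx/tdx.conf`), so the help line could state that: `-x <type> : Confidential guest protection type: sev, snp, tdx, or "confidential" (one kernel built with the sev, snp and tdx fragments combined)`. The `modules_install` guard has become an `||` chain of `[ "${conf_guest}" == ... ]` tests; a `case "${conf_guest}" in sev|confidential) ... ;; esac` would read more directly if further types are added. `build_kernel` begins and ends outside the hunk.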


@ -0,0 +1 @@
../sev/sev.conf


@ -0,0 +1 @@
../snp/snp.conf


@ -0,0 +1 @@
../tdx/tdx.conf


@ -1 +1 @@
120 121


@ -170,6 +170,10 @@ assets:
description: "Linux kernel optimised for virtual machines" description: "Linux kernel optimised for virtual machines"
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/" url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
version: "v6.1.62" version: "v6.1.62"
confidential:
description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support"
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
version: "v6.7"
sev: sev:
description: "Linux kernel that supports SEV and SNP" description: "Linux kernel that supports SEV and SNP"
url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/" url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
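Review bot: The new `confidential` entry pins `version: "v6.7"`, the bare mainline tag, whereas the neighbouring `kernel` entry pins a stable point release (`v6.1.62`); once v6.7.y stable releases exist this entry should track one so that backported fixes, security ones included, reach the TEE guest kernel rather than staying at the initial tag. A short comment above the entry would record that intent, e.g. `# Single x86_64 kernel covering SEV, SNP and TDX; move to a v6.7.y stable release when one is available`. The commit message's "should include all the patches" is not checkable from the entry itself; naming the SEV/SNP/TDX series the tag is expected to carry, in that comment, would make it so.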