From 2a59505df590769ec28b582b5a9770d4ba92791d Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Wed, 30 Jul 2025 11:56:50 +0300 Subject: [PATCH] versions: update kernel-confidential to Linux v6.16 Linux v6.16 brings some useful features for the confidential guests. Most importantly, it adds an ABI to extend runtime measurement registers (RTMR) for the TEE platforms supporting it. This is currently enabled on Intel TDX only. The kernel version bump from v6.12.x to v6.16 forces some CONFIG_* changes too: MEMORY_HOTPLUG_DEFAULT_ONLINE was dropped in favor of more config choices. The equivalent option is MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO. X86_5LEVEL was made unconditional. Since this was only a TDX configuration, dropping it completely as part of v6.16 is fine. CRYPTO_NULL2 was merged with CRYPTO_NULL. This was only added in confidential guest fragments (cryptsetup) so we can drop it in this update. CRYPTO_FIPS now depends on CRYPTO_SELFTESTS which further depends on EXPERT which we don't have. Enable both in a separate config fragment for confidential guests. This can be moved to a common setting once other targets bump to post v6.16. CRYPTO_SHA256_SSE3 arch optimizations were reworked and are now enabled by default. Instead of adding it to whitelist.conf, just drop it completely since it was only enabled as part of "measured boot" feature for confidential guests. 
Signed-off-by: Mikko Ylinen
---
 .../common/confidential_containers/cryptsetup.conf | 1 -
 .../packaging/kernel/configs/fragments/common/hotplug.conf | 3 +++
 tools/packaging/kernel/configs/fragments/whitelist.conf | 2 ++
 .../kernel/configs/fragments/x86_64/confidential/fips.conf | 7 +++++++
 .../packaging/kernel/configs/fragments/x86_64/crypto.conf | 1 -
 .../packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf | 1 -
 tools/packaging/kernel/kata_config_version | 2 +-
 tools/packaging/kernel/patches/6.16.x/no_patches.txt | 0
 versions.yaml | 2 +-
 9 files changed, 14 insertions(+), 5 deletions(-)
 create mode 100644 tools/packaging/kernel/configs/fragments/x86_64/confidential/fips.conf
 create mode 100644 tools/packaging/kernel/patches/6.16.x/no_patches.txt
diff --git a/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf b/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf
index a3e04e9b17..dae3142f1b 100644
--- a/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf
+++ b/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf
@@ -12,7 +12,6 @@ CONFIG_CRYPTO_MANAGER=y
 CONFIG_CRYPTO_MANAGER2=y
 CONFIG_CRYPTO_USER=y
 CONFIG_CRYPTO_NULL=y
-CONFIG_CRYPTO_NULL2=y
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_AUTHENC=y
 CONFIG_CRYPTO_CBC=y
diff --git a/tools/packaging/kernel/configs/fragments/common/hotplug.conf b/tools/packaging/kernel/configs/fragments/common/hotplug.conf
index af84a24d72..c179970316 100644
--- a/tools/packaging/kernel/configs/fragments/common/hotplug.conf
+++ b/tools/packaging/kernel/configs/fragments/common/hotplug.conf
@@ -9,3 +9,6 @@ CONFIG_PCIEPORTBUS=y
 # Define hotplugs to be online immediately. Speeds things up, and makes things
 # work smoother on some arch's.
 CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
+
+# Linux v6.14+ dropped MEMORY_HOTPLUG_DEFAULT_ONLINE. The equivalent is:
+CONFIG_MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO=y
diff --git a/tools/packaging/kernel/configs/fragments/whitelist.conf b/tools/packaging/kernel/configs/fragments/whitelist.conf
index 2ddf89e98c..195ac78154 100644
--- a/tools/packaging/kernel/configs/fragments/whitelist.conf
+++ b/tools/packaging/kernel/configs/fragments/whitelist.conf
@@ -39,3 +39,5 @@ CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
 CONFIG_VFIO_AP
 CONFIG_VFIO_MDEV
 CONFIG_BLK_DEV_WRITE_MOUNTED
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE
+CONFIG_MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/fips.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/fips.conf
new file mode 100644
index 0000000000..d3985544c1
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/fips.conf
@@ -0,0 +1,7 @@
+# To keep CRYPTO_FIPS enabled, the following dependencies
+# are needed. This is done for confidential guest build
+# target only since it's needed by v6.16+ kernels. Move
+# to a common fragment once non-confidential guest kernels
+# follow.
+CONFIG_CRYPTO_SELFTESTS=y
+CONFIG_EXPERT=y
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf b/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf
index 5cd7070f3b..a7d97ca5de 100644
--- a/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf
+++ b/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf
@@ -1,3 +1,2 @@
 # x86 cryptographic instructions to improve AES encryption and SHA256 hashing.
-CONFIG_CRYPTO_SHA256_SSSE3=y
 CONFIG_CRYPTO_AES_NI_INTEL=y
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf b/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf
index b0b4dfa10e..c7c0e7ca29 100644
--- a/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf
+++ b/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf
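Review bot: Adding CONFIG_MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO to the whitelist next to the legacy CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE means the post-merge config check no longer verifies that either memory-onlining default reached the final .config, assuming whitelist.conf is the list of fragment options allowed to go missing, which is what this change implies. A v6.16 build whose MHP choice is silently overridden by a later fragment or an unmet dependency would then pass while hotplugged memory stays offline, exactly the regression the check exists to catch. Both entries are unavoidable while common/hotplug.conf has to serve the v6.12 and v6.16 kernels at once, so record the intent and the removal trigger where the file format permits a comment, e.g. `# hotplug.conf carries both symbols until every kernel target is on v6.14+; drop CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE and this entry then`, and have the confidential build assert `CONFIG_MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO=y` in the merged config so the whitelist does not mask a real miss.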
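Review bot: CONFIG_EXPERT=y does more than unlock CRYPTO_SELFTESTS in the new fips.conf: it is a Kconfig visibility gate that changes which options are prompted and defaulted across the tree, so the merged confidential-guest .config can drift from the non-confidential one well beyond the single FIPS dependency this fragment names. Before landing, diff the merged .config against the previous confidential baseline and pin any option whose value changed only because EXPERT made it visible. The header comment says the fragment keeps CRYPTO_FIPS enabled but never sets it, so make the assumption explicit, e.g. `# Assumes CONFIG_CRYPTO_FIPS=y is set by another fragment; this one only adds its v6.16+ dependencies (CRYPTO_SELFTESTS, which itself requires EXPERT).`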
@@ -7,6 +7,5 @@ CONFIG_INTEL_TDX_GUEST=y
 CONFIG_OF=y
 CONFIG_TDX_GUEST_DRIVER=y
 CONFIG_VIRT_DRIVERS=y
-CONFIG_X86_5LEVEL=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
 CONFIG_X86_PLATFORM_DEVICES=y
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index a76256037d..9386c220a1 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-160
+161
diff --git a/tools/packaging/kernel/patches/6.16.x/no_patches.txt b/tools/packaging/kernel/patches/6.16.x/no_patches.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/versions.yaml b/versions.yaml
index 000904f492..e890d267a0 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -200,7 +200,7 @@ assets:
 confidential:
 description: "Linux kernel with x86_64 TEEs (SNP and TDX) support"
 url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
- version: "v6.12.36"
+ version: "v6.16"
 kernel-arm-experimental:
 description: "Linux kernel with cpu/mem hotplug support on arm64"