From b06bc82284cc20b16b10095b8f2786dff509b449 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 1 Aug 2022 09:05:45 +0200 Subject: [PATCH 1/5] versions: Track and add support for building TD-shim MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit TD-shim is a simplified TDX virtual firmware, used by Cloud Hypervisor, in order to create a TDX capable VM. TD-shim is heavily under development, and is hosted as part of the Confidential Containers project: https://github.com/confidential-containers/td-shim The version chosen for this commit, is a version that's being tested inside Intel, but we, most likely, will need to change it before we have it officially packaged as part of an official release. Fixes: #4779 Signed-off-by: Fabiano Fidêncio --- .../packaging/static-build/td-shim/Dockerfile | 23 ++++++++++ .../static-build/td-shim/build-td-shim.sh | 41 +++++++++++++++++ tools/packaging/static-build/td-shim/build.sh | 45 +++++++++++++++++++ versions.yaml | 6 +++ 4 files changed, 115 insertions(+) create mode 100644 tools/packaging/static-build/td-shim/Dockerfile create mode 100755 tools/packaging/static-build/td-shim/build-td-shim.sh create mode 100755 tools/packaging/static-build/td-shim/build.sh diff --git a/tools/packaging/static-build/td-shim/Dockerfile b/tools/packaging/static-build/td-shim/Dockerfile new file mode 100644 index 0000000000..ed9270ca4a --- /dev/null +++ b/tools/packaging/static-build/td-shim/Dockerfile 
@@ -0,0 +1,23 @@ +# Copyright (c) 2022 Intel +# +# SPDX-License-Identifier: Apache-2.0 + +FROM ubuntu:20.04 +ENV DEBIAN_FRONTEND=noninteractive +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +ARG RUST_TOOLCHAIN + +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + ca-certificates \ + clang \ + curl \ + gcc \ + git \ + llvm \ + nasm && \ + apt-get clean && rm -rf /var/lib/lists/ && \ + curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} && \ + source "$HOME/.cargo/env" && \ + rustup component add rust-src && \ + cargo install cargo-xbuild diff --git a/tools/packaging/static-build/td-shim/build-td-shim.sh b/tools/packaging/static-build/td-shim/build-td-shim.sh new file mode 100755 index 0000000000..ed933c007e --- /dev/null +++ b/tools/packaging/static-build/td-shim/build-td-shim.sh @@ -0,0 +1,41 @@ +#!/bin/bash +# +# Copyright (c) 2022 Intel +# +# SPDX-License-Identifier: Apache-2.0 + +set -o errexit +set -o nounset +set -o pipefail + +script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +source "${script_dir}/../../scripts/lib.sh" + +tdshim_repo="${tdshim_repo:-}" +DESTDIR=${DESTDIR:-${PWD}} +PREFIX="${PREFIX:-/opt/kata}" + +[ -n "${tdshim_repo}" ] || die "Failed to get TD-shim repo" +[ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit" + +info "Build ${tdshim_repo} version: ${tdshim_version}" + +source ${HOME}/.cargo/env + +build_root=$(mktemp -d) +pushd ${build_root} +git clone --single-branch "${tdshim_repo}" +pushd td-shim +git checkout "${tdshim_version}" +bash sh_script/build_final.sh boot_kernel + +install_dir="${DESTDIR}/${PREFIX}/share/td-shim" +mkdir -p ${install_dir} +install target/x86_64-unknown-uefi/release/final-boot-kernel.bin ${install_dir}/td-shim.bin +popd #td-shim +popd #${build_root} + +pushd ${DESTDIR} +tar -czvf "td-shim.tar.gz" "./$PREFIX" +rm -rf $(dirname ./$PREFIX) +popd #${DESTDIR} 
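Review bot: `apt-get clean && rm -rf /var/lib/lists/` at the end of the RUN line removes a path that does not hold the apt package index, so the lists fetched by `apt-get update` stay in the image layer; the conventional path is `/var/lib/apt/lists/`. The same RUN line then pipes `https://sh.rustup.rs` into `sh` and runs `cargo install cargo-xbuild` with no version, so the image content depends on whatever the network serves at build time and is not reproducible from the pinned `RUST_TOOLCHAIN` alone; consider `cargo install cargo-xbuild --version <PLACEHOLDER_VERSION>` and fetching a specific rustup-init release whose checksum is checked before it is executed. `ARG RUST_TOOLCHAIN` has no default and is not validated, so a build without `--build-arg` hands rustup an empty `--default-toolchain` and fails in an unclear way; a leading `: "${RUST_TOOLCHAIN:?RUST_TOOLCHAIN is required}" && \` on the RUN line makes that explicit.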
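Review bot: `[ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit"` runs under `set -o nounset`, but unlike `tdshim_repo` the variable never gets a `${tdshim_version:-}` default, so an unset `tdshim_version` aborts with bash's unbound-variable error instead of the intended `die` message; add `tdshim_version="${tdshim_version:-}"` next to the `tdshim_repo` line. The closing `rm -rf $(dirname ./$PREFIX)` derives the directory to delete by stripping one path component from `PREFIX`, which only corresponds to the staged tree for a two-component prefix such as the default `/opt/kata`; for a deeper prefix it removes the parent of what was installed, for a single-component prefix it resolves to `.` inside `DESTDIR`, and the expansion is unquoted. Deleting only what the script installed, `rm -rf "./${PREFIX}"`, is safer, and the same pattern appears in the tarball hunk added to `build-ovmf.sh` in patch 4. `git clone --single-branch` followed by `git checkout "${tdshim_version}"` can only reach commits on the default branch, so a pinned SHA from another branch fails at checkout; a plain clone, or `--branch` when the version is a tag, avoids that.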
diff --git a/tools/packaging/static-build/td-shim/build.sh b/tools/packaging/static-build/td-shim/build.sh new file mode 100755 index 0000000000..580c4a3376 --- /dev/null +++ b/tools/packaging/static-build/td-shim/build.sh @@ -0,0 +1,45 @@ +#!/usr/bin/env bash +# +# Copyright (c) 2022 Intel +# +# SPDX-License-Identifier: Apache-2.0 + +set -o errexit +set -o nounset +set -o pipefail + +script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +readonly repo_root_dir="$(cd "${script_dir}/../../../.." && pwd)" +readonly tdshim_builder="${script_dir}/build-td-shim.sh" + +source "${script_dir}/../../scripts/lib.sh" + +DESTDIR=${DESTDIR:-${PWD}} +PREFIX=${PREFIX:-/opt/kata} +container_image="kata-td-shim-builder" +kata_version="${kata_version:-}" +tdshim_repo="${tdshim_repo:-}" +tdshim_version="${tdshim_version:-}" +tdshim_toolchain="${tdshim_toolchain:-}" +package_output_dir="${package_output_dir:-}" + +[ -n "${tdshim_repo}" ] || tdshim_repo=$(get_from_kata_deps "externals.td-shim.url" "${kata_version}") +[ -n "${tdshim_version}" ] || tdshim_version=$(get_from_kata_deps "externals.td-shim.version" "${kata_version}") +[ -n "${tdshim_toolchain}" ] || tdshim_toolchain=$(get_from_kata_deps "externals.td-shim.toolchain" "${kata_version}") + +[ -n "${tdshim_repo}" ] || die "Failed to get TD-shim repo" +[ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit" +[ -n "${tdshim_toolchain}" ] || die "Failed to get TD-shim toolchain to be used to build the project" + +sudo docker build \ + --build-arg RUST_TOOLCHAIN="${tdshim_toolchain}" \ + -t "${container_image}" "${script_dir}" + +sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ + -w "${PWD}" \ + --env DESTDIR="${DESTDIR}" \ + --env PREFIX="${PREFIX}" \ + --env tdshim_repo="${tdshim_repo}" \ + --env tdshim_version="${tdshim_version}" \ + "${container_image}" \ + bash -c "${tdshim_builder}" diff --git a/versions.yaml b/versions.yaml index e3e04e89c4..cc844f483f 100644 --- a/versions.yaml 
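Review bot: `package_output_dir="${package_output_dir:-}"` is declared but never read in this script nor forwarded to the container, so it is dead code and should be dropped. The `docker run` mounts only `${repo_root_dir}` yet sets `-w "${PWD}"` and defaults `DESTDIR` to `${PWD}`, so running the script from a directory outside the checkout gives the container a working directory and output location that do not exist inside it; either mount `${DESTDIR}` as well (`-v "${DESTDIR}:${DESTDIR}"`) or reject a `DESTDIR` outside `${repo_root_dir}` before building. The builder runs as root in the container, so the resulting `td-shim.tar.gz` is root-owned on the host, which is worth stating in a comment above the `docker run` since `--user` is not an option while cargo lives under root's HOME in the image.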
+++ b/versions.yaml @@ -262,6 +262,12 @@ externals: package: "OvmfPkg/AmdSev/AmdSevX64.dsc" package_output_dir: "AmdSev" + td-shim: + description: "Confidential Containers Shim Firmware" + url: "https://github.com/confidential-containers/td-shim" + version: "5f62a0e367b1845a54e534d103ed4a697a599ac3" + toolchain: "nightly-2022-04-07" + virtiofsd: description: "vhost-user virtio-fs device backend written in Rust" url: "https://gitlab.com/virtio-fs/virtiofsd" From 4d33b0541d3a4ffd7b0ef7fddfea3f848449fa1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 28 Jul 2022 21:29:33 +0200 Subject: [PATCH 2/5] packaging: Don't hardcode "edk2" as the cloned repo's dir. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As TDVF comes from a different repo, the edk2-staging one, we cannot simply hardcode the name. Instead, let's get the name of the directory from name of the git repo. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/build-ovmf.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index 83537686c9..a257df3d43 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh @@ -1,6 +1,7 @@ #!/bin/bash # # Copyright (c) 2022 IBM +# Copyright (c) 2022 Intel # # SPDX-License-Identifier: Apache-2.0 @@ -15,7 +16,6 @@ source "${script_dir}/../../scripts/lib.sh" set +u ovmf_build="${ovmf_build:-x86_64}" ovmf_repo="${ovmf_repo:-}" -ovmf_dir="edk2" ovmf_version="${ovmf_version:-}" ovmf_package="${ovmf_package:-}" package_output_dir="${package_output_dir:-}" 
@@ -30,6 +30,8 @@ build_target="${build_target:-RELEASE}" [ -n "$ovmf_package" ] || die "failed to get ovmf package or commit" [ -n "$package_output_dir" ] || die "failed to get ovmf package or commit" +ovmf_dir="${ovmf_repo##*/}" + info "Build ${ovmf_repo} version: ${ovmf_version}" build_root=$(mktemp -d) @@ -65,4 +67,4 @@ popd info "Install fd to destdir" mkdir -p "$DESTDIR/$PREFIX/share/ovmf" -cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf" \ No newline at end of file +cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf" From 42eaf19b436ab643c0e47a9e92fbbdd12bee1c7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 28 Jul 2022 21:41:55 +0200 Subject: [PATCH 3/5] packaging: Simplify OVMF repo clone MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instead of cloning the repo, and then switching to a specific branch, let's take advantage of `--branch` and directly clone the specific branch / tag. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/build-ovmf.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index a257df3d43..fd4586cd4a 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh @@ -36,9 +36,8 @@ info "Build ${ovmf_repo} version: ${ovmf_version}" build_root=$(mktemp -d) pushd $build_root -git clone "${ovmf_repo}" +git clone --single-branch --depth 1 -b "${ovmf_version}" "${ovmf_repo}" cd "${ovmf_dir}" -git checkout "${ovmf_version}" git submodule init git submodule update From e6a5a5106d670f724f46b0afb851fb99092b2eda Mon Sep 17 00:00:00 2001 
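Review bot: `ovmf_dir="${ovmf_repo##*/}"` takes the last URL component verbatim, but `git clone` names the directory differently: it strips a trailing `.git` and ignores a trailing slash, so a repo URL written as `.../edk2.git` or `.../edk2/` makes the later `cd "${ovmf_dir}"` fail on a directory that does not exist. Normalise the value, e.g. `ovmf_dir="${ovmf_repo%/}"; ovmf_dir="${ovmf_dir##*/}"; ovmf_dir="${ovmf_dir%.git}"`, or pass the target directory to `git clone` explicitly so both sides agree. The `cd "${ovmf_dir}"` that consumes the value lies outside this hunk.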
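Review bot: `git clone --single-branch --depth 1 -b "${ovmf_version}" "${ovmf_repo}"` only accepts a branch or tag for `-b`, whereas the `git checkout "${ovmf_version}"` it replaces also accepted a commit SHA, which the script's `... or commit` die messages still promise. The version pinned in versions.yaml is a tag today, so the clone works, but a future pin to a commit fails at clone time with an unhelpful error; either fall back to `git fetch --depth 1 origin "${ovmf_version}" && git checkout FETCH_HEAD` when the `-b` clone fails, or document next to the clone that `ovmf_version` must be a tag or branch. The enclosing script continues outside the hunk.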
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 29 Jul 2022 14:44:21 +0200 Subject: [PATCH 4/5] packaging: Generate a tarball as OVMF build result MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instead of having as a result the directory where OVMF artefacts where installed, let's follow what we do with the other components and have a tarball as a result of the OVMF build. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/build-ovmf.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index fd4586cd4a..906293ee5b 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh @@ -67,3 +67,8 @@ popd info "Install fd to destdir" mkdir -p "$DESTDIR/$PREFIX/share/ovmf" cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf" + +pushd $DESTDIR +tar -czvf "${ovmf_dir}-${ovmf_build}.tar.gz" "./$PREFIX" +rm -rf $(dirname ./$PREFIX) +popd From c9b5bde30b23ed7269666f296a378e634aa9a4a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 28 Jul 2022 21:15:35 +0200 Subject: [PATCH 5/5] versions: Track and build TDVF MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit TDVF is the firmware used by QEMU to start TDX capable VMs. Let's start tracking it as it'll become part of the Confidential Containers sooner or later. TDVF lives in the public https://github.com/tianocore/edk2-staging repo and we're using as its version tags that are consumed internally at Intel. Fixes: #4624 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/Dockerfile | 1 + .../packaging/static-build/ovmf/build-ovmf.sh | 32 ++++++++++++++++--- tools/packaging/static-build/ovmf/build.sh | 10 +++++- versions.yaml | 6 ++++ 4 files changed, 43 insertions(+), 6 deletions(-) 
diff --git a/tools/packaging/static-build/ovmf/Dockerfile b/tools/packaging/static-build/ovmf/Dockerfile index cffeb2ffb2..a9a148a756 100644 --- a/tools/packaging/static-build/ovmf/Dockerfile +++ b/tools/packaging/static-build/ovmf/Dockerfile @@ -17,5 +17,6 @@ RUN apt-get update && \ nasm \ python \ python3 \ + python3-distutils \ uuid-dev && \ apt-get clean && rm -rf /var/lib/lists/ diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index 906293ee5b..fe3925b1ce 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh 
@@ -54,19 +54,41 @@ if [ "${ovmf_build}" == "sev" ]; then fi info "Building ovmf" -build -b "${build_target}" -t "${toolchain}" -a "${architecture}" -p "${ovmf_package}" +build_cmd="build -b ${build_target} -t ${toolchain} -a ${architecture} -p ${ovmf_package}" +if [ "${ovmf_build}" == "tdx" ]; then + build_cmd+=" -D DEBUG_ON_SERIAL_PORT=TRUE -D TDX_MEM_PARTIAL_ACCEPT=512 -D TDX_EMULATION_ENABLE=FALSE -D TDX_ACCEPT_PAGE_SIZE=2M" +fi + +eval "${build_cmd}" info "Done Building" -build_path="Build/${package_output_dir}/${build_target}_${toolchain}/FV/OVMF.fd" -stat "${build_path}" +build_path_target_toolchain="Build/${package_output_dir}/${build_target}_${toolchain}" +build_path_fv="${build_path_target_toolchain}/FV" +stat "${build_path_fv}/OVMF.fd" +if [ "${ovmf_build}" == "tdx" ]; then + build_path_arch="${build_path_target_toolchain}/X64" + stat "${build_path_fv}/OVMF_CODE.fd" + stat "${build_path_fv}/OVMF_VARS.fd" + stat "${build_path_arch}/DumpTdxEventLog.efi" +fi #need to leave tmp dir popd info "Install fd to destdir" -mkdir -p "$DESTDIR/$PREFIX/share/ovmf" -cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf" +install_dir="${DESTDIR}/${PREFIX}/share/ovmf" +if [ "${ovmf_build}" == "tdx" ]; then + install_dir="$DESTDIR/$PREFIX/share/tdvf" +fi + +mkdir -p "${install_dir}" +install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF.fd "${install_dir}" +if [ "${ovmf_build}" == "tdx" ]; then + install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_CODE.fd ${install_dir} + install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_VARS.fd ${install_dir} + install $build_root/$ovmf_dir/"${build_path_arch}"/DumpTdxEventLog.efi ${install_dir} +fi pushd $DESTDIR tar -czvf "${ovmf_dir}-${ovmf_build}.tar.gz" "./$PREFIX" diff --git a/tools/packaging/static-build/ovmf/build.sh b/tools/packaging/static-build/ovmf/build.sh index 0662d20b82..fcbbd93210 100755 --- a/tools/packaging/static-build/ovmf/build.sh +++ b/tools/packaging/static-build/ovmf/build.sh 
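Review bot: `eval "${build_cmd}"` replaces a direct `build ...` call with a string that the shell re-parses, so every value interpolated into `build_cmd` (`${toolchain}`, `${ovmf_package}`, `${build_target}`, ...) is now subject to word splitting and globbing and is no longer passed as one argument, where the removed line had each of them quoted; the values come from versions.yaml and the caller's environment, which is exactly the kind of input a build script should not re-parse as code. A bash array carries the optional TDX defines without `eval` and keeps each argument intact. The `install ... ${install_dir}` lines in the tdx branch also leave `${install_dir}` unquoted while the `OVMF.fd` line above quotes it. The script continues outside the hunk on both sides.
```bash
info "Building ovmf"
build_args=(-b "${build_target}" -t "${toolchain}" -a "${architecture}" -p "${ovmf_package}")
if [ "${ovmf_build}" == "tdx" ]; then
	build_args+=(-D DEBUG_ON_SERIAL_PORT=TRUE -D TDX_MEM_PARTIAL_ACCEPT=512 -D TDX_EMULATION_ENABLE=FALSE -D TDX_ACCEPT_PAGE_SIZE=2M)
fi

build "${build_args[@]}"
# … unchanged: "Done Building", build_path_* stat checks, popd, install_dir selection …
mkdir -p "${install_dir}"
install "${build_root}/${ovmf_dir}/${build_path_fv}/OVMF.fd" "${install_dir}"
if [ "${ovmf_build}" == "tdx" ]; then
	install "${build_root}/${ovmf_dir}/${build_path_fv}/OVMF_CODE.fd" "${install_dir}"
	install "${build_root}/${ovmf_dir}/${build_path_fv}/OVMF_VARS.fd" "${install_dir}"
	install "${build_root}/${ovmf_dir}/${build_path_arch}/DumpTdxEventLog.efi" "${install_dir}"
fi
```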
@@ -25,7 +25,11 @@ ovmf_package="${ovmf_package:-}" package_output_dir="${package_output_dir:-}" if [ -z "$ovmf_repo" ]; then - ovmf_repo=$(get_from_kata_deps "externals.ovmf.url" "${kata_version}") + if [ "${ovmf_build}" == "tdx" ]; then + ovmf_repo=$(get_from_kata_deps "externals.ovmf.tdx.url" "${kata_version}") + else + ovmf_repo=$(get_from_kata_deps "externals.ovmf.url" "${kata_version}") + fi fi [ -n "$ovmf_repo" ] || die "failed to get ovmf repo" @@ -38,6 +42,10 @@ elif [ "${ovmf_build}" == "sev" ]; then [ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps "externals.ovmf.sev.version" "${kata_version}") [ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps "externals.ovmf.sev.package" "${kata_version}") [ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps "externals.ovmf.sev.package_output_dir" "${kata_version}") +elif [ "${ovmf_build}" == "tdx" ]; then + [ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps "externals.ovmf.tdx.version" "${kata_version}") + [ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps "externals.ovmf.tdx.package" "${kata_version}") + [ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps "externals.ovmf.tdx.package_output_dir" "${kata_version}") fi [ -n "$ovmf_version" ] || die "failed to get ovmf version or commit" diff --git a/versions.yaml b/versions.yaml index b903546d3f..075b7e0070 100644 --- a/versions.yaml +++ b/versions.yaml @@ -261,6 +261,12 @@ externals: version: "edk2-stable202202" package: "OvmfPkg/AmdSev/AmdSevX64.dsc" package_output_dir: "AmdSev" + tdx: + url: "https://github.com/tianocore/edk2-staging" + description: "TDVF build needed for TDX measured direct boot." + version: "2022-tdvf-ww28.5" + package: "OvmfPkg/OvmfPkgX64.dsc" + package_output_dir: "OvmfX64" td-shim: description: "Confidential Containers Shim Firmware"
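Review bot: The new `tdx` branches in both hunks extend `if`/`elif` chains on `${ovmf_build}` that have no `else`, so a value outside the handled set (a typo such as `TDX`) silently resolves `ovmf_repo` from the default `externals.ovmf.url` and leaves `ovmf_version`/`ovmf_package` on the non-TDX defaults, producing a plain OVMF build labelled with the unexpected name. Validate the value once before the lookups, e.g. `case "${ovmf_build}" in x86_64|sev|tdx) ;; *) die "unsupported ovmf_build: ${ovmf_build}" ;; esac`, adjusting the accepted list to whatever the first branch of the chain (outside this hunk) handles. The `sev` and `tdx` lookups differ only in the `externals.ovmf.<variant>.` key prefix, so a single variable holding that prefix would also remove the triplicated lines.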