github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-20 08:54:03 +00:00
Code Issues Projects Releases Wiki Activity

CCv0: Merge main into CCv0 branch

Browse Source 
Merge remote-tracking branch 'upstream/main' into CCv0

Fixes: #4800
Signed-off-by: Georgina Kinge <georgina.kinge@ibm.com>
This commit is contained in:
Georgina Kinge 2022-08-03 09:44:12 +01:00
commit a924faeead
7 changed files with 167 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
tools/packaging/static-build/ovmf/Dockerfile
View File

@ -17,5 +17,6 @@ RUN apt-get update && \
nasm \ nasm \
python \ python \
python3 \ python3 \
python3-distutils \
uuid-dev && \ uuid-dev && \
apt-get clean && rm -rf /var/lib/lists/ apt-get clean && rm -rf /var/lib/lists/

44
tools/packaging/static-build/ovmf/build-ovmf.sh
View File

@ -1,6 +1,7 @@
#!/bin/bash #!/bin/bash
# #
# Copyright (c) 2022 IBM # Copyright (c) 2022 IBM
# Copyright (c) 2022 Intel
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
@ -15,7 +16,6 @@ source "${script_dir}/../../scripts/lib.sh"
set +u set +u
ovmf_build="${ovmf_build:-x86_64}" ovmf_build="${ovmf_build:-x86_64}"
ovmf_repo="${ovmf_repo:-}" ovmf_repo="${ovmf_repo:-}"
ovmf_dir="edk2"
ovmf_version="${ovmf_version:-}" ovmf_version="${ovmf_version:-}"
ovmf_package="${ovmf_package:-}" ovmf_package="${ovmf_package:-}"
package_output_dir="${package_output_dir:-}" package_output_dir="${package_output_dir:-}"
@ -30,13 +30,14 @@ build_target="${build_target:-RELEASE}"
[ -n "$ovmf_package" ] || die "failed to get ovmf package or commit" [ -n "$ovmf_package" ] || die "failed to get ovmf package or commit"
[ -n "$package_output_dir" ] || die "failed to get ovmf package or commit" [ -n "$package_output_dir" ] || die "failed to get ovmf package or commit"
ovmf_dir="${ovmf_repo##*/}"
info "Build ${ovmf_repo} version: ${ovmf_version}" info "Build ${ovmf_repo} version: ${ovmf_version}"
build_root=$(mktemp -d) build_root=$(mktemp -d)
pushd $build_root pushd $build_root
git clone "${ovmf_repo}" git clone --single-branch --depth 1 -b "${ovmf_version}" "${ovmf_repo}"
cd "${ovmf_dir}" cd "${ovmf_dir}"
git checkout "${ovmf_version}"
git submodule init git submodule init
git submodule update git submodule update
@ -53,16 +54,43 @@ if [ "${ovmf_build}" == "sev" ]; then
fi fi
info "Building ovmf" info "Building ovmf"
build -b "${build_target}" -t "${toolchain}" -a "${architecture}" -p "${ovmf_package}" build_cmd="build -b ${build_target} -t ${toolchain} -a ${architecture} -p ${ovmf_package}"
if [ "${ovmf_build}" == "tdx" ]; then
build_cmd+=" -D DEBUG_ON_SERIAL_PORT=TRUE -D TDX_MEM_PARTIAL_ACCEPT=512 -D TDX_EMULATION_ENABLE=FALSE -D TDX_ACCEPT_PAGE_SIZE=2M"
fi
eval "${build_cmd}"
info "Done Building" info "Done Building"
build_path="Build/${package_output_dir}/${build_target}_${toolchain}/FV/OVMF.fd" build_path_target_toolchain="Build/${package_output_dir}/${build_target}_${toolchain}"
stat "${build_path}" build_path_fv="${build_path_target_toolchain}/FV"
stat "${build_path_fv}/OVMF.fd"
if [ "${ovmf_build}" == "tdx" ]; then
build_path_arch="${build_path_target_toolchain}/X64"
stat "${build_path_fv}/OVMF_CODE.fd"
stat "${build_path_fv}/OVMF_VARS.fd"
stat "${build_path_arch}/DumpTdxEventLog.efi"
fi
#need to leave tmp dir #need to leave tmp dir
popd popd
info "Install fd to destdir" info "Install fd to destdir"
mkdir -p "$DESTDIR/$PREFIX/share/ovmf" install_dir="${DESTDIR}/${PREFIX}/share/ovmf"
cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf" if [ "${ovmf_build}" == "tdx" ]; then
install_dir="$DESTDIR/$PREFIX/share/tdvf"
fi
mkdir -p "${install_dir}"
install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF.fd "${install_dir}"
if [ "${ovmf_build}" == "tdx" ]; then
install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_CODE.fd ${install_dir}
install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_VARS.fd ${install_dir}
install $build_root/$ovmf_dir/"${build_path_arch}"/DumpTdxEventLog.efi ${install_dir}
fi
pushd $DESTDIR
tar -czvf "${ovmf_dir}-${ovmf_build}.tar.gz" "./$PREFIX"
rm -rf $(dirname ./$PREFIX)
popd

10
tools/packaging/static-build/ovmf/build.sh
View File

@ -25,7 +25,11 @@ ovmf_package="${ovmf_package:-}"
package_output_dir="${package_output_dir:-}" package_output_dir="${package_output_dir:-}"
if [ -z "$ovmf_repo" ]; then if [ -z "$ovmf_repo" ]; then
ovmf_repo=$(get_from_kata_deps "externals.ovmf.url" "${kata_version}") if [ "${ovmf_build}" == "tdx" ]; then
ovmf_repo=$(get_from_kata_deps "externals.ovmf.tdx.url" "${kata_version}")
else
ovmf_repo=$(get_from_kata_deps "externals.ovmf.url" "${kata_version}")
fi
fi fi
[ -n "$ovmf_repo" ] || die "failed to get ovmf repo" [ -n "$ovmf_repo" ] || die "failed to get ovmf repo"
@ -38,6 +42,10 @@ elif [ "${ovmf_build}" == "sev" ]; then
[ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps "externals.ovmf.sev.version" "${kata_version}") [ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps "externals.ovmf.sev.version" "${kata_version}")
[ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps "externals.ovmf.sev.package" "${kata_version}") [ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps "externals.ovmf.sev.package" "${kata_version}")
[ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps "externals.ovmf.sev.package_output_dir" "${kata_version}") [ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps "externals.ovmf.sev.package_output_dir" "${kata_version}")
elif [ "${ovmf_build}" == "tdx" ]; then
[ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps "externals.ovmf.tdx.version" "${kata_version}")
[ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps "externals.ovmf.tdx.package" "${kata_version}")
[ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps "externals.ovmf.tdx.package_output_dir" "${kata_version}")
fi fi
[ -n "$ovmf_version" ] || die "failed to get ovmf version or commit" [ -n "$ovmf_version" ] || die "failed to get ovmf version or commit"

23
tools/packaging/static-build/td-shim/Dockerfile Normal file
View File

@ -0,0 +1,23 @@
# Copyright (c) 2022 Intel
#
# SPDX-License-Identifier: Apache-2.0
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND=noninteractive
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
ARG RUST_TOOLCHAIN
RUN apt-get update && \
apt-get install -y --no-install-recommends \
ca-certificates \
clang \
curl \
gcc \
git \
llvm \
nasm && \
apt-get clean && rm -rf /var/lib/lists/ && \
curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} && \
source "$HOME/.cargo/env" && \
rustup component add rust-src && \
cargo install cargo-xbuild

41
tools/packaging/static-build/td-shim/build-td-shim.sh Executable file
View File

@ -0,0 +1,41 @@
#!/bin/bash
#
# Copyright (c) 2022 Intel
#
# SPDX-License-Identifier: Apache-2.0
set -o errexit
set -o nounset
set -o pipefail
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${script_dir}/../../scripts/lib.sh"
tdshim_repo="${tdshim_repo:-}"
DESTDIR=${DESTDIR:-${PWD}}
PREFIX="${PREFIX:-/opt/kata}"
[ -n "${tdshim_repo}" ] || die "Failed to get TD-shim repo"
[ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit"
info "Build ${tdshim_repo} version: ${tdshim_version}"
source ${HOME}/.cargo/env
build_root=$(mktemp -d)
pushd ${build_root}
git clone --single-branch "${tdshim_repo}"
pushd td-shim
git checkout "${tdshim_version}"
bash sh_script/build_final.sh boot_kernel
install_dir="${DESTDIR}/${PREFIX}/share/td-shim"
mkdir -p ${install_dir}
install target/x86_64-unknown-uefi/release/final-boot-kernel.bin ${install_dir}/td-shim.bin
popd #td-shim
popd #${build_root}
pushd ${DESTDIR}
tar -czvf "td-shim.tar.gz" "./$PREFIX"
rm -rf $(dirname ./$PREFIX)
popd #${DESTDIR}

45
tools/packaging/static-build/td-shim/build.sh Executable file
View File

@ -0,0 +1,45 @@
#!/usr/bin/env bash
#
# Copyright (c) 2022 Intel
#
# SPDX-License-Identifier: Apache-2.0
set -o errexit
set -o nounset
set -o pipefail
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly repo_root_dir="$(cd "${script_dir}/../../../.." && pwd)"
readonly tdshim_builder="${script_dir}/build-td-shim.sh"
source "${script_dir}/../../scripts/lib.sh"
DESTDIR=${DESTDIR:-${PWD}}
PREFIX=${PREFIX:-/opt/kata}
container_image="kata-td-shim-builder"
kata_version="${kata_version:-}"
tdshim_repo="${tdshim_repo:-}"
tdshim_version="${tdshim_version:-}"
tdshim_toolchain="${tdshim_toolchain:-}"
package_output_dir="${package_output_dir:-}"
[ -n "${tdshim_repo}" ] || tdshim_repo=$(get_from_kata_deps "externals.td-shim.url" "${kata_version}")
[ -n "${tdshim_version}" ] || tdshim_version=$(get_from_kata_deps "externals.td-shim.version" "${kata_version}")
[ -n "${tdshim_toolchain}" ] || tdshim_toolchain=$(get_from_kata_deps "externals.td-shim.toolchain" "${kata_version}")
[ -n "${tdshim_repo}" ] || die "Failed to get TD-shim repo"
[ -n "${tdshim_version}" ] || die "Failed to get TD-shim version or commit"
[ -n "${tdshim_toolchain}" ] || die "Failed to get TD-shim toolchain to be used to build the project"
sudo docker build \
--build-arg RUST_TOOLCHAIN="${tdshim_toolchain}" \
-t "${container_image}" "${script_dir}"
sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
-w "${PWD}" \
--env DESTDIR="${DESTDIR}" \
--env PREFIX="${PREFIX}" \
--env tdshim_repo="${tdshim_repo}" \
--env tdshim_version="${tdshim_version}" \
"${container_image}" \
bash -c "${tdshim_builder}"

12
versions.yaml
View File

@ -274,6 +274,18 @@ externals:
version: "edk2-stable202202" version: "edk2-stable202202"
package: "OvmfPkg/AmdSev/AmdSevX64.dsc" package: "OvmfPkg/AmdSev/AmdSevX64.dsc"
package_output_dir: "AmdSev" package_output_dir: "AmdSev"
tdx:
url: "https://github.com/tianocore/edk2-staging"
description: "TDVF build needed for TDX measured direct boot."
version: "2022-tdvf-ww28.5"
package: "OvmfPkg/OvmfPkgX64.dsc"
package_output_dir: "OvmfX64"
td-shim:
description: "Confidential Containers Shim Firmware"
url: "https://github.com/confidential-containers/td-shim"
version: "5f62a0e367b1845a54e534d103ed4a697a599ac3"
toolchain: "nightly-2022-04-07"
virtiofsd: virtiofsd:
description: "vhost-user virtio-fs device backend written in Rust" description: "vhost-user virtio-fs device backend written in Rust"