From a9720495deb203210eb4c520f52caa6f15721314 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 8 May 2024 16:27:24 +0200 Subject: [PATCH] kata-deploy: Ensure the distro QEMU and OVMF are used for TDX MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Here we're checking the distro's `/etc/os-release` or `/usr/lib/os-release` in order to get which distro we're deploying the Kata Containers artefacts to, and then to properly adjust the QEMU and OVMF with TDX support that's been shipped with the distros. Together with that, we're also printing the instructions provided by the distro on how to enable and use TDX. Signed-off-by: Fabiano FidĂȘncio --- .../kata-deploy/scripts/kata-deploy.sh | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh index 60876e10c9..76fa6aeabf 100755 --- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh +++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh @@ -39,6 +39,16 @@ die() { exit 1 } +warn() { + msg="$*" + echo "WARN: $msg" >&2 +} + +info() { + msg="$*" + echo "INFO: $msg" >&2 +} + function host_systemctl() { nsenter --target 1 --mount systemctl "${@}" } 
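Review bot: The new warn() and info() helpers assign `msg="$*"` without `local`, so every call overwrites a global `msg` in whatever function called them, which is an easy way to clobber a caller's variable later in a script this size. Either declare it `local msg="$*"` or drop the temporary entirely and write `echo "WARN: $*" >&2` / `echo "INFO: $*" >&2`. Sending both to stderr matches die(), whose opening is outside this hunk, so that convention is consistent at least.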
@@ -148,6 +158,63 @@ function get_kata_containers_config_path() { echo "$config_path" } +function tdx_not_supported() { + distro="${1}" + version="${2}" + + warn "Distro ${distro} ${version} does not support TDX and the TDX related runtime classes will not work in your cluster!" +} + +function tdx_supported() { + distro="${1}" + version="${2}" + config="${3}" + + sed -i -e "s|PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT|$(get_tdx_qemu_path_from_distro ${distro})|g" ${config} + sed -i -e "s|PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT|$(get_tdx_ovmf_path_from_distro ${distro})|g" ${config} + + info "In order to use the tdx related runtime classes, ensure TDX is properly configured for ${distro} ${version} by following the instructions provided at: $(get_tdx_distro_instructions ${distro})" +} + +function get_tdx_distro_instructions() { + distro="${1}" + + case ${distro} in + ubuntu) + echo "https://github.com/canonical/tdx/tree/noble-24.04" + ;; + centos) + echo "https://sigs.centos.org/virt/tdx" + ;; + esac +} + +function get_tdx_qemu_path_from_distro() { + distro="${1}" + + case ${distro} in + ubuntu) + echo "/usr/bin/qemu-system-x86_64" + ;; + centos) + echo "/usr/libexec/qemu-kvm" + ;; + esac +} + +function get_tdx_ovmf_path_from_distro() { + distro="${1}" + + case ${distro} in + ubuntu) + echo "/usr/share/ovmf/OVMF.fd" + ;; + centos) + echo "/usr/share/edk2/ovmf/OVMF.inteltdx.fd" + ;; + esac +} + function install_artifacts() { echo "copying kata artifacts onto host" cp -au /opt/kata-artifacts/opt/kata/* /opt/kata/ 
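Review bot: tdx_supported() writes the distro QEMU and OVMF paths into the Kata config without checking that those files actually exist on the node, so on an Ubuntu 24.04 or CentOS 9 host where the distro TDX packages were never installed the substitution succeeds silently and the tdx runtime classes only fail later at pod creation with a much less obvious error. Since the script reads the node through `/host` (the `source /host/etc/os-release` in the next hunk), the check should look at the host-mounted path, e.g. `[ -x "/host${qemu}" ] || warn "..."`; capturing the two paths into variables first also removes the unquoted `$(...)` and `${config}` inside the sed expressions. Separately, the OVMF chosen here is, as far as I can tell, the firmware that ends up in the TD's measurement, so attestation policies for these runtime classes will now track the host distro's OVMF build rather than anything Kata ships — a one-line comment on get_tdx_ovmf_path_from_distro saying so would save the next person a surprise.
```shell
function tdx_supported() {
	distro="${1}"
	version="${2}"
	config="${3}"
	qemu="$(get_tdx_qemu_path_from_distro "${distro}")"
	ovmf="$(get_tdx_ovmf_path_from_distro "${distro}")"

	# The config is consumed by the runtime on the host, so verify the
	# host-mounted paths rather than the container's own filesystem.
	[ -x "/host${qemu}" ] || warn "TDX-capable QEMU ${qemu} not found on the host; the tdx runtime classes will not work until the distro QEMU package is installed"
	[ -f "/host${ovmf}" ] || warn "TDX-capable OVMF ${ovmf} not found on the host; the tdx runtime classes will not work until the distro OVMF package is installed"

	sed -i -e "s|PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT|${qemu}|g" "${config}"
	sed -i -e "s|PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT|${ovmf}|g" "${config}"

	# … unchanged: info message pointing at the distro TDX instructions …
}
```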
@@ -181,6 +248,35 @@ function install_artifacts() { if [ -n "${allowed_hypervisor_annotations}" ]; then sed -i -e "s/^enable_annotations = \[\(.*\)\]/enable_annotations = [\1, $allowed_hypervisor_annotations]/" "${kata_config_file}" fi + + if grep -q "tdx" <<< "$shim"; then + source /host/etc/os-release || source /host/usr/lib/os-release + case ${ID} in + ubuntu) + case ${VERSION_ID} in + 24.04) + tdx_supported ${ID} ${VERSION_ID} ${kata_config_file} + ;; + *) + tdx_not_supported ${ID} ${VERSION_ID} + ;; + esac + ;; + centos) + case ${VERSION_ID} in + 9) + tdx_supported ${ID} ${VERSION_ID} ${kata_config_file} + ;; + *) + tdx_not_supported ${ID} ${VERSION_ID} + ;; + esac + ;; + *) + tdx_not_supported_warning + ;; + esac + fi done # Allow Mariner to use custom configuration.
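Review bot: The default arm of `case ${ID} in` calls `tdx_not_supported_warning`, which is not defined anywhere in this patch (the helper added earlier is `tdx_not_supported`), so on any distro other than ubuntu or centos the script hits a command-not-found instead of printing the intended warning; it should be `tdx_not_supported "${ID:-unknown}" "${VERSION_ID:-unknown}"`. The same arm is also what runs when neither os-release file could be sourced, in which case ID and VERSION_ID are empty, so the quoted defaults keep the warning meaningful and avoid passing shifted positional arguments. The `source` of the host's os-release executes that file as shell in this privileged script; that is the usual way to read it, but a short comment noting that `/host` is trusted here would make the assumption explicit. The enclosing `for` loop and install_artifacts() both start outside this hunk.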