From 502a78730b80d209a38a211f87bc439731a7d1f3 Mon Sep 17 00:00:00 2001
From: Alex Carter
Date: Mon, 29 Aug 2022 16:18:08 +0000
Subject: [PATCH] packaging: Build SEV capable kernel + efi_secret module

Adds a new make target for an sev kernel which can be built and put into payload bundles for the operator. Currently not including this sev kernel target in the cc payload bundle. Unfortunately having to breakflow from using the generic cc_tee_kernel functions in either the kata-deploy-binaries or build-kernel. Largely based on using an upstreamed kernel release, meaning the url is the defaul cdn, and e.g. we use version rather than tag. The upside of this is that we can use the sha sum checking functionality from the generic get_kernel function. CC label in title removed for commit message check.

Fixes: #5037
Signed-off-by: Alex Carter
---
 .../packaging/kata-deploy/local-build/Makefile | 4 ++++
 .../local-build/kata-deploy-binaries.sh | 17 +++++++++++++----
 tools/packaging/static-build/kernel/Dockerfile | 1 +
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index 99e69ddbbb..9adfbb3b5b 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -82,6 +82,7 @@ cc: cc-cloud-hypervisor-tarball \
 cc-shim-v2-tarball \
 cc-virtiofsd-tarball \
 cc-tdx-kernel-tarball \
+ cc-sev-kernel-tarball \
 cc-tdx-qemu-tarball \
 cc-tdx-tdvf-tarball
@@ -109,6 +110,9 @@ cc-tdx-cloud-hypervisor-tarball:
 cc-tdx-kernel-tarball:
 ${MAKE} $@-build
+cc-sev-kernel-tarball:
+ ${MAKE} $@-build
+
 cc-tdx-qemu-tarball:
 ${MAKE} $@-build
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index b305ca4cbb..1891b4c2ec 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
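Review bot: The first Makefile hunk adds `cc-sev-kernel-tarball \` to the `cc:` prerequisite list, which contradicts the commit message's statement that the sev kernel target is currently not included in the cc payload bundle. One of the two should change: either drop that line from `cc:` so the new target stays opt-in via `make cc-sev-kernel-tarball`, or update the description so reviewers and release tooling know the bundle now fetches and builds an extra upstream kernel. If inclusion is intended, note that `cc` will also fail wherever versions.yaml does not yet define the `assets.kernel.sev.version` and `assets.kernel.sev.url` keys that the script hunk reads with yq; the `cc:` rule itself starts outside the hunk.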
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -87,6 +87,7 @@ options:
 cc-cloud-hypervisor
 cc-kernel
 cc-tdx-kernel
+ cc-sev-kernel
 cc-qemu
 cc-tdx-qemu
 cc-rootfs-image
@@ -161,17 +162,23 @@ install_tdx_cc_clh() {
 #Install CC kernel assert, with TEE support
 install_cc_tee_kernel() {
 tee="${1}"
+ kernel_version="${2}"
- [ "${tee}" != "tdx" ] && die "Non supported TEE"
+ [[ "${tee}" != "tdx" && "${tee}" != "sev" ]] && die "Non supported TEE"
- export kernel_version="$(yq r $versions_yaml assets.kernel.${tee}.tag)"
- export kernel_url="$(yq r $versions_yaml assets.kernel.${tee}.url)"
+ kernel_url="$(yq r $versions_yaml assets.kernel.${tee}.url)"
 DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -x "${tee}" -v "${kernel_version}" -u "${kernel_url}"
 }
 #Install CC kernel assert for Intel TDX
 install_cc_tdx_kernel() {
- install_cc_tee_kernel "tdx"
+ kernel_version="$(yq r $versions_yaml assets.kernel.tdx.tag)"
+ install_cc_tee_kernel "tdx" "${kernel_version}"
+}
+
+install_cc_sev_kernel() {
+ kernel_version="$(yq r $versions_yaml assets.kernel.sev.version)"
+ install_cc_tee_kernel "sev" "${kernel_version}"
 }
 install_cc_tee_qemu() {
@@ -329,6 +336,8 @@ handle_build() {
 cc-tdx-kernel) install_cc_tdx_kernel ;;
+ cc-sev-kernel) install_cc_sev_kernel ;;
+
 cc-tdx-qemu) install_cc_tdx_qemu ;;
 cc-tdx-td-shim) install_cc_tdx_td_shim ;;
diff --git a/tools/packaging/static-build/kernel/Dockerfile b/tools/packaging/static-build/kernel/Dockerfile
index 2595a08e72..4953193dc3 100644
--- a/tools/packaging/static-build/kernel/Dockerfile
+++ b/tools/packaging/static-build/kernel/Dockerfile
@@ -17,6 +17,7 @@ RUN apt-get update && \
 git \
 iptables \
 libelf-dev \
+ libssl-dev \
 patch && \
 if [ "$(uname -m)" = "s390x" ]; then apt-get install -y --no-install-recommends libssl-dev; fi && \
 apt-get clean && rm -rf /var/lib/lists/
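Review bot: In the `install_cc_tee_kernel` hunk the new `kernel_version="${2}"` and the rewritten `kernel_url="$(yq r ...)"` are passed straight to `"${kernel_builder}"` without checking that either is non-empty, so a missing `assets.kernel.sev.version`/`.url` entry reaches the builder as `-v ""` or `-u ""` (depending on the yq version the script pins, the value may instead be the literal string `null` — confirm). Add guards just before the `DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}"` line: `[ -n "${kernel_version}" ] || die "no kernel version for ${tee} in ${versions_yaml}"` and `[ -n "${kernel_url}" ] || die "no kernel url for ${tee} in ${versions_yaml}"`. The patch drops `export` but leaves `tee`, `kernel_version` and `kernel_url` as shell globals written by three functions; declaring each with `local` would stop `install_cc_tdx_kernel` and `install_cc_sev_kernel` from leaking state into later `handle_build` cases. `install_cc_sev_kernel` also lacks the header comment its tdx sibling carries; `#Install CC kernel assert for AMD SEV` keeps the file's style. Since both the URL and the version come from versions.yaml, the checksum verification the commit message attributes to `get_kernel` is the only integrity control on the fetched upstream kernel, so it is worth confirming in this PR that the sev entry in versions.yaml (not part of this diff) carries the checksum that generic path expects.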
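Review bot: Adding `libssl-dev \` to the unconditional package list makes the `if [ "$(uname -m)" = "s390x" ]; then apt-get install -y --no-install-recommends libssl-dev; fi && \` line two lines below redundant, because the same package is now installed on every architecture by the `apt-get install` this list presumably belongs to (that command begins before the hunk); drop the s390x conditional so the `RUN` does not execute a second `apt-get install` for nothing. Visible in the context, and unrelated to this change, `rm -rf /var/lib/lists/` looks like it was meant to be `/var/lib/apt/lists/`, which would mean the apt package lists are not actually being removed from the image layer — worth confirming and fixing in a follow-up.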