From 845c1c03cfbe8435ac383964ef243da252726351 Mon Sep 17 00:00:00 2001 From: Xuewei Niu Date: Fri, 29 Jul 2022 18:35:10 +0800 Subject: [PATCH 01/12] agent: use rtnetlink's neighbours API to add neighbors Bump rtnetlink version from 0.8.0 to 0.11.0. Use rtnetlinks's API to add neighbors and fix issues to adapt new verson of rtnetlink. Fixes: #4607 Signed-off-by: Xuewei Niu --- src/agent/Cargo.lock | 81 ++++++++++++++++++++++------------------ src/agent/Cargo.toml | 2 +- src/agent/src/netlink.rs | 60 ++++------------------------- 3 files changed, 53 insertions(+), 90 deletions(-) diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index 8c9524c9c1..abfca3a780 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock @@ -588,8 +588,8 @@ dependencies = [ "libc", "log", "logging", - "netlink-packet-utils", - "netlink-sys", + "netlink-packet-utils 0.4.1", + "netlink-sys 0.7.0", "nix 0.23.1", "oci", "opentelemetry", @@ -734,28 +734,28 @@ checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a" [[package]] name = "netlink-packet-core" -version = "0.2.4" +version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac48279d5062bdf175bdbcb6b58ff1d6b0ecd54b951f7a0ff4bc0550fe903ccb" +checksum = "345b8ab5bd4e71a2986663e88c56856699d060e78e152e6e9d7966fcd5491297" dependencies = [ "anyhow", "byteorder", "libc", - "netlink-packet-utils", + "netlink-packet-utils 0.5.1", ] [[package]] name = "netlink-packet-route" -version = "0.8.0" +version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "76aed5d3b6e3929713bf1e1334a11fd65180b6d9f5d7c8572664c48b122604f8" +checksum = "f5dee5ed749373c298237fe694eb0a51887f4cc1a27370c8464bac4382348f1a" dependencies = [ "anyhow", "bitflags", "byteorder", "libc", "netlink-packet-core", - "netlink-packet-utils", + "netlink-packet-utils 0.5.1", ] [[package]] 
@@ -771,18 +771,30 @@ dependencies = [ ] [[package]] -name = "netlink-proto" -version = "0.7.0" +name = "netlink-packet-utils" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ddd06e90449ae973fe3888c1ff85949604ef5189b4ac9a2ae39518da1e00762d" +checksum = "25af9cf0dc55498b7bd94a1508af7a78706aa0ab715a73c5169273e03c84845e" +dependencies = [ + "anyhow", + "byteorder", + "paste", + "thiserror", +] + +[[package]] +name = "netlink-proto" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "65b4b14489ab424703c092062176d52ba55485a89c076b4f9db05092b7223aa6" dependencies = [ "bytes 1.1.0", "futures", "log", "netlink-packet-core", - "netlink-sys", + "netlink-sys 0.8.3", + "thiserror", "tokio", - "tokio-util", ] [[package]] @@ -797,6 +809,19 @@ dependencies = [ "tokio", ] +[[package]] +name = "netlink-sys" +version = "0.8.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92b654097027250401127914afb37cb1f311df6610a9891ff07a757e94199027" +dependencies = [ + "bytes 1.1.0", + "futures", + "libc", + "log", + "tokio", +] + [[package]] name = "nix" version = "0.17.0" @@ -812,9 +837,9 @@ dependencies = [ [[package]] name = "nix" -version = "0.22.3" +version = "0.23.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e4916f159ed8e5de0082076562152a76b7a1f64a01fd9d1e0fea002c37624faf" +checksum = "9f866317acbd3a240710c63f065ffb1e4fd466259045ccb504130b7f668f35c6" dependencies = [ "bitflags", "cc", @@ -825,15 +850,13 @@ dependencies = [ [[package]] name = "nix" -version = "0.23.1" +version = "0.24.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f866317acbd3a240710c63f065ffb1e4fd466259045ccb504130b7f668f35c6" +checksum = "195cdbc1741b8134346d515b3a56a1c94b0912758009cfd53f99ea0f57b065fc" dependencies = [ "bitflags", - "cc", "cfg-if 1.0.0", "libc", - "memoffset", ] [[package]] 
@@ -1331,15 +1354,15 @@ dependencies = [ [[package]] name = "rtnetlink" -version = "0.8.1" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c9a6200d18ec1acfc218ce71363dcc9b6075f399220f903fdfeacd476a876ef" +checksum = "46f1cfa18f8cebe685373a2697915d7e0db3b4554918bba118385e0f71f258a7" dependencies = [ "futures", "log", "netlink-packet-route", "netlink-proto", - "nix 0.22.3", + "nix 0.24.2", "thiserror", "tokio", ] @@ -1710,20 +1733,6 @@ dependencies = [ "tokio", ] -[[package]] -name = "tokio-util" -version = "0.6.10" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "36943ee01a6d67977dd3f84a5a1d2efeb4ada3a1ae771cadfaa535d9d9fc6507" -dependencies = [ - "bytes 1.1.0", - "futures-core", - "futures-sink", - "log", - "pin-project-lite", - "tokio", -] - [[package]] name = "tokio-vsock" version = "0.3.1" diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index ae809bdaf7..a25120b4ff 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml @@ -32,7 +32,7 @@ tokio = { version = "1.14.0", features = ["full"] } tokio-vsock = "0.3.1" netlink-sys = { version = "0.7.0", features = ["tokio_socket",]} -rtnetlink = "0.8.0" +rtnetlink = "0.11.0" netlink-packet-utils = "0.4.1" ipnetwork = "0.17.0" diff --git a/src/agent/src/netlink.rs b/src/agent/src/netlink.rs index c6fc9c2079..171e2eb3b1 100644 --- a/src/agent/src/netlink.rs +++ b/src/agent/src/netlink.rs @@ -4,7 +4,7 @@ // use anyhow::{anyhow, Context, Result}; -use futures::{future, StreamExt, TryStreamExt}; +use futures::{future, TryStreamExt}; use ipnetwork::{IpNetwork, Ipv4Network, Ipv6Network}; use nix::errno::Errno; use protobuf::RepeatedField; 
@@ -164,7 +164,7 @@ impl Handle { let request = self.handle.link().get(); let filtered = match filter { - LinkFilter::Name(name) => request.set_name_filter(name.to_owned()), + LinkFilter::Name(name) => request.match_name(name.to_owned()), LinkFilter::Index(index) => request.match_index(index), _ => request, // Post filters }; @@ -516,7 +516,6 @@ impl Handle { } /// Adds an ARP neighbor. - /// TODO: `rtnetlink` has no neighbours API, remove this after https://github.com/little-dude/netlink/pull/135 async fn add_arp_neighbor(&mut self, neigh: &ARPNeighbor) -> Result<()> { let ip_address = neigh .toIPAddress 
@@ -528,58 +527,13 @@ impl Handle { let ip = IpAddr::from_str(ip_address) .map_err(|e| anyhow!("Failed to parse IP {}: {:?}", ip_address, e))?; - // Import rtnetlink objects that make sense only for this function - use packet::constants::{NDA_UNSPEC, NLM_F_ACK, NLM_F_CREATE, NLM_F_EXCL, NLM_F_REQUEST}; - use packet::neighbour::{NeighbourHeader, NeighbourMessage}; - use packet::nlas::neighbour::Nla; - use packet::{NetlinkMessage, NetlinkPayload, RtnlMessage}; - use rtnetlink::Error; - - const IFA_F_PERMANENT: u16 = 0x80; // See https://github.com/little-dude/netlink/blob/0185b2952505e271805902bf175fee6ea86c42b8/netlink-packet-route/src/rtnl/constants.rs#L770 - let link = self.find_link(LinkFilter::Name(&neigh.device)).await?; - let message = NeighbourMessage { - header: NeighbourHeader { - family: match ip { - IpAddr::V4(_) => packet::AF_INET, - IpAddr::V6(_) => packet::AF_INET6, - } as u8, - ifindex: link.index(), - state: if neigh.state != 0 { - neigh.state as u16 - } else { - IFA_F_PERMANENT - }, - flags: neigh.flags as u8, - ntype: NDA_UNSPEC as u8, - }, - nlas: { - let mut nlas = vec![Nla::Destination(match ip { - IpAddr::V4(v4) => v4.octets().to_vec(), - IpAddr::V6(v6) => v6.octets().to_vec(), - })]; - - if !neigh.lladdr.is_empty() { - nlas.push(Nla::LinkLocalAddress( - parse_mac_address(&neigh.lladdr)?.to_vec(), - )); - } - - nlas - }, - }; - - // Send request and ACK - let mut req = NetlinkMessage::from(RtnlMessage::NewNeighbour(message)); - req.header.flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE; - - let mut response = self.handle.request(req)?; - while let Some(message) = response.next().await { - if let NetlinkPayload::Error(err) = message.payload { - return Err(anyhow!(Error::NetlinkError(err))); - } - } + self.handle + .neighbours() + .add(link.index(), ip) + .execute() + .await?; Ok(()) } From 81fe51ab0b2873edc14d10c95593a65928889e73 Mon Sep 17 00:00:00 2001 
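Review bot: The new `self.handle.neighbours().add(link.index(), ip)` request drops three inputs the removed code honoured — `neigh.lladdr` (previously sent as `Nla::LinkLocalAddress`), `neigh.state` (with its permanent-state fallback) and `neigh.flags` — so every neighbour is now created without a link-layer address and with the builder's defaults. rtnetlink 0.11's `NeighbourAddRequest` exposes `link_local_address`, `state` and `flags` setters, so the previous behaviour can be kept on the new API as sketched below; if `parse_mac_address` has no other caller it otherwise becomes dead code. The builder appears to default to a permanent state, so forwarding only a non-zero `neigh.state` should preserve the old fallback, but confirm that against the crate. `add_arp_neighbor` starts outside this hunk.
```rust
        let link = self.find_link(LinkFilter::Name(&neigh.device)).await?;

        let mut request = self.handle.neighbours().add(link.index(), ip);
        if !neigh.lladdr.is_empty() {
            request = request.link_local_address(&parse_mac_address(&neigh.lladdr)?);
        }
        if neigh.state != 0 {
            request = request.state(neigh.state as u16);
        }
        request.flags(neigh.flags as u8).execute().await?;

        Ok(())
```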
From: Xuewei Niu Date: Mon, 1 Aug 2022 16:14:18 +0800 Subject: [PATCH 02/12] agent: fix unittests for arp neighbors Set an ARP address explicitly before netlink::test_add_one_arp_neighbor() running. Signed-off-by: Xuewei Niu --- src/agent/src/netlink.rs | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/agent/src/netlink.rs b/src/agent/src/netlink.rs index 171e2eb3b1..3869eee000 100644 --- a/src/agent/src/netlink.rs +++ b/src/agent/src/netlink.rs @@ -904,7 +904,7 @@ mod tests { .expect("prepare: failed to delete neigh"); } - fn prepare_env_for_test_add_one_arp_neighbor(dummy_name: &str, ip: &str) { + fn prepare_env_for_test_add_one_arp_neighbor(dummy_name: &str, ip: &str, mac: &str) { clean_env_for_test_add_one_arp_neighbor(dummy_name, ip); // modprobe dummy Command::new("modprobe") @@ -918,6 +918,12 @@ mod tests { .output() .expect("failed to add dummy interface"); + // ip link set dummy address 6a:92:3a:59:70:aa + Command::new("ip") + .args(&["link", "set", dummy_name, "address", mac]) + .output() + .expect("failed to add dummy interface"); + // ip addr add 192.168.0.2/16 dev dummy Command::new("ip") .args(&["addr", "add", "192.168.0.2/16", "dev", dummy_name]) @@ -939,7 +945,7 @@ mod tests { let to_ip = "169.254.1.1"; let dummy_name = "dummy_for_arp"; - prepare_env_for_test_add_one_arp_neighbor(dummy_name, to_ip); + prepare_env_for_test_add_one_arp_neighbor(dummy_name, to_ip, mac); let mut ip_address = IPAddress::new(); ip_address.set_address(to_ip.to_string()); From 4d33b0541d3a4ffd7b0ef7fddfea3f848449fa1c Mon Sep 17 00:00:00 2001 
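Review bot: The `.expect` message on the new `ip link set … address` command in the `@@ -918` hunk was copied from the preceding `ip link add` block and reads `failed to add dummy interface`, so a failure here is reported as the wrong step; use `.expect("failed to set dummy interface address")`. The comment above it hardcodes `6a:92:3a:59:70:aa` while the command uses the `mac` parameter; `// ip link set <dummy_name> address <mac>` stays accurate. As with the surrounding commands, only a spawn failure is caught — a non-zero exit status from `ip` goes unnoticed and the test proceeds on a half-prepared interface — so checking `output.status.success()` would make preparation failures visible. `prepare_env_for_test_add_one_arp_neighbor` starts outside this hunk.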
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 28 Jul 2022 21:29:33 +0200 Subject: [PATCH 03/12] packaging: Don't hardcode "edk2" as the cloned repo's dir. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As TDVF comes from a different repo, the edk2-staging one, we cannot simply hardcode the name. Instead, let's get the name of the directory from name of the git repo. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/build-ovmf.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index 83537686c9..a257df3d43 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh @@ -1,6 +1,7 @@ #!/bin/bash # # Copyright (c) 2022 IBM +# Copyright (c) 2022 Intel # # SPDX-License-Identifier: Apache-2.0 @@ -15,7 +16,6 @@ source "${script_dir}/../../scripts/lib.sh" set +u ovmf_build="${ovmf_build:-x86_64}" ovmf_repo="${ovmf_repo:-}" -ovmf_dir="edk2" ovmf_version="${ovmf_version:-}" ovmf_package="${ovmf_package:-}" package_output_dir="${package_output_dir:-}" @@ -30,6 +30,8 @@ build_target="${build_target:-RELEASE}" [ -n "$ovmf_package" ] || die "failed to get ovmf package or commit" [ -n "$package_output_dir" ] || die "failed to get ovmf package or commit" +ovmf_dir="${ovmf_repo##*/}" + info "Build ${ovmf_repo} version: ${ovmf_version}" build_root=$(mktemp -d) @@ -65,4 +67,4 @@ popd info "Install fd to destdir" mkdir -p "$DESTDIR/$PREFIX/share/ovmf" -cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf" \ No newline at end of file +cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf" From 42eaf19b436ab643c0e47a9e92fbbdd12bee1c7e Mon Sep 17 00:00:00 2001 
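Review bot: `ovmf_dir="${ovmf_repo##*/}"` in the `@@ -30,6 +30,8` hunk only strips up to the last slash, so a repo URL given with a `.git` suffix or a trailing slash yields a name that differs from the directory `git clone` creates (git drops both), and the later `cd "${ovmf_dir}"` fails. Normalise the value first: `ovmf_dir="${ovmf_repo%/}"`, `ovmf_dir="${ovmf_dir##*/}"`, `ovmf_dir="${ovmf_dir%.git}"`. Because the script runs under `set +u` (visible in the previous hunk), an empty `ovmf_repo` would silently produce an empty `ovmf_dir` here; the repo value is presumably validated earlier, outside this hunk.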
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 28 Jul 2022 21:41:55 +0200 Subject: [PATCH 04/12] packaging: Simplify OVMF repo clone MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instead of cloning the repo, and then switching to a specific branch, let's take advantage of `--branch` and directly clone the specific branch / tag. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/build-ovmf.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index a257df3d43..fd4586cd4a 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh @@ -36,9 +36,8 @@ info "Build ${ovmf_repo} version: ${ovmf_version}" build_root=$(mktemp -d) pushd $build_root -git clone "${ovmf_repo}" +git clone --single-branch --depth 1 -b "${ovmf_version}" "${ovmf_repo}" cd "${ovmf_dir}" -git checkout "${ovmf_version}" git submodule init git submodule update From e6a5a5106d670f724f46b0afb851fb99092b2eda Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 29 Jul 2022 14:44:21 +0200 Subject: [PATCH 05/12] packaging: Generate a tarball as OVMF build result MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Instead of having as a result the directory where OVMF artefacts where installed, let's follow what we do with the other components and have a tarball as a result of the OVMF build. Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/build-ovmf.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index fd4586cd4a..906293ee5b 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh 
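Review bot: `git clone --single-branch --depth 1 -b "${ovmf_version}"` accepts only a branch or tag name, whereas the `git checkout "${ovmf_version}"` it replaces also accepted a commit hash — and the script's own `failed to get ovmf version or commit` message (outside this hunk) suggests commits were meant to be supported. If that is still a requirement, keep a fallback such as `git clone --depth 1 -b "${ovmf_version}" "${ovmf_repo}" || { git clone "${ovmf_repo}" && git -C "${ovmf_dir}" checkout "${ovmf_version}"; }`; otherwise narrow the message to tags so the limitation is documented. The shallow clone is a reasonable default, but since a tag can be moved, recording and comparing the resolved commit in the build log would make the artefact's provenance checkable.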
@@ -67,3 +67,8 @@ popd info "Install fd to destdir" mkdir -p "$DESTDIR/$PREFIX/share/ovmf" cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf" + +pushd $DESTDIR +tar -czvf "${ovmf_dir}-${ovmf_build}.tar.gz" "./$PREFIX" +rm -rf $(dirname ./$PREFIX) +popd From c9b5bde30b23ed7269666f296a378e634aa9a4a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 28 Jul 2022 21:15:35 +0200 Subject: [PATCH 06/12] versions: Track and build TDVF MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit TDVF is the firmware used by QEMU to start TDX capable VMs. Let's start tracking it as it'll become part of the Confidential Containers sooner or later. TDVF lives in the public https://github.com/tianocore/edk2-staging repo and we're using as its version tags that are consumed internally at Intel. Fixes: #4624 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/Dockerfile | 1 + .../packaging/static-build/ovmf/build-ovmf.sh | 32 ++++++++++++++++--- tools/packaging/static-build/ovmf/build.sh | 10 +++++- versions.yaml | 6 ++++ 4 files changed, 43 insertions(+), 6 deletions(-) diff --git a/tools/packaging/static-build/ovmf/Dockerfile b/tools/packaging/static-build/ovmf/Dockerfile index cffeb2ffb2..a9a148a756 100644 --- a/tools/packaging/static-build/ovmf/Dockerfile +++ b/tools/packaging/static-build/ovmf/Dockerfile @@ -17,5 +17,6 @@ RUN apt-get update && \ nasm \ python \ python3 \ + python3-distutils \ uuid-dev && \ apt-get clean && rm -rf /var/lib/lists/ diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index 906293ee5b..fe3925b1ce 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh 
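Review bot: `rm -rf $(dirname ./$PREFIX)` in the `@@ -67,3 +67,8` hunk removes whatever `dirname` makes of `PREFIX`, which depends on its number of path components: `/opt/kata` gives `.//opt`, a single-component prefix gives `.` (which GNU `rm` refuses, so the step errors out), and under the script's `set +u` an unset `PREFIX` makes both the tar argument `./` and the removal target `.`. `pushd $DESTDIR`, the tar argument and the `rm` target are also unquoted, so a value containing whitespace is split into several arguments. Guard the variable before the destructive step and quote the expansions: `[ -n "${PREFIX}" ] || die "PREFIX must be set"`, `pushd "${DESTDIR}"`, `rm -rf "$(dirname "./${PREFIX}")"`.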
@@ -54,19 +54,41 @@ if [ "${ovmf_build}" == "sev" ]; then fi info "Building ovmf" -build -b "${build_target}" -t "${toolchain}" -a "${architecture}" -p "${ovmf_package}" +build_cmd="build -b ${build_target} -t ${toolchain} -a ${architecture} -p ${ovmf_package}" +if [ "${ovmf_build}" == "tdx" ]; then + build_cmd+=" -D DEBUG_ON_SERIAL_PORT=TRUE -D TDX_MEM_PARTIAL_ACCEPT=512 -D TDX_EMULATION_ENABLE=FALSE -D TDX_ACCEPT_PAGE_SIZE=2M" +fi + +eval "${build_cmd}" info "Done Building" -build_path="Build/${package_output_dir}/${build_target}_${toolchain}/FV/OVMF.fd" -stat "${build_path}" +build_path_target_toolchain="Build/${package_output_dir}/${build_target}_${toolchain}" +build_path_fv="${build_path_target_toolchain}/FV" +stat "${build_path_fv}/OVMF.fd" +if [ "${ovmf_build}" == "tdx" ]; then + build_path_arch="${build_path_target_toolchain}/X64" + stat "${build_path_fv}/OVMF_CODE.fd" + stat "${build_path_fv}/OVMF_VARS.fd" + stat "${build_path_arch}/DumpTdxEventLog.efi" +fi #need to leave tmp dir popd info "Install fd to destdir" -mkdir -p "$DESTDIR/$PREFIX/share/ovmf" -cp $build_root/$ovmf_dir/"${build_path}" "$DESTDIR/$PREFIX/share/ovmf" +install_dir="${DESTDIR}/${PREFIX}/share/ovmf" +if [ "${ovmf_build}" == "tdx" ]; then + install_dir="$DESTDIR/$PREFIX/share/tdvf" +fi + +mkdir -p "${install_dir}" +install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF.fd "${install_dir}" +if [ "${ovmf_build}" == "tdx" ]; then + install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_CODE.fd ${install_dir} + install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_VARS.fd ${install_dir} + install $build_root/$ovmf_dir/"${build_path_arch}"/DumpTdxEventLog.efi ${install_dir} +fi pushd $DESTDIR tar -czvf "${ovmf_dir}-${ovmf_build}.tar.gz" "./$PREFIX" diff --git a/tools/packaging/static-build/ovmf/build.sh b/tools/packaging/static-build/ovmf/build.sh index 0662d20b82..fcbbd93210 100755 --- a/tools/packaging/static-build/ovmf/build.sh +++ b/tools/packaging/static-build/ovmf/build.sh 
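Review bot: `eval "${build_cmd}"` re-parses a string assembled from `build_target`, `toolchain`, `architecture` and `ovmf_package`, which come from `versions.yaml` or the environment; any whitespace or shell metacharacter in those values is word-split or interpreted by the shell instead of being passed to `build`, an exposure the replaced single-line `build` call did not have. A bash array keeps each argument intact without `eval`, as sketched below. The TDX branch's three `install … ${install_dir}` lines also leave `${install_dir}` unquoted while the `OVMF.fd` line quotes it. `-D DEBUG_ON_SERIAL_PORT=TRUE` is baked into the `RELEASE` TDVF image; confirm that serial debug output is intended for the shipped firmware.
```shell
build_cmd=(build -b "${build_target}" -t "${toolchain}" -a "${architecture}" -p "${ovmf_package}")
if [ "${ovmf_build}" == "tdx" ]; then
	build_cmd+=(-D DEBUG_ON_SERIAL_PORT=TRUE -D TDX_MEM_PARTIAL_ACCEPT=512 -D TDX_EMULATION_ENABLE=FALSE -D TDX_ACCEPT_PAGE_SIZE=2M)
fi

"${build_cmd[@]}"
# … unchanged: build_path checks, install_dir selection and install steps …
```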
@@ -25,7 +25,11 @@ ovmf_package="${ovmf_package:-}" package_output_dir="${package_output_dir:-}" if [ -z "$ovmf_repo" ]; then - ovmf_repo=$(get_from_kata_deps "externals.ovmf.url" "${kata_version}") + if [ "${ovmf_build}" == "tdx" ]; then + ovmf_repo=$(get_from_kata_deps "externals.ovmf.tdx.url" "${kata_version}") + else + ovmf_repo=$(get_from_kata_deps "externals.ovmf.url" "${kata_version}") + fi fi [ -n "$ovmf_repo" ] || die "failed to get ovmf repo" @@ -38,6 +42,10 @@ elif [ "${ovmf_build}" == "sev" ]; then [ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps "externals.ovmf.sev.version" "${kata_version}") [ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps "externals.ovmf.sev.package" "${kata_version}") [ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps "externals.ovmf.sev.package_output_dir" "${kata_version}") +elif [ "${ovmf_build}" == "tdx" ]; then + [ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps "externals.ovmf.tdx.version" "${kata_version}") + [ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps "externals.ovmf.tdx.package" "${kata_version}") + [ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps "externals.ovmf.tdx.package_output_dir" "${kata_version}") fi [ -n "$ovmf_version" ] || die "failed to get ovmf version or commit" diff --git a/versions.yaml b/versions.yaml index b903546d3f..075b7e0070 100644 --- a/versions.yaml +++ b/versions.yaml @@ -261,6 +261,12 @@ externals: version: "edk2-stable202202" package: "OvmfPkg/AmdSev/AmdSevX64.dsc" package_output_dir: "AmdSev" + tdx: + url: "https://github.com/tianocore/edk2-staging" + description: "TDVF build needed for TDX measured direct boot." + version: "2022-tdvf-ww28.5" + package: "OvmfPkg/OvmfPkgX64.dsc" + package_output_dir: "OvmfX64" td-shim: description: "Confidential Containers Shim Firmware" From dd397ff1bf9518dfcf79459b121e88dbf4742c0c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 3 Aug 2022 11:00:36 +0200 Subject: [PATCH 07/12] versions: Bump QEMU TDX version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's use the latest tag provided in the "https://github.com/intel/qemu-dcp" repo, "SPR-BKC-QEMU-v2.5". Fixes: #4802 Signed-off-by: Fabiano Fidêncio --- versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.yaml b/versions.yaml index 075b7e0070..d964cac7c0 100644 --- a/versions.yaml +++ b/versions.yaml @@ -101,7 +101,7 @@ assets: tdx: description: "VMM that uses KVM and supports TDX" url: "https://github.com/intel/qemu-dcp" - tag: "SPR-BKC-QEMU-v2.2" + tag: "SPR-BKC-QEMU-v2.5" qemu-experimental: description: "QEMU with virtiofs support" From c9358155a26cd2491431a2b96aba2c93b50ed8f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 3 Aug 2022 11:56:18 +0200 Subject: [PATCH 08/12] kernel: Sort the TDX configs alphabetically MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's just re-order the TDX configs alphabetically. No new config has been added or removed, thus no need to bump the kernel version. Signed-off-by: Fabiano Fidêncio --- .../kernel/configs/fragments/x86_64/tdx/tdx.conf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf b/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf index a363ec6b6e..9239aeecdc 100644 --- a/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf +++ b/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf 
@@ -1,13 +1,13 @@ # Intel Trust Domain Extensions (Intel TDX) +CONFIG_CLK_LGM_CGU=y +CONFIG_DMA_RESTRICTED_POOL=y CONFIG_EFI=y CONFIG_EFI_STUB=y -CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y -CONFIG_INTEL_TDX_GUEST=y CONFIG_INTEL_TDX_FIXES=y -CONFIG_X86_MEM_ENCRYPT_COMMON=y -CONFIG_X86_5LEVEL=y +CONFIG_INTEL_TDX_GUEST=y CONFIG_OF=y -CONFIG_CLK_LGM_CGU=y CONFIG_OF_RESERVED_MEM=y -CONFIG_DMA_RESTRICTED_POOL=y +CONFIG_X86_5LEVEL=y +CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y +CONFIG_X86_MEM_ENCRYPT_COMMON=y From 9972487f6e1a1ffd27c6f3e013d60efa4a3a2859 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 3 Aug 2022 11:58:34 +0200 Subject: [PATCH 09/12] versions: Bump Kernel TDX version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The latest kernel with TDX support should be pulled from a different repo (https://github.com/intel/linux-kernel-dcp, instead of https://github.com/intel/tdx), and the latest version to be used is SPR-BKC-PC-v9.6. With the new version being used, let's make sure we enable the INTEL_TDX_ATTESTATION config option, and all the dependencies needed to do so. Fixes: #4803 Signed-off-by: Fabiano Fidêncio --- tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf | 4 ++++ tools/packaging/kernel/kata_config_version | 2 +- versions.yaml | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf b/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf index 9239aeecdc..1b1f8751ef 100644 --- a/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf +++ b/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf @@ -4,6 +4,8 @@ CONFIG_CLK_LGM_CGU=y CONFIG_DMA_RESTRICTED_POOL=y CONFIG_EFI=y CONFIG_EFI_STUB=y +CONFIG_INTEL_IOMMU_SVM=y +CONFIG_INTEL_TDX_ATTESTATION=y CONFIG_INTEL_TDX_FIXES=y CONFIG_INTEL_TDX_GUEST=y CONFIG_OF=y 
@@ -11,3 +13,5 @@ CONFIG_OF_RESERVED_MEM=y CONFIG_X86_5LEVEL=y CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y CONFIG_X86_MEM_ENCRYPT_COMMON=y +CONFIG_X86_PLATFORM_DEVICES=y +CONFIG_X86_PLATFORM_DRIVERS_INTEL=y diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version index c67f579c9a..49541f7210 100644 --- a/tools/packaging/kernel/kata_config_version +++ b/tools/packaging/kernel/kata_config_version @@ -1 +1 @@ -93 +94 diff --git a/versions.yaml b/versions.yaml index d964cac7c0..306e058e97 100644 --- a/versions.yaml +++ b/versions.yaml @@ -156,8 +156,8 @@ assets: version: "v5.15.48" tdx: description: "Linux kernel that supports TDX" - url: "https://github.com/intel/tdx/archive/refs/tags" - tag: "tdx-guest-v5.15-4" + url: "https://github.com/intel/linux-kernel-dcp/archive/refs/tags" + tag: "SPR-BKC-PC-v9.6" sev: description: "Linux kernel with efi_secret support" url: "https://github.com/confidential-containers-demo/\ From 62f05d4b481ab6765abe3de69628e6806770c02b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 3 Aug 2022 14:44:10 +0200 Subject: [PATCH 10/12] ovmf: Adjust final tarball location MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's create the OVMF tarball in the directory where the script was called from, instead of doing it in the $DESTDIR. This aligns with the logic being used for creating / extracting the tarball content, which is already in use by the kata-deploy local build scripts. Fixes: #4808 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/ovmf/build-ovmf.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index fe3925b1ce..9245dead48 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh 
@@ -90,7 +90,8 @@ if [ "${ovmf_build}" == "tdx" ]; then install $build_root/$ovmf_dir/"${build_path_arch}"/DumpTdxEventLog.efi ${install_dir} fi +local_dir=${PWD} pushd $DESTDIR -tar -czvf "${ovmf_dir}-${ovmf_build}.tar.gz" "./$PREFIX" +tar -czvf "${local_dir}/${ovmf_dir}-${ovmf_build}.tar.gz" "./$PREFIX" rm -rf $(dirname ./$PREFIX) popd From 8d1cb1d513e61ab9da47f397e1432c08fcb954e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 3 Aug 2022 14:47:03 +0200 Subject: [PATCH 11/12] td-shim: Adjust final tarball location MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's create the td-shim tarball in the directory where the script was called from, instead of doing it in the $DESTDIR. This aligns with the logic being used for creating / extracting the tarball content, which is already in use by the kata-deploy local build scripts. Fixes: #4809 Signed-off-by: Fabiano Fidêncio --- tools/packaging/static-build/td-shim/build-td-shim.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/packaging/static-build/td-shim/build-td-shim.sh b/tools/packaging/static-build/td-shim/build-td-shim.sh index ed933c007e..cbc336d666 100755 --- a/tools/packaging/static-build/td-shim/build-td-shim.sh +++ b/tools/packaging/static-build/td-shim/build-td-shim.sh @@ -35,7 +35,8 @@ install target/x86_64-unknown-uefi/release/final-boot-kernel.bin ${install_dir}/ popd #td-shim popd #${build_root} +local_dir=${PWD} pushd ${DESTDIR} -tar -czvf "td-shim.tar.gz" "./$PREFIX" +tar -czvf "${local_dir}/td-shim.tar.gz" "./$PREFIX" rm -rf $(dirname ./$PREFIX) popd #${DESTDIR} From c5452faec66cadf95c2a8efecd9f2f6944f7c41a Mon Sep 17 00:00:00 2001 From: Chelsea Mafrica Date: Thu, 4 Aug 2022 12:49:01 -0700 Subject: [PATCH 12/12] docs: Improve SGX documentation Update documentation with details regarding intel-device-plugins-for-kubernetes setup and dependencies. Fixes #4819 
Signed-off-by: Chelsea Mafrica --- docs/use-cases/using-Intel-SGX-and-kata.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/use-cases/using-Intel-SGX-and-kata.md b/docs/use-cases/using-Intel-SGX-and-kata.md index f45e3ed5bc..b08e3c765c 100644 --- a/docs/use-cases/using-Intel-SGX-and-kata.md +++ b/docs/use-cases/using-Intel-SGX-and-kata.md @@ -18,7 +18,7 @@ CONFIG_X86_SGX_KVM=y * Kubernetes cluster configured with: * [`kata-deploy`](../../tools/packaging/kata-deploy) based Kata Containers installation - * [Intel SGX Kubernetes device plugin](https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/cmd/sgx_plugin#deploying-with-pre-built-images) + * [Intel SGX Kubernetes device plugin](https://github.com/intel/intel-device-plugins-for-kubernetes/tree/main/cmd/sgx_plugin#deploying-with-pre-built-images) and associated components including [operator](https://github.com/intel/intel-device-plugins-for-kubernetes/blob/main/cmd/operator/README.md) and dependencies > Note: Kata Containers supports creating VM sandboxes with Intel® SGX enabled > using [cloud-hypervisor](https://github.com/cloud-hypervisor/cloud-hypervisor/) and [QEMU](https://www.qemu.org/) VMMs only. @@ -99,4 +99,4 @@ because socket passthrough is not supported. An alternative is to deploy the `ae container. * Projects like [Gramine Shielded Containers (GSC)](https://gramine-gsc.readthedocs.io/en/latest/) are also known to work. For GSC specifically, the Kata guest kernel needs to have the `CONFIG_NUMA=y` -enabled and at least one CPU online when running the GSC container. +enabled and at least one CPU online when running the GSC container. The Kata Containers guest kernel currently has CONFIG_NUMA=y enabled by default.