From edf3cba463faebbec86aa87ac4ffd4c30558d665 Mon Sep 17 00:00:00 2001
From: Arron Wang
Date: Wed, 4 May 2022 16:35:49 +0800
Subject: [PATCH] CCv0: Add cryptsetup support in Guest kernel and rootfs

Add required kernel config for dm-crypt/dm-integrity/dm-verity and related crypto config.
Add userspace command line tools for disk encryption support and ext4 file system utilities.

Fixes: #4761
Signed-off-by: Arron Wang
---
 tools/osbuilder/rootfs-builder/rootfs.sh | 1 +
 .../osbuilder/rootfs-builder/ubuntu/config.sh | 1 +
 .../kata-deploy-binaries-in-docker.sh | 1 +
 .../local-build/kata-deploy-binaries.sh | 1 +
 tools/packaging/kernel/build-kernel.sh | 4 ++++
 .../confidential_containers/cryptsetup.conf | 21 +++++++++++++++++++
 .../configs/fragments/x86_64/crypto.conf | 3 +++
 tools/packaging/kernel/kata_config_version | 2 +-
 8 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf
 create mode 100644 tools/packaging/kernel/configs/fragments/x86_64/crypto.conf

diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index d82f2e7d6d..96d834791f 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -448,6 +448,7 @@ build_rootfs_distro()
 --env SKOPEO="${SKOPEO}" \
 --env UMOCI="${UMOCI}" \
 --env AA_KBC="${AA_KBC}" \
+ --env KATA_BUILD_CC="${KATA_BUILD_CC}" \
 --env SECCOMP="${SECCOMP}" \
 --env DEBUG="${DEBUG}" \
 --env HOME="/root" \
diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
index e139856ca0..486c2b4977 100644
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
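Review bot: The added `--env KATA_BUILD_CC="${KATA_BUILD_CC}"` passes the variable unguarded, whereas the docker wrapper in this same patch passes it as `${KATA_BUILD_CC:-}`; if rootfs.sh runs with `set -o nounset` (not visible in the hunk), an unset KATA_BUILD_CC aborts every non-CC rootfs build at this line instead of being ignored. The neighbouring lines are unguarded too, but KATA_BUILD_CC is the only one of them that only the CC build path sets, so `--env KATA_BUILD_CC="${KATA_BUILD_CC:-}"` is the safer and consistent form. If rootfs.sh has a usage text listing the pass-through variables (AA_KBC, SKOPEO, UMOCI), KATA_BUILD_CC and its accepted value `yes` belong there as well; that text is outside this hunk. build_rootfs_distro starts and ends outside the hunk.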
@@ -7,6 +7,7 @@ OS_NAME=ubuntu
 OS_VERSION=${OS_VERSION:-focal}
 PACKAGES="chrony iptables"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" init"
+[ "$KATA_BUILD_CC" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp2"
 [ "$SKOPEO" = yes ] && PACKAGES+=" libgpgme11"
 REPO_URL=http://ports.ubuntu.com
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
index f28e9ab650..d63fddd638 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@@ -45,6 +45,7 @@ docker run \
 --env SKOPEO="${SKOPEO:-}" \
 --env UMOCI="${UMOCI:-}" \
 --env AA_KBC="${AA_KBC:-}" \
+ --env KATA_BUILD_CC="${KATA_BUILD_CC:-}" \
 --env INCLUDE_ROOTFS="$(realpath "${INCLUDE_ROOTFS:-}" 2> /dev/null || true)" \
 -v "${kata_dir}:${kata_dir}" \
 --rm \
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 5aa8bd336c..da3aa476d7 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -116,6 +116,7 @@ install_cc_image() {
 export SKOPEO=yes
 export UMOCI=yes
 export AA_KBC="offline_fs_kbc"
+ export KATA_BUILD_CC=yes
 "${rootfs_builder}" --imagetype=image --prefix="${cc_prefix}" --destdir="${destdir}"
 }
 
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index 837dfd67a6..19436ac488 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
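Review bot: The new package line does not say why `cryptsetup-bin` and `e2fsprogs` are needed, and unlike the neighbouring lines the variable name does not make it obvious; a comment above it, `# KATA_BUILD_CC=yes: cryptsetup-bin is the dm-crypt/LUKS userspace, e2fsprogs the ext4 utilities for the encrypted volume`, would record what the commit message explains. The diffstat shows only the Ubuntu config gaining these packages, so a confidential build of another rootfs distro presumably gets the dm-crypt kernel side from the fragment but no cryptsetup binary in the image; if other distros are supported for CC builds the same addition is needed in their config.sh, otherwise a note here that Ubuntu is the only rootfs with CC tooling would help the next reader.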
@@ -242,6 +242,10 @@ get_kernel_frag_path() {
 fi
 
 if [[ "${conf_guest}" != "" ]];then
+ info "Enabling config for confidential guest trust storage protection"
+ local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)"
+ all_configs="${all_configs} ${cryptsetup_configs}"
+
 info "Enabling config for '${conf_guest}' confidential guest protection"
 local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)"
 all_configs="${all_configs} ${conf_configs}"
diff --git a/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf b/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf
new file mode 100644
index 0000000000..a3e04e9b17
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf
@@ -0,0 +1,21 @@
+CONFIG_MD=y
+CONFIG_BLK_DEV_DM_BUILTIN=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_CRYPT=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_INTEGRITY=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_ESSIV=y
+CONFIG_CRYPTO_XTS=y
+CONFIG_CRYPTO_HMAC=y
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf b/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf
new file mode 100644
index 0000000000..5cd7070f3b
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf
@@ -0,0 +1,3 @@
+# x86 cryptographic instructions to improve AES encryption and SHA256 hashing.
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index c67f579c9a..49541f7210 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-93
+94
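Review bot: `local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)"` hides the exit status of `ls` behind `local`, so if the fragment is missing or mis-pathed the build only prints an `ls` error to stderr, appends an empty string to `all_configs`, and produces a confidential-guest kernel without dm-crypt/dm-verity/dm-integrity; the existing `conf_configs` line has the same shape, but at least globs a directory. For a single known file `ls` is not needed: `local cryptsetup_configs="${common_path}/confidential_containers/cryptsetup.conf"` followed by `[ -f "${cryptsetup_configs}" ] || die "missing kernel fragment ${cryptsetup_configs}"` (using the `die` helper build-kernel.sh uses elsewhere, if it is in scope here) fails the build early instead. `${common_path}` is also unquoted inside the substitution. get_kernel_frag_path starts and ends outside the hunk.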
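Review bot: The new fragment has no header comment, unlike the sibling `x86_64/crypto.conf` in this patch, so a reader cannot tell which lines are the device-mapper targets and which are the cipher-mode dependencies; a first line such as `# dm-crypt/dm-verity/dm-integrity for confidential-guest storage protection, plus the modes cryptsetup/LUKS needs (CBC, XTS, ESSIV, HMAC, AUTHENC)` would make the grouping explicit. `CONFIG_CRYPTO_USER=y` enables the NETLINK_CRYPTO algorithm-management interface, which dm-crypt and cryptsetup do not require; in a confidential guest an unused kernel interface is attack surface, so unless something in the CC image depends on it, it is worth dropping or justifying in a comment. The list enables modes but no cipher or hash primitives (AES, SHA-256/512) and presumably relies on the base config for them; if the build does not verify fragments against the final .config, confirm once that the resulting kernel actually has them built in.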
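Review bot: `crypto.conf` is placed directly under `fragments/x86_64/` rather than in a confidential-containers subdirectory, so if the per-arch fragments are globbed the way the `arch_path` handling in build-kernel.sh suggests (that code is outside the hunk, so this is inferred), every x86_64 guest kernel gains AES-NI and SHA-256 SSSE3, not only the CC kernel the commit title describes. If that is intended, the existing comment should say so, e.g. `# x86 cryptographic instructions to improve AES encryption and SHA256 hashing; applies to all x86_64 guest kernels, not only confidential guests.`; if not, the file belongs next to cryptsetup.conf under confidential_containers.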