Merge pull request #9026 from fidencio/topic/packaging-remove-tee-specific-leftovers

packaging: Remove leftovers from the transition from TEE specific kernel / initrd / image to the "confidential" ones
Fabiano Fidêncio 2024-02-13 22:14:26 +01:00 committed by GitHub
commit c95c37d2ab
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 16 additions and 125 deletions


@ -100,11 +100,7 @@ options:
kernel-dragonball-experimental kernel-dragonball-experimental
kernel-experimental kernel-experimental
kernel-nvidia-gpu kernel-nvidia-gpu
kernel-nvidia-gpu-snp
kernel-nvidia-gpu-tdx-experimental
kernel-nvidia-gpu-confidential kernel-nvidia-gpu-confidential
kernel-sev-tarball
kernel-tdx-experimental
nydus nydus
pause-image pause-image
ovmf ovmf
@ -115,11 +111,9 @@ options:
stratovirt stratovirt
rootfs-image rootfs-image
rootfs-image-confidential rootfs-image-confidential
rootfs-image-tdx
rootfs-initrd rootfs-initrd
rootfs-initrd-confidential rootfs-initrd-confidential
rootfs-initrd-mariner rootfs-initrd-mariner
rootfs-initrd-sev
runk runk
shim-v2 shim-v2
tdvf tdvf
@ -334,12 +328,6 @@ install_image_confidential() {
install_image "confidential" install_image "confidential"
} }
#Install guest image for tdx
install_image_tdx() {
export AGENT_POLICY=yes
install_image "tdx"
}
#Install guest initrd #Install guest initrd
install_initrd() { install_initrd() {
local variant="${1:-}" local variant="${1:-}"
@ -414,12 +402,6 @@ install_initrd_mariner() {
install_initrd "mariner" install_initrd "mariner"
} }
#Install guest initrd for sev
install_initrd_sev() {
export AGENT_POLICY=yes
install_initrd "sev"
}
install_se_image() { install_se_image() {
info "Create IBM SE image configured with AA_KBC=${AA_KBC}" info "Create IBM SE image configured with AA_KBC=${AA_KBC}"
"${se_image_builder}" --destdir="${destdir}" "${se_image_builder}" --destdir="${destdir}"
@ -442,7 +424,7 @@ install_cached_kernel_tarball_component() {
"${extra_tarballs}" \ "${extra_tarballs}" \
|| return 1 || return 1
if [[ "${kernel_name}" != "kernel-sev" ]] && [[ "${kernel_name}" != "kernel"*"-confidential" ]]; then if [[ "${kernel_name}" != "kernel"*"-confidential" ]]; then
return 0 return 0
fi fi
@ -463,13 +445,11 @@ install_kernel_helper() {
export kernel_version="$(get_from_kata_deps ${kernel_version_yaml_path})" export kernel_version="$(get_from_kata_deps ${kernel_version_yaml_path})"
export kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)" export kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
if [[ "${kernel_name}" == "kernel-sev" ]]; then if [[ "${kernel_name}" == "kernel"*"-confidential" ]]; then
kernel_version="$(get_from_kata_deps assets.kernel.sev.version)"
elif [[ "${kernel_name}" == "kernel"*"-confidential" ]]; then
kernel_version="$(get_from_kata_deps assets.kernel.confidential.version)" kernel_version="$(get_from_kata_deps assets.kernel.confidential.version)"
fi fi
if [[ "${kernel_name}" == "kernel-sev" ]] || [[ "${kernel_name}" == "kernel"*"-confidential" ]]; then if [[ "${kernel_name}" == "kernel"*"-confidential" ]]; then
local kernel_modules_tarball_name="kata-static-${kernel_name}-modules.tar.xz" local kernel_modules_tarball_name="kata-static-${kernel_name}-modules.tar.xz"
local kernel_modules_tarball_path="${workdir}/${kernel_modules_tarball_name}" local kernel_modules_tarball_path="${workdir}/${kernel_modules_tarball_name}"
extra_tarballs="${kernel_modules_tarball_name}:${kernel_modules_tarball_path}" extra_tarballs="${kernel_modules_tarball_name}:${kernel_modules_tarball_path}"
@ -500,7 +480,7 @@ install_kernel_confidential() {
install_kernel_helper \ install_kernel_helper \
"assets.kernel.confidential.version" \ "assets.kernel.confidential.version" \
"kernel-confidential" \ "kernel-confidential" \
"-x confidential -u ${kernel_url}" "-x -u ${kernel_url}"
} }
install_kernel_dragonball_experimental() { install_kernel_dragonball_experimental() {
@ -527,50 +507,7 @@ install_kernel_nvidia_gpu_confidential() {
install_kernel_helper \ install_kernel_helper \
"assets.kernel.confidential.version" \ "assets.kernel.confidential.version" \
"kernel-nvidia-gpu-confidential" \ "kernel-nvidia-gpu-confidential" \
"-x confidential -g nvidia -u ${kernel_url} -H deb" "-x -g nvidia -u ${kernel_url} -H deb"
}
#Install GPU and SNP enabled kernel asset
install_kernel_nvidia_gpu_snp() {
local kernel_url="$(get_from_kata_deps assets.kernel.sev.url)"
install_kernel_helper \
"assets.kernel.sev.version" \
"kernel-nvidia-gpu-snp" \
"-x sev -g nvidia -u ${kernel_url} -H deb"
}
#Install GPU and TDX experimental enabled kernel asset
install_kernel_nvidia_gpu_tdx_experimental() {
local kernel_url="$(get_from_kata_deps assets.kernel-tdx-experimental.url)"
install_kernel_helper \
"assets.kernel-tdx-experimental.version" \
"kernel-nvidia-gpu-tdx-experimental" \
"-x tdx -g nvidia -u ${kernel_url} -H deb"
}
#Install experimental TDX kernel asset
install_kernel_tdx_experimental() {
local kernel_url="$(get_from_kata_deps assets.kernel-tdx-experimental.url)"
export MEASURED_ROOTFS=yes
install_kernel_helper \
"assets.kernel-tdx-experimental.version" \
"kernel-tdx-experimental" \
"-x tdx -u ${kernel_url}"
}
#Install sev kernel asset
install_kernel_sev() {
info "build sev kernel"
local kernel_url="$(get_from_kata_deps assets.kernel.sev.url)"
install_kernel_helper \
"assets.kernel.sev.version" \
"kernel-sev" \
"-x sev -u ${kernel_url}"
} }
install_qemu_helper() { install_qemu_helper() {
@ -973,12 +910,10 @@ handle_build() {
install_initrd install_initrd
install_initrd_confidential install_initrd_confidential
install_initrd_mariner install_initrd_mariner
install_initrd_sev
install_kata_ctl install_kata_ctl
install_kernel install_kernel
install_kernel_confidential install_kernel_confidential
install_kernel_dragonball_experimental install_kernel_dragonball_experimental
install_kernel_tdx_experimental
install_log_parser_rs install_log_parser_rs
install_nydus install_nydus
install_ovmf install_ovmf
@ -1024,14 +959,6 @@ handle_build() {
kernel-nvidia-gpu-confidential) install_kernel_nvidia_gpu_confidential ;; kernel-nvidia-gpu-confidential) install_kernel_nvidia_gpu_confidential ;;
kernel-nvidia-gpu-snp) install_kernel_nvidia_gpu_snp;;
kernel-nvidia-gpu-tdx-experimental) install_kernel_nvidia_gpu_tdx_experimental;;
kernel-tdx-experimental) install_kernel_tdx_experimental ;;
kernel-sev) install_kernel_sev ;;
nydus) install_nydus ;; nydus) install_nydus ;;
ovmf) install_ovmf ;; ovmf) install_ovmf ;;
@ -1052,16 +979,12 @@ handle_build() {
rootfs-image-confidential) install_image_confidential ;; rootfs-image-confidential) install_image_confidential ;;
rootfs-image-tdx) install_image_tdx ;;
rootfs-initrd) install_initrd ;; rootfs-initrd) install_initrd ;;
rootfs-initrd-confidential) install_initrd_confidential ;; rootfs-initrd-confidential) install_initrd_confidential ;;
rootfs-initrd-mariner) install_initrd_mariner ;; rootfs-initrd-mariner) install_initrd_mariner ;;
rootfs-initrd-sev) install_initrd_sev ;;
runk) install_runk ;; runk) install_runk ;;
shim-v2) install_shimv2 ;; shim-v2) install_shimv2 ;;
@ -1084,7 +1007,7 @@ handle_build() {
tar tvf "${final_tarball_path}" tar tvf "${final_tarball_path}"
case ${build_target} in case ${build_target} in
kernel*-confidential|kernel-sev) kernel*-confidential)
local modules_final_tarball_path="${workdir}/kata-static-${build_target}-modules.tar.xz" local modules_final_tarball_path="${workdir}/kata-static-${build_target}-modules.tar.xz"
if [ ! -f "${modules_final_tarball_path}" ]; then if [ ! -f "${modules_final_tarball_path}" ]; then
local modules_dir=$(get_kernel_modules_dir ${kernel_version} ${kernel_kata_config_version} ${build_target}) local modules_dir=$(get_kernel_modules_dir ${kernel_version} ${kernel_kata_config_version} ${build_target})
@ -1114,7 +1037,7 @@ handle_build() {
echo "${ARTEFACT_REGISTRY_PASSWORD}" | sudo oras login "${ARTEFACT_REGISTRY}" -u "${ARTEFACT_REGISTRY_USERNAME}" --password-stdin echo "${ARTEFACT_REGISTRY_PASSWORD}" | sudo oras login "${ARTEFACT_REGISTRY}" -u "${ARTEFACT_REGISTRY_USERNAME}" --password-stdin
case ${build_target} in case ${build_target} in
kernel*-confidential|kernel-sev) kernel*-confidential)
sudo oras push \ sudo oras push \
${ARTEFACT_REGISTRY}/kata-containers/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) \ ${ARTEFACT_REGISTRY}/kata-containers/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) \
${final_tarball_name} \ ${final_tarball_name} \
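Review bot: The deleted `install_image_tdx` and `install_initrd_sev` wrappers both did `export AGENT_POLICY=yes` before delegating, but the surviving `install_image_confidential` visible at the top of its hunk calls `install_image "confidential"` with no such export; unless `install_image`/`install_initrd` (whose bodies are outside these hunks) enable the agent policy for the "confidential" variant themselves, the confidential image and initrd are now built without it. Please confirm where the policy is set and, if it is not, add `export AGENT_POLICY=yes` to `install_image_confidential` and `install_initrd_confidential`. As a style point, the two consecutive `if [[ "${kernel_name}" == "kernel"*"-confidential" ]]` blocks in the `install_kernel_helper` hunk now test the same condition after the `kernel-sev` branch was dropped and could be merged into one block; the second block's closing `fi` is outside the hunk. The `install_kernel_helper` function starts and ends outside the hunk.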


@ -110,7 +110,7 @@ Options:
-t <hypervisor> : Hypervisor_target. -t <hypervisor> : Hypervisor_target.
-u <url> : Kernel URL to be used to download the kernel tarball. -u <url> : Kernel URL to be used to download the kernel tarball.
-v <version> : Kernel version to use if kernel path not provided. -v <version> : Kernel version to use if kernel path not provided.
-x <type> : Confidential guest protection type, such as sev, snp, tdx, or "confidential" (for all of those). -x : All the confidential guest protection type for a specific architecture.
EOF EOF
exit "$exit_code" exit "$exit_code"
} }
@ -142,11 +142,7 @@ get_tee_kernel() {
mkdir -p ${kernel_path} mkdir -p ${kernel_path}
if [ -z "${kernel_url}" ]; then if [ -z "${kernel_url}" ]; then
if [[ "${conf_guest}" == "tdx" ]]; then kernel_url=$(get_from_kata_deps "assets.kernel.${tee}.url")
kernel_url=$(get_from_kata_deps "assets.kernel-tdx-experimental.url")
else
kernel_url=$(get_from_kata_deps "assets.kernel.${tee}.url")
fi
fi fi
local kernel_tarball="${version}.tar.gz" local kernel_tarball="${version}.tar.gz"
@ -262,7 +258,7 @@ get_kernel_frag_path() {
info "Add kernel config for GPU due to '-g ${gpu_vendor}'" info "Add kernel config for GPU due to '-g ${gpu_vendor}'"
# If conf_guest is set we need to update the CONFIG_LOCALVERSION # If conf_guest is set we need to update the CONFIG_LOCALVERSION
# to match the suffix created in install_kata # to match the suffix created in install_kata
# -nvidia-gpu-{snp|tdx}, the linux headers will be named the very # -nvidia-gpu-confidential, the linux headers will be named the very
# same if build with make deb-pkg for TDX or SNP. # same if build with make deb-pkg for TDX or SNP.
local gpu_configs=$(mktemp).conf local gpu_configs=$(mktemp).conf
local gpu_subst_configs="${gpu_path}/${gpu_vendor}.${arch_target}.conf.in" local gpu_subst_configs="${gpu_path}/${gpu_vendor}.${arch_target}.conf.in"
@ -457,7 +453,7 @@ build_kernel() {
arch_target=$(arch_to_kernel "${arch_target}") arch_target=$(arch_to_kernel "${arch_target}")
pushd "${kernel_path}" >>/dev/null pushd "${kernel_path}" >>/dev/null
make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG} make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG}
if [ "${conf_guest}" == "sev" ] || [ "${conf_guest}" == "confidential" ]; then if [ "${conf_guest}" == "confidential" ]; then
make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install
fi fi
[ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ]) [ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ])
@ -545,7 +541,7 @@ install_kata() {
} }
main() { main() {
while getopts "a:b:c:deEfg:hH:k:mp:t:u:v:x:" opt; do while getopts "a:b:c:deEfg:hH:k:mp:t:u:v:x" opt; do
case "$opt" in case "$opt" in
a) a)
arch_target="${OPTARG}" arch_target="${OPTARG}"
@ -601,11 +597,7 @@ main() {
kernel_version="${OPTARG}" kernel_version="${OPTARG}"
;; ;;
x) x)
conf_guest="${OPTARG}" conf_guest="confidential"
case "$conf_guest" in
confidential|sev|snp|tdx) ;;
*) die "Confidential guest type '$conf_guest' not supported" ;;
esac
;; ;;
esac esac
done done
@ -645,12 +637,8 @@ main() {
kernel_version=$(get_from_kata_deps "assets.kernel-dragonball-experimental.version") kernel_version=$(get_from_kata_deps "assets.kernel-dragonball-experimental.version")
elif [[ "${conf_guest}" != "" ]]; then elif [[ "${conf_guest}" != "" ]]; then
#If specifying a tag for kernel_version, must be formatted version-like to avoid unintended parsing issues #If specifying a tag for kernel_version, must be formatted version-like to avoid unintended parsing issues
if [[ "${conf_guest}" == "tdx" ]]; then kernel_version=$(get_from_kata_deps "assets.kernel.${conf_guest}.version" 2>/dev/null || true)
kernel_version=$(get_from_kata_deps "assets.kernel-tdx-experimental.version" 2>/dev/null || true) [ -n "${kernel_version}" ] || kernel_version=$(get_from_kata_deps "assets.kernel.${conf_guest}.tag")
else
kernel_version=$(get_from_kata_deps "assets.kernel.${conf_guest}.version" 2>/dev/null || true)
[ -n "${kernel_version}" ] || kernel_version=$(get_from_kata_deps "assets.kernel.${conf_guest}.tag")
fi
else else
kernel_version=$(get_from_kata_deps "assets.kernel.version") kernel_version=$(get_from_kata_deps "assets.kernel.version")
fi fi
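Review bot: With `x:` changed to `x` in the getopts string and `conf_guest="confidential"` hard-coded in the `x)` arm, an older invocation such as `-x tdx` or `-x sev` no longer fails: getopts consumes `-x` and leaves the type as a positional argument, so the caller silently gets a confidential kernel instead of the removed error from the deleted `case "$conf_guest"` check. If the code after `done` (outside this hunk) does not already reject leftovers, add `shift $((OPTIND - 1))` followed by `[ $# -eq 0 ] || die "unexpected argument(s): $*"` so stale callers in CI or docs are caught. The help line `-x : All the confidential guest protection type for a specific architecture.` is ungrammatical; suggest `-x : Build the confidential guest kernel for the target architecture (covers all supported guest protection types).`. In the `kernel_version` hunk the `2>/dev/null || true` plus `.tag` fallback is now only reachable with `conf_guest="confidential"`, and if `assets.kernel.confidential.tag` does not exist in versions.yaml that fallback is itself a leftover that can be reduced to a single `get_from_kata_deps "assets.kernel.confidential.version"` call. `main` starts and ends outside the hunks.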


@ -1 +1 @@
124 125


@ -136,9 +136,6 @@ assets:
confidential: confidential:
name: *default-image-name name: *default-image-name
version: *default-image-version version: *default-image-version
tdx:
name: *default-image-name
version: *default-image-version
meta: meta:
image-type: *default-image-name image-type: *default-image-name
@ -168,9 +165,6 @@ assets:
mariner: mariner:
name: "cbl-mariner" name: "cbl-mariner"
version: "2.0" version: "2.0"
sev:
name: *glibc-initrd-name
version: *glibc-initrd-version
kernel: kernel:
description: "Linux kernel optimised for virtual machines" description: "Linux kernel optimised for virtual machines"
@ -180,14 +174,6 @@ assets:
description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support" description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support"
url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/" url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
version: "v6.7" version: "v6.7"
sev:
description: "Linux kernel that supports SEV and SNP"
url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
version: "v5.19.2"
snp:
description: "Linux kernel that supports AMD SEV-SNP for VMs"
url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
version: "v5.19.2"
kernel-arm-experimental: kernel-arm-experimental:
description: "Linux kernel with cpu/mem hotplug support on arm64" description: "Linux kernel with cpu/mem hotplug support on arm64"
@ -199,12 +185,6 @@ assets:
url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/" url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
version: "v5.10.25" version: "v5.10.25"
kernel-tdx-experimental:
# yamllint disable-line rule:line-length
description: "Linux kernel with TDX support -- based on https://github.com/intel/tdx-tools/releases/tag/2023ww15"
url: "https://github.com/kata-containers/linux/archive/refs/tags"
version: "6.2-TDX-v1.8"
externals: externals:
description: "Third-party projects used by the system" description: "Third-party projects used by the system"