diff --git a/.github/workflows/cc-payload-after-push-amd64.yaml b/.github/workflows/cc-payload-after-push-amd64.yaml
index d753dd4117..0838d66f70 100644
--- a/.github/workflows/cc-payload-after-push-amd64.yaml
+++ b/.github/workflows/cc-payload-after-push-amd64.yaml
@@ -16,7 +16,6 @@ jobs:
 - cc-kernel
 - cc-qemu
 - cc-rootfs-image
- - cc-shim-v2
 - cc-virtiofsd
 - cc-sev-kernel
 - cc-sev-ovmf
@@ -56,9 +55,60 @@ jobs:
 retention-days: 1
 if-no-files-found: error
 
- create-kata-tarball:
+ - name: store-artifact root_hash_tdx.txt
+ uses: actions/upload-artifact@v3
+ with:
+ name: root_hash_tdx.txt
+ path: tools/osbuilder/root_hash_tdx.txt
+ retention-days: 1
+ if-no-files-found: ignore
+
+ - name: store-artifact root_hash_vanilla.txt
+ uses: actions/upload-artifact@v3
+ with:
+ name: root_hash_vanilla.txt
+ path: tools/osbuilder/root_hash_vanilla.txt
+ retention-days: 1
+ if-no-files-found: ignore
+
+ build-asset-cc-shim-v2:
 runs-on: ubuntu-latest
 needs: build-asset
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Get root_hash_tdx.txt
+ uses: actions/download-artifact@v3
+ with:
+ name: root_hash_tdx.txt
+ path: tools/osbuilder/
+
+ - name: Get root_hash_vanilla.txt
+ uses: actions/download-artifact@v3
+ with:
+ name: root_hash_vanilla.txt
+ path: tools/osbuilder/
+
+ - name: Build cc-shim-v2
+ run: |
+ make cc-shim-v2-tarball
+ build_dir=$(readlink -f build)
+ # store-artifact does not work with symlink
+ sudo cp -r "${build_dir}" "kata-build"
+ env:
+ PUSH_TO_REGISTRY: yes
+
+ - name: store-artifact cc-shim-v2
+ uses: actions/upload-artifact@v3
+ with:
+ name: kata-artifacts
+ path: kata-build/kata-static-cc-shim-v2.tar.xz
+ retention-days: 1
+ if-no-files-found: error
+
+ create-kata-tarball:
+ runs-on: ubuntu-latest
+ needs: [build-asset, build-asset-cc-shim-v2]
 steps:
 - uses: actions/checkout@v3
 - name: get-artifacts
diff --git a/.github/workflows/cc-payload-after-push-s390x.yaml b/.github/workflows/cc-payload-after-push-s390x.yaml
index aaf0aa6102..3e1799f619 100644
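Review bot: The new `build-asset-cc-shim-v2` job sets `PUSH_TO_REGISTRY: yes` but contains no registry-login step, while the `build-asset` job it waits on does log in to quay.io first (the s390x workflow's context shows that step); if `make cc-shim-v2-tarball` pushes a builder image under that flag, this job pushes unauthenticated, and the s390x hunk in the next file has the same gap. `yes` is also a YAML 1.1 boolean, so whether the script receives the string `yes` or `true` depends on the loader; `PUSH_TO_REGISTRY: "yes"` removes the question. The two `Get root_hash_*.txt` steps use actions/download-artifact@v3, which fails when the named artifact was never uploaded, whereas the matching `store-artifact root_hash_*.txt` steps use `if-no-files-found: ignore` (presumably because they run in every matrix entry); if a run can legitimately produce no root hash, the download needs `continue-on-error: true`, otherwise a comment stating that the rootfs image build must always emit both files would make the contract explicit. The same points apply to the cc-payload.yaml hunk further down.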
--- a/.github/workflows/cc-payload-after-push-s390x.yaml
+++ b/.github/workflows/cc-payload-after-push-s390x.yaml
@@ -15,7 +15,6 @@ jobs:
 - cc-kernel
 - cc-qemu
 - cc-rootfs-image
- - cc-shim-v2
 - cc-virtiofsd
 steps:
 - name: Login to Kata Containers quay.io
@@ -52,9 +51,50 @@ jobs:
 retention-days: 1
 if-no-files-found: error
 
- create-kata-tarball:
+ - name: store-artifact root_hash_vanilla.txt
+ uses: actions/upload-artifact@v3
+ with:
+ name: root_hash_vanilla.txt-s390x
+ path: tools/osbuilder/root_hash_vanilla.txt
+ retention-days: 1
+ if-no-files-found: ignore
+
+ build-asset-cc-shim-v2:
 runs-on: s390x
 needs: build-asset
+ steps:
+ - name: Adjust a permission for repo
+ run: |
+ sudo chown -R $USER:$USER $GITHUB_WORKSPACE
+
+ - uses: actions/checkout@v3
+
+ - name: Get root_hash_vanilla.txt
+ uses: actions/download-artifact@v3
+ with:
+ name: root_hash_vanilla.txt-s390x
+ path: tools/osbuilder/
+
+ - name: Build cc-shim-v2
+ run: |
+ make cc-shim-v2-tarball
+ build_dir=$(readlink -f build)
+ # store-artifact does not work with symlink
+ sudo cp -r "${build_dir}" "kata-build"
+ env:
+ PUSH_TO_REGISTRY: yes
+
+ - name: store-artifact cc-shim-v2
+ uses: actions/upload-artifact@v3
+ with:
+ name: kata-artifacts-s390x
+ path: kata-build/kata-static-cc-shim-v2.tar.xz
+ retention-days: 1
+ if-no-files-found: error
+
+ create-kata-tarball:
+ runs-on: s390x
+ needs: [build-asset, build-asset-cc-shim-v2]
 steps:
 - name: Adjust a permission for repo
 run: |
diff --git a/.github/workflows/cc-payload.yaml b/.github/workflows/cc-payload.yaml
index ca9b38a549..a0b32f8b6d 100644
--- a/.github/workflows/cc-payload.yaml
+++ b/.github/workflows/cc-payload.yaml
@@ -14,7 +14,6 @@ jobs:
 - cc-kernel
 - cc-qemu
 - cc-rootfs-image
- - cc-shim-v2
 - cc-virtiofsd
 - cc-sev-kernel
 - cc-sev-ovmf
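Review bot: `sudo chown -R $USER:$USER $GITHUB_WORKSPACE` in the new `Adjust a permission for repo` step leaves both expansions unquoted; a workspace path containing whitespace would be word-split and the recursive chown applied to the wrong paths, so write `sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"` (the pre-existing copy in create-kata-tarball, visible as context, has the same shape). A recursive chown as root over the whole workspace before checkout also deserves one line saying why this runner needs it, e.g. `# self-hosted s390x runner: files left by the previous job may be owned by another user`, if that is the reason.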
@@ -44,9 +43,58 @@ jobs:
 retention-days: 1
 if-no-files-found: error
 
- create-kata-tarball:
+ - name: store-artifact root_hash_tdx.txt
+ uses: actions/upload-artifact@v3
+ with:
+ name: root_hash_tdx.txt
+ path: tools/osbuilder/root_hash_tdx.txt
+ retention-days: 1
+ if-no-files-found: ignore
+
+ - name: store-artifact root_hash_vanilla.txt
+ uses: actions/upload-artifact@v3
+ with:
+ name: root_hash_vanilla.txt
+ path: tools/osbuilder/root_hash_vanilla.txt
+ retention-days: 1
+ if-no-files-found: ignore
+
+ build-asset-cc-shim-v2:
 runs-on: ubuntu-latest
 needs: build-asset
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Get root_hash_tdx.txt
+ uses: actions/download-artifact@v3
+ with:
+ name: root_hash_tdx.txt
+ path: tools/osbuilder/
+
+ - name: Get root_hash_vanilla.txt
+ uses: actions/download-artifact@v3
+ with:
+ name: root_hash_vanilla.txt
+ path: tools/osbuilder/
+
+ - name: Build cc-shim-v2
+ run: |
+ make cc-shim-v2-tarball
+ build_dir=$(readlink -f build)
+ # store-artifact does not work with symlink
+ sudo cp -r "${build_dir}" "kata-build"
+
+ - name: store-artifact cc-shim-v2
+ uses: actions/upload-artifact@v3
+ with:
+ name: kata-artifacts
+ path: kata-build/kata-static-cc-shim-v2.tar.xz
+ retention-days: 1
+ if-no-files-found: error
+
+ create-kata-tarball:
+ runs-on: ubuntu-latest
+ needs: [build-asset, build-asset-cc-shim-v2]
 steps:
 - uses: actions/checkout@v3
 - name: get-artifacts
diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 38e40c6cd0..ad5aa14651 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
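Review bot: The `store-artifact root_hash_*.txt` and `Get root_hash_*.txt` steps carry no explanation of what the two files are for, and the dependency is not obvious from the workflow alone: the hashes are read by `install_cc_shimv2` (see the kata-deploy-binaries.sh hunk) to put the dm-verity root hash into the shim's kernel_params, which is why the shim build can no longer sit in the build-asset matrix. A comment above the first download step, `# root_hash_{tdx,vanilla}.txt are written by the rootfs image build; install_cc_shimv2 bakes them into the TDX/vanilla kernel_params as the dm-verity root hash`, would record that (name the producing matrix entry if it is not cc-rootfs-image). This job body is now repeated almost verbatim in the two after-push workflows; a composite action or reusable workflow would keep the three copies from drifting — this copy already lacks the `PUSH_TO_REGISTRY` env the other two set, and the hunk does not say whether that is intended.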
@@ -128,11 +128,14 @@ AGENTCONFIGFILEPATH := /etc/agent-config.toml
 
 AGENTCONFIGFILEKERNELPARAM := agent.config_file=$(AGENTCONFIGFILEPATH)
 ROOTMEASURECONFIG ?= ""
+ROOTMEASURECONFIGTDX ?= ""
 AGENT_AA_KBC_PARAMS ?= ""
 AGENT_AA_KBC_PARAMS_TDX ?= ""
 AGENT_AA_KBC_PARAMS_SEV ?= ""
-TDXKERNELPARAMS := tdx_disable_filter $(ROOTMEASURECONFIG) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_TDX)
-SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) $(ROOTMEASURECONFIG) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_SEV)
+TDXKERNELPARAMS := tdx_disable_filter agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_TDX)
+TDXKERNELPARAMS_QEMU += $(TDXKERNELPARAMS) $(ROOTMEASURECONFIGTDX)
+TDXKERNELPARAMS_CLH += $(TDXKERNELPARAMS) $(ROOTMEASURECONFIG)
+SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_SEV)
 KERNELPARAMS += $(ROOTMEASURECONFIG) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS)
 
 # Name of default configuration file the runtime will use.
@@ -518,6 +521,8 @@ USER_VARS += TDXCPUFEATURES
 USER_VARS += DEFMACHINETYPE_CLH
 USER_VARS += KERNELPARAMS
 USER_VARS += TDXKERNELPARAMS
+USER_VARS += TDXKERNELPARAMS_QEMU
+USER_VARS += TDXKERNELPARAMS_CLH
 USER_VARS += SEVKERNELPARAMS
 USER_VARS += LIBEXECDIR
 USER_VARS += LOCALSTATEDIR
diff --git a/src/runtime/config/configuration-clh-tdx.toml.in b/src/runtime/config/configuration-clh-tdx.toml.in
index 798098afb1..a6a2ea713b 100644
--- a/src/runtime/config/configuration-clh-tdx.toml.in
+++ b/src/runtime/config/configuration-clh-tdx.toml.in
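Review bot: `TDXKERNELPARAMS_CLH` keeps `$(ROOTMEASURECONFIG)`, the vanilla image's root hash, while `TDXKERNELPARAMS_QEMU` takes the new `$(ROOTMEASURECONFIGTDX)`; nothing in the hunk says why the two TDX hypervisors measure different images, so a comment above the pair would save the next reader a dig, e.g. `# CLH TDX boots the vanilla rootfs image, so it carries the vanilla root hash; only QEMU TDX uses the TDX image` — confirm against the image build before settling on that wording, since a wrong hash here means the guest fails dm-verity at boot. Both new variables use `+=` on names that are not assigned anywhere in the visible context, which with GNU make leaves them recursively expanded, unlike the sibling `TDXKERNELPARAMS :=` one line above; `:=` would keep the block uniform unless something relies on appending to them from the command line. The USER_VARS hunk below needs nothing further.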
@@ -70,7 +70,7 @@ valid_hypervisor_paths = @CLHVALIDHYPERVISORPATHS@
 # may stop the virtual machine from booting.
 # To see the list of default parameters, enable hypervisor debug, create a
 # container and look for 'default-kernel-parameters' log entries.
-kernel_params = "@TDXKERNELPARAMS@"
+kernel_params = "@TDXKERNELPARAMS_CLH@"
 
 # Default number of vCPUs per SB/VM:
 # unspecified or 0 --> will be set to @DEFVCPUS@
diff --git a/src/runtime/config/configuration-qemu-tdx.toml.in b/src/runtime/config/configuration-qemu-tdx.toml.in
index 79907f16be..f21f611b8f 100644
--- a/src/runtime/config/configuration-qemu-tdx.toml.in
+++ b/src/runtime/config/configuration-qemu-tdx.toml.in
@@ -59,7 +59,7 @@ valid_hypervisor_paths = @QEMUTDXVALIDHYPERVISORPATHS@
 # may stop the virtual machine from booting.
 # To see the list of default parameters, enable hypervisor debug, create a
 # container and look for 'default-kernel-parameters' log entries.
-kernel_params = "@TDXKERNELPARAMS@"
+kernel_params = "@TDXKERNELPARAMS_QEMU@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
index c254778399..e8b00eb040 100755
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@@ -74,7 +74,8 @@ build_image() {
 ROOTFS_BUILD_DEST="${builddir}/rootfs-image"
 mv -f "kata-containers.img" "${install_dir}/${image_name}"
 if [ -e "root_hash.txt" ]; then
- cp root_hash.txt "${install_dir}/"
+ [ -z "${root_hash_suffix}" ] && root_hash_suffix=vanilla
+ mv "${repo_root_dir}/tools/osbuilder/root_hash.txt" "${repo_root_dir}/tools/osbuilder/root_hash_${root_hash_suffix}.txt"
 fi
 (
 cd "${install_dir}"
@@ -106,6 +107,7 @@ main() {
 destdir="$PWD"
 prefix="/opt/kata"
 image_initrd_suffix=""
+ root_hash_suffix=""
 builddir="${PWD}"
 while getopts "h-:" opt; do
 case "$opt" in
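Review bot: In the build_image() hunk the guard still tests `root_hash.txt` relative to the current directory while the new `mv` operates on `${repo_root_dir}/tools/osbuilder/root_hash.txt`; unless the cwd is always `tools/osbuilder` (the neighbouring `mv -f "kata-containers.img"` is also cwd-relative, so it may be), the guard can pass while the `mv` fails under the script's error handling, or the file can exist at the absolute path and never be renamed. Use one path for both: `root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt"`, `if [ -e "${root_hash_file}" ]; then`, `mv "${root_hash_file}" "${repo_root_dir}/tools/osbuilder/root_hash_${root_hash_suffix}.txt"`. The removed `cp root_hash.txt "${install_dir}/"` also means the root hash is no longer shipped next to the image; if anything consumed it from there, that is a behaviour change worth a sentence in the commit message. The TOML hunks above are a plain rename and need nothing; the getopts hunk that follows on the next line is fine.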
@@ -139,6 +141,9 @@ main() {
 final_initrd_name="${final_initrd_name}-${image_initrd_suffix}"
 fi
 ;;
+ root_hash_suffix=*)
+ root_hash_suffix=${OPTARG#*=}
+ ;;
 prefix=*)
 prefix=${OPTARG#*=}
 ;;
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index d2a25f28bb..7db6acba0f 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -160,10 +160,16 @@ install_cc_image() {
 export AA_KBC="${1:-offline_fs_kbc}"
 image_type="${2:-image}"
 image_initrd_suffix="${3:-""}"
+ root_hash_suffix="${4:-""}"
 export KATA_BUILD_CC=yes
 info "Create CC image configured with AA_KBC=${AA_KBC}"
- "${rootfs_builder}" --imagetype="${image_type}" --prefix="${cc_prefix}" --destdir="${destdir}" --image_initrd_suffix="${image_initrd_suffix}"
+ "${rootfs_builder}" \
+ --imagetype="${image_type}" \
+ --prefix="${cc_prefix}" \
+ --destdir="${destdir}" \
+ --image_initrd_suffix="${image_initrd_suffix}" \
+ --root_hash_suffix="${root_hash_suffix}"
 }
 
 install_cc_sev_image() {
@@ -176,7 +182,8 @@ install_cc_tdx_image() {
 AA_KBC="eaa_kbc"
 image_type="image"
 image_suffix="tdx"
- install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}"
+ root_hash_suffix="tdx"
+ install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}" "${root_hash_suffix}"
 }
 
 #Install CC kernel asset
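Review bot: `install_cc_image` now takes a fourth positional argument, `root_hash_suffix`, that only `install_cc_tdx_image` passes; every other caller — `install_cc_sev_image` begins right after the hunk — falls through to the empty default, which build_image.sh turns into `vanilla`, so if the SEV path also produces a measured image, two non-TDX builds from the same checkout would overwrite each other's `tools/osbuilder/root_hash_vanilla.txt` and the shim could be configured with the wrong image's root hash. A usage comment above the function naming the positionals, `# install_cc_image AA_KBC IMAGE_TYPE IMAGE_INITRD_SUFFIX ROOT_HASH_SUFFIX`, would make the contract visible, and passing an explicit suffix from the SEV caller would close the collision. The getopts hunk above only adds the option and needs nothing.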
@@ -224,12 +231,19 @@ install_cc_shimv2() {
 export REMOVE_VMM_CONFIGS="acrn fc"
 extra_opts="DEFSERVICEOFFLOAD=true"
- if [ -f "${repo_root_dir}/tools/osbuilder/root_hash.txt" ]; then
- root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder//root_hash.txt")
+ if [ -f "${repo_root_dir}/tools/osbuilder/root_hash_vanilla.txt" ]; then
+ root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder/root_hash_vanilla.txt")
 root_measure_config="cc_rootfs_verity.scheme=dm-verity cc_rootfs_verity.hash=${root_hash}"
 extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
 fi
+ if [ -f "${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt" ]; then
+ root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt")
+ root_measure_config="cc_rootfs_verity.scheme=dm-verity cc_rootfs_verity.hash=${root_hash}"
+ extra_opts+=" ROOTMEASURECONFIGTDX=\"${root_measure_config}\""
+ fi
+
+ info "extra_opts: ${extra_opts}"
 DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
 }
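Review bot: When `root_hash_tdx.txt` is absent the new block is skipped without a word, so `ROOTMEASURECONFIGTDX` stays empty and the QEMU TDX configuration is generated with no dm-verity root hash at all — an unmeasured rootfs that nothing in the build reports; the vanilla branch above it has the same property. Each branch should at least log the missing file, and since the two blocks differ only in the suffix and the Makefile variable they set, one loop covers both and gives that message a single home. If the `sed` matches nothing, `root_hash` is empty and the kernel would receive `cc_rootfs_verity.hash=` with no value; the loop is also the natural place to reject that. The `info "extra_opts: ..."` line then shows exactly which hashes made it into the build.
```shell
	extra_opts="DEFSERVICEOFFLOAD=true"
	# One pass per image flavour: a missing root_hash_<flavour>.txt is reported
	# instead of silently leaving that configuration without a dm-verity hash.
	for flavour in vanilla tdx; do
		root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash_${flavour}.txt"
		if [ ! -f "${root_hash_file}" ]; then
			info "${root_hash_file} not found; ${flavour} config gets no dm-verity root hash"
			continue
		fi
		root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${root_hash_file}")
		root_measure_config="cc_rootfs_verity.scheme=dm-verity cc_rootfs_verity.hash=${root_hash}"
		case "${flavour}" in
			vanilla) extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\"" ;;
			tdx) extra_opts+=" ROOTMEASURECONFIGTDX=\"${root_measure_config}\"" ;;
		esac
	done
	# … unchanged: info "extra_opts: ..." and the shimv2_builder invocation …
```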