kernel: build efi_secret module for SEV

Add kernel fork for sev to kernel builder with efi_secret. Additionally, install efi_secret module for sev. Fixes: #4179 Signed-off-by: Alex Carter <alex.carter@ibm.com>
2025-05-02 13:44:33 +00:00 · 2022-04-29 11:53:06 -05:00 · 2022-04-29 11:53:06 -05:00 · db5048d52c
commit db5048d52c
parent ae911d0cd3
4 changed files with 37 additions and 0 deletions
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@ -132,6 +132,23 @@ get_tdx_kernel() {
 	tar --strip-components=1 -xf ${kernel_tarball} -C ${kernel_path}
 }
 get_sev_kernel() {
 	local version="${1}"
 	local kernel_path=${2}
 	mkdir -p ${kernel_path}
 	kernel_url=$(get_from_kata_deps "assets.kernel.sev.url")
 	kernel_tarball="${version}.tar.gz"
 	if [ ! -f "${kernel_tarball}" ]; then
 	   curl --fail -OL "${kernel_url}${kernel_tarball}"
 	fi
 	mkdir -p ${kernel_path}
 	tar --strip-components=1 -xf ${kernel_tarball} -C ${kernel_path}
 }
 get_kernel() {
 	local version="${1:-}"
@ -142,6 +159,9 @@ get_kernel() {
 	if [ "${conf_guest}" == "tdx" ]; then
 		get_tdx_kernel ${version} ${kernel_path}
 		return
 	elif [ "${conf_guest}" == "sev" ]; then
 		get_sev_kernel ${version} ${kernel_path}
 		return
 	fi
 		#Remove extra 'v'
@ -399,6 +419,9 @@ build_kernel() {
 	arch_target=$(arch_to_kernel "${arch_target}")
 	pushd "${kernel_path}" >>/dev/null
 	make -j $(nproc) ARCH="${arch_target}"
 	if [ "${conf_guest}" == "sev" ]; then
 		make -j $(nproc --ignore=1) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install
 	fi
 	[ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ])
 	[ -e "vmlinux" ]
 	([ "${hypervisor_target}" == "firecracker" ] || [ "${hypervisor_target}" == "cloud-hypervisor" ]) && [ "${arch_target}" == "arm64" ] && [ -e "arch/${arch_target}/boot/Image" ]
@ -542,6 +565,9 @@ main() {
 			esac
 		elif [[ "${conf_guest}" == "tdx" ]]; then
 			 kernel_version=$(get_from_kata_deps "assets.kernel.tdx.tag")
 		elif [[ "${conf_guest}" == "sev" ]]; then
 			#If specifying a tag for kernel_version, must be formatted version-like to avoid unintended parsing issues
 			 kernel_version=$(get_from_kata_deps "assets.kernel.sev.tag")
 		else
 			kernel_version=$(get_from_kata_deps "assets.kernel.version")
 		fi
--- a/tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf
+++ b/tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf
@ -4,3 +4,9 @@ CONFIG_AMD_MEM_ENCRYPT=y
 CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y
 CONFIG_CRYPTO_DEV_SP_PSP=y
 CONFIG_CRYPTO_DEV_CCP=y
 CONFIG_SECURITYFS=y
 CONFIG_VIRT_DRIVERS=y
 CONFIG_EFI=y
 CONFIG_EFI_SECRET=m
 CONFIG_MODULE_SIG=y
 CONFIG_MODULES=y
--- a/tools/packaging/kernel/patches/efi-secret-v5.17-rc6.x/no_patches.txt
+++ b/tools/packaging/kernel/patches/efi-secret-v5.17-rc6.x/no_patches.txt
--- a/versions.yaml
+++ b/versions.yaml
@ -158,6 +158,11 @@ assets:
      description: "Linux kernel that supports TDX"
      url: "https://github.com/intel/tdx/archive/refs/tags"
      tag: "tdx-guest-v5.15-4"
    sev:
      description: "Linux kernel with efi_secret support"
      url: "https://github.com/confidential-containers-demo/\
      linux/archive/refs/tags/"
      tag: "efi-secret-v5.17-rc6"
  kernel-experimental:
    description: "Linux kernel with virtio-fs support"