diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index 57cc9be100..4e58a45ef1 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -132,6 +132,23 @@ get_tdx_kernel() {
 tar --strip-components=1 -xf ${kernel_tarball} -C ${kernel_path}
 }
 
+get_sev_kernel() {
+ local version="${1}"
+ local kernel_path=${2}
+
+ mkdir -p ${kernel_path}
+
+ kernel_url=$(get_from_kata_deps "assets.kernel.sev.url")
+ kernel_tarball="${version}.tar.gz"
+
+ if [ ! -f "${kernel_tarball}" ]; then
+ curl --fail -OL "${kernel_url}${kernel_tarball}"
+ fi
+
+ mkdir -p ${kernel_path}
+ tar --strip-components=1 -xf ${kernel_tarball} -C ${kernel_path}
+}
+
 get_kernel() {
 local version="${1:-}"
 
@@ -142,6 +159,9 @@ get_kernel() {
 if [ "${conf_guest}" == "tdx" ]; then
 get_tdx_kernel ${version} ${kernel_path}
 return
+ elif [ "${conf_guest}" == "sev" ]; then
+ get_sev_kernel ${version} ${kernel_path}
+ return
 fi
 
 #Remove extra 'v'
@@ -399,6 +419,9 @@ build_kernel() {
 arch_target=$(arch_to_kernel "${arch_target}")
 pushd "${kernel_path}" >>/dev/null
 make -j $(nproc) ARCH="${arch_target}"
+ if [ "${conf_guest}" == "sev" ]; then
+ make -j $(nproc --ignore=1) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install
+ fi
 [ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ])
 [ -e "vmlinux" ]
 ([ "${hypervisor_target}" == "firecracker" ] || [ "${hypervisor_target}" == "cloud-hypervisor" ]) && [ "${arch_target}" == "arm64" ] && [ -e "arch/${arch_target}/boot/Image" ]
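Review bot: The kernel source archive fetched by `curl --fail -OL "${kernel_url}${kernel_tarball}"` in get_sev_kernel is extracted and built with no integrity check — the versions.yaml hunk at the end of this diff records only a URL and a mutable git tag for `assets.kernel.sev`, no digest, so a moved tag or an altered archive is indistinguishable from the intended source. The tdx path appears to follow the same pattern, but for a confidential-guest kernel it is worth recording a sha256 in versions.yaml and verifying it after the download, before the `tar` line. Inside the function, `kernel_url` and `kernel_tarball` are assigned without `local` and so leak into the caller's scope, and `mkdir -p ${kernel_path}` runs twice; `local kernel_url kernel_tarball` before the assignments and dropping the second `mkdir` would tidy this. The unquoted `${kernel_tarball}` and `${kernel_path}` on the `tar` line should be quoted as well.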
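Review bot: `get_sev_kernel ${version} ${kernel_path}` passes both arguments unquoted, copying the style of the tdx branch directly above it; `get_sev_kernel "${version}" "${kernel_path}"` keeps a path containing whitespace from being split into extra positional arguments. The rest of get_kernel's body lies outside this hunk.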
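Review bot: The new `modules_install` invocation omits `ARCH="${arch_target}"` although the `make` line directly above passes it, so the sev module-install step may not run under the same architecture setting as the build; `make -j $(nproc --ignore=1) ARCH="${arch_target}" INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH="${kernel_path}" modules_install` keeps the two consistent and quotes the install path. Installing with `INSTALL_MOD_PATH=${kernel_path}` places the modules under the kernel source tree itself, which deserves a hedged comment for the next reader, e.g. `# TODO(review): document which later step consumes the modules installed under ${kernel_path}/lib/modules`. `nproc --ignore=1` is a GNU coreutils option and differs from the bare `$(nproc)` two lines earlier — presumably deliberate, but a word on why would help. build_kernel's body continues past this hunk.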
@@ -542,6 +565,9 @@ main() {
 esac
 elif [[ "${conf_guest}" == "tdx" ]]; then
 kernel_version=$(get_from_kata_deps "assets.kernel.tdx.tag")
+ elif [[ "${conf_guest}" == "sev" ]]; then
+ #If specifying a tag for kernel_version, must be formatted version-like to avoid unintended parsing issues
+ kernel_version=$(get_from_kata_deps "assets.kernel.sev.tag")
 else
 kernel_version=$(get_from_kata_deps "assets.kernel.version")
 fi
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf b/tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf
index af29405c72..32a43f2bbf 100644
--- a/tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf
+++ b/tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf
@@ -4,3 +4,9 @@ CONFIG_AMD_MEM_ENCRYPT=y
 CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y
 CONFIG_CRYPTO_DEV_SP_PSP=y
 CONFIG_CRYPTO_DEV_CCP=y
+CONFIG_SECURITYFS=y
+CONFIG_VIRT_DRIVERS=y
+CONFIG_EFI=y
+CONFIG_EFI_SECRET=m
+CONFIG_MODULE_SIG=y
+CONFIG_MODULES=y
\ No newline at end of file
diff --git a/tools/packaging/kernel/patches/efi-secret-v5.17-rc6.x/no_patches.txt b/tools/packaging/kernel/patches/efi-secret-v5.17-rc6.x/no_patches.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/versions.yaml b/versions.yaml
index 34723fd857..c09b9689ce 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -158,6 +158,11 @@ assets:
 description: "Linux kernel that supports TDX"
 url: "https://github.com/intel/tdx/archive/refs/tags"
 tag: "tdx-guest-v5.15-4"
+ sev:
+ description: "Linux kernel with efi_secret support"
+ url: "https://github.com/confidential-containers-demo/\
+ linux/archive/refs/tags/"
+ tag: "efi-secret-v5.17-rc6"
 
 kernel-experimental:
 description: "Linux kernel with virtio-fs support"
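Review bot: The comment `#If specifying a tag for kernel_version, must be formatted version-like to avoid unintended parsing issues` names neither the parsing it refers to nor what "version-like" requires, so a maintainer changing `assets.kernel.sev.tag` has no way to check the constraint. The new empty `patches/efi-secret-v5.17-rc6.x/no_patches.txt` in this same commit suggests the tag is used to derive a patches directory name; if that is the consumer, say so and give the expected shape, e.g. `# The sev tag doubles as kernel_version: keep a kernel version suffix (vX.Y[-rcN]) so the <tag>.x patches directory lookup resolves`. The enclosing main() begins and ends outside this hunk.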
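Review bot: `CONFIG_MODULE_SIG=y` is added without `CONFIG_MODULE_SIG_FORCE=y`, so the guest kernel checks module signatures only to taint itself — an unsigned or wrongly-signed efi_secret.ko (built as `=m` here) still loads, which weakens the trust story of a measured SEV guest. If the intent is that only modules signed at build time may load, add `CONFIG_MODULE_SIG_FORCE=y` and confirm that the key used by the `modules_install` step in build-kernel.sh (that hunk shows no key handling) is the one compiled into the kernel; if the intent is only to enable the infrastructure, a one-line comment saying so avoids a false sense of enforcement. The fragment also loses its trailing newline (`\ No newline at end of file`), which the next appended option will trip over.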