From 412a384aadcb25a45ed89fb93f843de253986ace Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Wed, 30 Jul 2025 11:56:50 +0300 Subject: [PATCH 1/2] versions: update kernel-confidential to Linux v6.16.1 Linux v6.16 brings some useful features for the confidential guests. Most importantly, it adds an ABI to extend runtime measurement registers (RTMR) for the TEE platforms supporting it. This is currently enabled on Intel TDX only. The kernel version bump from v6.12.x to v6.16 forces some CONFIG_* changes too: MEMORY_HOTPLUG_DEFAULT_ONLINE was dropped in favor of more config choices. The equivalent option is MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO. X86_5LEVEL was made unconditional. Since this was only a TDX configuration, dropping it completely as part of v6.16 is fine. CRYPTO_NULL2 was merged with CRYPTO_NULL. This was only added in confidential guest fragments (cryptsetup) so we can drop it in this update. CRYPTO_FIPS now depends on CRYPTO_SELFTESTS which further depends on EXPERT which we don't have. Enable both in a separate config fragment for confidential guests. This can be moved to a common setting once other targets bump to post v6.16. CRYPTO_SHA256_SSSE3 arch optimizations were reworked and are now enabled by default. Instead of adding it to whitelist.conf, just drop it completely since it was only enabled as part of the "measured boot" feature for confidential guests. CONFIG_CRYPTO_CRC32_S390 was reworked the same way. In this case, whitelist.conf is needed.
Signed-off-by: Mikko Ylinen
---
 .../common/confidential_containers/cryptsetup.conf | 1 -
 .../packaging/kernel/configs/fragments/common/hotplug.conf | 3 +++
 .../kernel/configs/fragments/s390/confidential/fips.conf | 7 +++++++
 tools/packaging/kernel/configs/fragments/whitelist.conf | 3 +++
 .../kernel/configs/fragments/x86_64/confidential/fips.conf | 7 +++++++
 .../packaging/kernel/configs/fragments/x86_64/crypto.conf | 1 -
 .../packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf | 1 -
 tools/packaging/kernel/kata_config_version | 2 +-
 tools/packaging/kernel/patches/6.16.x/no_patches.txt | 0
 versions.yaml | 2 +-
 10 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 tools/packaging/kernel/configs/fragments/s390/confidential/fips.conf
 create mode 100644 tools/packaging/kernel/configs/fragments/x86_64/confidential/fips.conf
 create mode 100644 tools/packaging/kernel/patches/6.16.x/no_patches.txt
diff --git a/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf b/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf
index a3e04e9b17..dae3142f1b 100644
--- a/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf
+++ b/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf
@@ -12,7 +12,6 @@ CONFIG_CRYPTO_MANAGER=y
 CONFIG_CRYPTO_MANAGER2=y
 CONFIG_CRYPTO_USER=y
 CONFIG_CRYPTO_NULL=y
-CONFIG_CRYPTO_NULL2=y
 CONFIG_CRYPTO_CRYPTD=y
 CONFIG_CRYPTO_AUTHENC=y
 CONFIG_CRYPTO_CBC=y
diff --git a/tools/packaging/kernel/configs/fragments/common/hotplug.conf b/tools/packaging/kernel/configs/fragments/common/hotplug.conf
index af84a24d72..c179970316 100644
--- a/tools/packaging/kernel/configs/fragments/common/hotplug.conf
+++ b/tools/packaging/kernel/configs/fragments/common/hotplug.conf
@@ -9,3 +9,6 @@ CONFIG_PCIEPORTBUS=y
 # Define hotplugs to be online immediately. Speeds things up, and makes things
 # work smoother on some arch's.
 CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y
+
+# Linux v6.14+ dropped MEMORY_HOTPLUG_DEFAULT_ONLINE. The equivalent is:
+CONFIG_MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO=y
diff --git a/tools/packaging/kernel/configs/fragments/s390/confidential/fips.conf b/tools/packaging/kernel/configs/fragments/s390/confidential/fips.conf
new file mode 100644
index 0000000000..d3985544c1
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/s390/confidential/fips.conf
@@ -0,0 +1,7 @@
+# To keep CRYPTO_FIPS enabled, the following dependencies
+# are needed. This is done for confidential guest build
+# target only since it's needed by v6.16+ kernels. Move
+# to a common fragment once non-confidential guest kernels
+# follow.
+CONFIG_CRYPTO_SELFTESTS=y
+CONFIG_EXPERT=y
diff --git a/tools/packaging/kernel/configs/fragments/whitelist.conf b/tools/packaging/kernel/configs/fragments/whitelist.conf
index 2ddf89e98c..c18a89c01a 100644
--- a/tools/packaging/kernel/configs/fragments/whitelist.conf
+++ b/tools/packaging/kernel/configs/fragments/whitelist.conf
@@ -39,3 +39,6 @@ CONFIG_MITIGATION_PAGE_TABLE_ISOLATION
 CONFIG_VFIO_AP
 CONFIG_VFIO_MDEV
 CONFIG_BLK_DEV_WRITE_MOUNTED
+CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE
+CONFIG_MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO
+CONFIG_CRYPTO_CRC32_S390
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/fips.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/fips.conf
new file mode 100644
index 0000000000..d3985544c1
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/fips.conf
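Review bot: The hotplug.conf hunk keeps `CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE=y` beside the new `CONFIG_MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO=y`, but the added comment explains only the new symbol, not why the old one stays. Presumably the old line serves the non-confidential targets still on kernels older than v6.14, and both symbols are added to whitelist.conf later in this patch so the config check tolerates whichever one a given kernel lacks; the comment should record that, e.g. `# Kept for pre-v6.14 kernels; both symbols are whitelisted until every target is on v6.14+.` Without such a marker the whitelist entries will outlive their purpose once all targets move, since nothing flags them as transitional.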
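Review bot: `CONFIG_EXPERT=y` in the new s390 fips.conf (and in the byte-identical x86_64 copy in the next hunk) does more than satisfy the CRYPTO_SELFTESTS dependency: EXPERT unhides a large set of otherwise fixed options and, if I recall the Kconfig correctly, selects DEBUG_KERNEL, so the merged .config can pick up defaults that differ from what the v6.12 build produced. Please diff the generated .config of both confidential targets with and without this fragment and note the outcome in the commit message, because any silent option change also changes the kernel image that confidential guests end up measuring. The fragment comment should also state what the selftests option does for the reader who next sees it, e.g. `# CRYPTO_SELFTESTS enables the kernel crypto self-tests, which FIPS mode requires; EXPERT is only here because SELFTESTS depends on it.`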
@@ -0,0 +1,7 @@
+# To keep CRYPTO_FIPS enabled, the following dependencies
+# are needed. This is done for confidential guest build
+# target only since it's needed by v6.16+ kernels. Move
+# to a common fragment once non-confidential guest kernels
+# follow.
+CONFIG_CRYPTO_SELFTESTS=y
+CONFIG_EXPERT=y
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf b/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf
index 5cd7070f3b..a7d97ca5de 100644
--- a/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf
+++ b/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf
@@ -1,3 +1,2 @@
 # x86 cryptographic instructions to improve AES encryption and SHA256 hashing.
-CONFIG_CRYPTO_SHA256_SSSE3=y
 CONFIG_CRYPTO_AES_NI_INTEL=y
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf b/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf
index b0b4dfa10e..c7c0e7ca29 100644
--- a/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf
+++ b/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf
@@ -7,6 +7,5 @@ CONFIG_INTEL_TDX_GUEST=y
 CONFIG_OF=y
 CONFIG_TDX_GUEST_DRIVER=y
 CONFIG_VIRT_DRIVERS=y
-CONFIG_X86_5LEVEL=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
 CONFIG_X86_PLATFORM_DEVICES=y
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index 9386c220a1..0234b515ea 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-161
+162
diff --git a/tools/packaging/kernel/patches/6.16.x/no_patches.txt b/tools/packaging/kernel/patches/6.16.x/no_patches.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/versions.yaml b/versions.yaml
index 9df11cdf3a..32f9efb311 100644
--- a/versions.yaml
+++ b/versions.yaml
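Review bot: After `CONFIG_CRYPTO_SHA256_SSSE3=y` is removed from x86_64/crypto.conf, the header comment still promises improved `SHA256 hashing` while the only option left is AES-NI. The commit message explains that the SHA-256 arch optimisations are enabled by default from v6.16, so record that in the fragment to stop someone re-adding the symbol, e.g. `# x86 cryptographic instructions to improve AES encryption. SHA256 arch` / `# optimizations are enabled by default since Linux v6.16 (CRYPTO_SHA256_SSSE3 dropped).`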
@@ -200,7 +200,7 @@ assets: confidential: description: "Linux kernel with x86_64 TEEs (SNP and TDX) support" url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/" - version: "v6.12.42" + version: "v6.16.1" kernel-arm-experimental: description: "Linux kernel with cpu/mem hotplug support on arm64"
From a0ae1b660862139ded9c53f0f284a47b9028a9a2 Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Tue, 19 Aug 2025 14:48:14 +0300 Subject: [PATCH 2/2] packaging: kernel: libdw-dev and python3 to builder image These new dependencies are needed by Linux 6.16+. Signed-off-by: Mikko Ylinen
---
 tools/packaging/static-build/kernel/Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tools/packaging/static-build/kernel/Dockerfile b/tools/packaging/static-build/kernel/Dockerfile
index d5eba7b2df..0b96d0aeef 100644
--- a/tools/packaging/static-build/kernel/Dockerfile
+++ b/tools/packaging/static-build/kernel/Dockerfile
@@ -20,11 +20,13 @@ RUN apt-get update && \
 git \
 iptables \
 kmod \
+ libdw-dev \
 libelf-dev \
 libssl-dev \
 gettext \
 rsync \
 cpio \
- patch && \
+ patch \
+ python3 && \
 if [ "${ARCH}" != "$(uname -m)" ]; then apt-get install --no-install-recommends -y gcc-"${ARCH}"-linux-gnu binutils-"${ARCH}"-linux-gnu; fi && \
 apt-get clean && apt-get autoclean && rm -rf /var/lib/apt/lists/*
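Review bot: The two new packages `libdw-dev` and `python3` join the apt-get install list with no comment on which part of the Linux 6.16+ build needs them; only the commit message records that, and the enclosing RUN instruction starts before this hunk. A one-line comment above the list, e.g. `# libdw-dev and python3: required by the Linux 6.16+ kernel build`, keeps the rationale in the Dockerfile so the packages can be dropped again when they stop being needed. It is also worth confirming that the `apt-get install` on the line above the hunk passes `--no-install-recommends` the way the cross-compiler install on the unchanged line does; if it does not, python3 may pull in recommended packages and grow the builder image beyond what the kernel build requires.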