Merge pull request #8983 from fidencio/topic/add-confidential-image

packaging: Add confidential image / initrd
Fabiano Fidêncio 2024-02-03 12:30:16 +01:00 committed by GitHub
commit e0bb632053
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 40 additions and 0 deletions


@ -49,8 +49,10 @@ jobs:
- qemu-tdx-experimental
- stratovirt
- rootfs-image
- rootfs-image-confidential
- rootfs-image-tdx
- rootfs-initrd
- rootfs-initrd-confidential
- rootfs-initrd-mariner
- rootfs-initrd-sev
- runk


@ -39,7 +39,9 @@ BASE_TARBALLS = serial-targets \
tdvf-tarball \
virtiofsd-tarball
BASE_SERIAL_TARBALLS = rootfs-image-tarball \
rootfs-image-confidential-tarball \
rootfs-image-tdx-tarball \
rootfs-initrd-confidential-tarball \
rootfs-initrd-mariner-tarball \
rootfs-initrd-sev-tarball \
rootfs-initrd-tarball \
@ -160,12 +162,18 @@ stratovirt-tarball:
rootfs-image-tarball: agent-tarball
${MAKE} $@-build
rootfs-image-confidential-tarball: agent-opa-tarball kernel-confidential-tarball
${MAKE} $@-build
rootfs-image-tdx-tarball: agent-opa-tarball kernel-confidential-tarball
${MAKE} $@-build
rootfs-initrd-mariner-tarball: agent-opa-tarball
${MAKE} $@-build
rootfs-initrd-confidential-tarball: agent-opa-tarball kernel-confidential-tarball
${MAKE} $@-build
rootfs-initrd-sev-tarball: agent-opa-tarball kernel-confidential-tarball
${MAKE} $@-build
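Review bot: The two new rules, `rootfs-image-confidential-tarball` and `rootfs-initrd-confidential-tarball`, repeat the prerequisites and recipe of the tdx and sev rules beside them, so all four could share one header: `rootfs-image-confidential-tarball rootfs-image-tdx-tarball rootfs-initrd-confidential-tarball rootfs-initrd-sev-tarball: agent-opa-tarball kernel-confidential-tarball`, followed by the single `${MAKE} $@-build` recipe line. Because the recipe only uses `$@`, each target still builds independently. A short comment above it, such as `# confidential rootfs variants need the policy-enabled agent and the confidential kernel`, would record why these prerequisites differ from `rootfs-image-tarball`. That reason is inferred from the target names and is not visible in the hunk, so it should be confirmed.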


@ -112,8 +112,10 @@ options:
qemu-tdx-experimental
stratovirt
rootfs-image
rootfs-image-confidential
rootfs-image-tdx
rootfs-initrd
rootfs-initrd-confidential
rootfs-initrd-mariner
rootfs-initrd-sev
runk
@ -284,6 +286,13 @@ install_image() {
"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
}
#Install guest image for confidential guests
install_image_confidential() {
export AGENT_POLICY=yes
export MEASURED_ROOTFS=yes
install_image "confidential"
}
#Install guest image for tdx
install_image_tdx() {
export AGENT_POLICY=yes
@ -344,6 +353,13 @@ install_initrd() {
"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
}
#Install guest initrd for confidential guests
install_initrd_confidential() {
export AGENT_POLICY=yes
export MEASURED_ROOTFS=yes
install_initrd "confidential"
}
#Install Mariner guest initrd
install_initrd_mariner() {
export AGENT_POLICY=yes
@ -888,7 +904,9 @@ handle_build() {
install_clh
install_firecracker
install_image
install_image_confidential
install_initrd
install_initrd_confidential
install_initrd_mariner
install_initrd_sev
install_kata_ctl
@ -965,10 +983,14 @@ handle_build() {
rootfs-image) install_image ;;
rootfs-image-confidential) install_image_confidential ;;
rootfs-image-tdx) install_image_tdx ;;
rootfs-initrd) install_initrd ;;
rootfs-initrd-confidential) install_initrd_confidential ;;
rootfs-initrd-mariner) install_initrd_mariner ;;
rootfs-initrd-sev) install_initrd_sev ;;
@ -1081,7 +1103,9 @@ main() {
qemu
stratovirt
rootfs-image
rootfs-image-confidential
rootfs-initrd
rootfs-initrd-confidential
rootfs-initrd-mariner
runk
shim-v2
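Review bot: The `export AGENT_POLICY=yes` and `export MEASURED_ROOTFS=yes` lines in `install_image_confidential` and `install_initrd_confidential` are not scoped to the function, so both variables stay in the script's environment after it returns. In the branch of `handle_build` that calls every installer in sequence (the hunk at -888), `install_initrd` now runs right after `install_image_confidential`. The plain initrd would therefore be built with policy and measured-rootfs settings already exported, if the rootfs builder reads them from the environment; its code is outside these hunks, so this is inferred. If the script runs under bash, the settings can be limited to the one call, e.g. `AGENT_POLICY=yes MEASURED_ROOTFS=yes install_image "confidential"`, and likewise for the initrd function. The `install_image_tdx` context lines show the same export pattern, and `handle_build` starts and ends outside the hunks shown.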


@ -133,6 +133,9 @@ assets:
x86_64:
name: *default-image-name
version: *default-image-version
confidential:
name: *default-image-name
version: *default-image-version
tdx:
name: *default-image-name
version: *default-image-version
@ -159,6 +162,9 @@ assets:
x86_64:
name: *default-initrd-name
version: *default-initrd-version
confidential:
name: *glibc-initrd-name
version: *glibc-initrd-version
mariner:
name: "cbl-mariner"
version: "2.0"
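Review bot: The new `confidential` initrd entry uses `*glibc-initrd-name` / `*glibc-initrd-version`, while the `confidential` image entry and the `x86_64` initrd entry use the default aliases, and nothing in the hunk says why the confidential initrd needs a different base. A one-line comment above the entry, for example `# confidential initrd is built from the glibc-based distro (reason: <fill in>)`, would keep a later edit from switching it back to the default by mistake. The anchors behind these aliases are defined outside the hunks shown, so it is worth checking that both `glibc-initrd-*` anchors appear earlier in the file than this entry.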