diff --git a/.github/workflows/cc-payload-after-push-amd64.yaml b/.github/workflows/cc-payload-after-push-amd64.yaml
index 0d1d025103..e26187e5c5 100644
--- a/.github/workflows/cc-payload-after-push-amd64.yaml
+++ b/.github/workflows/cc-payload-after-push-amd64.yaml
@@ -14,22 +14,22 @@ jobs:
 measured_rootfs:
 - no
 asset:
- - cc-cloud-hypervisor
- - cc-qemu
- - cc-virtiofsd
- - cc-sev-kernel
- - cc-sev-ovmf
- - cc-x86_64-ovmf
- - cc-snp-qemu
+ - cloud-hypervisor
+ - qemu
+ - virtiofsd
+ - kernel-sev
+ - ovmf-sev
+ - ovmf
+ - qemu-snp-experimental
+ - qemu-tdx-exprimental
 - cc-sev-rootfs-initrd
- - cc-tdx-qemu
 - cc-tdx-td-shim
- - cc-tdx-tdvf
+ - tdvf
 include:
 - measured_rootfs: yes
- asset: cc-kernel
+ asset: kernel
 - measured_rootfs: yes
- asset: cc-tdx-kernel
+ asset: kernel-tdx-experimental
 - measured_rootfs: yes
 asset: cc-rootfs-image
 - measured_rootfs: yes
diff --git a/.github/workflows/cc-payload-after-push-s390x.yaml b/.github/workflows/cc-payload-after-push-s390x.yaml
index ccfdd82218..0f5801e2c8 100644
--- a/.github/workflows/cc-payload-after-push-s390x.yaml
+++ b/.github/workflows/cc-payload-after-push-s390x.yaml
@@ -14,13 +14,13 @@ jobs:
 measured_rootfs:
 - no
 asset:
- - cc-qemu
+ - qemu
 - cc-rootfs-initrd
 - cc-se-image
- - cc-virtiofsd
+ - virtiofsd
 include:
 - measured_rootfs: yes
- asset: cc-kernel
+ asset: kernel
 - measured_rootfs: yes
 asset: cc-rootfs-image
 steps:
diff --git a/.github/workflows/cc-payload-amd64.yaml b/.github/workflows/cc-payload-amd64.yaml
index b1f2510ead..56649657b9 100644
--- a/.github/workflows/cc-payload-amd64.yaml
+++ b/.github/workflows/cc-payload-amd64.yaml
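Review bot: The new matrix asset `qemu-tdx-exprimental` in cc-payload-after-push-amd64.yaml is misspelled; the sibling cc-payload-amd64.yaml hunk and the `install_qemu_tdx_experimental` target in kata-deploy-binaries.sh both use `qemu-tdx-experimental`, so this entry presumably maps to no build target and the corresponding matrix job will fail. Change it to `- qemu-tdx-experimental`. The after-push matrix also lacks the `kernel-snp-experimental` asset that cc-payload-amd64.yaml adds in the same change; if both workflows are meant to produce the same payload, the two asset lists should be identical, and a short comment above `asset:` noting that the lists must be kept in sync with the other workflow would help the next edit. The `measured_rootfs: yes`/`no` values are YAML 1.1 truthy scalars that GitHub's loader accepts but yamllint flags; that is pre-existing context rather than part of this change.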
@@ -14,22 +14,23 @@ jobs:
 measured_rootfs:
 - no
 asset:
- - cc-cloud-hypervisor
- - cc-qemu
- - cc-virtiofsd
- - cc-sev-kernel
- - cc-sev-ovmf
- - cc-x86_64-ovmf
- - cc-snp-qemu
+ - cloud-hypervisor
+ - qemu
+ - virtiofsd
+ - kernel-sev
+ - kernel-snp-experimental
+ - ovmf-sev
+ - ovmf
+ - qemu-snp-experimental
+ - qemu-tdx-experimental
 - cc-sev-rootfs-initrd
- - cc-tdx-qemu
 - cc-tdx-td-shim
- - cc-tdx-tdvf
+ - tdvf
 include:
 - measured_rootfs: yes
- asset: cc-kernel
+ asset: kernel
 - measured_rootfs: yes
- asset: cc-tdx-kernel
+ asset: kernel-tdx-experimental
 - measured_rootfs: yes
 asset: cc-rootfs-image
 - measured_rootfs: yes
diff --git a/.github/workflows/cc-payload-s390x.yaml b/.github/workflows/cc-payload-s390x.yaml
index 1796308a80..66e48738f3 100644
--- a/.github/workflows/cc-payload-s390x.yaml
+++ b/.github/workflows/cc-payload-s390x.yaml
@@ -14,11 +14,11 @@ jobs:
 measured_rootfs:
 - no
 asset:
- - cc-qemu
- - cc-virtiofsd
+ - qemu
+ - virtiofsd
 include:
 - measured_rootfs: yes
- asset: cc-kernel
+ asset: kernel
 - measured_rootfs: yes
 asset: cc-rootfs-image
 steps:
diff --git a/src/runtime/arch/amd64-options.mk b/src/runtime/arch/amd64-options.mk
index fd55b062c2..ec894241dc 100644
--- a/src/runtime/arch/amd64-options.mk
+++ b/src/runtime/arch/amd64-options.mk
@@ -11,7 +11,7 @@ MACHINEACCELERATORS :=
 CPUFEATURES := pmu=off
 QEMUCMD := qemu-system-x86_64
-QEMUTDXCMD := qemu-system-x86_64-tdx
+QEMUTDXCMD := qemu-system-x86_64-tdx-experimental
 TDXCPUFEATURES := -vmx-rdseed-exit,pmu=off
 QEMUSNPCMD := qemu-system-x86_64-snp-experimental
diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
index 7b2faa93c2..c98ec51c39 100755
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@@ -45,7 +45,7 @@ build_initrd() {
 config_version=$(get_config_version)
 kernel_version="$(get_from_kata_deps "assets.kernel.sev.version")"
 kernel_version=${kernel_version#v}
- module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/cc-sev-kernel/builddir/kata-linux-${kernel_version}-${config_version}/lib/modules/${kernel_version}"
+ module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version}-${config_version}/lib/modules/${kernel_version}"
 sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}" KERNEL_MODULES_DIR="${module_dir}"
 else
 sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}"
@@ -195,4 +195,4 @@ main() {
 popd
 }
-main $*
\ No newline at end of file
+main $*
diff --git a/tools/packaging/kata-deploy-cc/Dockerfile b/tools/packaging/kata-deploy-cc/Dockerfile
deleted file mode 100644
index 3c5a0916c7..0000000000
--- a/tools/packaging/kata-deploy-cc/Dockerfile
+++ /dev/null
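Review bot: The last line of build_image.sh is rewritten only to add the missing trailing newline, but it keeps `main $*`, where the unquoted `$*` re-splits every argument on whitespace and subjects it to globbing, so an option such as `--destdir="/some path"` is broken into two words before `main` parses it; since the line is being touched anyway, make it `main "$@"`. The `module_dir` line in the first hunk now hard-codes the renamed `kernel-sev` build directory; a one-line comment above it noting that the path must track the `kernel-sev` target name in kata-deploy/local-build would make the coupling visible. `build_initrd` starts before this hunk.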
@@ -1,30 +0,0 @@
-# Copyright Intel Corporation, 2022 IBM Corp.
-#
-# SPDX-License-Identifier: Apache-2.0
-
-# Specify alternative base image, e.g. clefos for s390x
-ARG BASE_IMAGE_NAME=ubuntu
-ARG BASE_IMAGE_TAG=20.04
-FROM $BASE_IMAGE_NAME:$BASE_IMAGE_TAG
-ENV DEBIAN_FRONTEND=noninteractive
-ARG KATA_ARTIFACTS=./kata-static.tar.xz
-ARG DESTINATION=/opt/kata-artifacts
-
-COPY ${KATA_ARTIFACTS} ${WORKDIR}
-
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
-RUN \
-apt-get update && \
-apt-get install -y --no-install-recommends apt-transport-https ca-certificates curl xz-utils systemd && \
-mkdir -p /etc/apt/keyrings/ && \
-curl -fsSLo /etc/apt/keyrings/kubernetes-archive-keyring.gpg https://dl.k8s.io/apt/doc/apt-key.gpg && \
-echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list && \
-apt-get update && \
-apt-get install -y --no-install-recommends kubectl && \
-apt-get clean && rm -rf /var/lib/apt/lists/ && \
-mkdir -p ${DESTINATION} && \
-tar xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \
-rm -f ${WORKDIR}/${KATA_ARTIFACTS}
-
-COPY scripts ${DESTINATION}/scripts
\ No newline at end of file
diff --git a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh b/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh
deleted file mode 100755
index 20959ab669..0000000000
--- a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh
+++ /dev/null
@@ -1,384 +0,0 @@ -#!/usr/bin/env bash -# Copyright (c) 2019 Intel Corporation -# -# SPDX-License-Identifier: Apache-2.0 -# - -set -o errexit -set -o pipefail -set -o nounset - -crio_drop_in_conf_dir="/etc/crio/crio.conf.d/" -crio_drop_in_conf_file="${crio_drop_in_conf_dir}/99-kata-deploy" -containerd_conf_file="/etc/containerd/config.toml" -containerd_conf_file_backup="${containerd_conf_file}.bak" - -shims=( - "remote" - "qemu" - "qemu-tdx" - "qemu-sev" - "qemu-se" - "qemu-snp" - "clh" - "clh-tdx" -) - -default_shim="qemu" - -# If we fail for any reason a message will be displayed -die() { - msg="$*" - echo "ERROR: $msg" >&2 - exit 1 -} - -function print_usage() { - echo "Usage: $0 [install/cleanup/reset]" -} - -function get_container_runtime() { - - local runtime=$(kubectl get node $NODE_NAME -o jsonpath='{.status.nodeInfo.containerRuntimeVersion}') - if [ "$?" -ne 0 ]; then - die "invalid node name" - fi - if echo "$runtime" | grep -qE 'containerd.*-k3s'; then - if systemctl is-active --quiet rke2-agent; then - echo "rke2-agent" - elif systemctl is-active --quiet rke2-server; then - echo "rke2-server" - elif systemctl is-active --quiet k3s-agent; then - echo "k3s-agent" - else - echo "k3s" - fi - else - echo "$runtime" | awk -F '[:]' '{print $1}' - fi -} - -function install_artifacts() { - echo "copying kata artifacts onto host" - cp -a /opt/kata-artifacts/opt/confidential-containers/* /opt/confidential-containers/ - chmod +x /opt/confidential-containers/bin/* -} - -function wait_till_node_is_ready() { - local ready="False" - - while ! 
[[ "${ready}" == "True" ]]; do - sleep 2s - ready=$(kubectl get node $NODE_NAME -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}') - done -} - -function configure_cri_runtime() { - configure_different_shims_base - - case $1 in - crio) - configure_crio - ;; - containerd | k3s | k3s-agent | rke2-agent | rke2-server) - configure_containerd - ;; - esac - systemctl daemon-reload - systemctl restart "$1" - - wait_till_node_is_ready -} - -function backup_shim() { - local shim_file="$1" - local shim_backup="${shim_file}.bak" - - if [ -f "${shim_file}" ]; then - echo "warning: ${shim_file} already exists" >&2 - if [ ! -f "${shim_backup}" ]; then - mv "${shim_file}" "${shim_backup}" - else - rm "${shim_file}" - fi - fi -} - -function configure_different_shims_base() { - # Currently containerd has an assumption on the location of the shimv2 implementation - # This forces kata-deploy to create files in a well-defined location that's part of - # the PATH, pointing to the containerd-shim-kata-v2 binary in /opt/confidential-contaienrs/bin - # Issues: - # https://github.com/containerd/containerd/issues/3073 - # https://github.com/containerd/containerd/issues/5006 - - local default_shim_file="/usr/local/bin/containerd-shim-kata-v2" - - mkdir -p /usr/local/bin - - for shim in "${shims[@]}"; do - local shim_binary="containerd-shim-kata-${shim}-v2" - local shim_file="/usr/local/bin/${shim_binary}" - - backup_shim "${shim_file}" - ln -sf /opt/confidential-containers/bin/containerd-shim-kata-v2 "${shim_file}" - chmod +x "$shim_file" - - if [ "${shim}" == "${default_shim}" ]; then - backup_shim "${default_shim_file}" - - echo "Creating the default shim-v2 binary" - ln -sf "${shim_file}" "${default_shim_file}" - fi - done -} - -function restore_shim() { - local shim_file="$1" - local shim_backup="${shim_file}.bak" - - if [ -f "${shim_backup}" ]; then - mv "$shim_backup" "$shim_file" - fi -} - -function cleanup_different_shims_base() { - local 
default_shim_file="/usr/local/bin/containerd-shim-kata-v2" - - for shim in "${shims[@]}"; do - local shim_binary="containerd-shim-kata-${shim}-v2" - local shim_file="/usr/local/bin/${shim_binary}" - - rm "${shim_file}" || true - restore_shim "${shim_file}" - done - - rm "${default_shim_file}" || true - restore_shim "${default_shim_file}" -} - -function configure_crio_runtime() { - local runtime="kata" - local configuration="configuration" - if [ -n "${1-}" ]; then - runtime+="-$1" - configuration+="-$1" - fi - - local kata_path="/usr/local/bin/containerd-shim-${runtime}-v2" - local kata_conf="crio.runtime.runtimes.${runtime}" - local kata_config_path="/opt/confidential-containers/share/defaults/kata-containers/$configuration.toml" - - cat <" $containerd_conf_file; then - pluginid=\"io.containerd.grpc.v1.cri\" - fi - local runtime_table="plugins.${pluginid}.containerd.runtimes.$runtime" - local runtime_type="io.containerd.$runtime.v2" - local cri_handler_value="cc" - if [ "$runtime" == "kata-remote" ]; then - cri_handler_value="" - fi - local options_table="$runtime_table.options" - local config_path="/opt/confidential-containers/share/defaults/kata-containers/$configuration.toml" - if grep -q "\[$runtime_table\]" $containerd_conf_file; then - echo "Configuration exists for $runtime_table, overwriting" - sed -i "/\[$runtime_table\]/,+1s#runtime_type.*#runtime_type = \"${runtime_type}\"#" $containerd_conf_file - else - cat < "$containerd_conf_file" - fi - fi - - action=${1:-} - if [ -z "$action" ]; then - print_usage - die "invalid arguments" - fi - - # only install / remove / update if we are dealing with CRIO or containerd - if [[ "$runtime" =~ ^(crio|containerd|k3s|k3s-agent|rke2-agent|rke2-server)$ ]]; then - - case "$action" in - install) - install_artifacts - configure_cri_runtime "$runtime" - kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=true - ;; - cleanup) - cleanup_cri_runtime "$runtime" - kubectl label node "$NODE_NAME" 
--overwrite katacontainers.io/kata-runtime=cleanup
- remove_artifacts
- ;;
- reset)
- reset_runtime $runtime
- ;;
- *)
- echo invalid arguments
- print_usage
- ;;
- esac
- fi
-
- #It is assumed this script will be called as a daemonset. As a result, do
- # not return, otherwise the daemon will restart and rexecute the script
- sleep infinity
-}
-
-main "$@"
\ No newline at end of file
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index 328bb3dd97..0f2c68fb88 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -11,15 +11,15 @@ V := 1
 ARCH := $(shell uname -m)
 ifeq ($(ARCH), x86_64)
-EXTRA_TARBALL=cc-cloud-hypervisor-tarball \
- cc-tdx-kernel-tarball \
- cc-tdx-qemu-tarball \
+EXTRA_TARBALL=\
+ kernel-tdx-experimental-tarball \
+ tdvf-tarball \
+ ovmf-sev-tarball \
+ ovmf-tarball \
+ qemu-snp-experimental-tarball \
+ qemu-tdx-experimental-tarball \
 cc-tdx-td-shim-tarball \
- cc-tdx-tdvf-tarball \
- cc-sev-ovmf-tarball \
- cc-x86_64-ovmf-tarball \
 cc-sev-rootfs-initrd-tarball \
- cc-snp-qemu-tarball \
 cc-tdx-rootfs-image-tarball
 endif
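Review bot: The x86_64 `EXTRA_TARBALL` list drops `cc-cloud-hypervisor-tarball` without adding a `cloud-hypervisor-tarball` replacement, and the `cc` target in the next hunk no longer depends on it either, so `make cc` on x86_64 appears to stop producing a Cloud Hypervisor tarball while the amd64 workflow matrices in this same change still build a `cloud-hypervisor` asset. If that is intended because the CI matrix builds each asset through its own target, a comment such as `# cloud-hypervisor is built by its own target, not as part of cc` above `EXTRA_TARBALL` would stop the next reader from taking it for an accidental omission; otherwise add `cloud-hypervisor-tarball \` back to the list.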
@@ -155,63 +155,30 @@ cc-tarball: | cc merge-builds
 cc-parallel: $(MK_DIR)/dockerbuild/install_yq.sh
 ${MAKE} -f $(MK_PATH) cc -j$$(( $$(nproc) - 1 )) V=
-cc: cc-kernel-tarball \
- cc-qemu-tarball \
+cc: kernel-tarball \
+ qemu-tarball \
+ virtiofsd-tarball \
 cc-rootfs-image-tarball \
- cc-virtiofsd-tarball \
 cc-shim-v2-tarball \
 ${EXTRA_TARBALL}
-cc-cloud-hypervisor-tarball:
- ${MAKE} $@-build
-
-cc-kernel-tarball:
- ${MAKE} $@-build
-
-cc-qemu-tarball:
- ${MAKE} $@-build
-
-cc-snp-qemu-tarball:
- ${MAKE} $@-build
-
 cc-rootfs-image-tarball:
 ${MAKE} $@-build
 cc-rootfs-initrd-tarball:
 ${MAKE} $@-build
-cc-sev-rootfs-initrd-tarball: cc-sev-kernel-tarball
+cc-sev-rootfs-initrd-tarball: kernel-sev-tarball
 ${MAKE} $@-build
-cc-se-image-tarball: cc-kernel-tarball cc-rootfs-initrd-tarball
+cc-se-image-tarball: kernel-tarball cc-rootfs-initrd-tarball
 ${MAKE} $@-build
 cc-tdx-rootfs-image-tarball:
 ${MAKE} $@-build
-cc-shim-v2-tarball:
- ${MAKE} $@-build
-
-cc-virtiofsd-tarball:
- ${MAKE} $@-build
-
-cc-tdx-kernel-tarball:
- ${MAKE} $@-build
-
-cc-sev-kernel-tarball:
- ${MAKE} $@-build
-
-cc-tdx-qemu-tarball:
- ${MAKE} $@-build
-
 cc-tdx-td-shim-tarball:
 ${MAKE} $@-build
-cc-tdx-tdvf-tarball:
- ${MAKE} $@-build
-
-cc-sev-ovmf-tarball:
- ${MAKE} $@-build
-
-cc-x86_64-ovmf-tarball:
+cc-shim-v2-tarball:
 ${MAKE} $@-build
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 26d64fa075..61014578d4 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -29,7 +29,6 @@ readonly kernel_builder="${static_build_dir}/kernel/build.sh"
 readonly ovmf_builder="${static_build_dir}/ovmf/build.sh"
 readonly qemu_builder="${static_build_dir}/qemu/build-static-qemu.sh"
 readonly qemu_experimental_builder="${static_build_dir}/qemu/build-static-qemu-experimental.sh"
-readonly qemu_experimental_cc_builder="${static_build_dir}/qemu/build-static-qemu-experimental-cc.sh"
 readonly shimv2_builder="${static_build_dir}/shim-v2/build.sh"
 readonly td_shim_builder="${static_build_dir}/td-shim/build.sh"
 readonly virtiofsd_builder="${static_build_dir}/virtiofsd/build.sh"
@@ -38,9 +37,6 @@ readonly nydus_builder="${static_build_dir}/nydus/build.sh"
 readonly rootfs_builder="${repo_root_dir}/tools/packaging/guest-image/build_image.sh"
 readonly se_image_builder="${repo_root_dir}/tools/packaging/guest-image/build_se_image.sh"
-readonly cc_prefix="/opt/confidential-containers"
-readonly qemu_cc_builder="${static_build_dir}/qemu/build-static-qemu-cc.sh"
-
 source "${script_dir}/../../scripts/lib.sh"
 readonly jenkins_url="http://jenkins.katacontainers.io"
@@ -112,21 +108,11 @@ options:
 tdvf
 virtiofsd
 cc
- cc-cloud-hypervisor
- cc-kernel
- cc-tdx-kernel
- cc-sev-kernel
- cc-qemu
- cc-snp-qemu
- cc-tdx-qemu
 cc-rootfs-image
 cc-rootfs-initrd
 cc-sev-rootfs-initrd
 cc-se-image
 cc-shimv2
- cc-virtiofsd
- cc-sev-ovmf
- cc-x86_64-ovmf
 EOF
 exit "${return_code}"
@@ -138,6 +124,12 @@ cleanup_and_fail() {
 }
 install_cached_tarball_component() {
+ case ${5} in
+ "kata-static-cc-rootfs-image.tar.xz" | "kata-static-cc-rootfs-initrd.tar.xz" | "kata-static-cc-se-image.tar.xz" | "kata-static-cc-tdx-rootfs-image.tar.xz" | "kata-static-cc-tdx-td-shim.tar.xz" | "kata-static-cc-sev-rootfs-initrd.tar.xz" )
+ USE_CACHE="no"
+ ;;
+ esac
+
 if [ "${USE_CACHE}" != "yes" ]; then
 return 1
 fi
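Review bot: The `case` added at the top of `install_cached_tarball_component` assigns the global `USE_CACHE` as a side effect, so once any of the six listed CC tarballs is requested, caching stays disabled for every later component built in the same process rather than just for this call. Keep the decision local: `local use_cache="${USE_CACHE}"` before the `case`, `use_cache="no"` in the arm, and `if [ "${use_cache}" != "yes" ]; then` for the test. A comment naming why these tarballs are never taken from the cache would also help, since the hunk does not say; the existing comment above `install_cached_cc_shim_v2` in the next hunk suggests it is because their root hashes must come from the same build. The cache these bypass is fetched from the plain-HTTP `jenkins_url` visible in this hunk's context; that is pre-existing, but worth bearing in mind for the kernel, QEMU and firmware components that still use it.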
@@ -177,6 +169,16 @@ install_cached_tarball_component() {
 # we have to rely and check some artefacts coming from the cc-rootfs-image and the
 # cc-tdx-rootfs-image jobs.
 install_cached_cc_shim_v2() {
+ case ${5} in
+ "kata-static-cc-shim-v2.tar.xz")
+ USE_CACHE="no"
+ ;;
+ esac
+
+ if [ "${USE_CACHE}" != "yes" ]; then
+ return 1
+ fi
+
 local component="${1}"
 local jenkins_build_url="${2}"
 local current_version="${3}"
@@ -231,28 +233,6 @@ install_cached_cc_shim_v2() {
 "$(basename ${root_hash_tdx})"
 }
-# Install static CC cloud-hypervisor asset
-install_cc_clh() {
- install_cached_tarball_component \
- "cloud-hypervisor" \
- "${jenkins_url}/job/kata-containers-2.0-clh-cc-$(uname -m)/${cached_artifacts_path}" \
- "$(get_from_kata_deps "assets.hypervisor.cloud_hypervisor.version")" \
- "" \
- "${final_tarball_name}" \
- "${final_tarball_path}" \
- && return 0
-
- if [[ "${ARCH}" == "x86_64" ]]; then
- export features="tdx"
- fi
-
- info "build static CC cloud-hypervisor"
- "${clh_builder}"
- info "Install static CC cloud-hypervisor"
- mkdir -p "${destdir}/${cc_prefix}/bin/"
- sudo install -D --owner root --group root --mode 0744 cloud-hypervisor/cloud-hypervisor "${destdir}/${cc_prefix}/bin/cloud-hypervisor"
-}
-
 #Install cc capable guest image
 install_cc_image() {
 export AA_KBC="${1:-offline_fs_kbc}"
@@ -307,7 +287,7 @@ install_cc_image() {
 info "Create CC image configured with AA_KBC=${AA_KBC}"
 "${rootfs_builder}" \
 --imagetype="${image_type}" \
- --prefix="${cc_prefix}" \
+ --prefix="${prefix}" \
 --destdir="${destdir}" \
 --image_initrd_suffix="${image_initrd_suffix}" \
 --root_hash_suffix="${root_hash_suffix}"
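Review bot: The `case` added to `install_cached_cc_shim_v2` has a single arm matching `kata-static-cc-shim-v2.tar.xz`, which looks like the very name this function exists to handle (its call site is outside the hunk, so this is inferred), so the function now returns 1 unconditionally and the cached-download body that follows is unreachable. If the intent is to stop caching the CC shim until its root-hash dependencies are handled, say so in a comment on the `case` line and consider removing the dead body rather than keeping it; if some caller passes another name, document which. As in `install_cached_tarball_component`, the arm assigns the global `USE_CACHE`, so a local copy is preferable. Separately, `--prefix="${prefix}"` in the `install_cc_image` hunk replaces the removed `cc_prefix`, and `prefix` is not defined in any visible hunk; confirm it is set at script level before this runs, since the CC image now installs under the generic prefix rather than `/opt/confidential-containers`.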
@@ -332,48 +312,6 @@ install_cc_tdx_image() {
 install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}" "${root_hash_suffix}" "tdx"
 }
-#Install CC kernel asset
-install_cc_kernel() {
- export KATA_BUILD_CC=yes
- export kernel_version="$(yq r $versions_yaml assets.kernel.version)"
-
- local kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
-
- install_cached_tarball_component \
- "kernel" \
- "${jenkins_url}/job/kata-containers-2.0-kernel-cc-$(uname -m)/${cached_artifacts_path}" \
- "${kernel_version}-${kernel_kata_config_version}" \
- "$(get_kernel_image_name)" \
- "${final_tarball_name}" \
- "${final_tarball_path}" \
- && return 0
-
- if [ "${MEASURED_ROOTFS}" == "yes" ]; then
- info "build initramfs for cc kernel"
- "${initramfs_builder}"
- fi
- DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -f -v "${kernel_version}"
-}
-
-# Install static CC qemu asset
-install_cc_qemu() {
- info "build static CC qemu"
- export qemu_repo="$(yq r $versions_yaml assets.hypervisor.qemu.url)"
- export qemu_version="$(yq r $versions_yaml assets.hypervisor.qemu.version)"
-
- install_cached_tarball_component \
- "QEMU" \
- "${jenkins_url}/job/kata-containers-2.0-qemu-cc-$(uname -m)/${cached_artifacts_path}" \
- "${qemu_version}-$(calc_qemu_files_sha256sum)" \
- "$(get_qemu_image_name)" \
- "${final_tarball_name}" \
- "${final_tarball_path}" \
- && return 0
-
- "${qemu_cc_builder}"
- tar xvf "${builddir}/kata-static-qemu-cc.tar.gz" -C "${destdir}"
-}
-
 #Install all components that are not assets
 install_cc_shimv2() {
 local shim_v2_last_commit="$(get_last_modification "${repo_root_dir}/src/runtime")"
@@ -413,119 +351,7 @@ install_cc_shimv2() {
 fi
 fi
 info "extra_opts: ${extra_opts}"
- DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
-}
-
-# Install static CC virtiofsd asset
-install_cc_virtiofsd() {
- local virtiofsd_version="$(get_from_kata_deps "externals.virtiofsd.version")-$(get_from_kata_deps "externals.virtiofsd.toolchain")"
- install_cached_tarball_component \
- "virtiofsd" \
- "${jenkins_url}/job/kata-containers-2.0-virtiofsd-cc-$(uname -m)/${cached_artifacts_path}" \
- "${virtiofsd_version}" \
- "$(get_virtiofsd_image_name)" \
- "${final_tarball_name}" \
- "${final_tarball_path}" \
- && return 0
-
- info "build static CC virtiofsd"
- "${virtiofsd_builder}"
- info "Install static CC virtiofsd"
- mkdir -p "${destdir}/${cc_prefix}/libexec/"
- sudo install -D --owner root --group root --mode 0744 virtiofsd/virtiofsd "${destdir}/${cc_prefix}/libexec/virtiofsd"
-}
-
-# Install cached kernel compoenent
-install_cached_kernel_component() {
- tee="${1}"
- kernel_version="${2}"
- module_dir="${3:-}"
-
- local kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
-
- install_cached_tarball_component \
- "kernel" \
- "${jenkins_url}/job/kata-containers-2.0-kernel-${tee}-cc-$(uname -m)/${cached_artifacts_path}" \
- "${kernel_version}-${kernel_kata_config_version}" \
- "$(get_kernel_image_name)" \
- "${final_tarball_name}" \
- "${final_tarball_path}" \
- || return 1
-
- [ "${tee}" == "tdx" ] && return 0
-
- # SEV specific code path
- install_cached_tarball_component \
- "kernel-modules" \
- "${jenkins_url}/job/kata-containers-2.0-kernel-sev-cc-$(uname -m)/${cached_artifacts_path}" \
- "${kernel_version}" \
- "$(get_kernel_image_name)" \
- "kata-static-cc-sev-kernel-modules.tar.xz" \
- "${workdir}/kata-static-cc-sev-kernel-modules.tar.xz" \
- || return 1
-
- mkdir -p "${module_dir}"
- tar xvf "${workdir}/kata-static-cc-sev-kernel-modules.tar.xz" -C "${module_dir}" && return 0
-
- return 1
-}
-
-#Install CC kernel assert, with TEE support
-install_cc_tee_kernel() {
- export KATA_BUILD_CC=yes
- tee="${1}"
- kernel_version="${2}"
- module_dir="${3:-}"
-
- [[ "${tee}" != "tdx" && "${tee}" != "sev" ]] && die "Non supported TEE"
-
- export kernel_version=${kernel_version}
-
- install_cached_kernel_component "${tee}" "${kernel_version}" "${module_dir}" && return 0
-
- info "build initramfs for TEE kernel"
- "${initramfs_builder}"
- kernel_url="$(yq r $versions_yaml assets.kernel.${tee}.url)"
- DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -x "${tee}" -v "${kernel_version}" -u "${kernel_url}"
-}
-
-#Install CC kernel assert for Intel TDX
-install_cc_tdx_kernel() {
- kernel_version="$(yq r $versions_yaml assets.kernel.tdx.tag)"
- install_cc_tee_kernel "tdx" "${kernel_version}"
-}
-
-install_cc_sev_kernel() {
- kernel_version="$(yq r $versions_yaml assets.kernel.sev.version)"
- default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
- module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/cc-sev-kernel/builddir/kata-linux-${kernel_version#v}-$(get_config_version)/lib/modules/${kernel_version#v}"
- install_cc_tee_kernel "sev" "${kernel_version}" "${module_dir}"
-}
-
-install_cc_tee_qemu() {
- tee="${1}"
-
- [ "${tee}" != "tdx" ] && die "Non supported TEE"
-
- export qemu_repo="$(yq r $versions_yaml assets.hypervisor.qemu.${tee}.url)"
- export qemu_version="$(yq r $versions_yaml assets.hypervisor.qemu.${tee}.tag)"
- export tee="${tee}"
-
- install_cached_tarball_component \
- "QEMU ${tee}" \
- "${jenkins_url}/job/kata-containers-2.0-qemu-${tee}-cc-$(uname -m)/${cached_artifacts_path}" \
- "${qemu_version}-$(calc_qemu_files_sha256sum)" \
- "$(get_qemu_image_name)" \
- "${final_tarball_name}"\
- "${final_tarball_path}" \
- && return 0
-
- "${qemu_cc_builder}"
- tar xvf "${builddir}/kata-static-${tee}-qemu-cc.tar.gz" -C "${destdir}"
-}
-
-install_cc_tdx_qemu() {
- install_cc_tee_qemu "tdx"
+ DESTDIR="${destdir}" PREFIX="${prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
 }
 install_cc_tdx_td_shim() {
@@ -538,42 +364,10 @@ install_cc_tdx_td_shim() {
 "${final_tarball_path}" \
 && return 0
- DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${td_shim_builder}"
+ DESTDIR="${destdir}" PREFIX="${prefix}" "${td_shim_builder}"
 tar xvf "${builddir}/td-shim.tar.gz" -C "${destdir}"
 }
-install_cc_tee_ovmf() {
- tee="${1}"
- tarball_name="${2}"
-
- local component_name="ovmf"
- local component_version="$(get_from_kata_deps "externals.ovmf.${tee}.version")"
- [ "${tee}" == "tdx" ] && component_name="tdvf"
- install_cached_tarball_component \
- "${component_name}" \
- "${jenkins_url}/job/kata-containers-2.0-${component_name}-cc-$(uname -m)/${cached_artifacts_path}" \
- "${component_version}" \
- "$(get_ovmf_image_name)" \
- "${final_tarball_name}" \
- "${final_tarball_path}" \
- && return 0
-
- DESTDIR="${destdir}" PREFIX="${cc_prefix}" ovmf_build="${tee}" "${ovmf_builder}"
- tar xvf "${builddir}/${tarball_name}" -C "${destdir}"
-}
-
-install_cc_tdx_tdvf() {
- install_cc_tee_ovmf "tdx" "edk2-staging-tdx.tar.gz"
-}
-
-install_cc_sev_ovmf(){
- install_cc_tee_ovmf "sev" "edk2-sev.tar.gz"
-}
-
-install_cc_x86_64_ovmf(){
- install_cc_tee_ovmf "x86_64" "edk2-x86_64.tar.gz"
-}
-
 #Install guest image
 install_image() {
 local image_type="${1:-"image"}"
@@ -643,6 +437,7 @@ install_initrd_sev() {
 #Install kernel component helper
 install_cached_kernel_tarball_component() {
 local kernel_name=${1}
+ local module_dir=${2:-""}
 install_cached_tarball_component \
 "${kernel_name}" \
@@ -667,8 +462,10 @@ install_cached_kernel_tarball_component() {
 "${workdir}/kata-static-kernel-sev-modules.tar.xz" \
 || return 1
- mkdir -p "${module_dir}"
- tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C "${module_dir}" && return 0
+ if [[ -n "${module_dir}" ]]; then
+ mkdir -p "${module_dir}"
+ tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C "${module_dir}" && return 0
+ fi
 return 1
 }
@@ -676,7 +473,7 @@ install_cached_kernel_tarball_component() {
 install_cc_initrd() {
 export AA_KBC="${AA_KBC:-offline_fs_kbc}"
 info "Create CC initrd configured with AA_KBC=${AA_KBC}"
- "${rootfs_builder}" --imagetype=initrd --prefix="${cc_prefix}" --destdir="${destdir}"
+ "${rootfs_builder}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}"
 }
 #Install kernel asset
@@ -827,16 +624,15 @@ install_qemu_tdx_experimental() {
 "${qemu_experimental_builder}"
 }
-install_cc_snp_qemu_experimental() {
+install_qemu_snp_experimental() {
 export qemu_suffix="snp-experimental"
- export qemu_tarball_name="kata-static-qemu-${qemu_suffix}-cc.tar.gz"
- export tee="snp"
+ export qemu_tarball_name="kata-static-qemu-${qemu_suffix}.tar.gz"
 install_qemu_helper \
 "assets.hypervisor.qemu-${qemu_suffix}.url" \
 "assets.hypervisor.qemu-${qemu_suffix}.tag" \
 "qemu-${qemu_suffix}" \
- "${qemu_experimental_cc_builder}"
+ "${qemu_experimental_builder}"
 }
 # Install static firecracker asset
@@ -1000,7 +796,7 @@ install_ovmf() {
 # Install TDVF
 install_tdvf() {
- install_ovmf "tdx" "edk2-tdx.tar.gz"
+ install_ovmf "tdx" "edk2-staging-tdx.tar.gz"
 }
 # Install OVMF SEV
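Review bot: With the new `module_dir` guard, an SEV call to `install_cached_kernel_tarball_component` that passes no second argument still downloads the modules tarball and then falls through to `return 1`, so the caller treats it as a cache miss and rebuilds the whole kernel even though the kernel tarball itself was just installed. If an empty `module_dir` is a legitimate call (kernel only, modules not wanted), skip the modules download when it is empty or return 0 after it; if it is not legitimate, fail early with `[ -n "${module_dir}" ] || die "module_dir is required for the SEV kernel"` rather than silently rebuilding. Either way, a comment on the `local module_dir=${2:-""}` line in the previous hunk stating which case applies would help. The function starts before this hunk.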
@@ -1044,24 +840,11 @@ handle_build() {
 ;;
 cc)
- install_cc_clh
- install_cc_kernel
- install_cc_qemu
- install_cc_snp_qemu_experimental
 install_cc_image
 install_cc_shimv2
- install_cc_virtiofsd
 install_cc_sev_image
 ;;
- cc-cloud-hypervisor) install_cc_clh ;;
-
- cc-kernel) install_cc_kernel ;;
-
- cc-qemu) install_cc_qemu ;;
-
- cc-snp-qemu) install_cc_snp_qemu_experimental ;;
-
 cc-rootfs-image) install_cc_image ;;
 cc-rootfs-initrd) install_cc_initrd ;;
@@ -1074,22 +857,8 @@ handle_build() {
 cc-shim-v2) install_cc_shimv2 ;;
- cc-virtiofsd) install_cc_virtiofsd ;;
-
- cc-tdx-kernel) install_cc_tdx_kernel ;;
-
- cc-sev-kernel) install_cc_sev_kernel ;;
-
- cc-tdx-qemu) install_cc_tdx_qemu ;;
-
 cc-tdx-td-shim) install_cc_tdx_td_shim ;;
- cc-tdx-tdvf) install_cc_tdx_tdvf ;;
-
- cc-sev-ovmf) install_cc_sev_ovmf ;;
-
- cc-x86_64-ovmf) install_cc_x86_64_ovmf ;;
-
 cloud-hypervisor) install_clh ;;
 cloud-hypervisor-glibc) install_clh_glibc ;;
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
index 33be68f7ba..3480d3c847 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh
@@ -11,7 +11,7 @@ set -o nounset
 set -o pipefail
 set -o errtrace
-KATA_DEPLOY_DIR="`dirname ${0}`/../../kata-deploy-cc"
+KATA_DEPLOY_DIR="`dirname ${0}`/../../kata-deploy"
 KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}"
 REGISTRY="${2:-"quay.io/confidential-containers/runtime-payload"}"
 TAG="${3:-}"
diff --git a/tools/packaging/static-build/qemu/build-static-qemu-cc.sh b/tools/packaging/static-build/qemu/build-static-qemu-cc.sh
deleted file mode 100755
index 4ec3dcfd16..0000000000
--- a/tools/packaging/static-build/qemu/build-static-qemu-cc.sh
+++ /dev/null
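Review bot: The rewritten `KATA_DEPLOY_DIR` line in kata-deploy-build-and-upload-payload.sh keeps the legacy backtick substitution with an unquoted `${0}`, so a script path containing whitespace would be word-split before `dirname` sees it; since the line is being changed anyway, `KATA_DEPLOY_DIR="$(dirname "${0}")/../../kata-deploy"` is the safer and more readable form, and it matches the strict-mode `set -o nounset`/`errtrace` context directly above.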
@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2022 Intel Corporation
-#
-# SPDX-License-Identifier: Apache-2.0
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-
-source "${script_dir}/../../scripts/lib.sh"
-
-qemu_repo="${qemu_repo:-}"
-qemu_version="${qemu_version:-}"
-tee="${tee:-}"
-
-export prefix="/opt/confidential-containers/"
-
-if [ -z "${qemu_repo}" ]; then
- info "Get qemu information from runtime versions.yaml"
- export qemu_url=$(get_from_kata_deps "assets.hypervisor.qemu.url")
- [ -n "${qemu_url}" ] || die "failed to get qemu url"
- export qemu_repo="${qemu_url}.git"
-fi
-
-[ -n "${qemu_repo}" ] || die "failed to get qemu repo"
-[ -n "${qemu_version}" ] || export qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu.version")
-[ -n "${qemu_version}" ] || die "failed to get qemu version"
-
-qemu_tarball_name="kata-static-qemu-cc.tar.gz"
-[ -n "${tee}" ] && qemu_tarball_name="kata-static-${tee}-qemu-cc.tar.gz"
-"${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "${tee}" "${qemu_tarball_name}"
diff --git a/tools/packaging/static-build/qemu/build-static-qemu-experimental-cc.sh b/tools/packaging/static-build/qemu/build-static-qemu-experimental-cc.sh
deleted file mode 100755
index b12835f2c3..0000000000
--- a/tools/packaging/static-build/qemu/build-static-qemu-experimental-cc.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2022 Intel Corporation
-#
-# SPDX-License-Identifier: Apache-2.0
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-
-source "${script_dir}/../../scripts/lib.sh"
-
-qemu_repo="${qemu_repo:-}"
-qemu_version="${qemu_version:-}"
-qemu_suffix="${qemu_suffix:-experimental}"
-tee="${tee:-}"
-qemu_tarball_name="${qemu_tarball_name:-kata-static-qemu-experimental.tar.gz}"
-
-export prefix="/opt/confidential-containers/"
-
-if [ -z "${qemu_repo}" ]; then
- info "Get qemu information from runtime versions.yaml"
- export qemu_url=$(get_from_kata_deps "assets.hypervisor.qemu.url")
- [ -n "${qemu_url}" ] || die "failed to get qemu url"
- export qemu_repo="${qemu_url}.git"
-fi
-
-[ -n "${qemu_repo}" ] || die "failed to get qemu repo"
-[ -n "${qemu_version}" ] || export qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu.version")
-[ -n "${qemu_version}" ] || die "failed to get qemu version"
-
-qemu_tarball_name="kata-static-qemu-experimental-cc.tar.gz"
-[ -n "${tee}" ] && qemu_tarball_name="kata-static-qemu-${tee}-experimental-cc.tar.gz"
-"${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "${qemu_suffix}" "${qemu_tarball_name}"
diff --git a/versions.yaml b/versions.yaml
index 4958fc18c2..1a53c20b4a 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -71,7 +71,8 @@ assets:
 description: "Component used to create virtual machines"
 cloud_hypervisor:
- description: "Cloud Hypervisor is an open source Virtual Machine Monitor"
+ # yamllint disable-line rule:line-length
+ description: "Cloud Hypervisor is an open source Virtual Machine Monitor -- DO NOT TOUCH on main -> CCv0 merges"
 url: "https://github.com/cloud-hypervisor/cloud-hypervisor"
 uscan-url: >-
 https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz
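Review bot: The merge-process instruction `DO NOT TOUCH on main -> CCv0 merges` is embedded in the `description` value of `cloud_hypervisor` (and, in the later hunks, of `qemu-tdx-experimental`, `kernel-tdx-experimental`, the edk2-staging `tdx` entry and `td-shim`), where it ships as data to anything that reads `versions.yaml` and forces a `yamllint disable-line` on every such line. A YAML comment carries the same note without changing data or needing lint suppression, e.g. `# CCv0 merge note: keep this entry as-is when merging main into CCv0` on the line above `description:`, leaving the description text itself as it was.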
@@ -98,16 +99,18 @@ assets:
 uscan-url: >-
 https://github.com/qemu/qemu/tags
 .*/v?(\d\S+)\.tar\.gz
- tdx:
- description: "VMM that uses KVM and supports TDX"
- url: "https://github.com/kata-containers/qemu"
- tag: "TDX-v3.1"
 qemu-experimental:
 description: "QEMU with virtiofs support"
 url: "https://github.com/qemu/qemu"
 version: "7a800cf9496fddddf71b21a00991e0ec757a170a"
+ qemu-tdx-experimental:
+ # yamllint disable-line rule:line-length
+ description: "QEMU with TDX support - DO NOT TOUCH on main -> CCv0 merges"
+ url: "https://github.com/kata-containers/qemu"
+ tag: "TDX-v3.1"
+
 qemu-snp-experimental:
 description: "QEMU with experimental SNP support (no UPM)"
 url: "https://github.com/AMDESE/qemu"
@@ -160,10 +163,6 @@ assets:
 description: "Linux kernel optimised for virtual machines"
 url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
 version: "v5.19.2"
- tdx:
- description: "Linux kernel that supports TDX"
- url: "https://github.com/kata-containers/linux/archive/refs/tags"
- tag: "5.15-plus-TDX"
 sev:
 description: "Linux kernel that supports SEV and SNP"
 url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
@@ -188,6 +187,12 @@ assets:
 url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
 version: "v5.10.25"
+ kernel-tdx-experimental:
+ # yamllint disable-line rule:line-length
+ description: "Linux kernel with TDX support -- DO NOT TOUCH on main -> CCv0 merges"
+ url: "https://github.com/kata-containers/linux/archive/refs/tags"
+ version: "5.15-plus-TDX"
+
 externals:
 description: "Third-party projects used by the system"
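Review bot: The new `qemu-tdx-experimental` entry pins the TDX QEMU to the git tag `TDX-v3.1` and `kernel-tdx-experimental` pins the guest kernel to the GitHub archive of tag `5.15-plus-TDX`; both are mutable references, whereas the neighbouring `qemu-experimental` entry pins a full commit SHA (`7a800cf9…`). For a guest kernel that ends up in the TD's measurement and the VMM that launches it, a moved tag or a regenerated archive changes what gets built and attested with no change in this file, so pin a commit SHA as `qemu-experimental` does, or add a checksum the build scripts verify. This hunk also renames the kernel entry's `tag:` to `version:` while keeping `tag:` for the QEMU entry; `install_qemu_snp_experimental` in kata-deploy-binaries.sh reads `assets.hypervisor.qemu-snp-experimental.tag`, so whichever key the kernel-tdx-experimental consumer reads should match, and a comment explaining the asymmetry (or using one key for both) would prevent a silent lookup miss.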
@@ -303,13 +308,15 @@ externals:
 package_output_dir: "AmdSev"
 tdx:
 url: "https://github.com/tianocore/edk2-staging"
- description: "TDVF build needed for TDX measured direct boot."
+ # yamllint disable-line rule:line-length
+ description: "TDVF build needed for TDX measured direct boot. -- DO NOT TOUCH on main -> CCv0 merges"
 version: "2022-tdvf-ww28.5"
 package: "OvmfPkg/OvmfPkgX64.dsc"
 package_output_dir: "OvmfX64"
 td-shim:
- description: "Confidential Containers Shim Firmware"
+ # yamllint disable-line rule:line-length
+ description: "Confidential Containers Shim Firmware -- DO NOT TOUCH on main -> CCv0 merges"
 url: "https://github.com/confidential-containers/td-shim"
 version: "v0.7.0"
 toolchain: "nightly-2022-11-15"