From 4e883fc5be256513749c272ae9ad381547c2a3dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Jul 2023 23:03:02 +0200 Subject: [PATCH 01/14] versions: Converge to the same asset names used on main MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This will make things easier in the future `main -> CCv0` merges. Signed-off-by: Fabiano Fidêncio --- versions.yaml | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/versions.yaml b/versions.yaml index 4958fc18c2..1a53c20b4a 100644 --- a/versions.yaml +++ b/versions.yaml @@ -71,7 +71,8 @@ assets: description: "Component used to create virtual machines" cloud_hypervisor: - description: "Cloud Hypervisor is an open source Virtual Machine Monitor" + # yamllint disable-line rule:line-length + description: "Cloud Hypervisor is an open source Virtual Machine Monitor -- DO NOT TOUCH on main -> CCv0 merges" url: "https://github.com/cloud-hypervisor/cloud-hypervisor" uscan-url: >- https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz @@ -98,16 +99,18 @@ assets: uscan-url: >- https://github.com/qemu/qemu/tags .*/v?(\d\S+)\.tar\.gz - tdx: - description: "VMM that uses KVM and supports TDX" - url: "https://github.com/kata-containers/qemu" - tag: "TDX-v3.1" qemu-experimental: description: "QEMU with virtiofs support" url: "https://github.com/qemu/qemu" version: "7a800cf9496fddddf71b21a00991e0ec757a170a" + qemu-tdx-experimental: + # yamllint disable-line rule:line-length + description: "QEMU with TDX support - DO NOT TOUCH on main -> CCv0 merges" + url: "https://github.com/kata-containers/qemu" + tag: "TDX-v3.1" + qemu-snp-experimental: description: "QEMU with experimental SNP support (no UPM)" url: "https://github.com/AMDESE/qemu" 
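Review bot: The new `qemu-tdx-experimental` entry in the second hunk pins its source only by a mutable tag name, `tag: "TDX-v3.1"`, on the kata-containers/qemu fork, whereas the adjacent `qemu-experimental` entry pins a full commit hash; if that tag is moved or re-pushed, the build marked "DO NOT TOUCH" changes without any diff appearing in this file. Because the entry is meant to stay frozen across main -> CCv0 merges, record the commit it resolved to next to the tag, e.g. `# pinned to commit <commit-sha-that-TDX-v3.1-resolves-to>`, so a reviewer can verify the frozen input has not drifted. The same applies to `kernel-tdx-experimental`, the `tdx` TDVF entry and `td-shim` in the following hunks, which also pin tag-like names on staging or fork repositories.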
@@ -160,10 +163,6 @@ assets: description: "Linux kernel optimised for virtual machines" url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/" version: "v5.19.2" - tdx: - description: "Linux kernel that supports TDX" - url: "https://github.com/kata-containers/linux/archive/refs/tags" - tag: "5.15-plus-TDX" sev: description: "Linux kernel that supports SEV and SNP" url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/" @@ -188,6 +187,12 @@ assets: url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/" version: "v5.10.25" + kernel-tdx-experimental: + # yamllint disable-line rule:line-length + description: "Linux kernel with TDX support -- DO NOT TOUCH on main -> CCv0 merges" + url: "https://github.com/kata-containers/linux/archive/refs/tags" + version: "5.15-plus-TDX" + externals: description: "Third-party projects used by the system" @@ -303,13 +308,15 @@ externals: package_output_dir: "AmdSev" tdx: url: "https://github.com/tianocore/edk2-staging" - description: "TDVF build needed for TDX measured direct boot." + # yamllint disable-line rule:line-length + description: "TDVF build needed for TDX measured direct boot. -- DO NOT TOUCH on main -> CCv0 merges" version: "2022-tdvf-ww28.5" package: "OvmfPkg/OvmfPkgX64.dsc" package_output_dir: "OvmfX64" td-shim: - description: "Confidential Containers Shim Firmware" + # yamllint disable-line rule:line-length + description: "Confidential Containers Shim Firmware -- DO NOT TOUCH on main -> CCv0 merges" url: "https://github.com/confidential-containers/td-shim" version: "v0.7.0" toolchain: "nightly-2022-11-15" From 6f552b010c51eb9e6dbcbb21cfa122f5c8d6ad36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Jul 2023 23:11:29 +0200 Subject: [PATCH 02/14] kata-deploy: Make sure kata-deploy handles kata-deploy-cc content MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This will also help us immensely on main -> CCv0 merges 
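Review bot: The `kernel-tdx-experimental` entry added in the `@@ -188` hunk stores its ref under `version:` while the removed `kernel.tdx` entry in the `@@ -160` hunk stored it under `tag:`, and the consumer of that key is not touched in this commit: later in this series `install_cc_tdx_kernel` is still shown reading `assets.kernel.tdx.tag` and `install_cc_tee_kernel` reading `assets.kernel.${tee}.url`, so at this commit both lookups presumably come back empty and the `cc-tdx-kernel` target would run the kernel builder with an empty `-v` and `-u`. Either update those two `yq r` paths in the same commit or reorder the series so the consumer is removed before the key disappears, keeping every intermediate commit buildable. The key choice is also inconsistent within this patch: `qemu-tdx-experimental` keeps `tag:` for the same kind of ref while this entry switches to `version:`.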
Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy-cc/Dockerfile | 30 -- .../kata-deploy-cc/scripts/kata-deploy.sh | 384 ------------------ .../kata-deploy-build-and-upload-payload.sh | 2 +- 3 files changed, 1 insertion(+), 415 deletions(-) delete mode 100644 tools/packaging/kata-deploy-cc/Dockerfile delete mode 100755 tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh diff --git a/tools/packaging/kata-deploy-cc/Dockerfile b/tools/packaging/kata-deploy-cc/Dockerfile deleted file mode 100644 index 3c5a0916c7..0000000000 --- a/tools/packaging/kata-deploy-cc/Dockerfile +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright Intel Corporation, 2022 IBM Corp. -# -# SPDX-License-Identifier: Apache-2.0 - -# Specify alternative base image, e.g. clefos for s390x -ARG BASE_IMAGE_NAME=ubuntu -ARG BASE_IMAGE_TAG=20.04 -FROM $BASE_IMAGE_NAME:$BASE_IMAGE_TAG -ENV DEBIAN_FRONTEND=noninteractive -ARG KATA_ARTIFACTS=./kata-static.tar.xz -ARG DESTINATION=/opt/kata-artifacts - -COPY ${KATA_ARTIFACTS} ${WORKDIR} - -SHELL ["/bin/bash", "-o", "pipefail", "-c"] - -RUN \ -apt-get update && \ -apt-get install -y --no-install-recommends apt-transport-https ca-certificates curl xz-utils systemd && \ -mkdir -p /etc/apt/keyrings/ && \ -curl -fsSLo /etc/apt/keyrings/kubernetes-archive-keyring.gpg https://dl.k8s.io/apt/doc/apt-key.gpg && \ -echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list && \ -apt-get update && \ -apt-get install -y --no-install-recommends kubectl && \ -apt-get clean && rm -rf /var/lib/apt/lists/ && \ -mkdir -p ${DESTINATION} && \ -tar xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \ -rm -f ${WORKDIR}/${KATA_ARTIFACTS} - -COPY scripts ${DESTINATION}/scripts \ No newline at end of file 
diff --git a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh b/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh deleted file mode 100755 index 20959ab669..0000000000 --- a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh +++ /dev/null 
@@ -1,384 +0,0 @@ -#!/usr/bin/env bash -# Copyright (c) 2019 Intel Corporation -# -# SPDX-License-Identifier: Apache-2.0 -# - -set -o errexit -set -o pipefail -set -o nounset - -crio_drop_in_conf_dir="/etc/crio/crio.conf.d/" -crio_drop_in_conf_file="${crio_drop_in_conf_dir}/99-kata-deploy" -containerd_conf_file="/etc/containerd/config.toml" -containerd_conf_file_backup="${containerd_conf_file}.bak" - -shims=( - "remote" - "qemu" - "qemu-tdx" - "qemu-sev" - "qemu-se" - "qemu-snp" - "clh" - "clh-tdx" -) - -default_shim="qemu" - -# If we fail for any reason a message will be displayed -die() { - msg="$*" - echo "ERROR: $msg" >&2 - exit 1 -} - -function print_usage() { - echo "Usage: $0 [install/cleanup/reset]" -} - -function get_container_runtime() { - - local runtime=$(kubectl get node $NODE_NAME -o jsonpath='{.status.nodeInfo.containerRuntimeVersion}') - if [ "$?" -ne 0 ]; then - die "invalid node name" - fi - if echo "$runtime" | grep -qE 'containerd.*-k3s'; then - if systemctl is-active --quiet rke2-agent; then - echo "rke2-agent" - elif systemctl is-active --quiet rke2-server; then - echo "rke2-server" - elif systemctl is-active --quiet k3s-agent; then - echo "k3s-agent" - else - echo "k3s" - fi - else - echo "$runtime" | awk -F '[:]' '{print $1}' - fi -} - -function install_artifacts() { - echo "copying kata artifacts onto host" - cp -a /opt/kata-artifacts/opt/confidential-containers/* /opt/confidential-containers/ - chmod +x /opt/confidential-containers/bin/* -} - -function wait_till_node_is_ready() { - local ready="False" - - while ! 
[[ "${ready}" == "True" ]]; do - sleep 2s - ready=$(kubectl get node $NODE_NAME -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}') - done -} - -function configure_cri_runtime() { - configure_different_shims_base - - case $1 in - crio) - configure_crio - ;; - containerd | k3s | k3s-agent | rke2-agent | rke2-server) - configure_containerd - ;; - esac - systemctl daemon-reload - systemctl restart "$1" - - wait_till_node_is_ready -} - -function backup_shim() { - local shim_file="$1" - local shim_backup="${shim_file}.bak" - - if [ -f "${shim_file}" ]; then - echo "warning: ${shim_file} already exists" >&2 - if [ ! -f "${shim_backup}" ]; then - mv "${shim_file}" "${shim_backup}" - else - rm "${shim_file}" - fi - fi -} - -function configure_different_shims_base() { - # Currently containerd has an assumption on the location of the shimv2 implementation - # This forces kata-deploy to create files in a well-defined location that's part of - # the PATH, pointing to the containerd-shim-kata-v2 binary in /opt/confidential-contaienrs/bin - # Issues: - # https://github.com/containerd/containerd/issues/3073 - # https://github.com/containerd/containerd/issues/5006 - - local default_shim_file="/usr/local/bin/containerd-shim-kata-v2" - - mkdir -p /usr/local/bin - - for shim in "${shims[@]}"; do - local shim_binary="containerd-shim-kata-${shim}-v2" - local shim_file="/usr/local/bin/${shim_binary}" - - backup_shim "${shim_file}" - ln -sf /opt/confidential-containers/bin/containerd-shim-kata-v2 "${shim_file}" - chmod +x "$shim_file" - - if [ "${shim}" == "${default_shim}" ]; then - backup_shim "${default_shim_file}" - - echo "Creating the default shim-v2 binary" - ln -sf "${shim_file}" "${default_shim_file}" - fi - done -} - -function restore_shim() { - local shim_file="$1" - local shim_backup="${shim_file}.bak" - - if [ -f "${shim_backup}" ]; then - mv "$shim_backup" "$shim_file" - fi -} - -function cleanup_different_shims_base() { - local 
default_shim_file="/usr/local/bin/containerd-shim-kata-v2" - - for shim in "${shims[@]}"; do - local shim_binary="containerd-shim-kata-${shim}-v2" - local shim_file="/usr/local/bin/${shim_binary}" - - rm "${shim_file}" || true - restore_shim "${shim_file}" - done - - rm "${default_shim_file}" || true - restore_shim "${default_shim_file}" -} - -function configure_crio_runtime() { - local runtime="kata" - local configuration="configuration" - if [ -n "${1-}" ]; then - runtime+="-$1" - configuration+="-$1" - fi - - local kata_path="/usr/local/bin/containerd-shim-${runtime}-v2" - local kata_conf="crio.runtime.runtimes.${runtime}" - local kata_config_path="/opt/confidential-containers/share/defaults/kata-containers/$configuration.toml" - - cat <" $containerd_conf_file; then - pluginid=\"io.containerd.grpc.v1.cri\" - fi - local runtime_table="plugins.${pluginid}.containerd.runtimes.$runtime" - local runtime_type="io.containerd.$runtime.v2" - local cri_handler_value="cc" - if [ "$runtime" == "kata-remote" ]; then - cri_handler_value="" - fi - local options_table="$runtime_table.options" - local config_path="/opt/confidential-containers/share/defaults/kata-containers/$configuration.toml" - if grep -q "\[$runtime_table\]" $containerd_conf_file; then - echo "Configuration exists for $runtime_table, overwriting" - sed -i "/\[$runtime_table\]/,+1s#runtime_type.*#runtime_type = \"${runtime_type}\"#" $containerd_conf_file - else - cat < "$containerd_conf_file" - fi - fi - - action=${1:-} - if [ -z "$action" ]; then - print_usage - die "invalid arguments" - fi - - # only install / remove / update if we are dealing with CRIO or containerd - if [[ "$runtime" =~ ^(crio|containerd|k3s|k3s-agent|rke2-agent|rke2-server)$ ]]; then - - case "$action" in - install) - install_artifacts - configure_cri_runtime "$runtime" - kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=true - ;; - cleanup) - cleanup_cri_runtime "$runtime" - kubectl label node "$NODE_NAME" 
--overwrite katacontainers.io/kata-runtime=cleanup - remove_artifacts - ;; - reset) - reset_runtime $runtime - ;; - *) - echo invalid arguments - print_usage - ;; - esac - fi - - #It is assumed this script will be called as a daemonset. As a result, do - # not return, otherwise the daemon will restart and rexecute the script - sleep infinity -} - -main "$@" \ No newline at end of file diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh index 33be68f7ba..3480d3c847 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh @@ -11,7 +11,7 @@ set -o nounset set -o pipefail set -o errtrace -KATA_DEPLOY_DIR="`dirname ${0}`/../../kata-deploy-cc" +KATA_DEPLOY_DIR="`dirname ${0}`/../../kata-deploy" KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}" REGISTRY="${2:-"quay.io/confidential-containers/runtime-payload"}" TAG="${3:-}" From f62a88f1798627b7c61379b45c462557fb2060d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Jul 2023 23:19:57 +0200 Subject: [PATCH 03/14] kata-deploy-binaries: Remove CC hypervisor builds MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We can just rely on the hypervisors builds from `main`, with the TDX one being the only discrepancy here. However, we have a big note in the versions.yaml to **not** update the TDX hypervisor versions on this branch, so we should be good. 
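Review bot: The changed `KATA_DEPLOY_DIR` line keeps the legacy backtick substitution with an unquoted `${0}`, so a script path containing whitespace is word-split before `dirname` sees it; the quoted modern form is `KATA_DEPLOY_DIR="$(dirname "${0}")/../../kata-deploy"`. Separately, the `kata-deploy.sh` this commit deletes carried CC-specific behaviour that the retained kata-deploy tree is now expected to provide (the `remote`, `qemu-tdx` and `clh-tdx` shim names, `cri_handler_value="cc"` for containerd, and the `/opt/confidential-containers` install paths); nothing in this diff adds them to the retained deploy script, so unless an earlier commit already did, the payload built from the new directory will not configure those runtimes. A sentence in the commit message naming where that logic now lives would make the deletion reviewable.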
Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/local-build/Makefile | 17 +--- .../local-build/kata-deploy-binaries.sh | 91 +------------------ .../static-build/qemu/build-static-qemu-cc.sh | 34 ------- .../qemu/build-static-qemu-experimental-cc.sh | 36 -------- 4 files changed, 4 insertions(+), 174 deletions(-) delete mode 100755 tools/packaging/static-build/qemu/build-static-qemu-cc.sh delete mode 100755 tools/packaging/static-build/qemu/build-static-qemu-experimental-cc.sh diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 328bb3dd97..ab1d1b4117 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -11,15 +11,13 @@ V := 1 ARCH := $(shell uname -m) ifeq ($(ARCH), x86_64) -EXTRA_TARBALL=cc-cloud-hypervisor-tarball \ +EXTRA_TARBALL=\ cc-tdx-kernel-tarball \ - cc-tdx-qemu-tarball \ cc-tdx-td-shim-tarball \ cc-tdx-tdvf-tarball \ cc-sev-ovmf-tarball \ cc-x86_64-ovmf-tarball \ cc-sev-rootfs-initrd-tarball \ - cc-snp-qemu-tarball \ cc-tdx-rootfs-image-tarball endif @@ -156,24 +154,14 @@ cc-parallel: $(MK_DIR)/dockerbuild/install_yq.sh ${MAKE} -f $(MK_PATH) cc -j$$(( $$(nproc) - 1 )) V= cc: cc-kernel-tarball \ - cc-qemu-tarball \ cc-rootfs-image-tarball \ cc-virtiofsd-tarball \ cc-shim-v2-tarball \ ${EXTRA_TARBALL} -cc-cloud-hypervisor-tarball: - ${MAKE} $@-build - cc-kernel-tarball: ${MAKE} $@-build -cc-qemu-tarball: - ${MAKE} $@-build - -cc-snp-qemu-tarball: - ${MAKE} $@-build - cc-rootfs-image-tarball: ${MAKE} $@-build @@ -201,9 +189,6 @@ cc-tdx-kernel-tarball: cc-sev-kernel-tarball: ${MAKE} $@-build -cc-tdx-qemu-tarball: - ${MAKE} $@-build - cc-tdx-td-shim-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 26d64fa075..fc55dddf12 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh 
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -29,7 +29,6 @@ readonly kernel_builder="${static_build_dir}/kernel/build.sh" readonly ovmf_builder="${static_build_dir}/ovmf/build.sh" readonly qemu_builder="${static_build_dir}/qemu/build-static-qemu.sh" readonly qemu_experimental_builder="${static_build_dir}/qemu/build-static-qemu-experimental.sh" -readonly qemu_experimental_cc_builder="${static_build_dir}/qemu/build-static-qemu-experimental-cc.sh" readonly shimv2_builder="${static_build_dir}/shim-v2/build.sh" readonly td_shim_builder="${static_build_dir}/td-shim/build.sh" readonly virtiofsd_builder="${static_build_dir}/virtiofsd/build.sh" @@ -39,7 +38,6 @@ readonly rootfs_builder="${repo_root_dir}/tools/packaging/guest-image/build_imag readonly se_image_builder="${repo_root_dir}/tools/packaging/guest-image/build_se_image.sh" readonly cc_prefix="/opt/confidential-containers" -readonly qemu_cc_builder="${static_build_dir}/qemu/build-static-qemu-cc.sh" source "${script_dir}/../../scripts/lib.sh" @@ -112,13 +110,9 @@ options: tdvf virtiofsd cc - cc-cloud-hypervisor cc-kernel cc-tdx-kernel cc-sev-kernel - cc-qemu - cc-snp-qemu - cc-tdx-qemu cc-rootfs-image cc-rootfs-initrd cc-sev-rootfs-initrd 
@@ -231,28 +225,6 @@ install_cached_cc_shim_v2() { "$(basename ${root_hash_tdx})" } -# Install static CC cloud-hypervisor asset -install_cc_clh() { - install_cached_tarball_component \ - "cloud-hypervisor" \ - "${jenkins_url}/job/kata-containers-2.0-clh-cc-$(uname -m)/${cached_artifacts_path}" \ - "$(get_from_kata_deps "assets.hypervisor.cloud_hypervisor.version")" \ - "" \ - "${final_tarball_name}" \ - "${final_tarball_path}" \ - && return 0 - - if [[ "${ARCH}" == "x86_64" ]]; then - export features="tdx" - fi - - info "build static CC cloud-hypervisor" - "${clh_builder}" - info "Install static CC cloud-hypervisor" - mkdir -p "${destdir}/${cc_prefix}/bin/" - sudo install -D --owner root --group root --mode 0744 cloud-hypervisor/cloud-hypervisor "${destdir}/${cc_prefix}/bin/cloud-hypervisor" -} - #Install cc capable guest image install_cc_image() { export AA_KBC="${1:-offline_fs_kbc}" @@ -355,25 +327,6 @@ install_cc_kernel() { DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -f -v "${kernel_version}" } -# Install static CC qemu asset -install_cc_qemu() { - info "build static CC qemu" - export qemu_repo="$(yq r $versions_yaml assets.hypervisor.qemu.url)" - export qemu_version="$(yq r $versions_yaml assets.hypervisor.qemu.version)" - - install_cached_tarball_component \ - "QEMU" \ - "${jenkins_url}/job/kata-containers-2.0-qemu-cc-$(uname -m)/${cached_artifacts_path}" \ - "${qemu_version}-$(calc_qemu_files_sha256sum)" \ - "$(get_qemu_image_name)" \ - "${final_tarball_name}" \ - "${final_tarball_path}" \ - && return 0 - - "${qemu_cc_builder}" - tar xvf "${builddir}/kata-static-qemu-cc.tar.gz" -C "${destdir}" -} - #Install all components that are not assets install_cc_shimv2() { local shim_v2_last_commit="$(get_last_modification "${repo_root_dir}/src/runtime")" 
@@ -502,32 +455,6 @@ install_cc_sev_kernel() { install_cc_tee_kernel "sev" "${kernel_version}" "${module_dir}" } -install_cc_tee_qemu() { - tee="${1}" - - [ "${tee}" != "tdx" ] && die "Non supported TEE" - - export qemu_repo="$(yq r $versions_yaml assets.hypervisor.qemu.${tee}.url)" - export qemu_version="$(yq r $versions_yaml assets.hypervisor.qemu.${tee}.tag)" - export tee="${tee}" - - install_cached_tarball_component \ - "QEMU ${tee}" \ - "${jenkins_url}/job/kata-containers-2.0-qemu-${tee}-cc-$(uname -m)/${cached_artifacts_path}" \ - "${qemu_version}-$(calc_qemu_files_sha256sum)" \ - "$(get_qemu_image_name)" \ - "${final_tarball_name}" \ - "${final_tarball_path}" \ - && return 0 - - "${qemu_cc_builder}" - tar xvf "${builddir}/kata-static-${tee}-qemu-cc.tar.gz" -C "${destdir}" -} - -install_cc_tdx_qemu() { - install_cc_tee_qemu "tdx" -} - install_cc_tdx_td_shim() { install_cached_tarball_component \ "td-shim" \ @@ -827,16 +754,15 @@ install_qemu_tdx_experimental() { "${qemu_experimental_builder}" } -install_cc_snp_qemu_experimental() { +install_qemu_snp_experimental() { export qemu_suffix="snp-experimental" - export qemu_tarball_name="kata-static-qemu-${qemu_suffix}-cc.tar.gz" - export tee="snp" + export qemu_tarball_name="kata-static-qemu-${qemu_suffix}.tar.gz" install_qemu_helper \ "assets.hypervisor.qemu-${qemu_suffix}.url" \ "assets.hypervisor.qemu-${qemu_suffix}.tag" \ "qemu-${qemu_suffix}" \ - "${qemu_experimental_cc_builder}" + "${qemu_experimental_builder}" } # Install static firecracker asset @@ -1044,24 +970,15 @@ handle_build() { ;; cc) - install_cc_clh install_cc_kernel - install_cc_qemu - install_cc_snp_qemu_experimental install_cc_image install_cc_shimv2 install_cc_virtiofsd install_cc_sev_image ;; - cc-cloud-hypervisor) install_cc_clh ;; - cc-kernel) install_cc_kernel ;; - cc-qemu) install_cc_qemu ;; - - cc-snp-qemu) install_cc_snp_qemu_experimental ;; - cc-rootfs-image) install_cc_image ;; cc-rootfs-initrd) install_cc_initrd ;; 
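Review bot: After the `@@ -1044` hunk, `install_qemu_snp_experimental` (renamed in the `@@ -827` hunk) is no longer called from the `cc)` case and the `cc-snp-qemu)` case is deleted, yet no `qemu-snp-experimental)` case is added and the usage hunk at `@@ -112` removes `cc-snp-qemu` without adding a replacement (it may already be listed among the main-side options above that hunk); unless handle_build already has that case outside the diff, the renamed function is unreachable and SNP QEMU silently drops out of the `cc` build. If the intent is to take the SNP QEMU from the main-side targets, say so in the commit message as was done for TDX; otherwise add the dispatch line, `qemu-snp-experimental) install_qemu_snp_experimental ;;`, and the matching usage entry.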
@@ -1080,8 +997,6 @@ handle_build() { cc-sev-kernel) install_cc_sev_kernel ;; - cc-tdx-qemu) install_cc_tdx_qemu ;; - cc-tdx-td-shim) install_cc_tdx_td_shim ;; cc-tdx-tdvf) install_cc_tdx_tdvf ;; diff --git a/tools/packaging/static-build/qemu/build-static-qemu-cc.sh b/tools/packaging/static-build/qemu/build-static-qemu-cc.sh deleted file mode 100755 index 4ec3dcfd16..0000000000 --- a/tools/packaging/static-build/qemu/build-static-qemu-cc.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright (c) 2022 Intel Corporation -# -# SPDX-License-Identifier: Apache-2.0 - -set -o errexit -set -o nounset -set -o pipefail - -script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - -source "${script_dir}/../../scripts/lib.sh" - -qemu_repo="${qemu_repo:-}" -qemu_version="${qemu_version:-}" -tee="${tee:-}" - -export prefix="/opt/confidential-containers/" - -if [ -z "${qemu_repo}" ]; then - info "Get qemu information from runtime versions.yaml" - export qemu_url=$(get_from_kata_deps "assets.hypervisor.qemu.url") - [ -n "${qemu_url}" ] || die "failed to get qemu url" - export qemu_repo="${qemu_url}.git" -fi - -[ -n "${qemu_repo}" ] || die "failed to get qemu repo" -[ -n "${qemu_version}" ] || export qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu.version") -[ -n "${qemu_version}" ] || die "failed to get qemu version" - -qemu_tarball_name="kata-static-qemu-cc.tar.gz" -[ -n "${tee}" ] && qemu_tarball_name="kata-static-${tee}-qemu-cc.tar.gz" -"${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "${tee}" "${qemu_tarball_name}" diff --git a/tools/packaging/static-build/qemu/build-static-qemu-experimental-cc.sh b/tools/packaging/static-build/qemu/build-static-qemu-experimental-cc.sh deleted file mode 100755 index b12835f2c3..0000000000 --- a/tools/packaging/static-build/qemu/build-static-qemu-experimental-cc.sh +++ /dev/null 
@@ -1,36 +0,0 @@ -#!/usr/bin/env bash -# -# Copyright (c) 2022 Intel Corporation -# -# SPDX-License-Identifier: Apache-2.0 - -set -o errexit -set -o nounset -set -o pipefail - -script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" - -source "${script_dir}/../../scripts/lib.sh" - -qemu_repo="${qemu_repo:-}" -qemu_version="${qemu_version:-}" -qemu_suffix="${qemu_suffix:-experimental}" -tee="${tee:-}" -qemu_tarball_name="${qemu_tarball_name:-kata-static-qemu-experimental.tar.gz}" - -export prefix="/opt/confidential-containers/" - -if [ -z "${qemu_repo}" ]; then - info "Get qemu information from runtime versions.yaml" - export qemu_url=$(get_from_kata_deps "assets.hypervisor.qemu.url") - [ -n "${qemu_url}" ] || die "failed to get qemu url" - export qemu_repo="${qemu_url}.git" -fi - -[ -n "${qemu_repo}" ] || die "failed to get qemu repo" -[ -n "${qemu_version}" ] || export qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu.version") -[ -n "${qemu_version}" ] || die "failed to get qemu version" - -qemu_tarball_name="kata-static-qemu-experimental-cc.tar.gz" -[ -n "${tee}" ] && qemu_tarball_name="kata-static-qemu-${tee}-experimental-cc.tar.gz" -"${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "${qemu_suffix}" "${qemu_tarball_name}" From 3fa936e4921614b8f1daf56bd9618aa7375c3e58 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Jul 2023 23:46:35 +0200 Subject: [PATCH 04/14] kata-deploy-binaires: Remove CC virtiofsd build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We can simply ship the one from main. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/local-build/Makefile | 4 ---- .../local-build/kata-deploy-binaries.sh | 23 ------------------- 2 files changed, 27 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index ab1d1b4117..25d395729b 100644 
--- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -155,7 +155,6 @@ cc-parallel: $(MK_DIR)/dockerbuild/install_yq.sh cc: cc-kernel-tarball \ cc-rootfs-image-tarball \ - cc-virtiofsd-tarball \ cc-shim-v2-tarball \ ${EXTRA_TARBALL} @@ -180,9 +179,6 @@ cc-tdx-rootfs-image-tarball: cc-shim-v2-tarball: ${MAKE} $@-build -cc-virtiofsd-tarball: - ${MAKE} $@-build - cc-tdx-kernel-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index fc55dddf12..a930cfa8e1 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -118,7 +118,6 @@ options: cc-sev-rootfs-initrd cc-se-image cc-shimv2 - cc-virtiofsd cc-sev-ovmf cc-x86_64-ovmf EOF @@ -369,25 +368,6 @@ install_cc_shimv2() { DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}" } -# Install static CC virtiofsd asset -install_cc_virtiofsd() { - local virtiofsd_version="$(get_from_kata_deps "externals.virtiofsd.version")-$(get_from_kata_deps "externals.virtiofsd.toolchain")" - install_cached_tarball_component \ - "virtiofsd" \ - "${jenkins_url}/job/kata-containers-2.0-virtiofsd-cc-$(uname -m)/${cached_artifacts_path}" \ - "${virtiofsd_version}" \ - "$(get_virtiofsd_image_name)" \ - "${final_tarball_name}" \ - "${final_tarball_path}" \ - && return 0 - - info "build static CC virtiofsd" - "${virtiofsd_builder}" - info "Install static CC virtiofsd" - mkdir -p "${destdir}/${cc_prefix}/libexec/" - sudo install -D --owner root --group root --mode 0744 virtiofsd/virtiofsd "${destdir}/${cc_prefix}/libexec/virtiofsd" -} - # Install cached kernel compoenent install_cached_kernel_component() { tee="${1}" @@ -973,7 +953,6 @@ handle_build() { install_cc_kernel install_cc_image install_cc_shimv2 - install_cc_virtiofsd install_cc_sev_image ;; 
@@ -991,8 +970,6 @@ handle_build() { cc-shim-v2) install_cc_shimv2 ;; - cc-virtiofsd) install_cc_virtiofsd ;; - cc-tdx-kernel) install_cc_tdx_kernel ;; cc-sev-kernel) install_cc_sev_kernel ;; From 8d1e1d4b0a4986f7c5c76e344847cc881e7aa89e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Jul 2023 23:51:51 +0200 Subject: [PATCH 05/14] kata-deploy-binaries: Remove CC kernel builds MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We can simply rely on those coming from main. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/local-build/Makefile | 22 ++-- .../local-build/kata-deploy-binaries.sh | 100 ------------------ 2 files changed, 6 insertions(+), 116 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 25d395729b..66df29eed0 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -12,7 +12,6 @@ ARCH := $(shell uname -m) ifeq ($(ARCH), x86_64) EXTRA_TARBALL=\ - cc-tdx-kernel-tarball \ cc-tdx-td-shim-tarball \ cc-tdx-tdvf-tarball \ cc-sev-ovmf-tarball \ 
@@ -153,41 +152,32 @@ cc-tarball: | cc merge-builds cc-parallel: $(MK_DIR)/dockerbuild/install_yq.sh ${MAKE} -f $(MK_PATH) cc -j$$(( $$(nproc) - 1 )) V= -cc: cc-kernel-tarball \ +cc:\ cc-rootfs-image-tarball \ cc-shim-v2-tarball \ ${EXTRA_TARBALL} -cc-kernel-tarball: - ${MAKE} $@-build - cc-rootfs-image-tarball: ${MAKE} $@-build cc-rootfs-initrd-tarball: ${MAKE} $@-build -cc-sev-rootfs-initrd-tarball: cc-sev-kernel-tarball +cc-sev-rootfs-initrd-tarball: kernel-sev-tarball ${MAKE} $@-build -cc-se-image-tarball: cc-kernel-tarball cc-rootfs-initrd-tarball +cc-se-image-tarball: kernel-tarball cc-rootfs-initrd-tarball ${MAKE} $@-build cc-tdx-rootfs-image-tarball: ${MAKE} $@-build -cc-shim-v2-tarball: - ${MAKE} $@-build - -cc-tdx-kernel-tarball: - ${MAKE} $@-build - -cc-sev-kernel-tarball: - ${MAKE} $@-build - cc-tdx-td-shim-tarball: ${MAKE} $@-build +cc-shim-v2-tarball: + ${MAKE} $@-build + cc-tdx-tdvf-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index a930cfa8e1..69e27d4082 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -110,9 +110,6 @@ options: tdvf virtiofsd cc - cc-kernel - cc-tdx-kernel - cc-sev-kernel cc-rootfs-image cc-rootfs-initrd cc-sev-rootfs-initrd 
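Review bot: The rewritten `cc:` rule in the `@@ -153` hunk is written `cc:\` with the continuation glued to the colon, and `cc-shim-v2-tarball` is moved below `cc-tdx-td-shim-tarball` with no functional reason, which makes the hunk larger than the removal it performs; `cc: \` (or the first prerequisite on the same line) and leaving the rule where it was keeps the diff to the kernel removals. The new prerequisites `kernel-sev-tarball` and `kernel-tarball` on the `cc-sev-rootfs-initrd-tarball` and `cc-se-image-tarball` rules are main-side targets not defined in this hunk; if they are not yet present in this Makefile on the CCv0 branch, `make cc` fails with "No rule to make target".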
@@ -303,29 +300,6 @@ install_cc_tdx_image() { install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}" "${root_hash_suffix}" "tdx" } -#Install CC kernel asset -install_cc_kernel() { - export KATA_BUILD_CC=yes - export kernel_version="$(yq r $versions_yaml assets.kernel.version)" - - local kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)" - - install_cached_tarball_component \ - "kernel" \ - "${jenkins_url}/job/kata-containers-2.0-kernel-cc-$(uname -m)/${cached_artifacts_path}" \ - "${kernel_version}-${kernel_kata_config_version}" \ - "$(get_kernel_image_name)" \ - "${final_tarball_name}" \ - "${final_tarball_path}" \ - && return 0 - - if [ "${MEASURED_ROOTFS}" == "yes" ]; then - info "build initramfs for cc kernel" - "${initramfs_builder}" - fi - DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -f -v "${kernel_version}" -} - #Install all components that are not assets install_cc_shimv2() { local shim_v2_last_commit="$(get_last_modification "${repo_root_dir}/src/runtime")" 
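Review bot: The removed `install_cc_kernel` in the `@@ -303` hunk did two things beyond building a kernel: it exported `KATA_BUILD_CC=yes` and, when `MEASURED_ROOTFS` was `yes`, ran `${initramfs_builder}` before `${kernel_builder}`; the main-side kernel target this branch now relies on is outside the diff, so it is not visible whether the CC guest kernel still receives the measured-rootfs initramfs. If it does not, images that depend on a root-hash check (the `root_hash_suffix` plumbing kept in `install_cc_image`) would boot a kernel without the measurement path, and the regression would not surface as a build failure. The same applies to the `install_cc_tee_kernel` removal in the next hunk, which unconditionally ran the initramfs builder for the TDX and SEV kernels. A line in the commit message confirming that the main-side kernel build honours `MEASURED_ROOTFS` would close this.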
@@ -368,73 +342,6 @@ install_cc_shimv2() { DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}" } -# Install cached kernel compoenent -install_cached_kernel_component() { - tee="${1}" - kernel_version="${2}" - module_dir="${3:-}" - - local kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)" - - install_cached_tarball_component \ - "kernel" \ - "${jenkins_url}/job/kata-containers-2.0-kernel-${tee}-cc-$(uname -m)/${cached_artifacts_path}" \ - "${kernel_version}-${kernel_kata_config_version}" \ - "$(get_kernel_image_name)" \ - "${final_tarball_name}" \ - "${final_tarball_path}" \ - || return 1 - - [ "${tee}" == "tdx" ] && return 0 - - # SEV specific code path - install_cached_tarball_component \ - "kernel-modules" \ - "${jenkins_url}/job/kata-containers-2.0-kernel-sev-cc-$(uname -m)/${cached_artifacts_path}" \ - "${kernel_version}" \ - "$(get_kernel_image_name)" \ - "kata-static-cc-sev-kernel-modules.tar.xz" \ - "${workdir}/kata-static-cc-sev-kernel-modules.tar.xz" \ - || return 1 - - mkdir -p "${module_dir}" - tar xvf "${workdir}/kata-static-cc-sev-kernel-modules.tar.xz" -C "${module_dir}" && return 0 - - return 1 -} - -#Install CC kernel assert, with TEE support -install_cc_tee_kernel() { - export KATA_BUILD_CC=yes - tee="${1}" - kernel_version="${2}" - module_dir="${3:-}" - - [[ "${tee}" != "tdx" && "${tee}" != "sev" ]] && die "Non supported TEE" - - export kernel_version=${kernel_version} - - install_cached_kernel_component "${tee}" "${kernel_version}" "${module_dir}" && return 0 - - info "build initramfs for TEE kernel" - "${initramfs_builder}" - kernel_url="$(yq r $versions_yaml assets.kernel.${tee}.url)" - DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -x "${tee}" -v "${kernel_version}" -u "${kernel_url}" -} - -#Install CC kernel assert for Intel TDX -install_cc_tdx_kernel() { - kernel_version="$(yq r $versions_yaml assets.kernel.tdx.tag)" - install_cc_tee_kernel 
"tdx" "${kernel_version}" -} - -install_cc_sev_kernel() { - kernel_version="$(yq r $versions_yaml assets.kernel.sev.version)" - default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches" - module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/cc-sev-kernel/builddir/kata-linux-${kernel_version#v}-$(get_config_version)/lib/modules/${kernel_version#v}" - install_cc_tee_kernel "sev" "${kernel_version}" "${module_dir}" -} - install_cc_tdx_td_shim() { install_cached_tarball_component \ "td-shim" \ @@ -950,14 +857,11 @@ handle_build() { ;; cc) - install_cc_kernel install_cc_image install_cc_shimv2 install_cc_sev_image ;; - cc-kernel) install_cc_kernel ;; - cc-rootfs-image) install_cc_image ;; cc-rootfs-initrd) install_cc_initrd ;; @@ -970,10 +874,6 @@ handle_build() { cc-shim-v2) install_cc_shimv2 ;; - cc-tdx-kernel) install_cc_tdx_kernel ;; - - cc-sev-kernel) install_cc_sev_kernel ;; - cc-tdx-td-shim) install_cc_tdx_td_shim ;; cc-tdx-tdvf) install_cc_tdx_tdvf ;; From 4d0b319a8b9718669667d757a93b56f8247368d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 20 Jul 2023 23:56:25 +0200 Subject: [PATCH 06/14] kata-deploy-binaries: Remove CC OVMF / TDVF MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's just rely on whatever we have on main. The big execption here is TDVF, but we have a big note saying to not update the version n this branch. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/local-build/Makefile | 12 ------ .../local-build/kata-deploy-binaries.sh | 40 ------------------- 2 files changed, 52 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 66df29eed0..851f8623d0 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile 
@@ -13,9 +13,6 @@ ARCH := $(shell uname -m) ifeq ($(ARCH), x86_64) EXTRA_TARBALL=\ cc-tdx-td-shim-tarball \ - cc-tdx-tdvf-tarball \ - cc-sev-ovmf-tarball \ - cc-x86_64-ovmf-tarball \ cc-sev-rootfs-initrd-tarball \ cc-tdx-rootfs-image-tarball endif @@ -177,12 +174,3 @@ cc-tdx-td-shim-tarball: cc-shim-v2-tarball: ${MAKE} $@-build - -cc-tdx-tdvf-tarball: - ${MAKE} $@-build - -cc-sev-ovmf-tarball: - ${MAKE} $@-build - -cc-x86_64-ovmf-tarball: - ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 69e27d4082..c72c8c9922 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -115,8 +115,6 @@ options: cc-sev-rootfs-initrd cc-se-image cc-shimv2 - cc-sev-ovmf - cc-x86_64-ovmf EOF exit "${return_code}" @@ -356,38 +354,6 @@ install_cc_tdx_td_shim() { tar xvf "${builddir}/td-shim.tar.gz" -C "${destdir}" } -install_cc_tee_ovmf() { - tee="${1}" - tarball_name="${2}" - - local component_name="ovmf" - local component_version="$(get_from_kata_deps "externals.ovmf.${tee}.version")" - [ "${tee}" == "tdx" ] && component_name="tdvf" - install_cached_tarball_component \ - "${component_name}" \ - "${jenkins_url}/job/kata-containers-2.0-${component_name}-cc-$(uname -m)/${cached_artifacts_path}" \ - "${component_version}" \ - "$(get_ovmf_image_name)" \ - "${final_tarball_name}" \ - "${final_tarball_path}" \ - && return 0 - - DESTDIR="${destdir}" PREFIX="${cc_prefix}" ovmf_build="${tee}" "${ovmf_builder}" - tar xvf "${builddir}/${tarball_name}" -C "${destdir}" -} - -install_cc_tdx_tdvf() { - install_cc_tee_ovmf "tdx" "edk2-staging-tdx.tar.gz" -} - -install_cc_sev_ovmf(){ - install_cc_tee_ovmf "sev" "edk2-sev.tar.gz" -} - -install_cc_x86_64_ovmf(){ - install_cc_tee_ovmf "x86_64" "edk2-x86_64.tar.gz" -} - #Install guest image install_image() { local image_type="${1:-"image"}" 
@@ -876,12 +842,6 @@ handle_build() { cc-tdx-td-shim) install_cc_tdx_td_shim ;; - cc-tdx-tdvf) install_cc_tdx_tdvf ;; - - cc-sev-ovmf) install_cc_sev_ovmf ;; - - cc-x86_64-ovmf) install_cc_x86_64_ovmf ;; - cloud-hypervisor) install_clh ;; cloud-hypervisor-glibc) install_clh_glibc ;; From 20a523f81bf28e4ade518f2f92f1c145b619d2b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 21 Jul 2023 00:00:41 +0200 Subject: [PATCH 07/14] kata-deloy-binaries: Get rid of cc_prefix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We'll be using prefix (/opt/kata) from now on, as it simplifies things on our side. Signed-off-by: Fabiano Fidêncio --- .../kata-deploy/local-build/kata-deploy-binaries.sh | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index c72c8c9922..c357b40276 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -37,8 +37,6 @@ readonly nydus_builder="${static_build_dir}/nydus/build.sh" readonly rootfs_builder="${repo_root_dir}/tools/packaging/guest-image/build_image.sh" readonly se_image_builder="${repo_root_dir}/tools/packaging/guest-image/build_se_image.sh" -readonly cc_prefix="/opt/confidential-containers" - source "${script_dir}/../../scripts/lib.sh" readonly jenkins_url="http://jenkins.katacontainers.io" @@ -273,7 +271,7 @@ install_cc_image() { info "Create CC image configured with AA_KBC=${AA_KBC}" "${rootfs_builder}" \ --imagetype="${image_type}" \ - --prefix="${cc_prefix}" \ + --prefix="${prefix}" \ --destdir="${destdir}" \ --image_initrd_suffix="${image_initrd_suffix}" \ --root_hash_suffix="${root_hash_suffix}" 
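Review bot: `prefix`, which now replaces `cc_prefix` at `--prefix="${prefix}"` in install_cc_image and in the `PREFIX="${prefix}"` assignments of the following hunks, is not defined anywhere in this patch, while the only definition the diff touches, `readonly cc_prefix="/opt/confidential-containers"`, is removed. If `prefix` is not already set by this script or by the sourced lib.sh, the builders receive an empty prefix and the guest image and shim get laid out relative to `/` instead of `/opt/kata`; under `set -u` the script would abort instead. The commit message says /opt/kata is intended, so presumably it is set elsewhere, but a `readonly prefix="${prefix:-/opt/kata}"` next to the other `readonly` definitions, or at least a comment naming where `prefix` comes from, would make the dependency explicit. install_cc_image continues outside the hunk.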
@@ -337,7 +335,7 @@ install_cc_shimv2() { fi fi info "extra_opts: ${extra_opts}" - DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}" + DESTDIR="${destdir}" PREFIX="${prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}" } install_cc_tdx_td_shim() { @@ -350,7 +348,7 @@ install_cc_tdx_td_shim() { "${final_tarball_path}" \ && return 0 - DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${td_shim_builder}" + DESTDIR="${destdir}" PREFIX="${prefix}" "${td_shim_builder}" tar xvf "${builddir}/td-shim.tar.gz" -C "${destdir}" } @@ -456,7 +454,7 @@ install_cached_kernel_tarball_component() { install_cc_initrd() { export AA_KBC="${AA_KBC:-offline_fs_kbc}" info "Create CC initrd configured with AA_KBC=${AA_KBC}" - "${rootfs_builder}" --imagetype=initrd --prefix="${cc_prefix}" --destdir="${destdir}" + "${rootfs_builder}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" } #Install kernel asset From ef6c0be9841ae13e6186e80b847d3ffcd5d381d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 21 Jul 2023 00:09:15 +0200 Subject: [PATCH 08/14] kata-depkoy-binarues: Add tarballs from main to the cc target MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Same as the others, it'll help us in the merges. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/Makefile | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 851f8623d0..0f2c68fb88 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile 
@@ -12,6 +12,12 @@ ARCH := $(shell uname -m) ifeq ($(ARCH), x86_64) EXTRA_TARBALL=\ + kernel-tdx-experimental-tarball \ + tdvf-tarball \ + ovmf-sev-tarball \ + ovmf-tarball \ + qemu-snp-experimental-tarball \ + qemu-tdx-experimental-tarball \ cc-tdx-td-shim-tarball \ cc-sev-rootfs-initrd-tarball \ cc-tdx-rootfs-image-tarball @@ -149,7 +155,9 @@ cc-tarball: | cc merge-builds cc-parallel: $(MK_DIR)/dockerbuild/install_yq.sh ${MAKE} -f $(MK_PATH) cc -j$$(( $$(nproc) - 1 )) V= -cc:\ +cc: kernel-tarball \ + qemu-tarball \ + virtiofsd-tarball \ cc-rootfs-image-tarball \ cc-shim-v2-tarball \ ${EXTRA_TARBALL} From 507a89bb325ee75efa74582d370601c9dcf4dc6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 21 Jul 2023 00:14:34 +0200 Subject: [PATCH 09/14] gha: cc-payload: Adjust to using main componenets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Again, it'll make our lives easier in the near future. Signed-off-by: Fabiano Fidêncio --- .../cc-payload-after-push-amd64.yaml | 22 +++++++++--------- .../cc-payload-after-push-s390x.yaml | 6 ++--- .github/workflows/cc-payload-amd64.yaml | 23 ++++++++++--------- .github/workflows/cc-payload-s390x.yaml | 6 ++--- 4 files changed, 29 insertions(+), 28 deletions(-) diff --git a/.github/workflows/cc-payload-after-push-amd64.yaml b/.github/workflows/cc-payload-after-push-amd64.yaml index 0d1d025103..e26187e5c5 100644 --- a/.github/workflows/cc-payload-after-push-amd64.yaml +++ b/.github/workflows/cc-payload-after-push-amd64.yaml 
@@ -14,22 +14,22 @@ jobs: measured_rootfs: - no asset: - - cc-cloud-hypervisor - - cc-qemu - - cc-virtiofsd - - cc-sev-kernel - - cc-sev-ovmf - - cc-x86_64-ovmf - - cc-snp-qemu + - cloud-hypervisor + - qemu + - virtiofsd + - kernel-sev + - ovmf-sev + - ovmf + - qemu-snp-experimental + - qemu-tdx-exprimental - cc-sev-rootfs-initrd - - cc-tdx-qemu - cc-tdx-td-shim - - cc-tdx-tdvf + - tdvf include: - measured_rootfs: yes - asset: cc-kernel + asset: kernel - measured_rootfs: yes - asset: cc-tdx-kernel + asset: kernel-tdx-experimental - measured_rootfs: yes asset: cc-rootfs-image - measured_rootfs: yes diff --git a/.github/workflows/cc-payload-after-push-s390x.yaml b/.github/workflows/cc-payload-after-push-s390x.yaml index ccfdd82218..0f5801e2c8 100644 --- a/.github/workflows/cc-payload-after-push-s390x.yaml +++ b/.github/workflows/cc-payload-after-push-s390x.yaml @@ -14,13 +14,13 @@ jobs: measured_rootfs: - no asset: - - cc-qemu + - qemu - cc-rootfs-initrd - cc-se-image - - cc-virtiofsd + - virtiofsd include: - measured_rootfs: yes - asset: cc-kernel + asset: kernel - measured_rootfs: yes asset: cc-rootfs-image steps: diff --git a/.github/workflows/cc-payload-amd64.yaml b/.github/workflows/cc-payload-amd64.yaml index b1f2510ead..56649657b9 100644 --- a/.github/workflows/cc-payload-amd64.yaml +++ b/.github/workflows/cc-payload-amd64.yaml @@ -14,22 +14,23 @@ jobs: measured_rootfs: - no asset: - - cc-cloud-hypervisor - - cc-qemu - - cc-virtiofsd - - cc-sev-kernel - - cc-sev-ovmf - - cc-x86_64-ovmf - - cc-snp-qemu + - cloud-hypervisor + - qemu + - virtiofsd + - kernel-sev + - kernel-snp-experimental + - ovmf-sev + - ovmf + - qemu-snp-experimental + - qemu-tdx-experimental - cc-sev-rootfs-initrd - - cc-tdx-qemu - cc-tdx-td-shim - - cc-tdx-tdvf + - tdvf include: - measured_rootfs: yes - asset: cc-kernel + asset: kernel - measured_rootfs: yes - asset: cc-tdx-kernel + asset: kernel-tdx-experimental - measured_rootfs: yes asset: cc-rootfs-image - measured_rootfs: yes 
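Review bot: The after-push matrix entry `- qemu-tdx-exprimental` is misspelled; cc-payload-amd64.yaml in this same commit and the Makefile's EXTRA_TARBALL list in this series use `qemu-tdx-experimental`, so this job would presumably request an asset that does not exist. Change it to `- qemu-tdx-experimental` so both amd64 payload workflows name the same target.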
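Review bot: cc-payload-amd64.yaml lists `- kernel-snp-experimental` but cc-payload-after-push-amd64.yaml, which is otherwise the same matrix, does not, and the Makefile's EXTRA_TARBALL in this series adds no `kernel-snp-experimental-tarball` either. Whether such an asset exists on this branch is not visible in the diff; either add it to the after-push matrix (and to EXTRA_TARBALL if the `cc` target is expected to produce it) or drop it here so the two amd64 payloads build the same set of components.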
diff --git a/.github/workflows/cc-payload-s390x.yaml b/.github/workflows/cc-payload-s390x.yaml index 1796308a80..66e48738f3 100644 --- a/.github/workflows/cc-payload-s390x.yaml +++ b/.github/workflows/cc-payload-s390x.yaml @@ -14,11 +14,11 @@ jobs: measured_rootfs: - no asset: - - cc-qemu - - cc-virtiofsd + - qemu + - virtiofsd include: - measured_rootfs: yes - asset: cc-kernel + asset: kernel - measured_rootfs: yes asset: cc-rootfs-image steps: From 344921849c25cb98692afd962431880fb171a3e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 21 Jul 2023 10:33:46 +0200 Subject: [PATCH 10/14] kata-deploy-binaries: Temporarily disable using cached components MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We need to rebuild those with the appropriate path. Signed-off-by: Fabiano Fidêncio --- .../local-build/kata-deploy-binaries.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index c357b40276..8d00e9da5a 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -124,6 +124,12 @@ cleanup_and_fail() { } install_cached_tarball_component() { + case ${5} in + "kata-static-cc-rootfs-image.tar.xz" | "kata-static-cc-rootfs-initrd.tar.xz" | "kata-static-cc-se-image.tar.xz" | "kata-static-cc-tdx-rootfs-image.tar.xz" | "kata-static-cc-tdx-td-shim.tar.xz" | "kata-static-cc-sev-rootfs-initrd.tar.xz" ) + USE_CACHE="no" + ;; + esac + if [ "${USE_CACHE}" != "yes" ]; then return 1 fi 
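Review bot: The added `case` in install_cached_tarball_component assigns `USE_CACHE="no"` to the script-wide variable rather than a local, so once any of the listed rootfs/td-shim tarballs is requested, every later component in the same run also skips the cache, not only the ones named; the `cc` target in handle_build runs several installs in sequence, so this does happen, and the same pattern is in the install_cached_cc_shim_v2 hunk that follows. Keeping the override local fixes it: `local use_cache="${USE_CACHE}"` before the `case`, `use_cache="no"` inside it, and `if [ "${use_cache}" != "yes" ]; then` for the check. Since the commit message calls this temporary, a comment such as `# TODO: drop once the cached artifacts are rebuilt with the new prefix` above the `case` would record why the list exists. Matching on the bare positional `${5}` also hides what is being compared; a named local (`local final_tarball_name="${5}"`) used in the `case` would read better.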
@@ -163,6 +169,16 @@ install_cached_tarball_component() { # we have to rely and check some artefacts coming from the cc-rootfs-image and the # cc-tdx-rootfs-image jobs. install_cached_cc_shim_v2() { + case ${5} in + "kata-static-cc-shim-v2.tar.xz") + USE_CACHE="no" + ;; + esac + + if [ "${USE_CACHE}" != "yes" ]; then + return 1 + fi + local component="${1}" local jenkins_build_url="${2}" local current_version="${3}" From 0f022d5771f586e395c9df306443b1c55cacc30e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 21 Jul 2023 19:50:31 +0200 Subject: [PATCH 11/14] guest-image: Update kernel_module_dir to main sev kernel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As we're building SEV kernel from the main branch, we can stop relying on the path produced by the one from the CCv0 branch (which is now removed). Fixes: #7422 Signed-off-by: Fabiano Fidêncio --- tools/packaging/guest-image/build_image.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh index 7b2faa93c2..c98ec51c39 100755 --- a/tools/packaging/guest-image/build_image.sh +++ b/tools/packaging/guest-image/build_image.sh @@ -45,7 +45,7 @@ build_initrd() { config_version=$(get_config_version) kernel_version="$(get_from_kata_deps "assets.kernel.sev.version")" kernel_version=${kernel_version#v} - module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/cc-sev-kernel/builddir/kata-linux-${kernel_version}-${config_version}/lib/modules/${kernel_version}" + module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version}-${config_version}/lib/modules/${kernel_version}" sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}" KERNEL_MODULES_DIR="${module_dir}" else sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}" 
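Review bot: The new `module_dir` value in build_initrd hard-codes the kata-deploy local-build layout (`build/kernel-sev/builddir/kata-linux-<version>-<config>/lib/modules/<version>`) inside the guest-image script, which is exactly the coupling that broke when the CCv0 kernel target was removed (#7422 per the commit message). Letting the caller pass the directory, e.g. honouring an already-set `KERNEL_MODULES_DIR` and only computing this default when it is empty, would keep this script independent of the other tree's directory naming. As written a wrong path is only noticed when `make rootfs` tries to copy modules, so a `[ -d "${module_dir}" ] || die "kernel modules dir not found: ${module_dir}"` (or whatever error helper this script uses) before the `sudo -E ... make rootfs` call would fail early with a clear message. build_initrd continues outside the hunk.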
@@ -195,4 +195,4 @@ main() { popd } -main $* \ No newline at end of file +main $* From b8abd6bfeeba24f8c5d1a2d65e95896b1e1097c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 25 Jul 2023 00:17:25 +0200 Subject: [PATCH 12/14] kata-deploy-binaries: Adjust TDVF edk2 tarball name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We must use "edk2-staging-tdx" instead of "edk2-tdx". The reason for that is versions diverging between main and CCv0. Signed-off-by: Fabiano Fidêncio --- tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 8d00e9da5a..88f4364ec3 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -793,7 +793,7 @@ install_ovmf() { # Install TDVF install_tdvf() { - install_ovmf "tdx" "edk2-tdx.tar.gz" + install_ovmf "tdx" "edk2-staging-tdx.tar.gz" } # Install OVMF SEV From 7204b991e7ca2921e5d90a3c62d9301d97366efb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 21 Jul 2023 19:05:37 +0200 Subject: [PATCH 13/14] kata-deploy-binaries: kernel_cache: Take module_dir into account MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `module_dir` has been passed to the function but was never assigned to a var, leading to errors when trying to use it. Fixes: #7416 Signed-off-by: Fabiano Fidêncio (cherry picked from commit d4eba3698012efacd7cb78379e40d301028f517a) --- .../kata-deploy/local-build/kata-deploy-binaries.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
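Review bot: The re-added last line keeps `main $*`; unquoted `$*` re-splits the script's arguments on whitespace and expands globs, so any argument containing a space or a `*` (a path, for instance) reaches main() mangled. `main "$@"` forwards the arguments unchanged and is the form to use now that the line is being touched anyway.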
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 88f4364ec3..61014578d4 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -437,6 +437,7 @@ install_initrd_sev() { #Install kernel component helper install_cached_kernel_tarball_component() { local kernel_name=${1} + local module_dir=${2:-""} install_cached_tarball_component \ "${kernel_name}" \ @@ -461,8 +462,10 @@ install_cached_kernel_tarball_component() { "${workdir}/kata-static-kernel-sev-modules.tar.xz" \ || return 1 - mkdir -p "${module_dir}" - tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C "${module_dir}" && return 0 + if [[ -n "${module_dir}" ]]; then + mkdir -p "${module_dir}" + tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C "${module_dir}" && return 0 + fi return 1 } From 068e535b9d91ef53ff0224dc59120da78463a5c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 25 Jul 2023 00:39:52 +0200 Subject: [PATCH 14/14] runtime: tdx: Adjust QEMU TDX path MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We need to use qemu-system-x86_64-tdx-experimental instead of qemu-system-x86_64-tdx. Signed-off-by: Fabiano Fidêncio --- src/runtime/arch/amd64-options.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/runtime/arch/amd64-options.mk b/src/runtime/arch/amd64-options.mk index fd55b062c2..ec894241dc 100644 --- a/src/runtime/arch/amd64-options.mk +++ b/src/runtime/arch/amd64-options.mk @@ -11,7 +11,7 @@ MACHINEACCELERATORS := CPUFEATURES := pmu=off QEMUCMD := qemu-system-x86_64 -QEMUTDXCMD := qemu-system-x86_64-tdx +QEMUTDXCMD := qemu-system-x86_64-tdx-experimental TDXCPUFEATURES := -vmx-rdseed-exit,pmu=off QEMUSNPCMD := qemu-system-x86_64-snp-experimental
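Review bot: In install_cached_kernel_tarball_component the new `module_dir` guard sits after the kernel-modules tarball has already been fetched by the preceding install_cached_tarball_component call (the `"${workdir}/kata-static-kernel-sev-modules.tar.xz" \ || return 1` context), so when the caller passes no module dir the function downloads the modules and then returns 1 anyway, which presumably makes the caller rebuild the kernel from source even though the kernel tarball itself was a cache hit. If an empty `module_dir` means "no modules wanted", `[[ -z "${module_dir}" ]] && return 0` placed before the modules fetch avoids both the download and the spurious rebuild; if it means "cannot proceed", the check still belongs before the fetch, with an `info` line saying why. Either way a comment on `local module_dir=${2:-""}` stating what an empty value means would help; the part of the function between the two hunks is not visible here.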