Merge pull request #7402 from fidencio/topic/CCv0-converge-build-and-payload-scripts

CCv0 | Ensure kata-deploy scripts from CCv0 are as close to main as possible
Fabiano Fidêncio
2023-07-25 08:45:16 +02:00
committed by GitHub
14 changed files with 93 additions and 833 deletions


@@ -14,22 +14,22 @@ jobs:
measured_rootfs: measured_rootfs:
- no - no
asset: asset:
- cc-cloud-hypervisor - cloud-hypervisor
- cc-qemu - qemu
- cc-virtiofsd - virtiofsd
- cc-sev-kernel - kernel-sev
- cc-sev-ovmf - ovmf-sev
- cc-x86_64-ovmf - ovmf
- cc-snp-qemu - qemu-snp-experimental
- qemu-tdx-exprimental
- cc-sev-rootfs-initrd - cc-sev-rootfs-initrd
- cc-tdx-qemu
- cc-tdx-td-shim - cc-tdx-td-shim
- cc-tdx-tdvf - tdvf
include: include:
- measured_rootfs: yes - measured_rootfs: yes
asset: cc-kernel asset: kernel
- measured_rootfs: yes - measured_rootfs: yes
asset: cc-tdx-kernel asset: kernel-tdx-experimental
- measured_rootfs: yes - measured_rootfs: yes
asset: cc-rootfs-image asset: cc-rootfs-image
- measured_rootfs: yes - measured_rootfs: yes
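Review bot: The asset `qemu-tdx-exprimental` on the new side of this matrix (the entry added right after `qemu-snp-experimental`) is misspelled; the other workflow in this commit, the Makefile (`qemu-tdx-experimental-tarball`) and the build script (`install_qemu_tdx_experimental`) all spell it `qemu-tdx-experimental`, so this matrix entry will presumably match no build target and the job for it will fail. Change the line to `- qemu-tdx-experimental`. This matrix also omits `kernel-snp-experimental`, which the third workflow's matrix in this same commit adds; if that asset is deliberately built only there, a one-line comment above the `asset:` list saying which workflow owns which experimental assets would spare the next reader the comparison.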


@@ -14,13 +14,13 @@ jobs:
measured_rootfs: measured_rootfs:
- no - no
asset: asset:
- cc-qemu - qemu
- cc-rootfs-initrd - cc-rootfs-initrd
- cc-se-image - cc-se-image
- cc-virtiofsd - virtiofsd
include: include:
- measured_rootfs: yes - measured_rootfs: yes
asset: cc-kernel asset: kernel
- measured_rootfs: yes - measured_rootfs: yes
asset: cc-rootfs-image asset: cc-rootfs-image
steps: steps:


@@ -14,22 +14,23 @@ jobs:
measured_rootfs: measured_rootfs:
- no - no
asset: asset:
- cc-cloud-hypervisor - cloud-hypervisor
- cc-qemu - qemu
- cc-virtiofsd - virtiofsd
- cc-sev-kernel - kernel-sev
- cc-sev-ovmf - kernel-snp-experimental
- cc-x86_64-ovmf - ovmf-sev
- cc-snp-qemu - ovmf
- qemu-snp-experimental
- qemu-tdx-experimental
- cc-sev-rootfs-initrd - cc-sev-rootfs-initrd
- cc-tdx-qemu
- cc-tdx-td-shim - cc-tdx-td-shim
- cc-tdx-tdvf - tdvf
include: include:
- measured_rootfs: yes - measured_rootfs: yes
asset: cc-kernel asset: kernel
- measured_rootfs: yes - measured_rootfs: yes
asset: cc-tdx-kernel asset: kernel-tdx-experimental
- measured_rootfs: yes - measured_rootfs: yes
asset: cc-rootfs-image asset: cc-rootfs-image
- measured_rootfs: yes - measured_rootfs: yes


@@ -14,11 +14,11 @@ jobs:
measured_rootfs: measured_rootfs:
- no - no
asset: asset:
- cc-qemu - qemu
- cc-virtiofsd - virtiofsd
include: include:
- measured_rootfs: yes - measured_rootfs: yes
asset: cc-kernel asset: kernel
- measured_rootfs: yes - measured_rootfs: yes
asset: cc-rootfs-image asset: cc-rootfs-image
steps: steps:


@@ -11,7 +11,7 @@ MACHINEACCELERATORS :=
CPUFEATURES := pmu=off CPUFEATURES := pmu=off
QEMUCMD := qemu-system-x86_64 QEMUCMD := qemu-system-x86_64
QEMUTDXCMD := qemu-system-x86_64-tdx QEMUTDXCMD := qemu-system-x86_64-tdx-experimental
TDXCPUFEATURES := -vmx-rdseed-exit,pmu=off TDXCPUFEATURES := -vmx-rdseed-exit,pmu=off
QEMUSNPCMD := qemu-system-x86_64-snp-experimental QEMUSNPCMD := qemu-system-x86_64-snp-experimental


@@ -45,7 +45,7 @@ build_initrd() {
config_version=$(get_config_version) config_version=$(get_config_version)
kernel_version="$(get_from_kata_deps "assets.kernel.sev.version")" kernel_version="$(get_from_kata_deps "assets.kernel.sev.version")"
kernel_version=${kernel_version#v} kernel_version=${kernel_version#v}
module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/cc-sev-kernel/builddir/kata-linux-${kernel_version}-${config_version}/lib/modules/${kernel_version}" module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version}-${config_version}/lib/modules/${kernel_version}"
sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}" KERNEL_MODULES_DIR="${module_dir}" sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}" KERNEL_MODULES_DIR="${module_dir}"
else else
sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}" sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}"
@@ -195,4 +195,4 @@ main() {
popd popd
} }
main $* main $*


@@ -1,30 +0,0 @@
# Copyright Intel Corporation, 2022 IBM Corp.
#
# SPDX-License-Identifier: Apache-2.0
# Specify alternative base image, e.g. clefos for s390x
ARG BASE_IMAGE_NAME=ubuntu
ARG BASE_IMAGE_TAG=20.04
FROM $BASE_IMAGE_NAME:$BASE_IMAGE_TAG
ENV DEBIAN_FRONTEND=noninteractive
ARG KATA_ARTIFACTS=./kata-static.tar.xz
ARG DESTINATION=/opt/kata-artifacts
COPY ${KATA_ARTIFACTS} ${WORKDIR}
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN \
apt-get update && \
apt-get install -y --no-install-recommends apt-transport-https ca-certificates curl xz-utils systemd && \
mkdir -p /etc/apt/keyrings/ && \
curl -fsSLo /etc/apt/keyrings/kubernetes-archive-keyring.gpg https://dl.k8s.io/apt/doc/apt-key.gpg && \
echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list && \
apt-get update && \
apt-get install -y --no-install-recommends kubectl && \
apt-get clean && rm -rf /var/lib/apt/lists/ && \
mkdir -p ${DESTINATION} && \
tar xvf ${WORKDIR}/${KATA_ARTIFACTS} -C ${DESTINATION} && \
rm -f ${WORKDIR}/${KATA_ARTIFACTS}
COPY scripts ${DESTINATION}/scripts


@@ -1,384 +0,0 @@
#!/usr/bin/env bash
# Copyright (c) 2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o pipefail
set -o nounset
crio_drop_in_conf_dir="/etc/crio/crio.conf.d/"
crio_drop_in_conf_file="${crio_drop_in_conf_dir}/99-kata-deploy"
containerd_conf_file="/etc/containerd/config.toml"
containerd_conf_file_backup="${containerd_conf_file}.bak"
shims=(
"remote"
"qemu"
"qemu-tdx"
"qemu-sev"
"qemu-se"
"qemu-snp"
"clh"
"clh-tdx"
)
default_shim="qemu"
# If we fail for any reason a message will be displayed
die() {
msg="$*"
echo "ERROR: $msg" >&2
exit 1
}
function print_usage() {
echo "Usage: $0 [install/cleanup/reset]"
}
function get_container_runtime() {
local runtime=$(kubectl get node $NODE_NAME -o jsonpath='{.status.nodeInfo.containerRuntimeVersion}')
if [ "$?" -ne 0 ]; then
die "invalid node name"
fi
if echo "$runtime" | grep -qE 'containerd.*-k3s'; then
if systemctl is-active --quiet rke2-agent; then
echo "rke2-agent"
elif systemctl is-active --quiet rke2-server; then
echo "rke2-server"
elif systemctl is-active --quiet k3s-agent; then
echo "k3s-agent"
else
echo "k3s"
fi
else
echo "$runtime" | awk -F '[:]' '{print $1}'
fi
}
function install_artifacts() {
echo "copying kata artifacts onto host"
cp -a /opt/kata-artifacts/opt/confidential-containers/* /opt/confidential-containers/
chmod +x /opt/confidential-containers/bin/*
}
function wait_till_node_is_ready() {
local ready="False"
while ! [[ "${ready}" == "True" ]]; do
sleep 2s
ready=$(kubectl get node $NODE_NAME -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
done
}
function configure_cri_runtime() {
configure_different_shims_base
case $1 in
crio)
configure_crio
;;
containerd | k3s | k3s-agent | rke2-agent | rke2-server)
configure_containerd
;;
esac
systemctl daemon-reload
systemctl restart "$1"
wait_till_node_is_ready
}
function backup_shim() {
local shim_file="$1"
local shim_backup="${shim_file}.bak"
if [ -f "${shim_file}" ]; then
echo "warning: ${shim_file} already exists" >&2
if [ ! -f "${shim_backup}" ]; then
mv "${shim_file}" "${shim_backup}"
else
rm "${shim_file}"
fi
fi
}
function configure_different_shims_base() {
# Currently containerd has an assumption on the location of the shimv2 implementation
# This forces kata-deploy to create files in a well-defined location that's part of
# the PATH, pointing to the containerd-shim-kata-v2 binary in /opt/confidential-contaienrs/bin
# Issues:
# https://github.com/containerd/containerd/issues/3073
# https://github.com/containerd/containerd/issues/5006
local default_shim_file="/usr/local/bin/containerd-shim-kata-v2"
mkdir -p /usr/local/bin
for shim in "${shims[@]}"; do
local shim_binary="containerd-shim-kata-${shim}-v2"
local shim_file="/usr/local/bin/${shim_binary}"
backup_shim "${shim_file}"
ln -sf /opt/confidential-containers/bin/containerd-shim-kata-v2 "${shim_file}"
chmod +x "$shim_file"
if [ "${shim}" == "${default_shim}" ]; then
backup_shim "${default_shim_file}"
echo "Creating the default shim-v2 binary"
ln -sf "${shim_file}" "${default_shim_file}"
fi
done
}
function restore_shim() {
local shim_file="$1"
local shim_backup="${shim_file}.bak"
if [ -f "${shim_backup}" ]; then
mv "$shim_backup" "$shim_file"
fi
}
function cleanup_different_shims_base() {
local default_shim_file="/usr/local/bin/containerd-shim-kata-v2"
for shim in "${shims[@]}"; do
local shim_binary="containerd-shim-kata-${shim}-v2"
local shim_file="/usr/local/bin/${shim_binary}"
rm "${shim_file}" || true
restore_shim "${shim_file}"
done
rm "${default_shim_file}" || true
restore_shim "${default_shim_file}"
}
function configure_crio_runtime() {
local runtime="kata"
local configuration="configuration"
if [ -n "${1-}" ]; then
runtime+="-$1"
configuration+="-$1"
fi
local kata_path="/usr/local/bin/containerd-shim-${runtime}-v2"
local kata_conf="crio.runtime.runtimes.${runtime}"
local kata_config_path="/opt/confidential-containers/share/defaults/kata-containers/$configuration.toml"
cat <<EOF | tee -a "$crio_drop_in_conf_file"
[$kata_conf]
runtime_path = "${kata_path}"
runtime_type = "vm"
runtime_root = "/run/vc"
runtime_config_path = "${kata_config_path}"
privileged_without_host_devices = true
EOF
}
function configure_crio() {
# Configure crio to use Kata:
echo "Add Kata Containers as a supported runtime for CRIO:"
# As we don't touch the original configuration file in any way,
# let's just ensure we remove any exist configuration from a
# previous deployment.
mkdir -p "$crio_drop_in_conf_dir"
rm -f "$crio_drop_in_conf_file"
touch "$crio_drop_in_conf_file"
configure_crio_runtime
for shim in "${shims[@]}"; do
configure_crio_runtime $shim
done
}
function configure_containerd_runtime() {
local runtime="kata"
local configuration="configuration"
if [ -n "${1-}" ]; then
runtime+="-$1"
configuration+="-$1"
fi
local pluginid=cri
if grep -q "version = 2\>" $containerd_conf_file; then
pluginid=\"io.containerd.grpc.v1.cri\"
fi
local runtime_table="plugins.${pluginid}.containerd.runtimes.$runtime"
local runtime_type="io.containerd.$runtime.v2"
local cri_handler_value="cc"
if [ "$runtime" == "kata-remote" ]; then
cri_handler_value=""
fi
local options_table="$runtime_table.options"
local config_path="/opt/confidential-containers/share/defaults/kata-containers/$configuration.toml"
if grep -q "\[$runtime_table\]" $containerd_conf_file; then
echo "Configuration exists for $runtime_table, overwriting"
sed -i "/\[$runtime_table\]/,+1s#runtime_type.*#runtime_type = \"${runtime_type}\"#" $containerd_conf_file
else
cat <<EOF | tee -a "$containerd_conf_file"
[$runtime_table]
cri_handler = "${cri_handler_value}"
runtime_type = "${runtime_type}"
privileged_without_host_devices = true
pod_annotations = ["io.katacontainers.*"]
EOF
fi
if grep -q "\[$options_table\]" $containerd_conf_file; then
echo "Configuration exists for $options_table, overwriting"
sed -i "/\[$options_table\]/,+1s#ConfigPath.*#ConfigPath = \"${config_path}\"#" $containerd_conf_file
else
cat <<EOF | tee -a "$containerd_conf_file"
[$options_table]
ConfigPath = "${config_path}"
EOF
fi
}
function configure_containerd() {
# Configure containerd to use Kata:
echo "Add Kata Containers as a supported runtime for containerd"
mkdir -p /etc/containerd/
if [ -f "$containerd_conf_file" ]; then
# backup the config.toml only if a backup doesn't already exist (don't override original)
cp -n "$containerd_conf_file" "$containerd_conf_file_backup"
fi
# Add default Kata runtime configuration
configure_containerd_runtime
for shim in "${shims[@]}"; do
configure_containerd_runtime $shim
done
}
function remove_artifacts() {
echo "deleting kata artifacts"
rm -rf \
/opt/confidential-containers/libexec/ \
/opt/confidential-containers/share/ \
/opt/confidential-containers/bin/kata-monitor \
/opt/confidential-containers/bin/containerd-shim-kata-v2 \
/opt/confidential-containers/bin/kata-runtime \
/opt/confidential-containers/bin/kata-collect-data.sh \
/opt/confidential-containers/bin/qemu-system-x86_64 \
/opt/confidential-containers/bin/qemu-system-x86_64-snp-experimental \
/opt/confidential-containers/bin/qemu-system-x86_64-tdx \
/opt/confidential-containers/bin/qemu-system-s390x \
/opt/confidential-containers/bin/cloud-hypervisor \
/opt/confidential-containers/runtime-rs
# Try to remove the /opt/confidential-containers directory.
# If it's not empty, don't bother force removing it, as the
# pre-install script also drops files here.
rmdir --ignore-fail-on-non-empty -p /opt/confidential-containers/bin
}
function cleanup_cri_runtime() {
cleanup_different_shims_base
case $1 in
crio)
cleanup_crio
;;
containerd | k3s | k3s-agent | rke2-agent | rke2-server)
cleanup_containerd
;;
esac
}
function cleanup_crio() {
rm $crio_drop_in_conf_file
}
function cleanup_containerd() {
rm -f $containerd_conf_file
if [ -f "$containerd_conf_file_backup" ]; then
mv "$containerd_conf_file_backup" "$containerd_conf_file"
fi
}
function reset_runtime() {
kubectl label node "$NODE_NAME" katacontainers.io/kata-runtime-
systemctl daemon-reload
systemctl restart "$1"
if [ "$1" == "crio" ] || [ "$1" == "containerd" ]; then
systemctl restart kubelet
fi
wait_till_node_is_ready
}
function main() {
# script requires that user is root
euid=$(id -u)
if [[ $euid -ne 0 ]]; then
die "This script must be run as root"
fi
runtime=$(get_container_runtime)
# CRI-O isn't consistent with the naming -- let's use crio to match the service file
if [ "$runtime" == "cri-o" ]; then
runtime="crio"
elif [ "$runtime" == "k3s" ] || [ "$runtime" == "k3s-agent" ] || [ "$runtime" == "rke2-agent" ] || [ "$runtime" == "rke2-server" ]; then
containerd_conf_tmpl_file="${containerd_conf_file}.tmpl"
if [ ! -f "$containerd_conf_tmpl_file" ]; then
cp "$containerd_conf_file" "$containerd_conf_tmpl_file"
fi
containerd_conf_file="${containerd_conf_tmpl_file}"
containerd_conf_file_backup="${containerd_conf_file}.bak"
else
# runtime == containerd
if [ ! -f "$containerd_conf_file" ] && [ -d $(dirname "$containerd_conf_file") ] && \
[ -x $(command -v containerd) ]; then
containerd config default > "$containerd_conf_file"
fi
fi
action=${1:-}
if [ -z "$action" ]; then
print_usage
die "invalid arguments"
fi
# only install / remove / update if we are dealing with CRIO or containerd
if [[ "$runtime" =~ ^(crio|containerd|k3s|k3s-agent|rke2-agent|rke2-server)$ ]]; then
case "$action" in
install)
install_artifacts
configure_cri_runtime "$runtime"
kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=true
;;
cleanup)
cleanup_cri_runtime "$runtime"
kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=cleanup
remove_artifacts
;;
reset)
reset_runtime $runtime
;;
*)
echo invalid arguments
print_usage
;;
esac
fi
#It is assumed this script will be called as a daemonset. As a result, do
# not return, otherwise the daemon will restart and rexecute the script
sleep infinity
}
main "$@"


@@ -11,15 +11,15 @@ V := 1
ARCH := $(shell uname -m) ARCH := $(shell uname -m)
ifeq ($(ARCH), x86_64) ifeq ($(ARCH), x86_64)
EXTRA_TARBALL=cc-cloud-hypervisor-tarball \ EXTRA_TARBALL=\
cc-tdx-kernel-tarball \ kernel-tdx-experimental-tarball \
cc-tdx-qemu-tarball \ tdvf-tarball \
ovmf-sev-tarball \
ovmf-tarball \
qemu-snp-experimental-tarball \
qemu-tdx-experimental-tarball \
cc-tdx-td-shim-tarball \ cc-tdx-td-shim-tarball \
cc-tdx-tdvf-tarball \
cc-sev-ovmf-tarball \
cc-x86_64-ovmf-tarball \
cc-sev-rootfs-initrd-tarball \ cc-sev-rootfs-initrd-tarball \
cc-snp-qemu-tarball \
cc-tdx-rootfs-image-tarball cc-tdx-rootfs-image-tarball
endif endif
@@ -155,63 +155,30 @@ cc-tarball: | cc merge-builds
cc-parallel: $(MK_DIR)/dockerbuild/install_yq.sh cc-parallel: $(MK_DIR)/dockerbuild/install_yq.sh
${MAKE} -f $(MK_PATH) cc -j$$(( $$(nproc) - 1 )) V= ${MAKE} -f $(MK_PATH) cc -j$$(( $$(nproc) - 1 )) V=
cc: cc-kernel-tarball \ cc: kernel-tarball \
cc-qemu-tarball \ qemu-tarball \
virtiofsd-tarball \
cc-rootfs-image-tarball \ cc-rootfs-image-tarball \
cc-virtiofsd-tarball \
cc-shim-v2-tarball \ cc-shim-v2-tarball \
${EXTRA_TARBALL} ${EXTRA_TARBALL}
cc-cloud-hypervisor-tarball:
${MAKE} $@-build
cc-kernel-tarball:
${MAKE} $@-build
cc-qemu-tarball:
${MAKE} $@-build
cc-snp-qemu-tarball:
${MAKE} $@-build
cc-rootfs-image-tarball: cc-rootfs-image-tarball:
${MAKE} $@-build ${MAKE} $@-build
cc-rootfs-initrd-tarball: cc-rootfs-initrd-tarball:
${MAKE} $@-build ${MAKE} $@-build
cc-sev-rootfs-initrd-tarball: cc-sev-kernel-tarball cc-sev-rootfs-initrd-tarball: kernel-sev-tarball
${MAKE} $@-build ${MAKE} $@-build
cc-se-image-tarball: cc-kernel-tarball cc-rootfs-initrd-tarball cc-se-image-tarball: kernel-tarball cc-rootfs-initrd-tarball
${MAKE} $@-build ${MAKE} $@-build
cc-tdx-rootfs-image-tarball: cc-tdx-rootfs-image-tarball:
${MAKE} $@-build ${MAKE} $@-build
cc-shim-v2-tarball:
${MAKE} $@-build
cc-virtiofsd-tarball:
${MAKE} $@-build
cc-tdx-kernel-tarball:
${MAKE} $@-build
cc-sev-kernel-tarball:
${MAKE} $@-build
cc-tdx-qemu-tarball:
${MAKE} $@-build
cc-tdx-td-shim-tarball: cc-tdx-td-shim-tarball:
${MAKE} $@-build ${MAKE} $@-build
cc-tdx-tdvf-tarball: cc-shim-v2-tarball:
${MAKE} $@-build
cc-sev-ovmf-tarball:
${MAKE} $@-build
cc-x86_64-ovmf-tarball:
${MAKE} $@-build ${MAKE} $@-build
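Review bot: The rewritten x86_64 `EXTRA_TARBALL` list in the first hunk (`EXTRA_TARBALL=\`) drops `cc-cloud-hypervisor-tarball` without adding a `cloud-hypervisor-tarball` replacement, so `make cc` on x86_64 no longer builds cloud-hypervisor even though the workflow matrices in this same commit still list a `cloud-hypervisor` asset; `kernel-snp-experimental`, which one of those matrices builds, is absent from the list as well. If `cc` is meant to be the complete set of CC artifacts, add `cloud-hypervisor-tarball \` and `kernel-snp-experimental-tarball \` to the list (assuming the main Makefile defines those targets like the other renamed ones, which is not visible here). If the aggregate target is intentionally narrower than the CI matrices, a comment above `EXTRA_TARBALL` stating that the workflow matrices are the authoritative asset list would keep the next reader from "fixing" it.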


@@ -29,7 +29,6 @@ readonly kernel_builder="${static_build_dir}/kernel/build.sh"
readonly ovmf_builder="${static_build_dir}/ovmf/build.sh" readonly ovmf_builder="${static_build_dir}/ovmf/build.sh"
readonly qemu_builder="${static_build_dir}/qemu/build-static-qemu.sh" readonly qemu_builder="${static_build_dir}/qemu/build-static-qemu.sh"
readonly qemu_experimental_builder="${static_build_dir}/qemu/build-static-qemu-experimental.sh" readonly qemu_experimental_builder="${static_build_dir}/qemu/build-static-qemu-experimental.sh"
readonly qemu_experimental_cc_builder="${static_build_dir}/qemu/build-static-qemu-experimental-cc.sh"
readonly shimv2_builder="${static_build_dir}/shim-v2/build.sh" readonly shimv2_builder="${static_build_dir}/shim-v2/build.sh"
readonly td_shim_builder="${static_build_dir}/td-shim/build.sh" readonly td_shim_builder="${static_build_dir}/td-shim/build.sh"
readonly virtiofsd_builder="${static_build_dir}/virtiofsd/build.sh" readonly virtiofsd_builder="${static_build_dir}/virtiofsd/build.sh"
@@ -38,9 +37,6 @@ readonly nydus_builder="${static_build_dir}/nydus/build.sh"
readonly rootfs_builder="${repo_root_dir}/tools/packaging/guest-image/build_image.sh" readonly rootfs_builder="${repo_root_dir}/tools/packaging/guest-image/build_image.sh"
readonly se_image_builder="${repo_root_dir}/tools/packaging/guest-image/build_se_image.sh" readonly se_image_builder="${repo_root_dir}/tools/packaging/guest-image/build_se_image.sh"
readonly cc_prefix="/opt/confidential-containers"
readonly qemu_cc_builder="${static_build_dir}/qemu/build-static-qemu-cc.sh"
source "${script_dir}/../../scripts/lib.sh" source "${script_dir}/../../scripts/lib.sh"
readonly jenkins_url="http://jenkins.katacontainers.io" readonly jenkins_url="http://jenkins.katacontainers.io"
@@ -112,21 +108,11 @@ options:
tdvf tdvf
virtiofsd virtiofsd
cc cc
cc-cloud-hypervisor
cc-kernel
cc-tdx-kernel
cc-sev-kernel
cc-qemu
cc-snp-qemu
cc-tdx-qemu
cc-rootfs-image cc-rootfs-image
cc-rootfs-initrd cc-rootfs-initrd
cc-sev-rootfs-initrd cc-sev-rootfs-initrd
cc-se-image cc-se-image
cc-shimv2 cc-shimv2
cc-virtiofsd
cc-sev-ovmf
cc-x86_64-ovmf
EOF EOF
exit "${return_code}" exit "${return_code}"
@@ -138,6 +124,12 @@ cleanup_and_fail() {
} }
install_cached_tarball_component() { install_cached_tarball_component() {
case ${5} in
"kata-static-cc-rootfs-image.tar.xz" | "kata-static-cc-rootfs-initrd.tar.xz" | "kata-static-cc-se-image.tar.xz" | "kata-static-cc-tdx-rootfs-image.tar.xz" | "kata-static-cc-tdx-td-shim.tar.xz" | "kata-static-cc-sev-rootfs-initrd.tar.xz" )
USE_CACHE="no"
;;
esac
if [ "${USE_CACHE}" != "yes" ]; then if [ "${USE_CACHE}" != "yes" ]; then
return 1 return 1
fi fi
@@ -177,6 +169,16 @@ install_cached_tarball_component() {
# we have to rely and check some artefacts coming from the cc-rootfs-image and the # we have to rely and check some artefacts coming from the cc-rootfs-image and the
# cc-tdx-rootfs-image jobs. # cc-tdx-rootfs-image jobs.
install_cached_cc_shim_v2() { install_cached_cc_shim_v2() {
case ${5} in
"kata-static-cc-shim-v2.tar.xz")
USE_CACHE="no"
;;
esac
if [ "${USE_CACHE}" != "yes" ]; then
return 1
fi
local component="${1}" local component="${1}"
local jenkins_build_url="${2}" local jenkins_build_url="${2}"
local current_version="${3}" local current_version="${3}"
@@ -231,28 +233,6 @@ install_cached_cc_shim_v2() {
"$(basename ${root_hash_tdx})" "$(basename ${root_hash_tdx})"
} }
# Install static CC cloud-hypervisor asset
install_cc_clh() {
install_cached_tarball_component \
"cloud-hypervisor" \
"${jenkins_url}/job/kata-containers-2.0-clh-cc-$(uname -m)/${cached_artifacts_path}" \
"$(get_from_kata_deps "assets.hypervisor.cloud_hypervisor.version")" \
"" \
"${final_tarball_name}" \
"${final_tarball_path}" \
&& return 0
if [[ "${ARCH}" == "x86_64" ]]; then
export features="tdx"
fi
info "build static CC cloud-hypervisor"
"${clh_builder}"
info "Install static CC cloud-hypervisor"
mkdir -p "${destdir}/${cc_prefix}/bin/"
sudo install -D --owner root --group root --mode 0744 cloud-hypervisor/cloud-hypervisor "${destdir}/${cc_prefix}/bin/cloud-hypervisor"
}
#Install cc capable guest image #Install cc capable guest image
install_cc_image() { install_cc_image() {
export AA_KBC="${1:-offline_fs_kbc}" export AA_KBC="${1:-offline_fs_kbc}"
@@ -307,7 +287,7 @@ install_cc_image() {
info "Create CC image configured with AA_KBC=${AA_KBC}" info "Create CC image configured with AA_KBC=${AA_KBC}"
"${rootfs_builder}" \ "${rootfs_builder}" \
--imagetype="${image_type}" \ --imagetype="${image_type}" \
--prefix="${cc_prefix}" \ --prefix="${prefix}" \
--destdir="${destdir}" \ --destdir="${destdir}" \
--image_initrd_suffix="${image_initrd_suffix}" \ --image_initrd_suffix="${image_initrd_suffix}" \
--root_hash_suffix="${root_hash_suffix}" --root_hash_suffix="${root_hash_suffix}"
@@ -332,48 +312,6 @@ install_cc_tdx_image() {
install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}" "${root_hash_suffix}" "tdx" install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}" "${root_hash_suffix}" "tdx"
} }
#Install CC kernel asset
install_cc_kernel() {
export KATA_BUILD_CC=yes
export kernel_version="$(yq r $versions_yaml assets.kernel.version)"
local kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
install_cached_tarball_component \
"kernel" \
"${jenkins_url}/job/kata-containers-2.0-kernel-cc-$(uname -m)/${cached_artifacts_path}" \
"${kernel_version}-${kernel_kata_config_version}" \
"$(get_kernel_image_name)" \
"${final_tarball_name}" \
"${final_tarball_path}" \
&& return 0
if [ "${MEASURED_ROOTFS}" == "yes" ]; then
info "build initramfs for cc kernel"
"${initramfs_builder}"
fi
DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -f -v "${kernel_version}"
}
# Install static CC qemu asset
install_cc_qemu() {
info "build static CC qemu"
export qemu_repo="$(yq r $versions_yaml assets.hypervisor.qemu.url)"
export qemu_version="$(yq r $versions_yaml assets.hypervisor.qemu.version)"
install_cached_tarball_component \
"QEMU" \
"${jenkins_url}/job/kata-containers-2.0-qemu-cc-$(uname -m)/${cached_artifacts_path}" \
"${qemu_version}-$(calc_qemu_files_sha256sum)" \
"$(get_qemu_image_name)" \
"${final_tarball_name}" \
"${final_tarball_path}" \
&& return 0
"${qemu_cc_builder}"
tar xvf "${builddir}/kata-static-qemu-cc.tar.gz" -C "${destdir}"
}
#Install all components that are not assets #Install all components that are not assets
install_cc_shimv2() { install_cc_shimv2() {
local shim_v2_last_commit="$(get_last_modification "${repo_root_dir}/src/runtime")" local shim_v2_last_commit="$(get_last_modification "${repo_root_dir}/src/runtime")"
@@ -413,119 +351,7 @@ install_cc_shimv2() {
fi fi
fi fi
info "extra_opts: ${extra_opts}" info "extra_opts: ${extra_opts}"
DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}" DESTDIR="${destdir}" PREFIX="${prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
}
# Install static CC virtiofsd asset
install_cc_virtiofsd() {
local virtiofsd_version="$(get_from_kata_deps "externals.virtiofsd.version")-$(get_from_kata_deps "externals.virtiofsd.toolchain")"
install_cached_tarball_component \
"virtiofsd" \
"${jenkins_url}/job/kata-containers-2.0-virtiofsd-cc-$(uname -m)/${cached_artifacts_path}" \
"${virtiofsd_version}" \
"$(get_virtiofsd_image_name)" \
"${final_tarball_name}" \
"${final_tarball_path}" \
&& return 0
info "build static CC virtiofsd"
"${virtiofsd_builder}"
info "Install static CC virtiofsd"
mkdir -p "${destdir}/${cc_prefix}/libexec/"
sudo install -D --owner root --group root --mode 0744 virtiofsd/virtiofsd "${destdir}/${cc_prefix}/libexec/virtiofsd"
}
# Install cached kernel compoenent
install_cached_kernel_component() {
tee="${1}"
kernel_version="${2}"
module_dir="${3:-}"
local kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
install_cached_tarball_component \
"kernel" \
"${jenkins_url}/job/kata-containers-2.0-kernel-${tee}-cc-$(uname -m)/${cached_artifacts_path}" \
"${kernel_version}-${kernel_kata_config_version}" \
"$(get_kernel_image_name)" \
"${final_tarball_name}" \
"${final_tarball_path}" \
|| return 1
[ "${tee}" == "tdx" ] && return 0
# SEV specific code path
install_cached_tarball_component \
"kernel-modules" \
"${jenkins_url}/job/kata-containers-2.0-kernel-sev-cc-$(uname -m)/${cached_artifacts_path}" \
"${kernel_version}" \
"$(get_kernel_image_name)" \
"kata-static-cc-sev-kernel-modules.tar.xz" \
"${workdir}/kata-static-cc-sev-kernel-modules.tar.xz" \
|| return 1
mkdir -p "${module_dir}"
tar xvf "${workdir}/kata-static-cc-sev-kernel-modules.tar.xz" -C "${module_dir}" && return 0
return 1
}
#Install CC kernel assert, with TEE support
install_cc_tee_kernel() {
export KATA_BUILD_CC=yes
tee="${1}"
kernel_version="${2}"
module_dir="${3:-}"
[[ "${tee}" != "tdx" && "${tee}" != "sev" ]] && die "Non supported TEE"
export kernel_version=${kernel_version}
install_cached_kernel_component "${tee}" "${kernel_version}" "${module_dir}" && return 0
info "build initramfs for TEE kernel"
"${initramfs_builder}"
kernel_url="$(yq r $versions_yaml assets.kernel.${tee}.url)"
DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${kernel_builder}" -x "${tee}" -v "${kernel_version}" -u "${kernel_url}"
}
#Install CC kernel assert for Intel TDX
install_cc_tdx_kernel() {
kernel_version="$(yq r $versions_yaml assets.kernel.tdx.tag)"
install_cc_tee_kernel "tdx" "${kernel_version}"
}
install_cc_sev_kernel() {
kernel_version="$(yq r $versions_yaml assets.kernel.sev.version)"
default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/cc-sev-kernel/builddir/kata-linux-${kernel_version#v}-$(get_config_version)/lib/modules/${kernel_version#v}"
install_cc_tee_kernel "sev" "${kernel_version}" "${module_dir}"
}
install_cc_tee_qemu() {
tee="${1}"
[ "${tee}" != "tdx" ] && die "Non supported TEE"
export qemu_repo="$(yq r $versions_yaml assets.hypervisor.qemu.${tee}.url)"
export qemu_version="$(yq r $versions_yaml assets.hypervisor.qemu.${tee}.tag)"
export tee="${tee}"
install_cached_tarball_component \
"QEMU ${tee}" \
"${jenkins_url}/job/kata-containers-2.0-qemu-${tee}-cc-$(uname -m)/${cached_artifacts_path}" \
"${qemu_version}-$(calc_qemu_files_sha256sum)" \
"$(get_qemu_image_name)" \
"${final_tarball_name}" \
"${final_tarball_path}" \
&& return 0
"${qemu_cc_builder}"
tar xvf "${builddir}/kata-static-${tee}-qemu-cc.tar.gz" -C "${destdir}"
}
install_cc_tdx_qemu() {
install_cc_tee_qemu "tdx"
} }
install_cc_tdx_td_shim() { install_cc_tdx_td_shim() {
@@ -538,42 +364,10 @@ install_cc_tdx_td_shim() {
"${final_tarball_path}" \ "${final_tarball_path}" \
&& return 0 && return 0
DESTDIR="${destdir}" PREFIX="${cc_prefix}" "${td_shim_builder}" DESTDIR="${destdir}" PREFIX="${prefix}" "${td_shim_builder}"
tar xvf "${builddir}/td-shim.tar.gz" -C "${destdir}" tar xvf "${builddir}/td-shim.tar.gz" -C "${destdir}"
} }
install_cc_tee_ovmf() {
tee="${1}"
tarball_name="${2}"
local component_name="ovmf"
local component_version="$(get_from_kata_deps "externals.ovmf.${tee}.version")"
[ "${tee}" == "tdx" ] && component_name="tdvf"
install_cached_tarball_component \
"${component_name}" \
"${jenkins_url}/job/kata-containers-2.0-${component_name}-cc-$(uname -m)/${cached_artifacts_path}" \
"${component_version}" \
"$(get_ovmf_image_name)" \
"${final_tarball_name}" \
"${final_tarball_path}" \
&& return 0
DESTDIR="${destdir}" PREFIX="${cc_prefix}" ovmf_build="${tee}" "${ovmf_builder}"
tar xvf "${builddir}/${tarball_name}" -C "${destdir}"
}
install_cc_tdx_tdvf() {
install_cc_tee_ovmf "tdx" "edk2-staging-tdx.tar.gz"
}
install_cc_sev_ovmf(){
install_cc_tee_ovmf "sev" "edk2-sev.tar.gz"
}
install_cc_x86_64_ovmf(){
install_cc_tee_ovmf "x86_64" "edk2-x86_64.tar.gz"
}
#Install guest image #Install guest image
install_image() { install_image() {
local image_type="${1:-"image"}" local image_type="${1:-"image"}"
@@ -643,6 +437,7 @@ install_initrd_sev() {
#Install kernel component helper #Install kernel component helper
install_cached_kernel_tarball_component() { install_cached_kernel_tarball_component() {
local kernel_name=${1} local kernel_name=${1}
local module_dir=${2:-""}
install_cached_tarball_component \ install_cached_tarball_component \
"${kernel_name}" \ "${kernel_name}" \
@@ -667,8 +462,10 @@ install_cached_kernel_tarball_component() {
"${workdir}/kata-static-kernel-sev-modules.tar.xz" \ "${workdir}/kata-static-kernel-sev-modules.tar.xz" \
|| return 1 || return 1
mkdir -p "${module_dir}" if [[ -n "${module_dir}" ]]; then
tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C "${module_dir}" && return 0 mkdir -p "${module_dir}"
tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C "${module_dir}" && return 0
fi
return 1 return 1
} }
@@ -676,7 +473,7 @@ install_cached_kernel_tarball_component() {
install_cc_initrd() { install_cc_initrd() {
export AA_KBC="${AA_KBC:-offline_fs_kbc}" export AA_KBC="${AA_KBC:-offline_fs_kbc}"
info "Create CC initrd configured with AA_KBC=${AA_KBC}" info "Create CC initrd configured with AA_KBC=${AA_KBC}"
"${rootfs_builder}" --imagetype=initrd --prefix="${cc_prefix}" --destdir="${destdir}" "${rootfs_builder}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}"
} }
#Install kernel asset #Install kernel asset
@@ -827,16 +624,15 @@ install_qemu_tdx_experimental() {
"${qemu_experimental_builder}" "${qemu_experimental_builder}"
} }
install_cc_snp_qemu_experimental() { install_qemu_snp_experimental() {
export qemu_suffix="snp-experimental" export qemu_suffix="snp-experimental"
export qemu_tarball_name="kata-static-qemu-${qemu_suffix}-cc.tar.gz" export qemu_tarball_name="kata-static-qemu-${qemu_suffix}.tar.gz"
export tee="snp"
install_qemu_helper \ install_qemu_helper \
"assets.hypervisor.qemu-${qemu_suffix}.url" \ "assets.hypervisor.qemu-${qemu_suffix}.url" \
"assets.hypervisor.qemu-${qemu_suffix}.tag" \ "assets.hypervisor.qemu-${qemu_suffix}.tag" \
"qemu-${qemu_suffix}" \ "qemu-${qemu_suffix}" \
"${qemu_experimental_cc_builder}" "${qemu_experimental_builder}"
} }
# Install static firecracker asset # Install static firecracker asset
@@ -1000,7 +796,7 @@ install_ovmf() {
# Install TDVF # Install TDVF
install_tdvf() { install_tdvf() {
install_ovmf "tdx" "edk2-tdx.tar.gz" install_ovmf "tdx" "edk2-staging-tdx.tar.gz"
} }
# Install OVMF SEV # Install OVMF SEV
@@ -1044,24 +840,11 @@ handle_build() {
;; ;;
cc) cc)
install_cc_clh
install_cc_kernel
install_cc_qemu
install_cc_snp_qemu_experimental
install_cc_image install_cc_image
install_cc_shimv2 install_cc_shimv2
install_cc_virtiofsd
install_cc_sev_image install_cc_sev_image
;; ;;
cc-cloud-hypervisor) install_cc_clh ;;
cc-kernel) install_cc_kernel ;;
cc-qemu) install_cc_qemu ;;
cc-snp-qemu) install_cc_snp_qemu_experimental ;;
cc-rootfs-image) install_cc_image ;; cc-rootfs-image) install_cc_image ;;
cc-rootfs-initrd) install_cc_initrd ;; cc-rootfs-initrd) install_cc_initrd ;;
@@ -1074,22 +857,8 @@ handle_build() {
cc-shim-v2) install_cc_shimv2 ;; cc-shim-v2) install_cc_shimv2 ;;
cc-virtiofsd) install_cc_virtiofsd ;;
cc-tdx-kernel) install_cc_tdx_kernel ;;
cc-sev-kernel) install_cc_sev_kernel ;;
cc-tdx-qemu) install_cc_tdx_qemu ;;
cc-tdx-td-shim) install_cc_tdx_td_shim ;; cc-tdx-td-shim) install_cc_tdx_td_shim ;;
cc-tdx-tdvf) install_cc_tdx_tdvf ;;
cc-sev-ovmf) install_cc_sev_ovmf ;;
cc-x86_64-ovmf) install_cc_x86_64_ovmf ;;
cloud-hypervisor) install_clh ;; cloud-hypervisor) install_clh ;;
cloud-hypervisor-glibc) install_clh_glibc ;; cloud-hypervisor-glibc) install_clh_glibc ;;


@@ -11,7 +11,7 @@ set -o nounset
set -o pipefail set -o pipefail
set -o errtrace set -o errtrace
KATA_DEPLOY_DIR="`dirname ${0}`/../../kata-deploy-cc" KATA_DEPLOY_DIR="`dirname ${0}`/../../kata-deploy"
KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}" KATA_DEPLOY_ARTIFACT="${1:-"kata-static.tar.xz"}"
REGISTRY="${2:-"quay.io/confidential-containers/runtime-payload"}" REGISTRY="${2:-"quay.io/confidential-containers/runtime-payload"}"
TAG="${3:-}" TAG="${3:-}"
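Review bot: The rewritten `KATA_DEPLOY_DIR` line in the `@@ -11,7 +11,7 @@` hunk still derives the directory with backticks and an unquoted `${0}`, so a script path containing whitespace is word-split and the relative `../../kata-deploy` is resolved against the wrong base; `KATA_DEPLOY_DIR="$(dirname "${0}")/../../kata-deploy"` keeps the relocation from `kata-deploy-cc` to `kata-deploy` and matches the quoted `$(dirname "${BASH_SOURCE[0]}")` form used by the other scripts touched in this PR. Since the script runs under `set -o nounset`/`errexit`, a mis-resolved directory surfaces only at the first `cd` or file access rather than at this assignment, which makes the failure harder to diagnose. The enclosing script continues outside the hunk.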


@@ -1,34 +0,0 @@
#!/usr/bin/env bash
#
# Copyright (c) 2022 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
set -o errexit
set -o nounset
set -o pipefail
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${script_dir}/../../scripts/lib.sh"
qemu_repo="${qemu_repo:-}"
qemu_version="${qemu_version:-}"
tee="${tee:-}"
export prefix="/opt/confidential-containers/"
if [ -z "${qemu_repo}" ]; then
info "Get qemu information from runtime versions.yaml"
export qemu_url=$(get_from_kata_deps "assets.hypervisor.qemu.url")
[ -n "${qemu_url}" ] || die "failed to get qemu url"
export qemu_repo="${qemu_url}.git"
fi
[ -n "${qemu_repo}" ] || die "failed to get qemu repo"
[ -n "${qemu_version}" ] || export qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu.version")
[ -n "${qemu_version}" ] || die "failed to get qemu version"
qemu_tarball_name="kata-static-qemu-cc.tar.gz"
[ -n "${tee}" ] && qemu_tarball_name="kata-static-${tee}-qemu-cc.tar.gz"
"${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "${tee}" "${qemu_tarball_name}"


@@ -1,36 +0,0 @@
#!/usr/bin/env bash
#
# Copyright (c) 2022 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
set -o errexit
set -o nounset
set -o pipefail
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${script_dir}/../../scripts/lib.sh"
qemu_repo="${qemu_repo:-}"
qemu_version="${qemu_version:-}"
qemu_suffix="${qemu_suffix:-experimental}"
tee="${tee:-}"
qemu_tarball_name="${qemu_tarball_name:-kata-static-qemu-experimental.tar.gz}"
export prefix="/opt/confidential-containers/"
if [ -z "${qemu_repo}" ]; then
info "Get qemu information from runtime versions.yaml"
export qemu_url=$(get_from_kata_deps "assets.hypervisor.qemu.url")
[ -n "${qemu_url}" ] || die "failed to get qemu url"
export qemu_repo="${qemu_url}.git"
fi
[ -n "${qemu_repo}" ] || die "failed to get qemu repo"
[ -n "${qemu_version}" ] || export qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu.version")
[ -n "${qemu_version}" ] || die "failed to get qemu version"
qemu_tarball_name="kata-static-qemu-experimental-cc.tar.gz"
[ -n "${tee}" ] && qemu_tarball_name="kata-static-qemu-${tee}-experimental-cc.tar.gz"
"${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "${qemu_suffix}" "${qemu_tarball_name}"


@@ -71,7 +71,8 @@ assets:
description: "Component used to create virtual machines" description: "Component used to create virtual machines"
cloud_hypervisor: cloud_hypervisor:
description: "Cloud Hypervisor is an open source Virtual Machine Monitor" # yamllint disable-line rule:line-length
description: "Cloud Hypervisor is an open source Virtual Machine Monitor -- DO NOT TOUCH on main -> CCv0 merges"
url: "https://github.com/cloud-hypervisor/cloud-hypervisor" url: "https://github.com/cloud-hypervisor/cloud-hypervisor"
uscan-url: >- uscan-url: >-
https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz
@@ -98,16 +99,18 @@ assets:
uscan-url: >- uscan-url: >-
https://github.com/qemu/qemu/tags https://github.com/qemu/qemu/tags
.*/v?(\d\S+)\.tar\.gz .*/v?(\d\S+)\.tar\.gz
tdx:
description: "VMM that uses KVM and supports TDX"
url: "https://github.com/kata-containers/qemu"
tag: "TDX-v3.1"
qemu-experimental: qemu-experimental:
description: "QEMU with virtiofs support" description: "QEMU with virtiofs support"
url: "https://github.com/qemu/qemu" url: "https://github.com/qemu/qemu"
version: "7a800cf9496fddddf71b21a00991e0ec757a170a" version: "7a800cf9496fddddf71b21a00991e0ec757a170a"
qemu-tdx-experimental:
# yamllint disable-line rule:line-length
description: "QEMU with TDX support - DO NOT TOUCH on main -> CCv0 merges"
url: "https://github.com/kata-containers/qemu"
tag: "TDX-v3.1"
qemu-snp-experimental: qemu-snp-experimental:
description: "QEMU with experimental SNP support (no UPM)" description: "QEMU with experimental SNP support (no UPM)"
url: "https://github.com/AMDESE/qemu" url: "https://github.com/AMDESE/qemu"
@@ -160,10 +163,6 @@ assets:
description: "Linux kernel optimised for virtual machines" description: "Linux kernel optimised for virtual machines"
url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/" url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
version: "v5.19.2" version: "v5.19.2"
tdx:
description: "Linux kernel that supports TDX"
url: "https://github.com/kata-containers/linux/archive/refs/tags"
tag: "5.15-plus-TDX"
sev: sev:
description: "Linux kernel that supports SEV and SNP" description: "Linux kernel that supports SEV and SNP"
url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/" url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
@@ -188,6 +187,12 @@ assets:
url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/" url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
version: "v5.10.25" version: "v5.10.25"
kernel-tdx-experimental:
# yamllint disable-line rule:line-length
description: "Linux kernel with TDX support -- DO NOT TOUCH on main -> CCv0 merges"
url: "https://github.com/kata-containers/linux/archive/refs/tags"
version: "5.15-plus-TDX"
externals: externals:
description: "Third-party projects used by the system" description: "Third-party projects used by the system"
@@ -303,13 +308,15 @@ externals:
package_output_dir: "AmdSev" package_output_dir: "AmdSev"
tdx: tdx:
url: "https://github.com/tianocore/edk2-staging" url: "https://github.com/tianocore/edk2-staging"
description: "TDVF build needed for TDX measured direct boot." # yamllint disable-line rule:line-length
description: "TDVF build needed for TDX measured direct boot. -- DO NOT TOUCH on main -> CCv0 merges"
version: "2022-tdvf-ww28.5" version: "2022-tdvf-ww28.5"
package: "OvmfPkg/OvmfPkgX64.dsc" package: "OvmfPkg/OvmfPkgX64.dsc"
package_output_dir: "OvmfX64" package_output_dir: "OvmfX64"
td-shim: td-shim:
description: "Confidential Containers Shim Firmware" # yamllint disable-line rule:line-length
description: "Confidential Containers Shim Firmware -- DO NOT TOUCH on main -> CCv0 merges"
url: "https://github.com/confidential-containers/td-shim" url: "https://github.com/confidential-containers/td-shim"
version: "v0.7.0" version: "v0.7.0"
toolchain: "nightly-2022-11-15" toolchain: "nightly-2022-11-15"
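Review bot: The new `kernel-tdx-experimental` entry in the `@@ -188,6 +187,12 @@` hunk stores its git ref under `version:` whereas the `tdx:` entry it replaces (removed in `@@ -160,10 +163,6 @@`) used `tag:`, and the sibling `qemu-tdx-experimental` added in `@@ -98,16 +99,18 @@` keeps `tag:`; any build helper still querying `assets.kernel.<name>.tag` will get an empty value, so the key should be made consistent across the two experimental TDX entries or the consumer updated in the same change. Separately, both refs (`TDX-v3.1`, `5.15-plus-TDX`) are mutable git tags, while the neighbouring `qemu-experimental` entry is pinned to a commit hash; pinning the TDX entries to a commit as well would keep the payload build reproducible and independent of the tag being moved upstream. A short comment above each entry noting which script consumes it (e.g. `# consumed by kata-deploy-binaries.sh via assets.kernel.kernel-tdx-experimental.version`) would also make the `tag`/`version` choice auditable.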