kernel: add confidential guest build option

Includes support for SEV guest kernels

Fixes #1870

Signed-off-by: Jim Cadden <jcadden@ibm.com>
Jim Cadden 2021-05-10 18:12:31 -04:00
parent 2c4e4ca1ac
commit f8a16c170a
3 changed files with 29 additions and 1 deletions


@ -49,6 +49,8 @@ experimental_kernel="false"
force_setup_generate_config="false" force_setup_generate_config="false"
#GPU kernel support #GPU kernel support
gpu_vendor="" gpu_vendor=""
#Confidential guest type
conf_guest=""
# #
patches_path="" patches_path=""
# #
@ -98,6 +100,7 @@ Options:
-p <path> : Path to a directory with patches to apply to kernel. -p <path> : Path to a directory with patches to apply to kernel.
-t <hypervisor> : Hypervisor_target. -t <hypervisor> : Hypervisor_target.
-v <version> : Kernel version to use if kernel path not provided. -v <version> : Kernel version to use if kernel path not provided.
-x <type> : Confidential guest protection type, such as sev
EOT EOT
exit "$exit_code" exit "$exit_code"
} }
@ -209,6 +212,12 @@ get_kernel_frag_path() {
all_configs="${all_configs} ${gpu_configs}" all_configs="${all_configs} ${gpu_configs}"
fi fi
if [[ "${conf_guest}" != "" ]];then
info "Enabling config for '${conf_guest}' confidential guest protection"
local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)"
all_configs="${all_configs} ${conf_configs}"
fi
info "Constructing config from fragments: ${config_path}" info "Constructing config from fragments: ${config_path}"
@ -387,6 +396,10 @@ install_kata() {
suffix="-${gpu_vendor}-gpu${suffix}" suffix="-${gpu_vendor}-gpu${suffix}"
fi fi
if [[ ${conf_guest} != "" ]];then
suffix="-${conf_guest}${suffix}"
fi
vmlinuz="vmlinuz-${kernel_version}-${config_version}${suffix}" vmlinuz="vmlinuz-${kernel_version}-${config_version}${suffix}"
vmlinux="vmlinux-${kernel_version}-${config_version}${suffix}" vmlinux="vmlinux-${kernel_version}-${config_version}${suffix}"
@ -424,7 +437,7 @@ install_kata() {
} }
main() { main() {
while getopts "a:c:defg:hk:p:t:v:" opt; do while getopts "a:c:defg:hk:p:t:v:x:" opt; do
case "$opt" in case "$opt" in
a) a)
arch_target="${OPTARG}" arch_target="${OPTARG}"
@ -461,6 +474,13 @@ main() {
v) v)
kernel_version="${OPTARG}" kernel_version="${OPTARG}"
;; ;;
x)
conf_guest="${OPTARG}"
case "$conf_guest" in
sev) ;;
*) die "Confidential guest type '$conf_guest' not supported" ;;
esac
;;
esac esac
done done
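Review bot: `local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)"` in get_kernel_frag_path parses ls with an unquoted path and the `local` masks ls's exit status, so a missing or empty `${arch_path}/${conf_guest}` directory leaves conf_configs empty and the build carries on; install_kata then still appends `-${conf_guest}` to the suffix, so a kernel with none of the SEV fragments applied would be shipped under the confidential-guest name. Failing fast is safer: `[[ -d "${arch_path}/${conf_guest}" ]] || die "No config fragments for '${conf_guest}' under ${arch_path}"`, then `local conf_configs` and `conf_configs=$(ls "${arch_path}/${conf_guest}"/*.conf) || die "No .conf fragments found for '${conf_guest}'"`. The `-x` handler in main restricts conf_guest to `sev` before it reaches these paths, so the value itself is safe to interpolate. The `[[ ${conf_guest} != "" ]]` test in install_kata leaves the expansion unquoted while the one in get_kernel_frag_path quotes it; quoting both keeps them consistent. Both get_kernel_frag_path and install_kata start and end outside the hunks shown.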


@ -8,3 +8,5 @@ CONFIG_NF_NAT_PROTO_SCTP
CONFIG_NF_NAT_PROTO_UDPLITE CONFIG_NF_NAT_PROTO_UDPLITE
CONFIG_REFCOUNT_FULL CONFIG_REFCOUNT_FULL
CONFIG_MEMCG_SWAP_ENABLED CONFIG_MEMCG_SWAP_ENABLED
CONFIG_CRYPTO_DEV_SP_PSP
CONFIG_CRYPTO_DEV_CCP
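Review bot: Adding CONFIG_CRYPTO_DEV_SP_PSP and CONFIG_CRYPTO_DEV_CCP to this list appears to allow them to be missing from the final .config without failing the build, while the new SEV fragment in this same commit sets both to `=y`; if that reading of the file is right, those two fragment entries are effectively best-effort and a kernel carrying the `-sev` suffix may be built without them. If the guest kernel genuinely needs them they should be required rather than whitelisted, and if it does not (the PSP is ordinarily driven from the host, so this seems plausible) dropping them from the fragment keeps it to the options the suffix actually guarantees. In either case the fragment would benefit from a per-option comment stating why it is present, e.g. `# CONFIG_AMD_MEM_ENCRYPT*: SEV guest memory encryption (required)` and `# CCP/PSP: TODO confirm whether a guest needs these; whitelisted as optional`.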


@ -0,0 +1,6 @@
# AMD Secure Encrypted Virtualization (SEV)
CONFIG_AMD_MEM_ENCRYPT=y
CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y
CONFIG_CRYPTO_DEV_SP_PSP=y
CONFIG_CRYPTO_DEV_CCP=y