kernel: add confidential guest build option

Includes support for SEV guest kernels Fixes #1870 Signed-off-by: Jim Cadden <jcadden@ibm.com>
2025-04-29 12:14:48 +00:00 · 2021-05-10 18:12:31 -04:00 · 2021-05-10 18:12:31 -04:00 · f8a16c170a
commit f8a16c170a
parent 2c4e4ca1ac
3 changed files with 29 additions and 1 deletions
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@ -49,6 +49,8 @@ experimental_kernel="false"
 force_setup_generate_config="false"
 #GPU kernel support
 gpu_vendor=""
+#Confidential guest type 
+conf_guest=""
 #
 patches_path=""
 #
@ -98,6 +100,7 @@ Options:
 	-p <path>   	: Path to a directory with patches to apply to kernel.
 	-t <hypervisor>	: Hypervisor_target.
 	-v <version>	: Kernel version to use if kernel path not provided.
+	-x <type>	: Confidential guest protection type, such as sev
 EOT
 	exit "$exit_code"
 }
@ -209,6 +212,12 @@ get_kernel_frag_path() {
 		all_configs="${all_configs} ${gpu_configs}"
 	fi

+	if [[ "${conf_guest}" != "" ]];then
+		info "Enabling config for '${conf_guest}' confidential guest protection"
+		local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)"
+		all_configs="${all_configs} ${conf_configs}"
+	fi
+
 	info "Constructing config from fragments: ${config_path}"


@ -387,6 +396,10 @@ install_kata() {
 		suffix="-${gpu_vendor}-gpu${suffix}"
 	fi

+	if [[ ${conf_guest} != "" ]];then
+		suffix="-${conf_guest}${suffix}"
+	fi
+
 	vmlinuz="vmlinuz-${kernel_version}-${config_version}${suffix}"
 	vmlinux="vmlinux-${kernel_version}-${config_version}${suffix}"

@ -424,7 +437,7 @@ install_kata() {
 }

 main() {
-	while getopts "a:c:defg:hk:p:t:v:" opt; do
+	while getopts "a:c:defg:hk:p:t:v:x:" opt; do
 		case "$opt" in
 			a)
 				arch_target="${OPTARG}"
@ -461,6 +474,13 @@ main() {
 			v)
 				kernel_version="${OPTARG}"
 				;;
+			x)
+				conf_guest="${OPTARG}"
+				case "$conf_guest" in
+					sev) ;;
+					*) die "Confidential guest type '$conf_guest' not supported" ;;
+				esac
+				;;
 		esac
 	done

--- a/tools/packaging/kernel/configs/fragments/whitelist.conf
+++ b/tools/packaging/kernel/configs/fragments/whitelist.conf
@ -8,3 +8,5 @@ CONFIG_NF_NAT_PROTO_SCTP
 CONFIG_NF_NAT_PROTO_UDPLITE
 CONFIG_REFCOUNT_FULL
 CONFIG_MEMCG_SWAP_ENABLED
+CONFIG_CRYPTO_DEV_SP_PSP
+CONFIG_CRYPTO_DEV_CCP
--- a/tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf
+++ b/tools/packaging/kernel/configs/fragments/x86_64/sev/sev.conf
@ -0,0 +1,6 @@
+# AMD Secure Encrypted Virtualization (SEV)
+ 
+CONFIG_AMD_MEM_ENCRYPT=y
+CONFIG_AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT=y
+CONFIG_CRYPTO_DEV_SP_PSP=y
+CONFIG_CRYPTO_DEV_CCP=y