Commit Graph

400 Commits

Author SHA1 Message Date
Steve Horsman
23d2dfaedc Merge pull request #11707 from fidencio/topic/switch-to-use-zstd-when-possible
kata-deploy: local-build: Use zstd instead of xz
2025-08-22 10:06:00 +01:00
stevenhorsman
381da9e603 versions: Bump golang to 1.24.6
golang 1.25 has been released, so 1.23 is EoL,
so we should update to ensure we don't end up with security issues

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 10:44:15 +02:00
Fabiano Fidêncio
1329ce355e versions: image / initrd: Bump to alpine 3.22
As the 3.18 is EOL'ed.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-21 19:53:55 +02:00
Mikko Ylinen
412a384aad versions: update kernel-confidential to Linux v6.16.1
Linux v6.16 brings some useful features for the confidential guests.
Most importantly, it adds an ABI to extend runtime measurement registers
(RTMR) for the TEE platforms supporting it. This is currently enabled
on Intel TDX only.

The kernel version bump from v6.12.x to v6.16 forces some CONFIG_*
changes too:

MEMORY_HOTPLUG_DEFAULT_ONLINE was dropped in favor of more config
choices. The equivalent option is MHP_DEFAULT_ONLINE_TYPE_ONLINE_AUTO.

X86_5LEVEL was made unconditional. Since this was only a TDX
configuration, dropping it completely as part of v6.16 is fine.

CRYPTO_NULL2 was merged with CRYPTO_NULL. This was only added in
confidential guest fragments (cryptsetup) so we can drop it in this update.

CRYPTO_FIPS now depends on CRYPTO_SELFTESTS which further depends on
EXPERT which we don't have. Enable both in a separate config fragment
for confidential guests. This can be moved to a common setting once
other targets bump to post v6.16.

CRYPTO_SHA256_SSE3 arch optimizations were reworked and are now enabled
by default. Instead of adding it to whitelist.conf, just drop it completely
since it was only enabled as part of "measured boot" feature for
confidential guests. CONFIG_CRYPTO_CRC32_S390 was reworked the same way.
In this case, whitelist.conf is needed.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-08-20 11:32:48 +03:00
Alex Tibbles
e20f6b2f9d versions: update to latest LTS kernel 6.12.42
Fixes #11690

Signed-off-by: Alex Tibbles <alex@bleg.org>
2025-08-19 17:32:42 -04:00
Alex Tibbles
a03dc3129d versions: sync go.mod with versions.yaml for go 1.23.12
OSV-Scanner highlights go.mod references to go stdlib 1.23.0 contrary to intention in versions.yaml, so synchronize them.
Make a converse comment for versions.yaml.

Fixes: #11700

Signed-off-by: Alex Tibbles <alex@bleg.org>
2025-08-19 11:30:19 -04:00
stevenhorsman
1a6f1fc3ac versions: Bump golang to 1.23.12
Bump go version to remediate vuln GO-2025-3849

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-12 14:46:29 +01:00
Fabiano Fidêncio
f9e16431c1 version: Bump QEMU to v10.0.3
As the new release of QEMU is out, let's switch to it and take advantage
of bug fixes and improvements.

QEMU changelog: https://wiki.qemu.org/ChangeLog/10.0

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-08-07 22:31:30 +02:00
Markus Rudy
9e38fd2562 tools: add image for Go proto bindings
In order to have a reproducible code generation process, we need to pin
the versions of the tools used. This is accomplished easiest by
generating inside a container.

This commit adds a container image definition with fixed dependencies
for Golang proto/ttrpc code generation, and changes the agent Makefile
to invoke the update-generated-proto.sh script from within that
container.

Signed-off-by: Markus Rudy <mr@edgeless.systems>
2025-07-31 17:58:25 +01:00
Kumar Mohit
5cccbb9f41 versions: Upgrade Firecracker Version to 1.12.1
Updated versions.yaml to use Firecracker v1.12.1.
Replaced firecracker and jailer binaries under /opt/kata/bin.

Tested with kata-fc runtime on Kubernetes:
- Deployed pods using gitpod/openvscode-server
- Verified microVM startup, container access, and Firecracker usage
- Confirmed Firecracker and jailer versions via CLI

Signed-off-by: Kumar Mohit <68772712+itsmohitnarayan@users.noreply.github.com>
2025-07-30 12:51:08 +05:30
Ruoqing He
14e9d2c815 versions: Upgrade to Cloud Hypervisor v47.0
Details of v47.0 release can be found in our roadmap project as
iteration v47.0: https://github.com/orgs/cloud-hypervisor/projects/6.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-07-25 20:42:24 +02:00
Steve Horsman
405f5283f0 Merge pull request #11573 from arvindskumar99/versions_comment
OVMF: Making comment in versions.yaml for SEV-SNP
2025-07-17 10:11:58 +01:00
Xynnn007
82b890349d deps(chore): bump guest-components to candidate v0.14.0
This new version of gc fixes s390x attestation, also introduces registry
configuration setting directly via initdata.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-07-17 10:19:02 +08:00
Arvind Kumar
2a52351822 OVMF: Making comment in versions.yaml for SEV-SNP
Adding comment to versions.yaml to indicate that the ovmf-sev is also
used by AMD SEV-SNP, as per the discussion in
https://github.com/kata-containers/kata-containers/pull/11561.

Signed-off-by: Arvind Kumar <arvinkum@amd.com>
2025-07-16 06:35:21 +02:00
Xynnn007
19001af1e2 deps(chore): update guest-components and trustee
to the version of pre v0.14.0

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-07-15 09:12:47 +08:00
Fabiano Fidêncio
842e17b756 tests: k0s: Always use latest version, apart from CRI-O tests
We've been pinning a specific version of k0s for CRI-O tests, which may
make sense for CRI-O, but doesn't make sense at all when it comes to
testing that we can install kata-deploy on latest k0s (and currently our
test for that is broken).

Let's bump to the latest, and from this point we start debugging,
instead of debugging on an ancient version of the project.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-09 13:27:18 +02:00
Steve Horsman
7bc25b0259 Merge pull request #11494 from katexochen/p/opa-1.6
versions: bump opa 1.5.1 -> 1.6.0
2025-07-09 11:45:54 +01:00
Arvind Kumar
afedad0965 kernel: Removing SEV kernel packages
Removing kernel config files realting
to SEV as part of the SEV deprecation
efforts.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
2025-07-07 11:21:11 -05:00
Paul Meyer
ff7ac58579 versions: bump opa 1.5.1 -> 1.6.0
Bumping opa to latest release.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-07-07 14:19:08 +02:00
Fabiano Fidêncio
a2faf93211 kernel: Bump to v6.12.36
As that's the latest releasesd LTS.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-07-06 23:48:20 +02:00
stevenhorsman
61b12d4e1b version: Bump nydus-snapshotter
Bump to version v0.15.2 to pick up fix to mount source in
https://github.com/containerd/nydus-snapshotter/pull/636

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-27 14:04:00 +01:00
stevenhorsman
c7da62dd1e versions: Bump guest-components
Bump to pick up the new guest-components
and matching trustee which use rust 1.85.1

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-25 15:05:07 +01:00
stevenhorsman
aedbaa1545 versions: Bump golang to 1.23.10
Bump golang to fix CVEs GO-2025-3751
and GO-2025-3563

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-18 11:11:32 +01:00
Hyounggyu Choi
4be261f248 rootfs: Bump rootfs-{image,initrd} to 24.04
Since #11197 was merged, all confidential k8s e2e tests for s390x
have been failing with the following errors:

```
attestation-agent: error while loading shared libraries:
libcurl.so.4: cannot open shared object file
libnghttp2.so.14: cannot open shared object file
```

In line with the update on x86_64, we need to upgrade the OS used
in rootfs-{image,initrd} on s390x.
This commit also bumps all 22.04 to 24.04 for all architectures.
For s390x, this ensures the missing packages listed above are
installed.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-06-17 22:03:26 +02:00
Xynnn007
e0b4cd2dba initrd/image: update x86_64 base to ubuntu 24.04
The Multistrap issue has been fixed in noble thus we can use the LTS.

Also, this will fix the error reported by CDH
```
/lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.38' not found
```

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:54:15 +08:00
Xynnn007
5bab460224 chore(deps): update guest-components
This patch updates the guest-components to new version with better
error logging for CDH. It also allows the config of AA not having a
coco_as token config.

Also, the new version of CDH requires to build aws-lc-sys thus needs to
install cmake for build.

See

https://github.com/kata-containers/kata-containers/actions/runs/15327923347/job/43127108813?pr=11197#step:6:1609

for details.

Besides, the new version of guest-components have some fixes for SNP
stack, which requires the updates of trustee side.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-06-16 13:54:15 +08:00
Dan Mihai
0f8e453518 Merge pull request #11412 from katexochen/rego-v1
genpolicy: fix rules syntax issues, rego v1 compatibility; ci: checks for rego parsing
2025-06-13 07:30:34 -07:00
Paul Meyer
71796f7b12 ci/static-checks: install opa
Make open-policy-agent available for static checks as prerequisite for rego checks.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2025-06-12 10:46:43 +02:00
Ruoqing He
26c7f941aa versions: Bump rust to 1.85.1
As discussed in 2025-05-22's AC call, bump rust toolchian to 1.85.1.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-06-11 13:50:10 +00:00
Gao Xiang
b441890749 kernel: drop outdated erofs patches for 6.1.y kernels
Patches 0001..0004 have been included upstream as dependencies
since Linux 6.1.113.

Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
2025-05-26 15:48:24 +08:00
Steve Horsman
f8c5aa6df6 Merge pull request #11259 from fitzthum/bump-gc-0140
Update Trustee and Guest Components for CoCo v0.14.0
2025-05-20 18:05:17 +01:00
Fabiano Fidêncio
219d6e8ea6 Merge pull request #11257 from mythi/coco-guest-hardening
confidential guest kernel hardening changes
2025-05-16 08:52:36 +02:00
Seunguk Shin
5cabce1a25 packaging: Build edk2 for arm64
The edk2 is required for memory hot plug on qemu for arm64.
This adds the edk2 to static tarball for arm64.

Signed-off-by: Seunguk Shin <seunguk.shin@arm.com>
Reviewed-by: Nick Connolly <nick.connolly@arm.com>
2025-05-15 10:12:24 +01:00
Mikko Ylinen
a44dfb8d37 versions: bump LTS kernel
6.12.28 has been released, let's bump to it.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-05-12 17:14:51 +03:00
Tobin Feldman-Fitzthum
de6f4ae99c versions: update Trustee version for CoCo v0.14.0
This hash will be tagged as Trustee v0.13.0 after the CoCo release is
finished.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2025-05-09 13:40:28 -05:00
Tobin Feldman-Fitzthum
f9a9967e21 versions: update guest-components for CoCo v0.14.0
Pick up changes to guest components. This hash is right before the
changes to GC to support image pull via the CDH.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2025-05-09 13:40:28 -05:00
Steve Horsman
9248634baa Merge pull request #11098 from stevenhorsman/golang-1.23.7
versions: Bump golang version
2025-04-28 13:46:11 +01:00
stevenhorsman
09052faaa0 versions: Switch gperf mirror
Every so often the main gnu site has an outage, so
we can't download gperf. GNU providesthe generic URL https://ftpmirror.gnu.org to
automatically choose a nearby and up-to-date mirror,
so switch to this to help avoid this problem

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-23 15:29:54 +01:00
stevenhorsman
ed56050a99 versions: Bump golangci-lint version
v1.60.0+ is needed for go 1.23 support, so
bump to the current latest 1.x version

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-23 12:37:48 +01:00
stevenhorsman
c37840ce80 versions: Bump golang version
Bump golang version to the latest minor 1.23.x release
now that 1.24 has been released and 1.22.x is no longer
stable and receiving security fixes

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-23 12:37:48 +01:00
Fabiano Fidêncio
5e363dc277 virtiofsd: Update to v1.13.1
It's been released for some time already ... and although we did have
the necessary patches in, we better to stick to a released version of
the project.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-04-14 13:23:31 +02:00
stevenhorsman
93830cbf4d rust: Add rust-toolchain.toml
Add a top-level rust-toolchain.toml with the version
that matches version.yaml to ensure that we stay in sync

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-11 09:24:04 +01:00
RuoqingHe
713cbb0c62 Merge pull request #11121 from fidencio/topic/bump-kernel-lts
versions: Bump LTS kernel
2025-04-08 17:28:31 +08:00
Fabiano Fidêncio
bc04c390bd versions: Bump LTS kernel
6.12.22 has been released Yesterday, let's bump to it.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-04-07 21:46:29 +02:00
Bo Chen
ee84068aed versions: Upgrade to Cloud Hypervisor v45.0
Details of this release can be found in our roadmap project as iteration
v45.0: https://github.com/orgs/cloud-hypervisor/projects/6.

Fixes: #10723

Signed-off-by: Bo Chen <bchen@crusoe.ai>
Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-04-07 20:33:34 +02:00
Tobin Feldman-Fitzthum
63ec1609bc versions: update guest-components for coco v0.13.0
Update to the latest hash of guest-components. This will pick up some
nice new features including using ec key for the rcar handshake.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2025-03-14 10:44:10 -05:00
Tobin Feldman-Fitzthum
c352905998 versions: bump trustee for coco v0.13.0
Update to new hashes for Trustee. The MSRV for Trustee is now 1.80.0 so
bump the rust toolchain as well.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
2025-03-14 10:44:04 -05:00
Xuewei Niu
644af52968 Merge pull request #10876 from lifupan/fupan_containerd
ci: cri-containerd: upgrade the LTS / Active versions for containerd
2025-03-06 17:08:40 +08:00
Fupan Li
7024d3c600 CI: cri-containerd: upgrade the LTS / Active versions for containerd
As we're testing against the LTS and the Active versions of
containers, let's upgrade the lts version from 1.6 to 1.7 and
active version from 1.7 to 2.0 to cover the sandboxapi tests.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-03-05 23:09:24 +08:00
Zvonko Kaiser
33460386b9 Merge pull request #10803 from ryansavino/update-confidential-initrd-22.04
versions: update confidential initrd to 22.04
2025-02-27 09:29:36 -05:00