In preparation for CoCo 0.5 release, updated td-shim to
commit 10568bab569bc40034cc973f26fbb0a768dcc3e3
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
In preparation for CoCo 0.5 release, updated attestation-agent to
commit c939d211fe5ac497715008e36161aff20cabb6e6
Fixes: #6650
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
This patch updates the template configuration file for
the remote hypervisor to set static_sandbox_resource_mgmt
to be true. The remote hypervisor uses the peer pod config
to determine the sandbox size, so requires this to be set to
true by default.
Fixes: #6616
Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
Adding SNP components needed to the x86 payload push and release payloads.
QEMU is needed in both the after-push payload and release payload, while OVMF is only
missing from the release workflow.
Fixes: #6600
Signed-Off-By: Alex Carter <AlexCarter@ibm.com>
This is to add an artifact named `cc-rootfs-initrd` to a payload image
because it is identified that the artifact is required to run a cc-operator
e2e test.
Fixes: #6544
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
attestation-agent depends on tdx-attest-rs when cc_kbc is enabled, which
depends on libtdx-attest.so. Include the dev package in build container,
and the runtime package in the built rootfs.
The build of tdx-attest-sys (which is a dep of tdx-attest-rs) uses
bindgen, which requires libclang so install that in the build container
as well.
We specify the tdx stack DCAP v1.15.
Fixes: #6519
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
An SNP runtimeclass needs a build of Qemu from https://github.com/AMDESE/qemu/tree/snp-v3.
So a new target needs to be added to add it to a kata-deploy bundle.
Building requires a qemu no_patches file.
Fixes: #6061
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
For remote hypervisor, the configmap, secrets, downward-api or project-volumes are
copied from host to guest. This patch watches for changes to the host files
and copies the changes to the guest.
Note that configmap updates take significantly longer than updates via downward-api.
This is similar across runc and Kata runtimes.
Fixes: #6341
Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Signed-off-by: Julien Ropé <jrope@redhat.com>
`ttrpc=true` parameter tells the Makefile of attestation-agent
to build the attestation-agent with ttrpc support
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
This commit brings ttrpc of image-rs. It will use the
lightweight underlying ttrpc to interact between kata-agent
and attestation-agent.
Also, this PR brings a patch for `oci-distribution`,
because two dependencies of `image-rs` depend on different
versions of `oci-distribution`, which will cause that
`image-rs` cannot be built. We need a specified version of
`oci-distribution` to unify.
Fixes: #6219
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
This is to add a new element `qemu-se` to the shims for a new runtime
class `kata-qemu-se`.
Fixes: #6549
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
SNP needs two builds of ovmf: the AmdSev build and the normal x86_64 build.
Adds target for vanilla ovmf build for snp.
Adding another make target / kata-deploy function, and fixing the ovmf builder so these builds don't overlap.
Fixes: #5849
Signed-off-by: Alex Carter <Alex.Carter@ibm.com>
This is a preliminary work to establish an e2e test for a new runtime
class kata-qemu-se (IBM secure execution).
Fixes: #6544
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
DCAP has upgraded to 1.16, which is not compatible with the host OS used
as part of our CI (2022ww44). Let's ensure DCAP 1.15 is used instead.
Fixes: #6529
Signed-off-by: Wang, Arron <arron.wang@intel.com>
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Update the build to use the attestation-agent makefile to build it, so
we can pick up the enhancements there
Fixes: #6253
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Add support for cri-o into kata-deploy and merge in CAA features
Fixes: #6351
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Co-authored-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
We've been seeing the 'sudo make test' job occasionally run out of space in
/tmp, which is part of the root filesystem. Removing dotnet and
`AGENT_TOOLSDIRECTORY` frees around 10GB of space and in my tests the job still
has 13GB of space left after running.
Fixes: #6401
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
{{ runner.workspace }}/kata-containers and {{ github.workspace }} resolve to
the same value, but they're being used multiple times in the workflow. Remove
multiple definitions and define the GOPATH var at job level once.
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
The last remaining user of the TRAVIS variable in this repo is
tools/osbuilder/tests and it is only used to skip spinning up VMs. Travis
didn't support virtualization and the same is true for github actions hosted
runners. Replace the variable with KVM_MISSING and determine availability of
/dev/kvm at runtime.
TRAVIS is also used by '.ci/setup.sh' in kata-containers/tests to reduce the
set of dependencies that gets installed, but this is also in the process of
being removed.
Fixes: #3544
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>