Commit Graph

1848 Commits

Author SHA1 Message Date
Steve Horsman
947862f804 Merge pull request #11904 from manuelh-dev/mahuber/conf-rootfs-nv-guest-pull
gpu: nvidia rootfs build with guest pull support
2025-10-17 16:08:05 +01:00
Manuel Huber
4ad8c31b5a gpu: build nv rootfs with guest pull support
While the local-build's folder's Makefile dependencies for the
confidential nvidia rootfs targets already declare the pause image
and coco-guest-components dependencies, the actual rootfs
composition does not contain the pause image bundle and relevant
certificates for guest pull. This change ensure the rootfs gets
composed with the relevant files.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-10-16 09:20:49 -07:00
Kevin Zhao
141070b388 Kata-deploy: Add kata-deploy set up for qemu-cca
Support launch qemu-cca in Kata-deploy.

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2025-10-16 17:24:52 +08:00
Kevin Zhao
af919686ab Kata-deploy: Add CCA firmware build support
runtime: pass firmware to CCA Realm

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2025-10-16 17:24:45 +08:00
Kevin Zhao
16e91bfb21 kata-deploy: Add support for Arm CCA Qemu build
The Qemu support is picked up from:
https://git.codelinaro.org/linaro/dcap/qemu.git, branch: cca/2025-04-16

More info regarding the CCA software stack dev and test, please refer
to link: https://linaro.atlassian.net/wiki/spaces/QEMU/pages/29051027459/Building+an+RME+stack+for+QEMU

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
2025-10-16 17:24:08 +08:00
Seunguk Shin
c7d5f207f1 kata-deploy: support build confidential rootfs and initrd for CCA
Also add cca-attester for coco-guest-component

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
Co-authored-by: Seunguk Shin <seunguk.shin@arm.com>
2025-10-16 17:24:03 +08:00
Seunguk Shin
40dac78412 kata-deploy: support build confidential kernel and shim-v2 for CCA
After supporting the Arm CCA, it will rely on the kernel kvm.h headers to build the
runtime. The kernel-headers currently quite new with the traditional one, so that we
rely on build the kernel header first and then inject it to the shim-v2 build container.

Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org>
Co-authored-by: Seunguk Shin <seunguk.shin@arm.com>
2025-10-16 17:23:58 +08:00
Manuel Huber
8221361915 gpu: Use variable to differentiate rootfs variants
With this change we namespace the stage one rootfs tarball name
and use the same name across all uses. This will help overcome
several subtle local build problems.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-10-15 12:39:44 +02:00
Aurélien Bombo
0c6fcde198 Merge pull request #11918 from fidencio/topic/builds-qemu-use-liburing-newer-than-2.2
builds: qemu: Use a liburing newer than 2.2
2025-10-14 10:17:16 -05:00
Fabiano Fidêncio
2ad81c4797 build: qemu: Fix cache logic
We need to ensure that any change on the Dockerfile (and its dir) leads
to the build being retriggered, rather than using the cached version.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-14 12:17:43 +02:00
Fabiano Fidêncio
2f73e34e33 builds: qemu: Use a liburing newer than 2.2
Due to a potential regression introduced by:
984a32f17e (565f3835aaed6321caab4f7c4f8560a687f6000b_379_386)

Reported-by: Aurélien Bombo <abombo@microsoft.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-14 12:17:28 +02:00
stevenhorsman
8ce714cf97 ci: Add protobuf-compiler dependencies
We are seeing more protoc related failures on the new
runners, so try adding the protobuf-compiler dependency
to these steps to see if it helps.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-10-14 10:58:58 +01:00
Fabiano Fidêncio
b0b0038689 versions: Bump QEMU to 10.1.1
QEMU 10.1.1 was released on October 8th, 2025, let's bump it on our
side.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-13 23:52:01 +02:00
Fabiano Fidêncio
fb43d3419f build: Fix nvidia kernel breakage
On commit 9602ba6ccc, from February this
year, we've introduced a check to ensure that the files needed for
signing the kernel build are present. However, we've noticed last week
that there were a reasonable amount of wrong assumptions with the
workflow. :-)

Zvonko fixed the majority of those, but this bit was left and it'd cause
breakages when using kernel that was cached ... although passing when
building new kernels.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-13 19:28:40 +02:00
Zvonko Kaiser
b00013c717 kernel: Add KBUILD_SIGN_PIN pass through
This is needed to the kernel setup picks up the correct
config values from our fragments directories.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-10-10 15:45:34 -04:00
Zvonko Kaiser
37bd5e3c9d gpu: Add kernel CONFIG check
We need to make sure that the kernel we're using has the
correct configs set, otherwise the module signing will not work.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-10-10 15:45:34 -04:00
Fabiano Fidêncio
496e255ea2 build: Fix KBUILD_SIGN_PIN usage
What was done in the past, trying to set the env var on the same step
it'd be used, simply does not work.

Instead, we need to properly set it through the `env` set up, as done
now.

We're also bumping the kata_config_version to ensure we retrigger the
kernel builds.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-10 15:25:10 +02:00
Fabiano Fidêncio
a1f90fe350 tests: k8s: Unify k8s TEE tests
There's no reason to have the code duplication between the SNP / TDX
tests for CoCo, as those are basically using the same configuration
nowadays.

Note that for the TEEs case, as the nydus-snapshotter is deployed by the
admin, once, instead of deploying it on every run ... I'm actually
removing the nydus-snapshotter steps so we make it clear that those
steps are not performed by the CI.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-10 09:51:59 +02:00
Zvonko Kaiser
91739d4425 gpu: PPCIE support DGX like systems
For DGX like systems we need additional binaries and libraries,
enable the Kata AND CoCo use-case.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>

Update tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-10-09 00:00:12 +00:00
Aurélien Bombo
07645cf58b ci: actionlint: Address issues and set as required
Address issues just introduced and set actionlint as a required by removing
the path filter.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-08 16:55:27 -05:00
Aurélien Bombo
b3a551d438 ci: zizmor: Reestablish as required test
We can re-require this now that we've addressed all the issues.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-08 16:55:27 -05:00
Fabiano Fidêncio
dbb1eb959c kata-deploy: Allow users to set experimental_force_guest_pull
For those who are not willing to use the nydus-snapshotter for pulling
the image inside the guest, let's allow them setting the
experimetal_force_guest_pull, introduced by Edgeless, as part of our
helm-chart.

This option can be set as:
_experimentalForceGuestPull: "qemu-tdx,qemu-coco-dev"

Which would them ensure that the configuration for `qemu-tdx` and
`qemu-coco-dev` would have the option enabled.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-08 17:43:09 +02:00
Fabiano Fidêncio
8c4bad68a8 kata-deploy: Remove kustomize yamls, rely on helm-chart only
As the kata-deploy helm chart has been the only way we've been testing
kata-containers deployment as part of our CI, it's time to finally get
rid of the kustomize yamls and avoid us having to maintain two different
methods (with one of those not being tested).

Here I removed:
* kata-deploy yamls and kustomize yamls
* kata-cleanup yamls and kustomize yamls
* kata-rbac yals and kustomize yamls
* README.md for the kustomize yamls was removed

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-08 16:54:19 +02:00
Zvonko Kaiser
59b4e3d3f8 gpu: Add CONFIG_FW_LOADER to the kernel
We need it for the newer CC kernel

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-10-08 10:01:27 +02:00
Zvonko Kaiser
7061f64db5 gpu: Fix confidential build
NVRC introduced the confidential feature flag and we
haven't updated the rootfs build to accomodate.
If rootfs_type==confidential user --feature=confidential

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-10-08 10:01:27 +02:00
Zvonko Kaiser
2260f66339 gpu: Some fixes regarding the rootfs v580
With the 580 driver version we need new dependencies
in the rootfs.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-10-08 10:01:27 +02:00
Szymon Klimek
8dc6b24e7d kata-deploy: accept 25.10 as supported distro for TDX
Canonical TDX release is not needed for vanilla Ubuntu 25.10 but
GRUB_CMDLINE_LINUX_DEFAULT needs to contain `nohibernate` and
`kvm_intel.tdx=1`

Signed-off-by: Szymon Klimek <szymon.klimek@intel.com>
2025-10-07 23:41:52 +02:00
Fabiano Fidêncio
000c9cce23 kata-deploy: chart: Add _experimentalSetupSnapshotter
Let's expose the EXPERIMENTAL_SETUP_SNAPSHOTTER script environment
variable to our chart, allowing then users of our helm chart to take
advantage of this experimental feature.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-07 10:32:46 +02:00
Fabiano Fidêncio
d6a1881b8b kata-deploy: scripts: Allow setting up multiple snapshotters
We may deploy in scenarios where we want to have both snapshotters set
up, sometimes even for simple test on which one behaves better.

With this in mind, let's allow EXTERNAL_SETUP_SNAPSHOTTER to receive a
comma separated list of snapshotters, such as:
```
EXPERIMENTAL_SETUP_SNAPSHOTTER="erofs,nydus"
```

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-07 10:32:46 +02:00
Fabiano Fidêncio
445af6c09b kata-deploy: scripts: Allow deploying erofs-snapshotters
Similarly to what's been done for the nydus-snapshotter, let's allow
users to have erofs-snapshotter set up by simply passing:
```
EXPERIMENTAL_SETUP_SNAPSHOTTER="erofs".
```

Mind that erofs, although a built-in containerd snapshotter, has system
depdencies that we will *NOT* install and it's up to the admin to do so.
These dependencies are:
* erofs-utils
* fsverity
* erofs module loaded

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-07 10:32:46 +02:00
Fabiano Fidêncio
2e0ce2f39f kata-deploy: scripts: Allow deploying nydus-snapshotter
Let's introduce a new EXPERIMENTAL_SETUP_SNAPSHOTTER environemnt
variable that, when set, allows kata-deploy to put the nydus snapshotter
in the correct place, and configure containerd accordingly.

Mind, this is a stop gap till the nydus-snapshotter helm chart is ready
to be used and behaving well enough to become a weak dependency of our
helm chart.  When that happens this code can be deleted entirely.

Users can have nydus-snapshotter deployed and configured for the
guest-pull use case by simply passing:
```
EXPERIMENTAL_SETUP_SNAPSHOTTER="nydus"
```

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-07 10:32:46 +02:00
Fabiano Fidêncio
1e2c86c068 kata-deploy: scripts: Only add conf file to the imports once
Otherwise we'd end up adding a the file several times, which could lead
to problems when removing the entry, leading to containerd not being
able to start due to an import file not being present.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-07 10:32:46 +02:00
Fabiano Fidêncio
300f7e686e build: Fix initramfs build
We have noticed in the CI that the `gen_init_cpio ...` was returning 255
and breaking the build. Why? I am not sure.

When chatting with Steve, he suggested to split the command, so it'd be
easier to see what's actually breaking. But guess what? There's no
breakage when we split the command.

So, let's try it out and see whether the CI passes after it.

If someone is willing to educate us on this one, please, that would be
helpful! :-)

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-02 20:58:22 +02:00
Zvonko Kaiser
2693daf503 gpu: Install dcgm export from the CUDA repo
Do not use the repo to install the exporter,
we rely on the version tested with Ubuntu <version>

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-10-02 18:05:13 +02:00
Zvonko Kaiser
56c6512781 gpu: Bump to noble and rearrange repos
Moving the CUDA repo to the top for all essential packages
and adding a repo priority favouring NVIDIA based repos.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-10-02 18:05:13 +02:00
Manuel Huber
e36f788570 kernel: add required configs for openvpn support
Currently, use of openvpn clients/servers is not possible in Kata UVMs.
Following error message can be expected:
ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)

To support opevpn scenarios using bridging and TAP, we enable various
kernel networking config options.

Signed-off-by: Manuel Huber <mahuber@microsoft.com>
2025-10-02 11:40:49 +02:00
Zvonko Kaiser
3743eb4cea gpu: Add ligcc for RUST libc=gnul builds
Since we cannot build all components with libc=musl and
static RUSTFLAG we still need to ship libcc for AA or other guest
components.

Without this change the guest components do not work and we see

/usr/local/bin/attestation-agent: error while loading shared
libraries: libgcc_s.so.1: cannot open shared object file: No such file or directory

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-09-26 15:08:58 -04:00
Aurélien Bombo
0b40ad066a gha: Set Zizmor check as non-required
As a consequence of moving away from Advanced Security for Zizmor, it now
checks the entire codebase and will error out on this PR and future.

To be reverted once we address all Zizmor findings in a future PR.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 10:50:49 -05:00
stevenhorsman
c2b0650491 release: Bump version to 3.21.0
Bump VERSION and helm-chart versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-23 20:59:00 +02:00
Steve Horsman
3e67f92e34 Merge commit from fork
Fix malicious host can circumvent initdata verification on TDX
2025-09-23 13:31:29 +01:00
Mikko Ylinen
5cb1332348 build: enable nvidia-attester for coco-guest-components
coco-guest-components tarball is used as is for both vanilla coco
rootfs and the nvidia enabled rootfs. nvidia-attester can be built
without nvml so make it globally enabled for coco-guest-components.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-09-23 12:38:32 +03:00
Zvonko Kaiser
e6f12d8f86 gpu: Add latest driver per default
Lets make sure that we use latest driver for CI and release.
There was a sort step missing.

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-09-20 23:50:35 +00:00
Fabiano Fidêncio
54e8081222 qemu: Fix submodules location change
The submodule change led to a breakage on our build of QEMU.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-20 22:12:27 +02:00
Fabiano Fidêncio
d056fb20fe initramfs: Enforce --panic-on-corruption for veritysetup
Let's enforce an error on veritysetup in case there's any tampering with
the rootfs.

Signed-off-by: Fabiano Fidêncio <fidencio@northflank.com>
2025-09-16 21:35:00 +02:00
Mikko Ylinen
86fe419774 versions: update kernel-confidential to Linux v6.16.7
update to the latest available v6.16 stable series kernel for CoCo.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-09-15 20:29:22 +02:00
Fabiano Fidêncio
d741544fa6 kata-deploy: Don't fail if the runtimeclass is already deleted
I've hit this when using a machine with slow internet connection, which
took ages to download the kata-cleanup image, and then helm timed out in
the middle of the cleanup, leading to the cleanup job being restarted
and then bailing with an error as the runtimeclasses that kata-deploy
tries to delete were already deleted.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-09-15 15:27:54 +02:00
Alex Tibbles
66a3d4b4a2 versions: bump kernel to 6.12.47
Update LTS kernel to latest.

Signed-off-by: Alex Tibbles <alex@bleg.org>
2025-09-15 14:19:48 +02:00
Alex Tibbles
710c117a24 version: Bump QEMU to v10.1.0
A minor release of QEMU is out, so update to it for fixes and features.

QEMU changelog: https://wiki.qemu.org/ChangeLog/10.1

Notes:
* AVX support is not an option to be enabled / disabled anymore.
* Passt requires Glibc 2.40.+, which means a dependency on Ubuntu 25.04
  or newer, thus we're disabling it.

Signed-off-by: Alex Tibbles <alex@bleg.org>
2025-09-15 14:19:25 +02:00
Dan Mihai
5d59341f7f Merge pull request #11780 from ryansavino/snp-guest-kernel-upgrade-issue
packaging: add required modules for confidential guest kernel
2025-09-10 18:21:26 -07:00
Ruoqing He
6a2d813196 ci: gatekeeper: Mark make test libs not required
There are still some issues to be address before we can mark `make test`
for `libs` as required. Mark this case as not required temporarily.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-09-10 03:52:20 +00:00