Merge pull request #12647 from sprt/gp-improve

genpolicy: Improve emptyDir storage options and mount point validation
gpu: Obsolete the NVIDIA initrd build
2026-03-17 10:12:24 +00:00 · 2026-03-17 13:56:42 +08:00 · 2026-03-16 21:29:58 -04:00 · 2026-03-10 11:22:10 -05:00
8 changed files with 6 additions and 48 deletions
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -168,8 +168,6 @@ jobs:
          - rootfs-image-nvidia-gpu-confidential
          - rootfs-initrd
          - rootfs-initrd-confidential
-          - rootfs-initrd-nvidia-gpu
-          - rootfs-initrd-nvidia-gpu-confidential
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -152,7 +152,6 @@ jobs:
          - rootfs-image
          - rootfs-image-nvidia-gpu
          - rootfs-initrd
-          - rootfs-initrd-nvidia-gpu
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -65,8 +65,6 @@ INITRDCONFIDENTIALNAME = $(PROJECT_TAG)-initrd-confidential.img

 IMAGENAME_NV = $(PROJECT_TAG)-nvidia-gpu.img
 IMAGENAME_CONFIDENTIAL_NV = $(PROJECT_TAG)-nvidia-gpu-confidential.img
-INITRDNAME_NV = $(PROJECT_TAG)-initrd-nvidia-gpu.img
-INITRDNAME_CONFIDENTIAL_NV = $(PROJECT_TAG)-initrd-nvidia-gpu-confidential.img

 TARGET = $(BIN_PREFIX)-runtime
 RUNTIME_OUTPUT = $(CURDIR)/$(TARGET)
@@ -136,8 +134,6 @@ INITRDCONFIDENTIALPATH := $(PKGDATADIR)/$(INITRDCONFIDENTIALNAME)

 IMAGEPATH_NV := $(PKGDATADIR)/$(IMAGENAME_NV)
 IMAGEPATH_CONFIDENTIAL_NV := $(PKGDATADIR)/$(IMAGENAME_CONFIDENTIAL_NV)
-INITRDPATH_NV := $(PKGDATADIR)/$(INITRDNAME_NV)
-INITRDPATH_CONFIDENTIAL_NV := $(PKGDATADIR)/$(INITRDNAME_CONFIDENTIAL_NV)

 ROOTFSTYPE_EXT4 := \"ext4\"
 ROOTFSTYPE_XFS := \"xfs\"
@@ -656,10 +652,6 @@ USER_VARS += IMAGENAME_NV
 USER_VARS += IMAGENAME_CONFIDENTIAL_NV
 USER_VARS += IMAGEPATH_NV
 USER_VARS += IMAGEPATH_CONFIDENTIAL_NV
-USER_VARS += INITRDNAME_NV
-USER_VARS += INITRDNAME_CONFIDENTIAL_NV
-USER_VARS += INITRDPATH_NV
-USER_VARS += INITRDPATH_CONFIDENTIAL_NV
 USER_VARS += KERNELNAME_NV
 USER_VARS += KERNELPATH_NV
 USER_VARS += KERNELNAME_CONFIDENTIAL_NV
--- a/src/tools/genpolicy/genpolicy-settings.json
+++ b/src/tools/genpolicy/genpolicy-settings.json
@@ -173,7 +173,7 @@
                "encryption_key=ephemeral"
            ],
            "source": "",
-            "mount_point": "^$(spath)/$(b64_device_id)$",
+            "mount_point": "$(spath)/$(b64_device_id)",
            "fstype": "ext4",
            "options": [],
            "shared": true
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -1306,6 +1306,7 @@ allow_storage_source(p_storage, i_storage, bundle_id) if {
 allow_storage_options(p_storage, i_storage) if {
    print("allow_storage_options 1: start")

+    p_storage.driver != "blk"
    p_storage.driver != "overlayfs"
    p_storage.options == i_storage.options

@@ -1389,7 +1390,7 @@ allow_mount_point_by_device_id(p_storage, i_storage) if {
    mount3 := replace(mount2, "$(b64_device_id)", base64url.encode(i_storage.source))
    print("allow_mount_point_by_device_id: mount3 =", mount3)

-    regex.match(mount3, i_storage.mount_point)
+    mount3 == i_storage.mount_point

    print("allow_mount_point_by_device_id: true")
 }
--- a/src/tools/genpolicy/src/mount_and_storage.rs
+++ b/src/tools/genpolicy/src/mount_and_storage.rs
@@ -168,10 +168,10 @@ fn get_empty_dir_mount_and_storage(
            source: settings_empty_dir.source.clone(),
            fstype: settings_empty_dir.fstype.clone(),
            options,
-            mount_point: if settings_empty_dir.mount_point.ends_with('$') {
-                settings_empty_dir.mount_point.clone()
-            } else {
+            mount_point: if settings_empty_dir.mount_point.ends_with('/') {
                format!("{}{}$", &settings_empty_dir.mount_point, &yaml_mount.name)
+            } else {
+                settings_empty_dir.mount_point.clone()
            },
            fs_group: protobuf::MessageField::none(),
            shared: settings_empty_dir.shared,
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -191,15 +191,9 @@ rootfs-initrd-tarball: agent-tarball
 rootfs-image-nvidia-gpu-tarball: agent-tarball busybox-tarball kernel-nvidia-gpu-tarball
 	${MAKE} $@-build

-rootfs-initrd-nvidia-gpu-tarball: agent-tarball busybox-tarball kernel-nvidia-gpu-tarball
-	${MAKE} $@-build
-
 rootfs-image-nvidia-gpu-confidential-tarball: agent-tarball busybox-tarball pause-image-tarball coco-guest-components-tarball kernel-nvidia-gpu-tarball
 	${MAKE} $@-build

-rootfs-initrd-nvidia-gpu-confidential-tarball: agent-tarball busybox-tarball pause-image-tarball coco-guest-components-tarball kernel-nvidia-gpu-tarball
-	${MAKE} $@-build
-
 rootfs-cca-confidential-image-tarball: agent-tarball pause-image-tarball coco-guest-components-tarball kernel-cca-confidential-tarball
 	${MAKE} $@-build

--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -607,16 +607,6 @@ install_image_nvidia_gpu() {
 	install_image "nvidia-gpu"
 }

-# Install NVIDIA GPU initrd
-install_initrd_nvidia_gpu() {
-	export AGENT_POLICY
-	export MEASURED_ROOTFS="no"
-	local version=$(get_from_kata_deps .externals.nvidia.driver.version)
-	EXTRA_PKGS="apt curl ${EXTRA_PKGS}"
-	NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"driver=${version},compute,dcgm,nvswitch"}
-	install_initrd "nvidia-gpu"
-}
-
 # Instal NVIDIA GPU confidential image
 install_image_nvidia_gpu_confidential() {
 	export CONFIDENTIAL_GUEST="yes"
@@ -628,18 +618,6 @@ install_image_nvidia_gpu_confidential() {
 	install_image "nvidia-gpu-confidential"
 }

-# Install NVIDIA GPU confidential initrd
-install_initrd_nvidia_gpu_confidential() {
-	export CONFIDENTIAL_GUEST="yes"
-	export AGENT_POLICY
-	export MEASURED_ROOTFS="no"
-	local version=$(get_from_kata_deps .externals.nvidia.driver.version)
-	EXTRA_PKGS="apt curl ${EXTRA_PKGS}"
-	NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"driver=${version},compute,dcgm,nvswitch"}
-	install_initrd "nvidia-gpu-confidential"
-}
-
-
 install_se_image() {
 	info "Create IBM SE image configured with AA_KBC=${AA_KBC}"
 	"${se_image_builder}" --destdir="${destdir}"
@@ -1383,12 +1361,8 @@ handle_build() {

 	rootfs-image-nvidia-gpu) install_image_nvidia_gpu ;;

-	rootfs-initrd-nvidia-gpu) install_initrd_nvidia_gpu ;;
-
 	rootfs-image-nvidia-gpu-confidential) install_image_nvidia_gpu_confidential ;;

-	rootfs-initrd-nvidia-gpu-confidential) install_initrd_nvidia_gpu_confidential ;;
-
 	rootfs-cca-confidential-image) install_image_confidential ;;

 	rootfs-cca-confidential-initrd) install_initrd_confidential ;;