kata-containers/tools/packaging/kernel/configs
Fabiano Fidêncio cce5d4abf6 kernel: bump to v6.18.x (LTS)
Bump both the kernel and kernel-confidential versions from v6.12.x and
v6.16.x to v6.18.4, aligning with the new LTS release.

Kernel 6.18 introduced several configuration changes that required
updates to our kernel config fragments:

* CRYPTO_FIPS dependencies changed:
  - In 6.12: depended on !CRYPTO_MANAGER_DISABLE_TESTS
  - In 6.18: now depends on CRYPTO_SELFTESTS (which requires EXPERT)
  Added CONFIG_EXPERT=y and CONFIG_CRYPTO_SELFTESTS=y to crypto.conf
  to satisfy the new dependency chain.
  * CONFIG_EXPERT is a naughty one, as it disables / enables a bunch
    of things behind one's back, probably just to prove a point that
    it is for experts ;-) ... regardless, a reasonable amount of
    options had to be re-added in order to make sure anything ends
    up broken.

* Legacy iptables support:
  Kernel 6.18 requires explicit legacy xtables/iptables configs for
  IP_NF_* options. Added CONFIG_NETFILTER_XTABLES_LEGACY,
  CONFIG_IP_NF_IPTABLES_LEGACY, and CONFIG_IP6_NF_IPTABLES_LEGACY
  to netfilter.conf.

* Module signing dependencies:
  Added CONFIG_MODULES=y and other required dependencies to
  module_signing.conf to ensure MODULE_SIG can be properly enabled.

* Whitelist updates:
  - Added CONFIG_NF_CT_PROTO_DCCP (removed in 6.18+)
  - Added CONFIG_CRYPTO_SELFTESTS, CONFIG_NETFILTER_XTABLES_LEGACY,
    CONFIG_IP_NF_IPTABLES_LEGACY, CONFIG_IP6_NF_IPTABLES_LEGACY
    (added in 6.18+, not present in older kernels like 6.12)

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-01-14 11:46:40 +01:00

Kata Containers kernel config files

This directory contains Linux Kernel config files used to configure Kata Containers VM kernels.

Types of config files

This directory holds config files for the Kata Linux Kernel in two forms:

  • A tree of config file fragments in the fragments sub-folder, that are constructed into a complete config file using the kernel scripts/kconfig/merge_config.sh script.
  • As complete config files that can be used as-is.

Kernel config fragments are the preferred method of constructing .config files to build Kata Containers kernels, due to their improved clarity and ease of maintenance over single file monolithic .configs.

How to use config files

The recommended way to set up a kernel tree, populate it with a relevant .config file, and build a kernel is to use the build-kernel.sh script. For example:

$ ./build-kernel.sh setup

The build-kernel.sh script understands both full and fragment based config files.

Run ./build-kernel.sh help for more information.

How to modify config files

Complete config files can be modified either with an editor, or preferably using the kernel Kconfig configuration tools, for example:

$ cp x86_kata_kvm_4.14.x linux-4.14.22/.config
$ pushd linux-4.14.22
$ make menuconfig
$ popd
$ cp linux-4.14.22/.config x86_kata_kvm_4.14.x

Kernel fragments are best constructed using an editor. Tools such as grep and diff can help find the differences between two config files to be placed into a fragment.

If adding config entries for a new subsystem or feature, consider making a new fragment with an appropriately descriptive name.

If you want to disable an entire fragment for a specific configuration, you can add the tag # !${arch} or # !confidential in the first line of the fragment. You can also exclude multiple tags on the same line. Note the # at the beginning of the line: it is required so that the tag is not interpreted as a configuration entry. Example of a valid exclusion:

# !s390x !ppc64le

The fragment gathering tool performs some basic sanity checks, and build-kernel.sh will fail and report the error in the following cases:

  • A duplicate CONFIG symbol appearing.
  • A CONFIG symbol being in a fragment, but not appearing in the final .config.
    • This indicates that the CONFIG symbol is not part of the kernel Kconfig setup, which can point to a typing mistake in the name of the symbol.
  • A CONFIG symbol appearing in the fragments with multiple different values.
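
The three failure cases and the exclusion tag described above, re-implemented as an added example (this is not the code in build-kernel.sh). It assumes fragments hold only CONFIG_X=value lines; the function names, the misspelled CONFIG_EXPRT symbol and the sample fragments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Kata's tooling: function names and sample data are constructed.

# Succeed when FILE ($1) opens with a "# !tag ..." line that lists TAG ($2).
fragment_excluded() {
    head -n 1 "$1" | awk -v tag="!$2" '
        /^#/ { for (i = 2; i <= NF; i++) if ($i == tag) found = 1 }
        END  { exit (found ? 0 : 1) }'
}

# check_fragments FINAL_CONFIG TAG FRAGMENT...
# Prints "duplicate|conflict|missing SYMBOL" per finding; non-zero status on any.
check_fragments() {
    final=$1 tag=$2; shift 2
    kept=""
    for f in "$@"; do
        fragment_excluded "$f" "$tag" || kept="$kept $f"
    done
    [ -n "$kept" ] || return 0
    # $kept is split on purpose; the sample paths contain no whitespace.
    awk -F= -v final="$final" '
        function report(kind, sym) { print kind, sym; bad = 1 }
        BEGIN { while ((getline l < final) > 0)
                    if (l ~ /^CONFIG_[A-Za-z0-9_]+=/) { split(l, kv, "="); infinal[kv[1]] = 1 } }
        /^CONFIG_[A-Za-z0-9_]+=/ {
            v = substr($0, length($1) + 2)          # everything after the first "="
            if (!($1 in seen)) { seen[$1] = v; if (!($1 in infinal)) report("missing", $1) }
            else report((seen[$1] == v) ? "duplicate" : "conflict", $1)
        }
        END { exit (bad ? 1 : 0) }' $kept
}

# Constructed sample: four fragments plus the merged .config they should produce.
make_sample() {
    printf '%s\n' CONFIG_EXPERT=y CONFIG_CRYPTO_SELFTESTS=y > "$1/crypto.conf"
    printf '%s\n' CONFIG_MODULES=y CONFIG_EXPERT=y > "$1/module_signing.conf"
    printf '%s\n' CONFIG_NETFILTER_XTABLES_LEGACY=y CONFIG_EXPRT=y > "$1/netfilter.conf"
    printf '%s\n' '# !x86_64' CONFIG_MODULES=n > "$1/nomodules.conf"
    printf '%s\n' CONFIG_EXPERT=y CONFIG_CRYPTO_SELFTESTS=y CONFIG_MODULES=y \
        CONFIG_NETFILTER_XTABLES_LEGACY=y > "$1/.config"
}

sample=$(mktemp -d) && make_sample "$sample"
check_fragments "$sample/.config" x86_64 "$sample"/*.conf || echo "sanity check failed"
```

Running the same check with the tag s390x also reports a conflict on CONFIG_MODULES, because nomodules.conf is only excluded for x86_64.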