Merge pull request #5120 from Alex-Carter01/initrd-efi-dep

CC, packaging: add sev-initrd target, and add efi_secret module to sev's initrd
2026-01-19 14:24:26 +01:00 · 2022-09-14 08:03:55 -03:00
parent 9b49a6ddc6 69230fac97
commit 895150e383
5 changed files with 48 additions and 20 deletions
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@@ -17,6 +17,9 @@ readonly packaging_root_dir="$(cd "${script_dir}/../" && pwd)"
 readonly repo_root_dir="$(cd "${script_dir}/../../../" && pwd)"
 readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)"

+patches_path=""
+readonly default_patches_dir="${packaging_root_dir}/kernel/patches"
+
 export GOPATH=${GOPATH:-${HOME}/go}
 source "${packaging_root_dir}/scripts/lib.sh"

@@ -32,7 +35,17 @@ build_initrd() {
 	export USE_DOCKER=1
 	export AGENT_INIT="yes"
 	# ROOTFS_BUILD_DEST is a Make variable
-	sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}"
+
+	if [ -z "${AA_KBC}" == "offline_sev_kbc" ]; then
+		config_version=$(get_config_version)
+		kernel_version="$(get_from_kata_deps "assets.kernel.sev.version")"
+		kernel_version=${kernel_version#v}
+		module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/cc-sev-kernel/builddir/kata-linux-${kernel_version}-${config_version}/lib/modules/${kernel_version}"
+		sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}" KERNEL_MODULES_DIR="${module_dir}"
+	else
+		sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}"
+	fi
+
 	if [ -n "${INCLUDE_ROOTFS:-}" ]; then
 		sudo cp -RL --preserve=mode "${INCLUDE_ROOTFS}/." "${rootfs_build_dest}/${initrd_distro}_rootfs/"
 	fi
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -89,7 +89,8 @@ cc: cc-cloud-hypervisor-tarball \
 	cc-tdx-qemu-tarball \
 	cc-tdx-td-shim-tarball \
 	cc-tdx-tdvf-tarball \
-	cc-sev-ovmf-tarball
+	cc-sev-ovmf-tarball \
+	cc-sev-rootfs-initrd-tarball

 cc-cloud-hypervisor-tarball:
 	${MAKE} $@-build
@@ -103,6 +104,9 @@ cc-qemu-tarball:
 cc-rootfs-image-tarball:
 	${MAKE} $@-build

+cc-sev-rootfs-initrd-tarball: cc-sev-kernel-tarball
+	${MAKE} $@-build
+
 cc-shim-v2-tarball:
 	${MAKE} $@-build

--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -90,6 +90,7 @@ options:
 	cc-qemu
 	cc-tdx-qemu
 	cc-rootfs-image
+	cc-sev-initrd-image
 	cc-shimv2
 	cc-virtiofsd
 	cc-sev-ovmf
@@ -113,13 +114,20 @@ install_cc_clh() {

 #Install cc capable guest image
 install_cc_image() {
+	export AA_KBC="${1:-offline_fs_kbc}"
+	image_type="${2:-image}"
 	export SKOPEO="${SKOPEO:-yes}"
 	export UMOCI=yes
-	export AA_KBC="offline_fs_kbc"
 	export KATA_BUILD_CC=yes

 	info "Create CC image configured with SKOPEO=${SKOPEO} UMOCI=${UMOCI} AA_KBC=${AA_KBC}"
-	"${rootfs_builder}" --imagetype=image --prefix="${cc_prefix}" --destdir="${destdir}"
+	"${rootfs_builder}" --imagetype="${image_type}" --prefix="${cc_prefix}" --destdir="${destdir}"
+}
+
+install_cc_sev_image() {
+	AA_KBC="offline_sev_kbc"
+	image_type="initrd"
+	install_cc_image "${AA_KBC}" "${image_type}"
 }

 #Install CC kernel asset
@@ -316,6 +324,7 @@ handle_build() {
 		install_cc_image
 		install_cc_shimv2
 		install_cc_virtiofsd
+		install_cc_sev_image
 		;;

 	cc-cloud-hypervisor) install_cc_clh ;;
@@ -326,6 +335,8 @@ handle_build() {

 	cc-rootfs-image) install_cc_image ;;

+	cc-sev-initrd-image) install_cc_sev_image ;;
+
 	cc-shim-v2) install_cc_shimv2 ;;

 	cc-virtiofsd) install_cc_virtiofsd ;;
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -331,22 +331,6 @@ get_default_kernel_config() {
 	echo "${config}"
 }

-get_config_and_patches() {
-	if [ -z "${patches_path}" ]; then
-		patches_path="${default_patches_dir}"
-	fi
-}
-
-get_config_version() {
-	get_config_and_patches
-	config_version_file="${default_patches_dir}/../kata_config_version"
-	if [ -f "${config_version_file}" ]; then
-		cat "${config_version_file}"
-	else
-		die "failed to find ${config_version_file}"
-	fi
-}
-
 setup_kernel() {
 	local kernel_path=${1:-}
 	[ -n "${kernel_path}" ] || die "kernel_path not provided"
--- a/tools/packaging/scripts/lib.sh
+++ b/tools/packaging/scripts/lib.sh
@@ -97,3 +97,19 @@ get_kata_hash() {
 	ref=$2
 	git ls-remote --heads --tags "https://github.com/${project}/${repo}.git" | grep "${ref}" | awk '{print $1}'
 }
+
+get_config_and_patches() {
+	if [ -z "${patches_path}" ]; then
+		patches_path="${default_patches_dir}"
+	fi
+}
+
+get_config_version() {
+	get_config_and_patches
+	config_version_file="${default_patches_dir}/../kata_config_version"
+	if [ -f "${config_version_file}" ]; then
+		cat "${config_version_file}"
+	else
+		die "failed to find ${config_version_file}"
+	fi
+}