From fa11294b0fec1640539972fbc7c84bcf4563b4aa Mon Sep 17 00:00:00 2001
From: Alex Carter
Date: Tue, 30 Aug 2022 20:12:02 +0000
Subject: [PATCH 1/2] packaging: add CC's sev-initrd target
Adds a make target, and a function in the kata-deploy-binaries script. In the spirit of avoiding code duplication, making the cc-initrd function more generic.
Fixes: #5118
Signed-Off-By: Alex Carter
---
 tools/packaging/kata-deploy/local-build/Makefile | 6 +++++-
 .../local-build/kata-deploy-binaries.sh | 15 +++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index 4f1239c24..b9ed149c7 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -89,7 +89,8 @@ cc: cc-cloud-hypervisor-tarball \
 cc-tdx-qemu-tarball \
 cc-tdx-td-shim-tarball \
 cc-tdx-tdvf-tarball \
- cc-sev-ovmf-tarball
+ cc-sev-ovmf-tarball \
+ cc-sev-rootfs-initrd-tarball
 cc-cloud-hypervisor-tarball:
 ${MAKE} $@-build
@@ -103,6 +104,9 @@ cc-qemu-tarball:
 cc-rootfs-image-tarball:
 ${MAKE} $@-build
+cc-sev-rootfs-initrd-tarball: cc-sev-kernel-tarball
+ ${MAKE} $@-build
+
 cc-shim-v2-tarball:
 ${MAKE} $@-build
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index ef7d15b26..9331b333d 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -90,6 +90,7 @@ options:
 cc-qemu
 cc-tdx-qemu
 cc-rootfs-image
+ cc-sev-initrd-image
 cc-shimv2
 cc-virtiofsd
 cc-sev-ovmf
@@ -113,13 +114,20 @@ install_cc_clh() {
 #Install cc capable guest image
 install_cc_image() {
+ export AA_KBC="${1:-offline_fs_kbc}"
+ image_type="${2:-image}"
 export SKOPEO="${SKOPEO:-yes}"
 export UMOCI=yes
- export AA_KBC="offline_fs_kbc"
 export KATA_BUILD_CC=yes
 info "Create CC image configured with SKOPEO=${SKOPEO} UMOCI=${UMOCI} AA_KBC=${AA_KBC}"
- "${rootfs_builder}" --imagetype=image --prefix="${cc_prefix}" --destdir="${destdir}"
+ "${rootfs_builder}" --imagetype="${image_type}" --prefix="${cc_prefix}" --destdir="${destdir}"
+}
+
+install_cc_sev_image() {
+ AA_KBC="offline_sev_kbc"
+ image_type="initrd"
+ install_cc_image "${AA_KBC}" "${image_type}"
 }
 #Install CC kernel asset
@@ -316,6 +324,7 @@ handle_build() {
 install_cc_image
 install_cc_shimv2
 install_cc_virtiofsd
+ install_cc_sev_image
 ;;
 cc-cloud-hypervisor)
 install_cc_clh
 ;;
@@ -326,6 +335,8 @@ handle_build() {
 cc-rootfs-image)
 install_cc_image
 ;;
+ cc-sev-initrd-image) install_cc_sev_image ;; + cc-shim-v2) install_cc_shimv2 ;; cc-virtiofsd) install_cc_virtiofsd ;;
From 69230fac976b35d8918a4a623dd4234c57fe5744 Mon Sep 17 00:00:00 2001
From: Alex Carter
Date: Thu, 1 Sep 2022 17:14:09 +0000
Subject: [PATCH 2/2] packaging: add efi secret module to rootfs for sev
Adds the efi_secret kernel module to the sev initrd. Adds a rootfs flag for kernel module based on the AA_KBC. Finding the kernel module in the local build based on kernel version and kernel config version. Moved kernel config version checking function from kernel builder to lib script.
Fixes: #5118
Signed-Off-By: Alex Carter
---
 tools/packaging/guest-image/build_image.sh | 15 ++++++++++++++-
 tools/packaging/kernel/build-kernel.sh | 16 ----------------
 tools/packaging/scripts/lib.sh | 16 ++++++++++++++++
 3 files changed, 30 insertions(+), 17 deletions(-)
diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
index c3133c366..05d783de8 100755
--- a/tools/packaging/guest-image/build_image.sh
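Review bot: `image_type="${2:-image}"` in install_cc_image and the two assignments in install_cc_sev_image are plain global assignments, so after either call `image_type` and `AA_KBC` stay set for the rest of the script; the `cc)` arm in handle_build runs install_cc_image and then install_cc_sev_image and presumably depends on that ordering to end up with the SEV value exported. Declaring the temporary as `local image_type="${2:-image}"` and passing literals straight through, `install_cc_image "offline_sev_kbc" "initrd"`, removes the shared state, while `export AA_KBC=…` inside install_cc_image must stay because build_image.sh reads it from the environment in the second patch. A header comment on install_cc_image stating the new contract, `# $1: AA_KBC value (default offline_fs_kbc); $2: --imagetype value (default image)`, would also help since the function is now called with arguments from one place and without from another.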
+++ b/tools/packaging/guest-image/build_image.sh
@@ -17,6 +17,9 @@ readonly packaging_root_dir="$(cd "${script_dir}/../" && pwd)"
 readonly repo_root_dir="$(cd "${script_dir}/../../../" && pwd)"
 readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)"
+patches_path=""
+readonly default_patches_dir="${packaging_root_dir}/kernel/patches"
+
 export GOPATH=${GOPATH:-${HOME}/go}
 source "${packaging_root_dir}/scripts/lib.sh"
@@ -32,7 +35,17 @@ build_initrd() {
 export USE_DOCKER=1
 export AGENT_INIT="yes"
 # ROOTFS_BUILD_DEST is a Make variable
- sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}"
+
+ if [ -z "${AA_KBC}" == "offline_sev_kbc" ]; then
+ config_version=$(get_config_version)
+ kernel_version="$(get_from_kata_deps "assets.kernel.sev.version")"
+ kernel_version=${kernel_version#v}
+ module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/cc-sev-kernel/builddir/kata-linux-${kernel_version}-${config_version}/lib/modules/${kernel_version}"
+ sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}" KERNEL_MODULES_DIR="${module_dir}"
+ else
+ sudo -E PATH="$PATH" make rootfs ROOTFS_BUILD_DEST="${rootfs_build_dest}"
+ fi
+
 if [ -n "${INCLUDE_ROOTFS:-}" ]; then
 sudo cp -RL --preserve=mode "${INCLUDE_ROOTFS}/." "${rootfs_build_dest}/${initrd_distro}_rootfs/"
 fi
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index 28989f8c0..f617276ad 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
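Review bot: `patches_path=""` and `default_patches_dir` are added at file scope but nothing in build_image.sh reads them; they only exist so that get_config_and_patches and get_config_version, which this series moves into scripts/lib.sh and which read both names as globals, can work when called from build_initrd. Without a comment the next maintainer will read them as dead code, so annotate them, e.g. `# read as globals by get_config_version() in scripts/lib.sh; must be set before lib.sh is sourced`. They are placed before the `source` line, which is the order that dependency requires.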
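Review bot: The new condition `if [ -z "${AA_KBC}" == "offline_sev_kbc" ]; then` is not a well-formed test: `-z` takes a single operand, so `[` is handed the extra `==` and string arguments, reports too many arguments and fails, which means the else branch runs every time and `KERNEL_MODULES_DIR` is never passed to `make rootfs` — the SEV initrd this commit is meant to give the efi_secret module is built without it, with only a `[: too many arguments` line in the build log to show why; if the script runs under `set -u`, an unset AA_KBC aborts the build instead. The line should read `if [ "${AA_KBC:-}" == "offline_sev_kbc" ]; then`. Since `module_dir` is a fixed path under the local-build tree that exists only after cc-sev-kernel-tarball has run, a guard before the make call, `[ -d "${module_dir}" ] || die "kernel modules dir not found: ${module_dir}"` (die as used in lib.sh), turns a silent initrd-without-modules into a build failure. build_initrd begins before this hunk and continues past it.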
@@ -331,22 +331,6 @@ get_default_kernel_config() {
 echo "${config}"
 }
-get_config_and_patches() {
- if [ -z "${patches_path}" ]; then
- patches_path="${default_patches_dir}"
- fi
-}
-
-get_config_version() {
- get_config_and_patches
- config_version_file="${default_patches_dir}/../kata_config_version"
- if [ -f "${config_version_file}" ]; then
- cat "${config_version_file}"
- else
- die "failed to find ${config_version_file}"
- fi
-}
-
 setup_kernel() {
 local kernel_path=${1:-}
 [ -n "${kernel_path}" ] || die "kernel_path not provided"
diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh
index d53159a8c..640b1b79e 100644
--- a/tools/packaging/scripts/lib.sh
+++ b/tools/packaging/scripts/lib.sh
@@ -97,3 +97,19 @@ get_kata_hash() {
 ref=$2
 git ls-remote --heads --tags "https://github.com/${project}/${repo}.git" | grep "${ref}" | awk '{print $1}'
 }
+
+get_config_and_patches() {
+ if [ -z "${patches_path}" ]; then
+ patches_path="${default_patches_dir}"
+ fi
+}
+
+get_config_version() {
+ get_config_and_patches
+ config_version_file="${default_patches_dir}/../kata_config_version"
+ if [ -f "${config_version_file}" ]; then
+ cat "${config_version_file}"
+ else
+ die "failed to find ${config_version_file}"
+ fi
+}
\ No newline at end of file
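Review bot: get_config_version now lives in a shared library but still reads `default_patches_dir` and `patches_path` as undeclared globals, so any script that sources lib.sh without defining them either aborts with an unbound-variable error under `set -u` or, without it, looks up `/../kata_config_version` and dies with a path that hides the real cause. Stating the contract at the top of the function, `: "${default_patches_dir:?must be set by the sourcing script}"`, fails early with a clear message, and `config_version_file` should be declared `local` rather than leaking into the caller's namespace. A short header comment naming the two globals the function expects would document the same for readers of lib.sh. The new file also ends without a trailing newline (`\ No newline at end of file`).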