From 8b2f43a2c2049a9f5ac9a9d8844b11f4dbfc39d6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 8 Jan 2024 13:11:42 -0300
Subject: [PATCH] build: Add "confidential" kernel
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We're using a Kernel based on v6.7, which should include all te patches needed for SEV / SNP / TDX. By doing this, later on, we'll be able to stop building the specific kernel for each one of the targets we have for the TEEs. Let's note that we've introduced the "confidential" target for the kernel builder script, while the TEE specific builds are being kept as they're -- at least for now.
Signed-off-by: Fabiano FidĂȘncio
---
 .../build-kata-static-tarball-amd64.yaml | 1 +
 .../kata-deploy/local-build/Makefile | 4 +++
 .../local-build/kata-deploy-binaries.sh | 25 ++++++++++++++++---
 tools/packaging/kernel/build-kernel.sh | 6 ++---
 .../fragments/x86_64/confidential/sev.conf | 1 +
 .../fragments/x86_64/confidential/snp.conf | 1 +
 .../fragments/x86_64/confidential/tdx.conf | 1 +
 tools/packaging/kernel/kata_config_version | 2 +-
 .../kernel/patches/6.7.x/no_patches.txt | 0
 versions.yaml | 4 +++
 10 files changed, 37 insertions(+), 8 deletions(-)
 create mode 120000 tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
 create mode 120000 tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
 create mode 120000 tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
 create mode 100644 tools/packaging/kernel/patches/6.7.x/no_patches.txt
diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index 41ca2cc8b..a58ebb088 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -35,6 +35,7 @@ jobs:
 - firecracker
 - kata-ctl
 - kernel
+ - kernel-confidential
 - kernel-sev
 - kernel-dragonball-experimental
 - kernel-tdx-experimental
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index b2de80dac..21ad3626d 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -20,6 +20,7 @@ endif
 ifeq ($(ARCH), x86_64)
 BASE_TARBALLS = serial-targets \
 firecracker-tarball \
+ kernel-confidential-tarball \
 kernel-dragonball-experimental-tarball \
 kernel-nvidia-gpu-tarball \
 kernel-nvidia-gpu-snp-tarball \
@@ -110,6 +111,9 @@ kernel-nvidia-gpu-tdx-experimental-tarball:
 kernel-tarball:
 ${MAKE} $@-build
+kernel-confidential-tarball:
+ ${MAKE} $@-build
+
 kernel-tdx-experimental-tarball:
 ${MAKE} $@-build
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index f02302907..8f0c2dd63 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -92,6 +92,7 @@ options:
 firecracker
 kata-ctl
 kernel
+ kernel-confidential
 kernel-dragonball-experimental
 kernel-experimental
 kernel-nvidia-gpu
@@ -280,7 +281,7 @@ install_cached_kernel_tarball_component() {
 "${final_tarball_path}" \
 || return 1
- if [[ "${kernel_name}" != "kernel-sev" ]]; then
+ if [[ "${kernel_name}" != "kernel-sev" ]] && [[ "${kernel_name}" != "kernel-confidential" ]]; then
 return 0
 fi
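Review bot: `kernel-confidential-tarball` is a command target rather than a file, yet the hunk does not show it being added to a `.PHONY` list; if this Makefile declares its `*-tarball` targets phony somewhere outside the hunk, the new target needs the same entry, otherwise a stray file of that name would make it look up to date and silently skip the build. The recipe itself mirrors the sibling `kernel-tarball:` rule (`${MAKE} $@-build`), so nothing else in the rule needs to change. A one-line `## build the SEV/SNP/TDX kernel tarball` comment on the target would also document what distinguishes it from `kernel-tarball`.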
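Review bot: The early return now hard-codes a second kernel name, and the same `kernel-sev`/`kernel-confidential` pair is re-encoded in `install_kernel_helper` (hunk at line 315) and in the `modules_install` condition of `build-kernel.sh` (hunk at line 457), so the next kernel that ships modules has to be added in three places. Here a `case` keeps the list in one readable place: `case "${kernel_name}" in kernel-sev|kernel-confidential) ;; *) return 0 ;; esac`. Keying on the `module_dir` argument instead would remove the list entirely, but it would also change the result for a modules-bearing kernel called without a directory, so that belongs in a separate change. The function starts before this hunk.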
@@ -289,13 +290,13 @@ install_cached_kernel_tarball_component() {
 "${kernel_name}" \
 "${latest_artefact}" \
 "${latest_builder_image}" \
- "kata-static-kernel-sev-modules.tar.xz" \
- "${workdir}/kata-static-kernel-sev-modules.tar.xz" \
+ "kata-static-${kernel_name}-modules.tar.xz" \
+ "${workdir}/kata-static-${kernel_name}-modules.tar.xz" \
 || return 1
 if [[ -n "${module_dir}" ]]; then
 mkdir -p "${module_dir}"
- tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C "${module_dir}" && return 0
+ tar xvf "${workdir}/kata-static-${kernel_name}-modules.tar.xz" -C "${module_dir}" && return 0
 fi
 return 1
@@ -315,6 +316,10 @@ install_kernel_helper() {
 kernel_version="$(get_from_kata_deps assets.kernel.sev.version)"
 default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
 module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
+ elif [[ "${kernel_name}" == "kernel-confidential" ]]; then
+ kernel_version="$(get_from_kata_deps assets.kernel.confidential.version)"
+ default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
+ module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-confidential/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
 fi
 install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0
@@ -332,6 +337,15 @@ install_kernel() {
 "-f"
 }
+install_kernel_confidential() {
+ local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"
+
+ install_kernel_helper \
+ "assets.kernel.confidential.version" \
+ "kernel" \
+ "-x confidential -u ${kernel_url}"
+}
+
 install_kernel_dragonball_experimental() {
 install_kernel_helper \
 "assets.kernel-dragonball-experimental.version" \
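Review bot: The consumer side now derives the modules artefact name from `${kernel_name}` (`kata-static-${kernel_name}-modules.tar.xz`), but nothing in this patch shows a producer of `kata-static-kernel-confidential-modules.tar.xz`; `build-kernel.sh` only gains the `modules_install` step, so confirm that the packaging step which tars `lib/modules` also names its output by kernel name, or the cache lookup will always fall through to a rebuild for the new kernel. `tar xvf` additionally prints every module path into the build log; `tar xf` keeps the output quiet. The function starts before this hunk.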
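Review bot: The new `elif` branch is a copy of the `kernel-sev` one with the name substituted: `default_patches_dir` is identical and `module_dir` differs only in the `build/<kernel_name>/` component, so both kernels can share a single branch, e.g. `elif [[ "${kernel_name}" == "kernel-sev" || "${kernel_name}" == "kernel-confidential" ]]; then` with `kernel_version="$(get_from_kata_deps assets.kernel.${kernel_name#kernel-}.version)"` and `.../build/${kernel_name}/builddir/...` in the path. That ties the yaml key and the build directory to the one name, which matters because the directory must match what the builder actually writes. The `kernel-sev` branch header and the start of `install_kernel_helper` are outside the hunk, so check their exact form before merging the branches.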
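Review bot: `install_kernel_confidential` passes `"kernel"` as the second argument to `install_kernel_helper`, but the helper's new branch (hunk at line 315) is guarded by `"${kernel_name}" == "kernel-confidential"`; if that second parameter is `kernel_name`, as the `${kernel_name}` checks in the helper suggest, the branch is dead, `module_dir` is never set, and the cached-artefact lookup in `install_cached_kernel_tarball_component` is keyed on the generic `kernel` name, so a cache hit could install the non-TEE kernel in place of the confidential one. The fix is the one word `"kernel-confidential" \` in place of `"kernel" \`. The `kernel-sev` counterpart of this function is not in the hunk, so compare with what it passes in that position.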
@@ -741,6 +755,7 @@ handle_build() {
 install_initrd_sev
 install_kata_ctl
 install_kernel
+ install_kernel_confidential
 install_kernel_dragonball_experimental
 install_kernel_tdx_experimental
 install_log_parser_rs
@@ -776,6 +791,8 @@ handle_build() {
 kernel) install_kernel ;;
+ kernel-confidential) install_kernel_confidential ;;
+
 kernel-dragonball-experimental) install_kernel_dragonball_experimental ;;
 kernel-nvidia-gpu) install_kernel_nvidia_gpu ;;
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index f1d1bb62c..05cd63399 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -110,7 +110,7 @@ Options:
 -t : Hypervisor_target.
 -u : Kernel URL to be used to download the kernel tarball.
 -v : Kernel version to use if kernel path not provided.
- -x : Confidential guest protection type, such as sev, snp and tdx
+ -x : Confidential guest protection type, such as sev, snp, tdx, or "confidential" (for all of those).
 EOF
 exit "$exit_code"
 }
@@ -457,7 +457,7 @@ build_kernel() {
 arch_target=$(arch_to_kernel "${arch_target}")
 pushd "${kernel_path}" >>/dev/null
 make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG}
- if [ "${conf_guest}" == "sev" ]; then
+ if [ "${conf_guest}" == "sev" ] || [ "${conf_guest}" == "confidential" ]; then
 make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install
 fi
 [ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ])
@@ -603,7 +603,7 @@ main() {
 x)
 conf_guest="${OPTARG}"
 case "$conf_guest" in
- sev|snp|tdx) ;;
+ confidential|sev|snp|tdx) ;;
 *) die "Confidential guest type '$conf_guest' not supported" ;;
 esac
 ;;
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
new file mode 120000
index 000000000..9dda7d6ea
--- /dev/null
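Review bot: The modules step now compares two literal names with `[ ... ] || [ ... ]`, and `==` inside single brackets is a bash extension rather than POSIX `test`; a `case` is both portable and easier to extend: `case "${conf_guest}" in sev|confidential) make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH="${kernel_path}" modules_install ;; esac`. A one-line comment above it stating why only these two types install modules (presumably the sev fragment builds drivers as modules and the confidential config inherits it, while `snp` and `tdx` are deliberately left out) would save the next reader the same question. The same name pair is also hard-coded in `kata-deploy-binaries.sh` (hunks at lines 280 and 315). `build_kernel` continues outside the hunk.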
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
@@ -0,0 +1 @@
+../sev/sev.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
new file mode 120000
index 000000000..83464ffe3
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
@@ -0,0 +1 @@
+../snp/snp.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
new file mode 120000
index 000000000..f4f9ffeb3
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
@@ -0,0 +1 @@
+../tdx/tdx.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index 52bd8e43a..9289ddcee 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-120
+121
diff --git a/tools/packaging/kernel/patches/6.7.x/no_patches.txt b/tools/packaging/kernel/patches/6.7.x/no_patches.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/versions.yaml b/versions.yaml
index dcc308e8b..564e42de0 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -170,6 +170,10 @@ assets:
 description: "Linux kernel optimised for virtual machines"
 url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
 version: "v6.1.62"
+ confidential:
+ description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support"
+ url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
+ version: "v6.7"
 sev:
 description: "Linux kernel that supports SEV and SNP"
 url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
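Review bot: The new `confidential` entry pins `version: "v6.7"`, the mainline .0 release, while the neighbouring `kernel` entry pins a point release (`v6.1.62`); for the kernel that forms the guest's TEE trust boundary, the stable-series fixes are the ones that matter most, so either track the latest 6.7.y release or document why the .0 tag is intended. A short comment above the entry such as `# mainline v6.7 carries the SEV/SNP/TDX support; move to 6.7.y as stable fixes land` would make that policy explicit. The description could also say that this kernel is meant to eventually replace the per-TEE entries such as `sev`, as the commit message states, so the duplication is not read as the long-term design.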