MMIO devices are required by Firecracker, and for now both x86_64 and
aarch64 support Kata Containers with Firecracker.
So we need to move the MMIO-related configs to the common dir.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
There exist a few security-related configs which are x86_64-specific.
CONFIG_LEGACY_VSYSCALL_NONE=y
CONFIG_RETPOLINE=y
CONFIG_RELOCATABLE and CONFIG_RANDOMIZE_BASE are somewhat tangled on
aarch64: if CONFIG_RANDOMIZE_BASE=y, then CONFIG_RELOCATABLE will be
selected automatically.
CONFIG_RANDOMIZE_BASE will randomize the virtual address at which the
kernel image is loaded, which as a security feature could deter exploit
attempts relying on knowledge of the location of kernel internals.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
There exist a few configs for Linux guest support or optimization
that are not supported on aarch64.
CONFIG_HYPERVISOR_GUEST is only defined under arch/x86/Kconfig and,
unfortunately, CONFIG_KVM_GUEST is not supported on aarch64 for now.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
For now, the following configs in the common acpi dir are truly x86-specific
or disabled by default on arm64.
CONFIG_ACPI_CPU_FREQ_PSS=y
CONFIG_ACPI_HOTPLUG_IOAPIC=y
CONFIG_ACPI_LEGACY_TABLES_LOOKUP
CONFIG_ACPI_LPIT=y
CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
CONFIG_ACPI_PROCESSOR_CSTATE=y
CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
CONFIG_HAVE_ACPI_APEI_NMI=y
I also add a few configs which are aarch64-specific,
like CONFIG_ACPI_REDUCED_HARDWARE_ONLY=y, since ARM64 can run properly
in ACPI hardware-reduced mode.
Fixes: #1004
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
The enablement of ptp_kvm for arm is under review, see [1].
So we have to apply a private patch to enable it in the 5.4 kernel.
ptp_kvm can offer the capability of time sync in kata even when there
is no network available, and higher precision than time sync
services that depend on the network.
Note:
If you want to use this feature on your arm machine, the host kernel
also needs this patch applied. We recommend that your host kernel version
be 5.4, then you can apply this patch smoothly.
[1] https://patchwork.kernel.org/cover/11372743/
Fixes: #997
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
To support booting from pmem with cloud-hypervisor, we need to enable
the virtio-pmem in our kernel.
Fixes: #1013
Signed-off-by: Bo Chen <chen.bo@intel.com>
This patch adds a patch file for the virtio-fs-v0.3 kernel to enable memory hot
remove, to make virtio-fs available on arm64. Also, a kernel config file for
virtio-fs-v0.3x for arm64 is offered.
Fixes: #973
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
libcontainer's cgroups V2 implementation requires BPF to run a BPF
program in the container.
Fixes: #955
Signed-off-by: Julio Montes <julio.montes@intel.com>
Linux has embraced another LTS kernel version v5.4.x.
Update the kernel config for Power as well.
Fixes: #936
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
Don't think these options are required at all.
Remove them from fragments and whitelist.
Fixes: #924
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Since we don't know how many CPUs the host can have, we should
use the maximum number of CPUs supported by KVM (240).
255 is the maximum number of CPUs supported in the kernel, but the
maximum number of CPUs recommended by KVM is 240; if more than 240
CPUs are used, the following error will be returned by QEMU:
```
Number of hotpluggable cpus requested (255) exceeds the
recommended cpus supported by KVM (240)
```
Fixes: #922
Fixes: kata-containers/runtime#2413
Signed-off-by: Julio Montes <julio.montes@intel.com>
Although CONFIG_IPV6 is enabled, this additional config is
needed so that multiple route tables are used for IPv6.
Without this, the kernel adds routes for "fe80::/64"
with proto kernel in the main table instead of the
local routing table.
This makes the behaviour similar to regular containers.
Fixes: #920
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
Firecracker needs CONFIG_X86_MPPARSE to support `vcpu_count`, otherwise the
number of CPUs will always be 1.
Fixes: #901
Signed-off-by: Julio Montes <julio.montes@intel.com>
Linux has embraced another LTS kernel version v5.4.x.
If we, AArch64, update the stable guest kernel version
to v5.4.x, we could get rid of huge chunks of backport
patches under patches/4.19.x/.
Except for the following configs, which are Penny-defined turned on/off,
all the others are sort of `built-in` defined or inherited
from v4.19.x.
1. CONFIG_IO_URING = y
This option enables support for the io_uring interface.
2. CONFIG_RODATA_FULL_DEFAULT_ENABLED = n
Apply read-only attributes of VM areas to the linear
alias of the backing pages as well.
3. CONFIG_ARM64_TAGGED_ADDR_ABI = n
When this option is enabled, user applications can opt in to
a relaxed ABI allowing virtual tagged addresses to be passed to
system calls as pointer arguments.
4. CONFIG_ARM64_PTR_AUTH = n
Pointer authentication provides instructions for signing and
authenticating pointers against secret keys, which can be used to
mitigate Return Oriented Programming (ROP) and other attacks.
Fixes: #882
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
As printk time is not enabled for arm64, printk and dmesg will show
without timestamps.
This patch enables printk_time in the kernel for arm64.
Fixes: #875
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
This will allow us to run a VM in FIPS mode.
The intention is to check if the host is running in FIPS mode
and then start a container in FIPS mode as well.
Fixes: #787
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
This is an experimental feature for arm64 as the Linux kernel has
not enabled kvm ptp for arm64.
ptp_kvm needs co-work from host and guest, so you need to add this
patch to both your guest and host. Host kernel version is better
lower than 5.0 and higher than 4.19.
Another version of this patch, based on kernel v5.3, is under review in kernel upstream; refer to [1]
to see the full info.
[1] https://lkml.org/lkml/2019/8/29/80
Fixes: #692
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Since the kernel version was updated to v4.19.73, the kernel config file should
also be updated accordingly.
Fixes: #736
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Haibo Xu <haibo.xu@arm.com>
Overlay and veth support wasn't included when migrating to fragment
based configs. Re-add to fix DinD use case.
Fixes: #715
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
As per the comments in security.conf, the intention was to
enable STACKPROTECTOR and STACKPROTECTOR_STRONG.
The current config leaves them unset in the final .config
and also prevents other fragments from overriding the setting.
Set both to =y as indicated in the comments.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
common/DAX:
- ARCH_ENABLE_MEMORY_HOTPLUG: not needed (auto-selected)
- ARCH_HAS_ZONE_DEVICE: already automatically selected. This is
also removed in future kernels, so let's go ahead and drop.
- RADIX_TREE_MULTIORDER: already autoselected, and dropped in future
kernels
common/net:
- NF_NAT_NEEDED, NF_NAT_PROTO_*: these don't exist in newer kernels, as
they are refactored and unnecessary in the upstream kernel. Keep them for
now, but consider dropping if we move to newer LTS. These are part of
whitelist of options we expect to be dropped with newer kernels in our
fragment building.
- NF_NAT_MASQUERADE_IPV4: this is a select, not a tristate. Also, in
the future much of the ipv4/ipv6 nat code is combined, so this config
will not exist in newer kernels. Dropped.
- INET6_XFRM_MODE_* are not needed on newer kernels. While I'm not
confident they are needed today for Kata, we will just note them and add
to whitelist for options we expect to be dropped with newer kernels in
our fragment building.
- MAY_USE_DEVLINK: removed in future kernels, and should not be needed
anyway. Dropped.
x86_64/DAX:
- ARCH_HAS_HMM: should not be needed, and is dropped in future kernels.
Dropped
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
The experimental kernel is much newer, and many configuration options have
been dropped since 4.19. Let's use a whitelist to itemize what we expect to
be dropped in the final config if the experimental kernel is utilized.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
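The fragment-plus-whitelist build described in the commits above (a security fragment whose STACKPROTECTOR options silently ended up unset, and a whitelist of options the experimental kernel is expected to drop) can be checked mechanically. The following is an added example, not the kata-containers packaging tooling: it parses a fragment and a final .config, reports options that were lost or changed, tolerates whitelisted drops, and checks 'select'-style dependencies such as CONFIG_RANDOMIZE_BASE=y pulling in CONFIG_RELOCATABLE=y on aarch64. The fragment, .config and whitelist texts are constructed samples, not the project's real files.

```python
"""Verify that a Kconfig fragment survived into a final .config.

Added example (not the kata-containers packaging tooling). Every option
a fragment sets must reach the final .config with the same value, unless
it is on a whitelist of options newer kernels are expected to drop.
All fragment/.config texts below are constructed samples.
"""
import re

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.+)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_config(text):
    """Map option name -> value; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def check_fragment(fragment_text, final_text, whitelist=()):
    """Compare a fragment against the final .config.

    Returns (missing, mismatched, dropped_ok):
      missing    - options enabled in the fragment, absent from .config
                   and not whitelisted (a real loss)
      mismatched - {option: (wanted, got)} where the value differs, e.g.
                   fragment says =y but .config has 'is not set'
      dropped_ok - whitelisted options that were absent, as expected
    An option the fragment sets to 'n' may legitimately be absent from
    .config (invisible symbol), so that case is not reported.
    """
    want = parse_config(fragment_text)
    got = parse_config(final_text)
    allow = set(whitelist)
    missing, mismatched, dropped_ok = [], {}, []
    for opt, val in want.items():
        if opt not in got:
            if val == "n":
                continue
            (dropped_ok if opt in allow else missing).append(opt)
        elif got[opt] != val:
            mismatched[opt] = (val, got[opt])
    return sorted(missing), mismatched, sorted(dropped_ok)


def check_selects(final_text, selects):
    """Return {option: [deps not =y]} for options that are =y.

    selects: {option: (dependency, ...)}; models Kconfig 'select', where
    enabling the option must pull its dependencies in.
    """
    got = parse_config(final_text)
    broken = {}
    for opt, deps in selects.items():
        if got.get(opt) != "y":
            continue
        lost = [d for d in deps if got.get(d) != "y"]
        if lost:
            broken[opt] = lost
    return broken


# Constructed sample fragment, in the spirit of the security fragment
# discussed above (illustrative option set, not the real file).
SAMPLE_FRAGMENT = """\
# Hardening options
CONFIG_STACKPROTECTOR=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_LEGACY_VSYSCALL_NONE=y
# CONFIG_DEVKMEM is not set
CONFIG_NF_NAT_NEEDED=y
"""

# Constructed sample of the final .config after olddefconfig: note that
# STACKPROTECTOR_STRONG was silently left unset.
SAMPLE_FINAL = """\
CONFIG_STACKPROTECTOR=y
# CONFIG_STACKPROTECTOR_STRONG is not set
CONFIG_RANDOMIZE_BASE=y
CONFIG_RELOCATABLE=y
CONFIG_LEGACY_VSYSCALL_NONE=y
"""

# Options newer kernels are expected to have dropped (the commits above
# name NF_NAT_NEEDED as one such option).
SAMPLE_WHITELIST = ("CONFIG_NF_NAT_NEEDED",)
SAMPLE_SELECTS = {"CONFIG_RANDOMIZE_BASE": ("CONFIG_RELOCATABLE",)}


def demo():
    """Run both checks on the constructed samples."""
    missing, mismatched, dropped = check_fragment(
        SAMPLE_FRAGMENT, SAMPLE_FINAL, SAMPLE_WHITELIST)
    broken = check_selects(SAMPLE_FINAL, SAMPLE_SELECTS)
    return missing, mismatched, dropped, broken


if __name__ == "__main__":
    missing, mismatched, dropped, broken = demo()
    for opt in missing:
        print("MISSING   %s" % opt)
    for opt, (want, got) in mismatched.items():
        print("MISMATCH  %s: fragment=%s .config=%s" % (opt, want, got))
    for opt in dropped:
        print("DROPPED   %s (whitelisted)" % opt)
    for opt, deps in broken.items():
        print("SELECT    %s=y but %s not =y" % (opt, ", ".join(deps)))
```

Run it against the real fragment directory and the .config that `make olddefconfig` produced; any MISSING or MISMATCH line is a fragment that did not take effect, which is exactly the STACKPROTECTOR situation fixed above, and the whitelist keeps expected drops from failing the build.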
This isn't available in the baseline kernel, necessarily. Only
add these config options if an experimental kernel is being used.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Now we are using the fragments, drop the x86_64 4.19 config file
so we default to fragment mode.
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Add missing kernel configs to avoid `make oldconfig` asking for or
taking the default value for the missing configs.
Fixes: #623
Signed-off-by: Julio Montes <julio.montes@intel.com>
We need to do the patch and config update for v4.19.52 on AArch64.
The config file adds a few configs involved with memory hot-plug
support.
Fixes: #591
Depends-on: github.com/kata-containers/runtime#1817
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
As shpchp, used for PCI hotplug on arm64, initializes
its bottom half work as a delayed work of 5 seconds, a PCI bus
rescan triggered between the top half and bottom half of shpc interrupt
handling will fail. So disable shpc and let bus rescan
do the device hotplug on arm64.
Fixes: #498
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
This patch adds virtio-fs capability to the kata kernel along with
config changes to enable the same on kata by default. The system will
only be exercised when `shared_fs` is set to `virtio-fs` in the kata
configuration file. The default still remains 9p.
Fixes: #387
Depends-on: github.com/kata-containers/runtime#1016
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
This patch is an updated version of [1] as the kernel
upgraded to v4.19.
It derives from [2], which has been accepted by the kernel
community after v4.20. Modification has been done
to make it able to enable memory hotplug using the
probe method, as it originally aims at using ACPI.
Also some corresponding configurations in the kernel
config are opened.
[1] https://github.com/kata-containers/packaging/commit/e654dbd8367371c1b34776445a402d3c90f0dc66
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4ab215061554ae2a4b78744a5dd3b3c6639f16a7
Change-Id: I305435f1d7e38d5cfcee22799792d1f4b0f015f8
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Jira: ENTOS-899
Unless we run a kata VM as a hypervisor, we may need
CONFIG_S390_HYPFS_FS and CONFIG_SYS_HYPERVISOR.
CONFIG_S390_VMUR is for the z/VM hypervisor.
Remove CONFIG_ZSWAP and its dependencies to match other arches.
Fixes: #421
Signed-off-by: Tuan Hoang <tmhoang@linux.ibm.com>
Let's open nvdimm-related kernel config parameters on arm64, such as
CONFIG_ACPI_NFIT, etc., and we also need to backport the patch
'kvm:arm64:Dynamic IPA and 52bit IPA' (https://patchwork.kernel.org/cover/10616271/)
and related dependencies into v4.19.X to fully support nvdimm from the guest kernel.
The former patch has already been merged into v4.20.X.
Fixes: #376
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Enable the ZONE_DEVICE config to support mapping pages; the pmem_should_map_pages()
function fails if this config is not enabled.
Fixes: #378
Signed-off-by: Julio Montes <julio.montes@intel.com>
This will add a missing config option (DRM_FBDEV_LEAK_PHYS_SMEM) that is
being asked about while running the installation script for the kata kernel. Also,
this jumps to the current kernel version that is being used at runtime.
Fixes: #372
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Add CONFIG_CFS_BANDWIDTH so CPU hotplug feature works on s390x. Note
that CPU hot-unplug does not work yet due to limitations in qemu s390x.
Fixes: #360
Signed-off-by: Tuan Hoang <tmhoang@linux.vnet.ibm.com>