Let's check for the cached version of the components as part of the
kata-deploy-binaries.sh as here we already have the needed info for
checking whether a component is cached or not, and to use it without
depending on changes made on each one of the builder scripts.
Fixes: #5816
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Instead of caching files generated during the component build, let's
cache the final tarball generated for each component.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's do this as the component name will be re-used later on, when we
start checking whether a cached component needs to be rebuilt or not.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This is used in several parts of the code, and can have a single
declaration as part of the `lib.sh` file, which is already imported by
all the places where it's used.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We're going to use this function from different places, so we better
move it to lib.sh and avoid rewriting it.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
If you're directly using the output of this function, the info message
will show up as part of the string, and that's not what we want.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Now that we're caching the kernel, we're relying on the kernel version
being exported. This is already done for the CC kernel, but not for the
TEE specific ones.
Fixes: #5770
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
CONFIG_X86_SGX is introduced after kernel 5.11, and that config is a
default x86_64 config for Kata build-kernel.sh script.
But if we use -v to specify any kernel version below 5.11 will cause an
inevitable error because CONFIG_X86_SGX is not supported in older
kernels and that may cause problem for the situation if we need kernel
version below 5.11.
So I propose to put CONFIG_X86_SGX into whitelist.conf to avoid break
building guest kernel below 5.11.
fixes: #5741
Signed-off-by: Chao Wu <chaowu@linux.alibaba.com>
The incorrect name causes `make cc-payload` to fail, as
`cc-tdx-rootfs-tarball` is a non existent target.
Fixes: #5628
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's bump the td-shim to its `v0.2.0` release.
Together with the bump, let's also adapt its build scripts so we're able
to build the `v0.2.0` as part of our infra.
Fixes: #5593
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As we're switching TDX to using EAA KBC instead of OfflineFS KBC, let's
add the configuration files needed for testing this before we fully
switch TDX to using such an image.
Fixes: #5563
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The specific TDX image relies on having EAA KBC, instead of using the
default `offline_fs_kbc`.
This image is, with this commit, built and distributed, but not yet used
by TDX specific configurations, which will be done in a follow-up
commit.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Instead of removing the non-needed packages under `/usr/share` and then
installing new components, let's make sure we do the removal at the end
of our script.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's do that instead of updating and installing the
`software-properties-common` package, as it reduces the final size of
the image.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
First of all, EAA KBC is only used with TDX, thus we can safely assume
that eaa_kbc means TDX, at least for now.
A `/etc/tdx-attest.conf` file, with the data "port=4050" is needed as
that's the default configuration for the Quote Generation Service (QGS)
which is present on the guest side.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This will become very handy by the moment we start building different
images targetting different TEEs.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This PR implements the use of a cached cc qemu tarball to speed up
the CI and avoid building the cc qemu tarball when it is not
necessary.
Fixes#5363
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Inclavare released a rats-tls-tdx package, which we depend on for using
verdictd.
Let's install it when using EAA_KBC, as already done for the rats-tls
package.
One thin to note here is that rats-tls-tdx depends on libtdx-attest,
which depends on libprotobuf-c1, thus we had to add the intel-sgx repo
together with enabling the universe channel.
Fixes: #5543
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We're currently using Ubuntu 20.04 as the base for the Ubuntu rootfs,
meaning that right now there's no issue with the approach currently
taken. However, if we do a bump of an Ubuntu version, we could face
issues as the rats-tls package is only provided for Ubuntu 20.04.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Add tag entry to the attestation agent entry of the versions file.
Checkout tag commit after cloning AA in rootfs builder.
Fixes: #5373
Fixes: kata-containers#5373
Signed-Off-By: Alex Carter <alex.carter@ibm.com>
The compile option link-self-contained=yes asks rustc to use
C library startup object files that come with the compiler,
which are not available on the target s390x-unknown-linux-gnu.
A build does not contain any startup files leading to a
broken executable entry point (causing segmentation fault).
Fixes: #5522
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This, combined with the effort of caching builder images *and* only
performing the build itself inside the builder images, is the very first
step for reproducible builds for the project.
Reproducible builds are quite important when we talk about Confidential
Containers, as users may want to verify the content used / provided by
the CSPs, and this is the first step towards that direction.
Fixes: #5517
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We need to do that in order to avoid trying to use the image in an
architecture which is not yet supported (such as trying to use the x6_64
image on a s390x machine)
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This will help to not have to build those on every CI run, and rather
take advantage of the cached image.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This reverts commit c1aac0cdea.
The reason this has to be reverted is because we cannot cache an image
that has a specific user, uid, gid, docker_host_id, and expect that to
work equally on different machines. Unfortunately, this is one of the
images that cannot be cached at all.
