This will allow us to run a VM in fips mode.
The intention is to check if the host is running in fips mode
and then start a container in fips mode as well.
Fixes: #787
Signed-off-by: Archana Shinde <archana.m.shinde@intel.com>
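The host-side check described above, written out as an added example in POSIX shell (this is not code from the kata-containers packaging repository). The flag-file path is a parameter so the logic can be exercised against a constructed file; on a real host it is /proc/sys/crypto/fips_enabled. One caveat worth keeping in mind: fips=1 on the guest command line only takes effect in a guest kernel built with CONFIG_CRYPTO_FIPS=y.

```sh
#!/bin/sh
# Added example, not kata-containers code: mirror the host's FIPS state into
# the guest kernel command line.

# Return 0 if the host is in FIPS mode. $1 (optional) overrides the flag
# file path; the real path is /proc/sys/crypto/fips_enabled.
host_fips_enabled() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag" ] || return 1
    [ "$(tr -d '[:space:]' < "$flag")" = "1" ]
}

# Print the guest kernel parameters: the base command line ($1) with
# "fips=1" appended only when the host is in FIPS mode ($2: optional flag
# file override, see above). A guest kernel honours fips=1 only if it was
# built with CONFIG_CRYPTO_FIPS=y.
guest_kernel_params() {
    base="$1"
    if host_fips_enabled "$2"; then
        case " $base " in
            *" fips=1 "*) printf '%s\n' "$base" ;;   # already present
            *)            printf '%s fips=1\n' "$base" ;;
        esac
    else
        printf '%s\n' "$base"
    fi
}

# Usage: guest_kernel_params "tsc=reliable console=hvc0"
```

Because the decision is made from the host's own sysctl, a guest can only end up in FIPS mode when the host is, which is the property the commit describes.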
This is an experimental feature for arm64, as the Linux kernel has
not enabled kvm ptp for arm64.
ptp_kvm needs co-work from host and guest, so you need to add this
patch to both your guest and host. The host kernel version is best kept
lower than 5.0 and higher than 4.19.
Another version of this patch, based on kernel v5.3, is under review in kernel upstream; refer to [1]
to see the full info.
[1] https://lkml.org/lkml/2019/8/29/80
Fixes: #692
Signed-off-by: Jianyong Wu jianyong.wu@arm.com
Since the kernel version was updated to v4.19.73, the kernel config file should
also be updated accordingly.
Fixes: #736
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Signed-off-by: Haibo Xu <haibo.xu@arm.com>
Overlay and veth support wasn't included when migrating to fragment
based configs. Re-add to fix DinD use case.
Fixes: #715
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
As per the comments in security.conf, the intention was to
enable STACKPROTECTOR and STACKPROTECTOR_STRONG.
The current config leaves them unset in the final .config
and also prevents other fragments from overriding the setting.
Set both to =y as indicated in the comments.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
common/DAX:
- ARCH_ENABLE_MEMORY_HOTPLUG: not needed (auto-selected)
- ARCH_HAS_ZONE_DEVICE: already automatically selected. This is
also removed in future kernels, so let's go ahead and drop.
- RADIX_TREE_MULTIORDER: already autoselected, and dropped in future
kernels
common/net:
- NF_NAT_NEEDED, NF_NAT_PROTO_*: these don't exist in newer kernels, as
they are refactored and unnecessary in the upstream kernel. Keep them for
now, but consider dropping if we move to newer LTS. These are part of
whitelist of options we expect to be dropped with newer kernels in our
fragment building.
- NF_NAT_MASQUERADE_IPV4: this is a select, not a tristate. Also, in
the future much of the ipv4/ipv6 nat code is combined, so this config
will not exist in newer kernels. Dropped.
- INET6_XFRM_MODE_* are not needed on newer kernels. While I'm not
confident they are needed today for Kata, we will just note them and add
to whitelist for options we expect to be dropped with newer kernels in
our fragment building.
- MAY_USE_DEVLINK: removed in future kernels, and should not be needed
anyway. Dropped.
x86_64/DAX:
- ARCH_HAS_HMM: should not be needed, and is dropped in future kernels.
Dropped.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
The experimental kernel is much newer, and many configuration options have
been dropped since 4.19. Let's use a whitelist to itemize what we expect to
be dropped in the final config if the experimental kernel is utilized.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
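The two failure modes discussed in the last few commits (the STACKPROTECTOR fragment whose options never reached the final .config, and options legitimately dropped by newer kernels that a whitelist should tolerate) come down to one check: every option a fragment requested must appear verbatim in the merged .config unless its symbol is whitelisted. The following is an added example of that check in POSIX shell; it is not the kata packaging build script, and the file paths, whitelist format (one CONFIG_ symbol per line) and function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not the kata packaging build script: verify that every
# option requested by the kconfig fragments survived the merge into the
# final .config, tolerating only symbols listed in a whitelist of options
# known to be dropped by newer kernels.

# Print the option lines of the given fragment files ("CONFIG_X=..." or
# "# CONFIG_X is not set"), skipping comments and blank lines.
fragment_options() {
    grep -hE '^(CONFIG_[A-Za-z0-9_]+=|# CONFIG_[A-Za-z0-9_]+ is not set$)' "$@"
}

# Print, one per line, the symbols requested by the fragments whose exact
# line is absent from the final .config and that are not whitelisted.
# $1: final .config; $2: whitelist (one CONFIG_ symbol per line; may not
# exist); remaining arguments: fragment files.
unexpected_drops() {
    config="$1"; whitelist="$2"; shift 2
    present=$(mktemp)
    # Every non-blank line of .config becomes a fixed-string, whole-line pattern,
    # so "CONFIG_X=y" in a fragment is only satisfied by "CONFIG_X=y" in .config,
    # not by "# CONFIG_X is not set".
    grep -v '^[[:space:]]*$' "$config" > "$present" || true
    fragment_options "$@" \
        | grep -vxF -f "$present" \
        | sed -E 's/^# (CONFIG_[A-Za-z0-9_]+) is not set$/\1/; s/^(CONFIG_[A-Za-z0-9_]+)=.*$/\1/' \
        | sort -u \
        | { if [ -r "$whitelist" ]; then grep -vxF -f "$whitelist"; else cat; fi; } \
        || true
    rm -f "$present"
}

# Return 1 and report when a fragment option was silently dropped.
check_fragments_applied() {
    drops=$(unexpected_drops "$@")
    if [ -n "$drops" ]; then
        printf 'ERROR: fragment options missing from final .config:\n%s\n' "$drops" >&2
        return 1
    fi
}

# Usage: check_fragments_applied .config whitelist.conf configs/fragments/*/*.conf
```

Running this after `make olddefconfig` (or merge_config.sh) turns the STACKPROTECTOR situation into a build failure instead of a silently weaker kernel, while the whitelist keeps the intentionally dropped NF_NAT_* and INET6_XFRM_MODE_* symbols from tripping it.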
This isn't available in the baseline kernel, necessarily. Only
add these config options if an experimental kernel is being used.
Signed-off-by: Eric Ernst <eric.ernst@intel.com>
Now we are using the fragments, drop the x86_64 4.19 config file
so we default to fragment mode.
Signed-off-by: Graham Whaley <graham.whaley@intel.com>
Add missing kernel configs to avoid `make oldconfig` asking for or
taking the default value for the missing configs.
Fixes: #623
Signed-off-by: Julio Montes <julio.montes@intel.com>
We need to do the patch and config update for v4.19.52 on AArch64.
The config file adds a few configs involved with memory hot-plug
support.
Fixes: #591
Depends-on: github.com/kata-containers/runtime#1817
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
As shpchp, used for PCI hotplug on arm64, initializes
its bottom-half work as delayed work for 5 seconds, a PCI bus
rescan triggered between the top half and bottom half of shpc interrupt
handling will fail. So disable shpc and let bus rescan
do the device hotplug on arm64.
Fixes: #498
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
This patch adds virtio-fs capability to the kata kernel along with
config changes to enable the same on kata by default. The system will
only be exercised when `shared_fs` is set to `virtio-fs` in the kata
configuration file. The default still remains 9p.
Fixes: #387
Depends-on: github.com/kata-containers/runtime#1016
Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
This patch is an updated version of [1] as the kernel
upgraded to v4.19.
It derives from [2], which was accepted by the kernel
community after v4.20. Modifications have been made
to make it able to enable memory hotplug using the
probe method, as it originally aimed at using ACPI.
Also some corresponding configurations in the kernel
config are opened.
[1] https://github.com/kata-containers/packaging/commit/e654dbd8367371c1b34776445a402d3c90f0dc66
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4ab215061554ae2a4b78744a5dd3b3c6639f16a7
Change-Id: I305435f1d7e38d5cfcee22799792d1f4b0f015f8
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Jira: ENTOS-899
Unless we run kata VM as a hypervisor, we may need
CONFIG_S390_HYPFS_FS and CONFIG_SYS_HYPERVISOR.
CONFIG_S390_VMUR is for the z/VM hypervisor.
Remove CONFIG_ZSWAP and its dependencies to match other arches.
Fixes: #421
Signed-off-by: Tuan Hoang <tmhoang@linux.ibm.com>
Let's open nvdimm-related kernel config parameters on arm64, such as
CONFIG_ACPI_NFIT, etc. We also need to backport the patch
'kvm:arm64:Dynamic IPA and 52bit IPA' (https://patchwork.kernel.org/cover/10616271/)
and related dependencies into v4.19.X to fully support nvdimm from the guest kernel.
The former patch has already been merged into v4.20.X.
Fixes: #376
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
Enable the ZONE_DEVICE config to support mapping pages; the pmem_should_map_pages()
function fails if this config is not enabled.
Fixes: #378
Signed-off-by: Julio Montes <julio.montes@intel.com>
This will add the missing config option (DRM_FBDEV_LEAK_PHYS_SMEM) that is
being asked for while running the installation script for the kata kernel. Also,
this jumps to the current kernel version that is being used at runtime.
Fixes: #372
Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
Add CONFIG_CFS_BANDWIDTH so CPU hotplug feature works on s390x. Note
that CPU hot-unplug does not work yet due to limitations in qemu s390x.
Fixes: #360
Signed-off-by: Tuan Hoang <tmhoang@linux.vnet.ibm.com>
We want to make sure Kata runs on latest stable kernels so that it
benefits from the latest features.
Fixes: #358
Signed-off-by: Nitesh Konkar <niteshkonkar@in.ibm.com>
We add the rough kernel config v4.19.23 for arm64; here we let
'make oldconfig' (setting defaults) do the transformation from
v4.14.X to v4.19.X.
Fixes: #337
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
As memory hotplug for arm64 by ACPI is not ready on QEMU, we choose
"probe" instead. You can refer to [1] to get more information about
"probe". The process of memory hotplug by "probe" in kata is as follows:
firstly, add memory in QEMU via QMP; secondly, echo the start physical address
of that memory to /sys/devices/system/memory/probe, which will be done
through kata-agent; thirdly, execute the online op, and then this newly added
memory is ready to be used.
All functions in this patch will be called after the "echo" op. It can be
divided into two parts:
1. create a page table for that memory;
2. add that memory to memblock.
In this patch, NUMA must be turned off, as not all arm64 machines support
NUMA.
As the newly added memory should be placed from 2T to 6T, which is decided
in QEMU, and the physical address and virtual address will be one-to-one mapped
when creating the pgd for that memory, we must configure ARM64_VA_BITS as 48.
Also some configs should be turned on, especially "ARCH_MEMORY_PROBE".
We have tested this patch integrated with another patch which performed
that echo op. It works well when using "-m" on the command line when starting a
kata-container on an aarch64 machine.
This patch is derived from Maciej Bielski. You can refer to [2] to get full
information about it.
[1] https://www.kernel.org/doc/Documentation/memory-hotplug.txt
[2] https://lkml.org/lkml/2017/11/23/183
Fixes: #309
Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
Signed-off-by: Jia He <justin.he@arm.com>
Signed-off-by: Penny Zheng <penny.zheng@arm.com>
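The guest-side half of the "probe" flow above (the echo into /sys/devices/system/memory/probe followed by the online op), written out as an added example in POSIX shell. This is not the kata-agent's own code: the function name and the optional sysfs-root override (used here so the logic can be run against a constructed directory tree) are assumptions made for the example. The host-side step, adding the memory through QMP, is not shown; the physical address QEMU assigns to the new DIMM is what the first argument carries.

```sh
#!/bin/sh
# Added example, not kata-agent code: the guest-side part of the "probe"
# memory hotplug flow. The host adds the DIMM first (over QMP); the guest
# then probes each memory block of the new range and onlines it.
# $3 is a hypothetical override of /sys/devices/system/memory so the
# function can be exercised against a constructed sysfs tree.

# Probe and online the physical range [$1, $1 + $2). Prints the id of each
# memory block it handled; returns 1 on misaligned input or a failed write.
hotplug_probe_memory() {
    start=$(( $1 )); size=$(( $2 )); root="${3:-/sys/devices/system/memory}"
    # block_size_bytes is printed by the kernel as bare hex (e.g. 40000000).
    block=$(( 0x$(cat "$root/block_size_bytes") ))
    if [ $(( start % block )) -ne 0 ] || [ $(( size % block )) -ne 0 ]; then
        echo "start and size must be multiples of the memory block size ($block)" >&2
        return 1
    fi
    addr=$start
    end=$(( start + size ))
    while [ "$addr" -lt "$end" ]; do
        # Each write to "probe" registers exactly one memory block at that
        # physical address (ARCH_MEMORY_PROBE must be enabled in the guest).
        printf '0x%x\n' "$addr" > "$root/probe" || return 1
        id=$(( addr / block ))
        state="$root/memory$id/state"
        # After the probe the kernel exposes memory<id>; online it unless it
        # already is (writing "online" to an online block is rejected).
        if [ "$(cat "$state")" != "online" ]; then
            echo online > "$state" || return 1
        fi
        printf '%s\n' "$id"
        addr=$(( addr + block ))
    done
}

# Usage (2 GiB added at 2T, which with 1 GiB blocks is blocks 2048 and 2049):
#   hotplug_probe_memory 0x20000000000 0x80000000
```

The alignment check matters in practice: the probe interface adds whole memory blocks, so a start address or size that is not a multiple of block_size_bytes would be silently rounded by the caller's arithmetic and leave part of the DIMM unusable.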
We want to make sure Kata runs on latest stable kernels so that it
benefits from the latest features.
For instance, in case of Kata relying on NEMU hypervisor, the recent
kernel patches reworking the way timer calibration is handled are
solving some boot latency issues.
Fixes: #287
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
Remove configs s390_kata_kvm_4.14.x
The patch 0003-serial-forbid-8250-on-s390 is no longer necessary as it
has been upstreamed since version 4.16.
The kernel configs have been generated as described in https://github.com/kata-containers/packaging/issues/246
plus the vsock options have been manually enabled:
CONFIG_VSOCKETS=y
CONFIG_VIRTIO_VSOCKETS=y
CONFIG_VIRTIO_VSOCKETS_COMMON=y
Fixes: #280
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Remove modules from default kernel config.
Modules are not used in default kata images.
Let's remove them.
Fixes: #276
Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
The s390_kata_kvm_4.14.x configs have been obtained by applying the patch
serial-forbid-8250-on-s390 and the combination:
make defconfig kvmconfig localyesconfig
Fixes: #246
Signed-off-by: Alice Frosi <afrosi@de.ibm.com>
Without a real-time clock the date could not work properly for Arm64.
Fixes: #238
Change-Id: I5834a5e90dc648cc9599c50f259d5ae273052a39
Signed-off-by: Wei Chen <wei.chen@arm.com>
Intel GPU support has been enabled in the kata runtime, but the
guest kernel of kata container lacks support for the Intel GPU,
so this commit enables it by default in the guest kernel.
CONFIG_DRM, CONFIG_DRM_I915 and CONFIG_DRM_I915_USERPTR are necessary.
Others are obtained by running command "make menuconfig" and selecting
the following options.
Device Drivers
---> Graphics support
---> Direct Rendering Manager (XFree86 4.1.0 and higher DRI support)
Device Drivers
---> Graphics support
---> Intel 8xx/9xx/G3x/G4x/HD Graphics
Fixes: #232
Signed-off-by: Zhao Xinda <xinda.zhao@intel.com>
As discussed in issue #171, the IPv6-in-IPv4 tunnel is useless in the guest, so we
decided to disable CONFIG_IPV6_SIT by default for Arm64.
Fixes: #230
Signed-off-by: Wei Chen <wei.chen@arm.com>
x86_64 has updated the guest kernel to enable EFI support for NEMU,
because OVMF, which is used by NEMU, is an EFI firmware. Although
NEMU is not ready for Arm64, we'd better enable EFI support in the
kernel to keep in sync with x86_64.
Fixes: #228
Signed-off-by: Wei Chen <wei.chen@arm.com>
This commit bumps the default config from 4.14.49 to 4.14.67 first,
and then enables the support for EFI firmware as OVMF used by NEMU
is an EFI firmware.
Fixes: #220
Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>