build: Add QEMU Confidential

We're using a QEMU based on v8.1.0, which should already include all the needed patches for SEV / SNP, with the patches for TDX atop of that. By doing this, later on, we'll be able to stop building the specific QEMU TDX experimental and QEMU SNP experimental targets. Fixes: kata-containers#8572 Related: kata-containers#8570 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio · Dec 29, 2023 · b83be40 · b83be40
1 parent 43e9507
commit b83be40
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 3 deletions.
diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -45,6 +45,7 @@ jobs:
           - ovmf
           - ovmf-sev
           - qemu
+          - qemu-confidential
           - qemu-snp-experimental
           - qemu-tdx-experimental
           - stratovirt

diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
@@ -31,6 +31,7 @@ BASE_TARBALLS = serial-targets \
 	ovmf-tarball \
 	qemu-snp-experimental-tarball \
 	qemu-tarball \
+	qemu-confidential-tarball \
 	qemu-tdx-experimental-tarball \
 	stratovirt-tarball \
 	shim-v2-tarball \
@@ -125,6 +126,9 @@ ovmf-sev-tarball:
 ovmf-tarball:
 	${MAKE} $@-build
 
+qemu-confidential-tarball:
+	${MAKE} $@-build
+
 qemu-snp-experimental-tarball:
 	${MAKE} $@-build
 

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -103,6 +103,7 @@ options:
 	ovmf
 	ovmf-sev
 	qemu
+	qemu-confidential
 	qemu-snp-experimental
 	qemu-tdx-experimental
 	stratovirt
@@ -427,6 +428,17 @@ install_qemu() {
 		"${qemu_builder}"
 }
 
+install_qemu_confidential() {
+	export qemu_suffix="confidential"
+	export qemu_tarball_name="kata-static-qemu-${qemu_suffix}.tar.gz"
+
+	install_qemu_helper \
+		"assets.hypervisor.qemu-${qemu_suffix}.url" \
+		"assets.hypervisor.qemu-${qemu_suffix}.tag" \
+		"qemu-${qemu_suffix}" \
+		"${qemu_experimental_builder}"
+}
+
 install_qemu_tdx_experimental() {
 	export qemu_suffix="tdx-experimental"
 	export qemu_tarball_name="kata-static-qemu-${qemu_suffix}.tar.gz"
@@ -748,6 +760,7 @@ handle_build() {
 		install_ovmf
 		install_ovmf_sev
 		install_qemu
+		install_qemu_confidential
 		install_qemu_snp_experimental
 		install_qemu_tdx_experimental
 		install_stratovirt
@@ -796,6 +809,8 @@ handle_build() {
 
 	qemu) install_qemu ;;
 
+	qemu-confidential) install_qemu_confidential ;;
+
 	qemu-snp-experimental) install_qemu_snp_experimental ;;
 
 	qemu-tdx-experimental) install_qemu_tdx_experimental ;;

diff --git a/tools/packaging/scripts/configure-hypervisor.sh b/tools/packaging/scripts/configure-hypervisor.sh
@@ -331,7 +331,12 @@ generate_qemu_options() {
 	# From Kata Containers 2.5.0-alpha2 all arches but powerpc have been
 	# using the new implementation of virtiofs daemon, which is not part
 	# of QEMU.
-	qemu_options+=(functionality:--disable-virtiofsd)
+	#
+	# The `--disable-virtiofsd` option has been removed by the commit
+	# a6bfdaed4a735a2cf59f265e6955fe2adcc99637, since v8.0.0-rc0
+	if ! gt_eq "${qemu_version}" "8.0.0" ; then
+		qemu_options+=(functionality:--disable-virtiofsd)
+	fi
 
 	qemu_options+=(functionality:--enable-virtfs)
 

diff --git a/tools/packaging/static-build/qemu/Dockerfile b/tools/packaging/static-build/qemu/Dockerfile
@@ -58,8 +58,9 @@ RUN apt-get update && apt-get upgrade -y && \
 	    libseccomp-dev${DPKG_ARCH} \
 	    libseccomp2${DPKG_ARCH} \
 	    patch \
-	    python \
-	    python-dev \
+	    python3\
+	    python3-dev \
+	    python3-venv \
 	    rsync \
 	    zlib1g-dev${DPKG_ARCH} && \
     if [ "${ARCH}" != s390x ]; then apt-get install -y --no-install-recommends libpmem-dev${DPKG_ARCH}; fi && \

diff --git a/versions.yaml b/versions.yaml
@@ -99,6 +99,11 @@ assets:
         https://github.com/qemu/qemu/tags
         .*/v?(\d\S+)\.tar\.gz
 
+    qemu-confidential:
+      description: "QEMU with (x86_64) TEE support (SEV, SNP, and TDX)"
+      url: "https://github.com/intel/qemu-tdx" 
+      tag: "tdx-qemu-upstream-2023.9.21-v8.1.0"
+
     qemu-tdx-experimental:
       # yamllint disable-line rule:line-length
       description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww15"