packaging: Add confidential image / initrd

Let's use a single rootfs image / initrd for confidential workloads, instead of having those split for different TEEs. We can easily do this now as the soon-to-be-added guest-components can be built in a generic way. Fixes: #8982 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
kata-containers · Feb 1, 2024 · 3793966 · 3793966
1 parent bc98acb
commit 3793966
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 0 deletions.
diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -49,8 +49,10 @@ jobs:
           - qemu-tdx-experimental
           - stratovirt
           - rootfs-image
+          - rootfs-image-confidential
           - rootfs-image-tdx
           - rootfs-initrd
+          - rootfs-initrd-confidential
           - rootfs-initrd-mariner
           - rootfs-initrd-sev
           - runk

diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
@@ -39,7 +39,9 @@ BASE_TARBALLS = serial-targets \
 	tdvf-tarball \
 	virtiofsd-tarball
 BASE_SERIAL_TARBALLS = rootfs-image-tarball \
+	rootfs-image-confidential-tarball \
 	rootfs-image-tdx-tarball \
+	rootfs-initrd-confidential-tarball \
 	rootfs-initrd-mariner-tarball \
 	rootfs-initrd-sev-tarball \
 	rootfs-initrd-tarball \
@@ -160,12 +162,18 @@ stratovirt-tarball:
 rootfs-image-tarball: agent-tarball
 	${MAKE} $@-build
 
+rootfs-image-confidential-tarball: agent-opa-tarball kernel-confidential-tarball
+	${MAKE} $@-build
+
 rootfs-image-tdx-tarball: agent-opa-tarball kernel-confidential-tarball
 	${MAKE} $@-build
 
 rootfs-initrd-mariner-tarball: agent-opa-tarball
 	${MAKE} $@-build
 
+rootfs-initrd-confidential-tarball: agent-opa-tarball kernel-confidential-tarball
+	${MAKE} $@-build
+
 rootfs-initrd-sev-tarball: agent-opa-tarball kernel-confidential-tarball
 	${MAKE} $@-build
 

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -112,8 +112,10 @@ options:
 	qemu-tdx-experimental
 	stratovirt
 	rootfs-image
+	rootfs-image-confidential
 	rootfs-image-tdx
 	rootfs-initrd
+	rootfs-initrd-confidential
 	rootfs-initrd-mariner
 	rootfs-initrd-sev
 	runk
@@ -214,6 +216,12 @@ install_image() {
 	"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
 }
 
+#Install guest image for confidential guests
+install_image_confidential() {
+	export AGENT_POLICY=yes
+	install_image "confidential"
+}
+
 #Install guest image for tdx
 install_image_tdx() {
 	export AGENT_POLICY=yes
@@ -268,6 +276,12 @@ install_initrd() {
 	"${rootfs_builder}" --osname="${os_name}" --osversion="${os_version}" --imagetype=initrd --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${variant}"
 }
 
+#Install guest initrd for confidential guests
+install_initrd_confidential() {
+	export AGENT_POLICY=yes
+	install_initrd "confidential"
+}
+
 #Install Mariner guest initrd
 install_initrd_mariner() {
 	export AGENT_POLICY=yes
@@ -815,7 +829,9 @@ handle_build() {
 		install_clh
 		install_firecracker
 		install_image
+		install_image_confidential
 		install_initrd
+		install_initrd_confidential
 		install_initrd_mariner
 		install_initrd_sev
 		install_kata_ctl
@@ -892,10 +908,14 @@ handle_build() {
 
 	rootfs-image) install_image ;;
 
+	rootfs-image-confidential) install_image_confidential ;;
+
 	rootfs-image-tdx) install_image_tdx ;;
 
 	rootfs-initrd) install_initrd ;;
 
+	rootfs-initrd-confidential) install_initrd_confidential ;;
+
 	rootfs-initrd-mariner) install_initrd_mariner ;;
 
 	rootfs-initrd-sev) install_initrd_sev ;;
@@ -975,7 +995,9 @@ main() {
 		qemu
 		stratovirt
 		rootfs-image
+		rootfs-image-confidential
 		rootfs-initrd
+		rootfs-initrd-confidential
 		rootfs-initrd-mariner
 		runk
 		shim-v2

diff --git a/versions.yaml b/versions.yaml
@@ -133,6 +133,9 @@ assets:
       x86_64:
         name: *default-image-name
         version: *default-image-version
+        confidential:
+          name: *default-image-name
+          version: *default-image-version
         tdx:
           name: *default-image-name
           version: *default-image-version
@@ -159,6 +162,9 @@ assets:
       x86_64:
         name: *default-initrd-name
         version: *default-initrd-version
+        confidential:
+          name: *glibc-initrd-name
+          version: *glibc-initrd-version
         mariner:
           name: "cbl-mariner"
           version: "2.0"