packaging: Add IBM Z SE artifacts to main #6755
hi @BbolroC, thanks for helping on the CCv0 -> main merge! I left a few comments. Overall it looks good but it would be better if you could break it into smaller commits. Could you do that?
A few comments
Yes, I will follow your suggestion. Thanks a lot!
A few more comments.
@@ -54,6 +54,8 @@ docker run \ | |||
-v "${kata_dir}:${kata_dir}" \ | |||
--env CI="${CI:-}" \ | |||
--env USER=${USER} \ | |||
--env AA_KBC="${AA_KBC:-}" \ |
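Review bot: `--env AA_KBC="${AA_KBC:-}"` forwards a variable into the build container that, as the review comment on this hunk notes, nothing in main consumes yet; either hold the line back until its consumer lands or add a short comment naming the script that will read it, so an unused variable is not carried into the build environment indefinitely. Minor style point on the surrounding context: `--env USER=${USER}` is unquoted while the new line quotes its value; quoting it as `--env USER="${USER}"` would keep the block consistent.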
I don't think we use the AA_KBC variable in main yet, but I guess this doesn't hurt.
Thanks for the info.
tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh (outdated, resolved)
This PR should be merged after #6586 due to the cross-compilation.
On my workstation (x86_64) I rebased this PR on top of #6586 (enable cross build for non-x86) then I ran the following command to build the SE boot image:
It failed to build the kernel (pre-req of the boot image):
Have I done it wrong?
/test
This is to rule out unnecessary build targets for s390x. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This is to increase resources for relaxing the limitation of hotplug for SE. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This is to add SE configuration which is used by kata runtime. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This is to add a build target boot-image-se with a host-key-document config for s390x. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This is to install s390-tools including genprotimg during the docker build. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This is to add a build target boot-image-se for s390x. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This is to add an artifact for IBM Z SE(TEE) to main. Fixes: kata-containers#6754 Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
hi @BbolroC! Sorry for taking months to re-review it. I couldn't build the boot-image-se due to the lack of a host key document on my laptop, then I reviewed the code carefully and didn't find any problem. The shim-v2, on the other hand, I could build and I see the configuration-qemu-se.toml generated and it looks good.
This is to make a base builder image build genprotimg without a package manager under the cross-compilation environment. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This is to make kernel parameters configurable during the secure image build by adding an environment variable SE_KERNEL_PARAMS. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This is to make `build_se_image.sh` incorporate the key verification originally supported by `genprotimg`. It can be achieved by specifying two environment variables called `SIGNING_KEY_CERT_PATH` and `INTERMEDIATE_CA_CERT_PATH`. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
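The two commits above introduce `SE_KERNEL_PARAMS` for the kernel command line and `SIGNING_KEY_CERT_PATH`/`INTERMEDIATE_CA_CERT_PATH` for host key document verification. The following is an added example of how a build wrapper can compose the `genprotimg` invocation from those variables while refusing to skip verification by accident; it is not the PR's `build_se_image.sh`. It assumes `genprotimg` accepts repeated `--cert` options and `--no-verify` (as in the tool's own help), and the `SE_ALLOW_UNVERIFIED` opt-out is a name invented here.

```shell
#!/bin/sh
# Added example, not the PR's build_se_image.sh. Assumes genprotimg accepts
# repeated --cert options (host key document verification) and --no-verify.
# SE_ALLOW_UNVERIFIED is a hypothetical opt-out used only in this example.

# Print the genprotimg verification options for a signing cert and its
# intermediate CA cert. Returns 3 if neither is set (caller decides explicitly
# whether to build unverified), 2 if only one is set, 1 if a file is unreadable.
se_verify_args() {
    signing_cert="$1"; intermediate_cert="$2"
    if [ -z "$signing_cert" ] && [ -z "$intermediate_cert" ]; then
        echo "warning: no certificates given; host key document not verified" >&2
        return 3
    fi
    if [ -z "$signing_cert" ] || [ -z "$intermediate_cert" ]; then
        echo "error: SIGNING_KEY_CERT_PATH and INTERMEDIATE_CA_CERT_PATH must both be set" >&2
        return 2
    fi
    for f in "$signing_cert" "$intermediate_cert"; do
        [ -r "$f" ] || { echo "error: cannot read certificate $f" >&2; return 1; }
    done
    printf '%s %s %s %s\n' --cert "$signing_cert" --cert "$intermediate_cert"
}

# Print the genprotimg command line for a Secure Execution boot image.
# $1 kernel, $2 initrd, $3 host key document, $4 parmfile, $5 output image.
# Verification options come from the environment; with none set, the build is
# only produced when SE_ALLOW_UNVERIFIED=1 makes the opt-out explicit.
se_build_cmdline() {
    rc=0
    verify_opts=$(se_verify_args "${SIGNING_KEY_CERT_PATH:-}" \
                                 "${INTERMEDIATE_CA_CERT_PATH:-}") || rc=$?
    case $rc in
        0) ;;
        3) [ "${SE_ALLOW_UNVERIFIED:-0}" = 1 ] || return 3
           verify_opts="--no-verify" ;;
        *) return $rc ;;
    esac
    printf 'genprotimg -i %s -r %s -p %s -k %s %s -o %s\n' \
        "$1" "$2" "$4" "$3" "$verify_opts" "$5"
}

# Write the parmfile from SE_KERNEL_PARAMS so the kernel command line is
# baked into the protected image instead of being supplied at boot time.
se_write_parmfile() {
    printf '%s\n' "${SE_KERNEL_PARAMS:-}" > "$1"
}
```

Exit status 3 from `se_build_cmdline` means the caller asked for an unverified image without setting the opt-out, which is the case a CI job should treat as a failure.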
It is to remove the build redundancy of `kernel` and `rootfs-initrd` by making `boot-image-se` built based on them at the second build stage. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This is to adjust a name of the binary `strip` to a target architecture for cross-compilation. Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
/test
The existing confidential basic test titled `Test unencrypted confidential container launch success and verify that we are running in a secure enclave` has been updated to incorporate IBM Secure Execution (`qemu-se`). Previously, a secure image was absent from kata-deploy, hindering the inclusion of IBM SE in the test. Thanks to the kata-containers#6755 update, it is now possible to test the TEE. This modification extends the existing test by introducing `qemu-se`. The specific changes are outlined below:
- Add an additional test `cc-se-e2e-tests` to s390x nightly
- Expansion of `REMOTE_COMMAND_PER_HYPERVISOR` for `qemu-se`
- Temporary exclusion of two test cases currently incompatible with IBM SE (`cpu-ns` is a common issue across all TEEs, while `inotify` will be addressed in a subsequent pull request).
Fixes: kata-containers#8913
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This is to add artifacts for IBM Z SE(TEE) to main.
This PR MUST be merged after #6586.
Fixes: #6754
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>