TEEs: Introduce kernel-confidential #8753
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
katacontainersbot
added
the
size/huge
fidencio
requested review from
zvonkok,
ryansavino,
arronwy,
stevenhorsman,
ChengyuZhu6 and
fitzthum
fidencio
force-pushed
the
topic/add-confidential-artefacts
branch
from
afa227f
to
923e5bc
Compare
|
A few high-level notes. First, SNP support is not upstream in QEMU yet. I think the most recent patches are here. So we will probably need to continue shipping SNP QEMU for a while. Second, for SEV(-ES) to support attestation. we need a kernel module to be built into the rootfs. This is sort of related to this work because the kernel module has to be compatible with the guest kernel. In CCv0 we have this code to tell the rootfs builder about the kernel module. We assume that the module has already been built when we build the SEV kernel. In theory we can do something very similar with the generic kernel. I don't think this code for the module has made it into main yet. It might need to be added as part of @ryansavino's shim patch. I can take a closer look at this shortly and test out the SEV components at some point. |
I'll drop the QEMU part of this patch then. Thanks for letting me know! |
fidencio
force-pushed
the
topic/add-confidential-artefacts
branch
from
923e5bc
to
4d4f299
Compare
|
@fitzthum, could you give it a try on this latest update? In order to generate a rootfs in the same way you're used to do for SEV, please, apply also this patch (which is out of context of this series, but will come in a different one after this one gets merged). |
fidencio
changed the title
|
/test |
fidencio
force-pushed
the
topic/add-confidential-artefacts
branch
from
4d4f299
to
ab2beb9
Compare
gkurz
reviewed
Jan 9, 2024
gkurz
reviewed
Jan 9, 2024
jepio
approved these changes
Jan 9, 2024
stevenhorsman
approved these changes
Jan 9, 2024
gkurz
approved these changes
Jan 9, 2024
We've not been building QEMU experimental for a very long time, and the entry there has only been serving the purpose to clutter the versions.yaml (in the best case scenario) or even confuse new contributors to the project. Mind that the machinery to build the QEMU experimental is not touched, and that's used to build the TEEs capabale artefacts. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As all the supported architectures are disabling the virtiofsd build, there's no need to keep the switch statement there. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
There are lots of configs removed from latest kernel. Update them here for convenience of next kernel upgrade. Remove CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE [1] Remove CONFIG_IP_NF_TARGET_CLUSTERIP [2] Remove CONFIG_NET_SCH_CBQ [3] Remove CONFIG_AUTOFS4_FS [4] Remove CONFIG_EMBEDDED [5] [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=a7e4676e8e2cb158a4d24123de778087955e1b36 [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=9db5d918e2c07fa09fab18bc7addf3408da0c76f [3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=051d442098421c28c7951625652f61b1e15c4bd5 [4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=1f2190d6b7112d22d3f8dfeca16a2f6a2f51444e [5] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=ef815d2cba782e96b9aad9483523d474ed41c62a Fixes: kata-containers#8408 Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
We're using a Kernel based on v6.7, which should include all te patches needed for SEV / SNP / TDX. By doing this, later on, we'll be able to stop building the specific kernel for each one of the targets we have for the TEEs. Let's note that we've introduced the "confidential" target for the kernel builder script, while the TEE specific builds are being kept as they're -- at least for now. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
SSIA. :-) Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
force-pushed
the
topic/add-confidential-artefacts
branch
from
ab2beb9
to
c3f6eaa
Compare
katacontainersbot
removed
the
size/huge
|
I've got all your comments addressed, thanks a lot for your review! |
|
/test |
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In order to reduce the amount of artefacts we're shipping, let's try to introduce a single kernel and QEMU that would be capable of supporting SEV / SNP / TDX.
This series only introduce such artefacts, but those are not used yet.
We'll first have those ones built, and after that start testing it as part of the CI. This gives us time to solve the redness of the AMD CIs, and the switch to a new host side stack on the Intel CI, after folks are back from vacation.