TEEs: Introduce kernel-confidential #8753
Conversation
afa227f to 923e5bc
A few high-level notes. First, SNP support is not upstream in QEMU yet. I think the most recent patches are here. So we will probably need to continue shipping SNP QEMU for a while. Second, for SEV(-ES) to support attestation, we need a kernel module to be built into the rootfs. This is sort of related to this work because the kernel module has to be compatible with the guest kernel. In CCv0 we have this code to tell the rootfs builder about the kernel module. We assume that the module has already been built when we build the SEV kernel. In theory we can do something very similar with the generic kernel. I don't think this code for the module has made it into main yet. It might need to be added as part of @ryansavino's shim patch. I can take a closer look at this shortly and test out the SEV components at some point.
I'll drop the QEMU part of this patch then. Thanks for letting me know!
923e5bc to 4d4f299
@fitzthum, could you give it a try on this latest update? In order to generate a rootfs in the same way you're used to doing for SEV, please also apply this patch (which is out of the context of this series, but will come in a different one after this one gets merged).
/test
4d4f299 to ab2beb9
I like where this is headed. lgtm
Just left some minor comments/suggestions, but otherwise it looks good. Thanks!
LGTM. Thanks @fidencio !
We've not been building QEMU experimental for a very long time, and the entry there has only been serving the purpose to clutter the versions.yaml (in the best case scenario) or even confuse new contributors to the project. Mind that the machinery to build the QEMU experimental is not touched, and that's used to build the TEEs capable artefacts. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As all the supported architectures are disabling the virtiofsd build, there's no need to keep the switch statement there. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
There are lots of configs removed from the latest kernel. Update them here for convenience of the next kernel upgrade.
Remove CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE [1]
Remove CONFIG_IP_NF_TARGET_CLUSTERIP [2]
Remove CONFIG_NET_SCH_CBQ [3]
Remove CONFIG_AUTOFS4_FS [4]
Remove CONFIG_EMBEDDED [5]
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=a7e4676e8e2cb158a4d24123de778087955e1b36
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=9db5d918e2c07fa09fab18bc7addf3408da0c76f
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=051d442098421c28c7951625652f61b1e15c4bd5
[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=1f2190d6b7112d22d3f8dfeca16a2f6a2f51444e
[5] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v6.6&id=ef815d2cba782e96b9aad9483523d474ed41c62a
Fixes: kata-containers#8408 Signed-off-by: Jianyong Wu <jianyong.wu@arm.com>
We're using a Kernel based on v6.7, which should include all the patches needed for SEV / SNP / TDX. By doing this, later on, we'll be able to stop building the specific kernel for each one of the targets we have for the TEEs. Let's note that we've introduced the "confidential" target for the kernel builder script, while the TEE specific builds are being kept as they're -- at least for now. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
SSIA. :-) Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
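The third commit message above drops kernel config options that upstream removed between releases. The following is an added example, not code from the kata-containers project or from the PR: a small checker that reads a kernel config fragment and reports every CONFIG_ symbol that no Kconfig file in a given tree declares, so stale options surface at kernel-upgrade time instead of being silently ignored by the build. The fragment and Kconfig contents below are constructed sample inputs; the function names are this example's own.

```python
"""Flag kernel config options that no longer exist in a kernel tree.

Added example, not part of the kata-containers PR. It assumes config
fragments in the usual ``CONFIG_FOO=y`` / ``# CONFIG_FOO is not set`` form
and Kconfig files declaring symbols with ``config FOO`` / ``menuconfig FOO``.
"""
import re

# Matches either an enabled/valued option or the "is not set" form.
CONFIG_LINE = re.compile(r"^(?:CONFIG_(\w+)=|# CONFIG_(\w+) is not set)")
# Matches a symbol declaration line inside a Kconfig file.
KCONFIG_SYMBOL = re.compile(r"^\s*(?:menu)?config\s+(\w+)\s*$")


def fragment_symbols(fragment_text):
    """Return the set of CONFIG_ symbol names referenced by a config fragment."""
    syms = set()
    for line in fragment_text.splitlines():
        m = CONFIG_LINE.match(line.strip())
        if m:
            syms.add(m.group(1) or m.group(2))
    return syms


def kconfig_symbols(kconfig_texts):
    """Return the set of symbols declared across the given Kconfig file contents."""
    syms = set()
    for text in kconfig_texts:
        for line in text.splitlines():
            m = KCONFIG_SYMBOL.match(line)
            if m:
                syms.add(m.group(1))
    return syms


def stale_options(fragment_text, kconfig_texts):
    """Return the sorted list of fragment options that no Kconfig file declares."""
    return sorted(fragment_symbols(fragment_text) - kconfig_symbols(kconfig_texts))


# Constructed sample fragment: two of these options were removed upstream in
# v6.6 (see the commit message above), one was never a real symbol here.
SAMPLE_FRAGMENT = """\
CONFIG_SECURITY_SELINUX=y
CONFIG_NET_SCH_CBQ=y
CONFIG_AUTOFS4_FS=y
# CONFIG_EMBEDDED is not set
"""

# Constructed stand-in for the Kconfig files of a newer kernel tree.
SAMPLE_KCONFIG = """\
menuconfig SECURITY_SELINUX
\tbool "NSA SELinux Support"

config AUTOFS_FS
\ttristate "Kernel automounter support"
"""

if __name__ == "__main__":
    for sym in stale_options(SAMPLE_FRAGMENT, [SAMPLE_KCONFIG]):
        print(f"stale option: CONFIG_{sym}")
```

In practice the Kconfig texts would be read from every `Kconfig*` file under the kernel source tree for the target version, and a non-empty result would fail the fragment check before the kernel build starts.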
ab2beb9 to c3f6eaa
I've got all your comments addressed, thanks a lot for your review!
/test
In order to reduce the amount of artefacts we're shipping, let's try to introduce a single kernel and QEMU that would be capable of supporting SEV / SNP / TDX.
This series only introduces such artefacts, but those are not used yet.
We'll first have those ones built, and after that start testing it as part of the CI. This gives us time to solve the redness of the AMD CIs, and the switch to a new host side stack on the Intel CI, after folks are back from vacation.