tdx: Update TDX artefacts to be used with the Ubuntu 23.10 / CentOS 9 stream OSVs. #8840
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
danmihai1
approved these changes
Jan 16, 2024
fidencio
force-pushed
the
topic/update-tdx-artefacts-to-the-new-host-os
branch
4 times, most recently
from
2ce2a57
to
8ed1d1f
Compare
fidencio
force-pushed
the
topic/update-tdx-artefacts-to-the-new-host-os
branch
2 times, most recently
from
a7fb8e5
to
aaba4fb
Compare
fidencio
changed the title
fidencio
force-pushed
the
topic/update-tdx-artefacts-to-the-new-host-os
branch
2 times, most recently
from
adfb786
to
47a03cf
Compare
katacontainersbot
added
size/huge
fidencio
force-pushed
the
topic/update-tdx-artefacts-to-the-new-host-os
branch
6 times, most recently
from
3b48289
to
d53ef51
Compare
fidencio
force-pushed
the
topic/update-tdx-artefacts-to-the-new-host-os
branch
from
d53ef51
to
bf00546
Compare
katacontainersbot
added
size/large
Let's update the QEMU to the one that's officially maintained by Intel till all the TDX patches make their way upstream. We've had to also update python to explicitly use python3 and add python3-venv as part of the dependencies. Fixes: kata-containers#8810 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The private=on|off knob is required in order to properly lauunch a TDX guest VM. This is a brand new property that is part of the still in-flight patches adding TDX support on QEMU. Please, see: intel-staging/qemu-tdx@3fdd807 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This reverts commit d1b54ed. Conflicts: src/runtime/virtcontainers/qemu.go This commit was a hack that was needed in order to get QEMU + TDX to work atop of the stack our CI was running on. As we're moving to "the officially supported by distros" host OS, we need to get rid of this. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
force-pushed
the
topic/update-tdx-artefacts-to-the-new-host-os
branch
from
7cce588
to
3200af0
Compare
|
/test |
This commit is a mess, but I'm not exactly sure what's the best way to make it less messy, as we're getting QEMU TDX to work while partially reverting 1e34220. With that said, let me cover the content of this commit. Firstly, we're reverting all the changes related to "memory-backend-memfd-private", as that's what was used with the previous host stack, but it seems it didn't fly upstream. Secondly, in order to get QEMU to properly work with TDX, we need to enforce the 'private=on' knob and use the "memory-backend-ram", and we're doing so, and also making sure to test the `private=on` newly added knob. I'm sorry for the confusion, I understand this is not optimal, I just don't see an easy path to do changes without leaving the code broken during those changes. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This is done in order to match the example from: https://github.com/intel/tdx-linux/wiki/Instruction-to-set-up-TDX-host-and-guest#build-tdvf-image Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's rely on the kvm module 'tdx' parameter to do so. This aligns with both OSVs (Canonical, Red Hat, SUSE) and the TDX adoption (https://github.com/intel/tdx-linux) stacks. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
force-pushed
the
topic/update-tdx-artefacts-to-the-new-host-os
branch
from
3200af0
to
cdb8531
Compare
|
/test |
cmaf
approved these changes
Apr 5, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As host side patches of TDX are being shipped by distros like Ubuntu, CentOS Stream, and SuSE, let's take advantage of this and switch to using those, while on the guest side we rely on the upstream content (kernel 6.7, which has everything we need).
Please, take a look at each commit in the series for further details.