runtime: packaging: Use confidential kernel instead of the TDX one #8978
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fidencio
force-pushed
the
topic/use-the-kernel-confidential-when-possible
branch
2 times, most recently
from
547e02a
to
fa653ce
Compare
|
/test |
danmihai1
approved these changes
Feb 1, 2024
|
I'm adding a `do-not-merge as Ryan wants to test a few things outside of the CI. |
fidencio
force-pushed
the
topic/use-the-kernel-confidential-when-possible
branch
from
bc98acb
to
a735752
Compare
fidencio
changed the title
|
Folks, I've dropped the AMD bits from here in order to have this one moving, |
|
/test |
fidencio
force-pushed
the
topic/use-the-kernel-confidential-when-possible
branch
4 times, most recently
from
fb8bc5c
to
69de09d
Compare
katacontainersbot
added
size/medium
With this we can properly generate and the the `-confidential` kernel, which supports SEV / SNP / TDX as part of our configuration files. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As we're building a single confidential kernel, we should rely on it rather than keep using the specific ones for TDX / SEV / SNP. However, for debugability-sake, let's do this change TEE by TEE. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
force-pushed
the
topic/use-the-kernel-confidential-when-possible
branch
from
69de09d
to
16cd315
Compare
fidencio
force-pushed
the
topic/use-the-kernel-confidential-when-possible
branch
from
16cd315
to
b9eeeb5
Compare
ryansavino
approved these changes
Feb 2, 2024
There was a problem hiding this comment.
LGTM.
Just a brief update here based on the slack discussion:
There is a SNP guest kernel patch in the current AMDESE/linux fork for a bug that addresses an issue when more than 1 TB is allocated for a guest. This will get pulled in when we update to a newer kernel at a later point in time.
|
@niteeshkd we should make sure to rebase your forked branch once this gets into main. |
As we're building a single confidential kernel, we should rely on it rather than keep using the specific ones for TDX / SEV / SNP. However, for debugability-sake, let's do this change TEE by TEE. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As we're building a single confidential kernel, we should rely on it rather than keep using the specific ones for TDX / SEV / SNP. However, for debugability-sake, let's do this change TEE by TEE. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As this is not used anymore, we can go ahead and just remove it. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As this is not used anymore, we can go ahead and just remove it Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As this is not used anymore, we can go ahead and just remove it Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We're using the confidential kernel instead from now on. Fixes: kata-containers#8981 -- part I Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The modules dir has an extra "-nvidia-gpu-confidential" string in its name. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This is already done for the TDX kernel, and should have been done also for the confidential one. This action requires us to bump the kernel version as the resulting kernel will be different from the cached one. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We need to do this in order to ensure that the measure boot will be taking the latest kernel bits, as needed. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Now that we're using the kernel-confidential, let the rootfs depending on it, instead of depending on the TEE specific ones. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
force-pushed
the
topic/use-the-kernel-confidential-when-possible
branch
from
b9eeeb5
to
e9de0ef
Compare
katacontainersbot
added
size/medium
Cool, I've re-added the AMD related bits to this PR. Thanks. |
|
/test |
fidencio
added a commit
to fidencio/kata-containers
that referenced
this pull request
Feb 5, 2024
Now we're using a "confidential" image that has support for all of those. Fixes: kata-containers#9010 -- part II kata-containers#8982 -- part II kata-containers#8978 -- part II Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
added a commit
to fidencio/kata-containers
that referenced
this pull request
Feb 13, 2024
Now we're using a "confidential" image that has support for all of those. Fixes: kata-containers#9010 -- part II kata-containers#8982 -- part II kata-containers#8978 -- part II Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
added a commit
to fidencio/kata-containers
that referenced
this pull request
Feb 13, 2024
Now we're using a "confidential" image that has support for all of those. Fixes: kata-containers#9010 -- part II kata-containers#8982 -- part II kata-containers#8978 -- part II Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
added a commit
to fidencio/kata-containers
that referenced
this pull request
Feb 13, 2024
Now we're using a "confidential" image that has support for all of those. Fixes: kata-containers#9010 -- part II kata-containers#8982 -- part II kata-containers#8978 -- part II Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
added a commit
to fidencio/kata-containers
that referenced
this pull request
Feb 13, 2024
Now we're using a "confidential" image that has support for all of those. Fixes: kata-containers#9010 -- part II kata-containers#8982 -- part II kata-containers#8978 -- part II Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
added a commit
to fidencio/kata-containers
that referenced
this pull request
Feb 13, 2024
Now we're using a "confidential" image that has support for all of those. Fixes: kata-containers#9010 -- part II kata-containers#8982 -- part II kata-containers#8978 -- part II Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
c3d
pushed a commit
to c3d/kata-containers
that referenced
this pull request
Feb 23, 2024
Now we're using a "confidential" image that has support for all of those. Fixes: kata-containers#9010 -- part II kata-containers#8982 -- part II kata-containers#8978 -- part II Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We've been building a 6.7 kernel for some time and it can be used for all the TEEs. For now I'm just enabling this for TDX, at least till the SEV / SNP CIs are up and running again.