runtime: packaging: Use confidential kernel instead of the TDX one #8978
Force-pushed from 547e02a to fa653ce
/test
looks good
I'm adding a `do-not-merge` as Ryan wants to test a few things outside of the CI.
Force-pushed from bc98acb to a735752
Folks, I've dropped the AMD bits from here in order to have this one moving.
LGTM, thanks!
/test
Force-pushed from fb8bc5c to 69de09d
With this we can properly generate the `-confidential` kernel, which supports SEV / SNP / TDX as part of our configuration files.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As we're building a single confidential kernel, we should rely on it rather than keep using the specific ones for TDX / SEV / SNP. However, for debuggability's sake, let's do this change TEE by TEE.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Force-pushed from 69de09d to 16cd315
Force-pushed from 16cd315 to b9eeeb5
LGTM.
Just a brief update here based on the slack discussion:
There is a SNP guest kernel patch in the current AMDESE/linux fork for a bug that addresses an issue when more than 1 TB is allocated for a guest. This will get pulled in when we update to a newer kernel at a later point in time.
@niteeshkd we should make sure to rebase your forked branch once this gets into main.
As this is not used anymore, we can go ahead and just remove it.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We're using the confidential kernel instead from now on.
Fixes: kata-containers#8981 -- part I
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The modules dir has an extra "-nvidia-gpu-confidential" string in its name.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This is already done for the TDX kernel, and should have been done also for the confidential one. This action requires us to bump the kernel version as the resulting kernel will be different from the cached one.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We need to do this in order to ensure that the measured boot will be taking the latest kernel bits, as needed.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Now that we're using the kernel-confidential, let the rootfs depend on it, instead of depending on the TEE specific ones.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Force-pushed from b9eeeb5 to e9de0ef
Cool, I've re-added the AMD related bits to this PR. Thanks.
/test
Now we're using a "confidential" image that has support for all of those.
Fixes: kata-containers#9010 -- part II
kata-containers#8982 -- part II
kata-containers#8978 -- part II
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We've been building a 6.7 kernel for some time and it can be used for all the TEEs. For now I'm just enabling this for TDX, at least until the SEV / SNP CIs are up and running again.