kata-containers · fidencio · Feb 2, 2024 · Jan 12, 2024 · Jan 12, 2024 · Jan 31, 2024
diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -38,9 +38,7 @@ jobs:
           - kata-ctl
           - kernel
           - kernel-confidential
-          - kernel-sev
           - kernel-dragonball-experimental
-          - kernel-tdx-experimental
           - kernel-nvidia-gpu
           - kernel-nvidia-gpu-confidential
           - nydus

diff --git a/src/runtime/Makefile b/src/runtime/Makefile
@@ -378,17 +378,9 @@ ifneq (,$(QEMUCMD))
     KERNELNAME = $(call MAKE_KERNEL_NAME,$(KERNELTYPE))
     KERNELPATH = $(KERNELDIR)/$(KERNELNAME)
 
-    KERNELSEVTYPE = compressed
-    KERNELSEVNAME = $(call MAKE_KERNEL_SEV_NAME,$(KERNELSEVTYPE))
-    KERNELSEVPATH = $(KERNELDIR)/$(KERNELSEVNAME)
-
-    KERNELTDXTYPE = compressed
-    KERNELTDXNAME = $(call MAKE_KERNEL_TDX_NAME,$(KERNELTDXTYPE))
-    KERNELTDXPATH = $(KERNELDIR)/$(KERNELTDXNAME)
-
-    KERNELSNPTYPE = compressed
-    KERNELSNPNAME = $(call MAKE_KERNEL_SNP_NAME,$(KERNELSNPTYPE))
-    KERNELSNPPATH = $(KERNELDIR)/$(KERNELSNPNAME)
+    KERNELCONFIDENTIALTYPE = compressed
+    KERNELCONFIDENTIALNAME = $(call MAKE_KERNEL_CONFIDENTIAL_NAME,$(KERNELCONFIDENTIALTYPE))
+    KERNELCONFIDENTIALPATH = $(KERNELDIR)/$(KERNELCONFIDENTIALNAME)
 
     KERNELSENAME = kata-containers-se.img
     KERNELSEPATH = $(KERNELDIR)/$(KERNELSENAME)
@@ -585,9 +577,7 @@ USER_VARS += KERNELTYPE_ACRN
 USER_VARS += KERNELTYPE_CLH
 USER_VARS += KERNELPATH_ACRN
 USER_VARS += KERNELPATH
-USER_VARS += KERNELSEVPATH
-USER_VARS += KERNELTDXPATH
-USER_VARS += KERNELSNPPATH
+USER_VARS += KERNELCONFIDENTIALPATH
 USER_VARS += KERNELSEPATH
 USER_VARS += KERNELPATH_CLH
 USER_VARS += KERNELPATH_FC
@@ -773,17 +763,8 @@ define MAKE_KERNEL_VIRTIOFS_NAME
 $(if $(findstring uncompressed,$1),vmlinux-virtiofs.container,vmlinuz-virtiofs.container)
 endef
 
-define MAKE_KERNEL_SEV_NAME
-$(if $(findstring uncompressed,$1),vmlinux-sev.container,vmlinuz-sev.container)
-endef
-
-define MAKE_KERNEL_TDX_NAME
-$(if $(findstring uncompressed,$1),vmlinux-tdx.container,vmlinuz-tdx.container)
-endef
-
-# SNP configuration uses the SEV kernel
-define MAKE_KERNEL_SNP_NAME
-$(if $(findstring uncompressed,$1),vmlinux-sev.container,vmlinuz-sev.container)
+define MAKE_KERNEL_CONFIDENTIAL_NAME
+$(if $(findstring uncompressed,$1),vmlinux-confidential.container,vmlinuz-confidential.container)
 endef
 
 GENERATED_FILES += pkg/katautils/config-settings.go

diff --git a/src/runtime/config/configuration-qemu-sev.toml.in b/src/runtime/config/configuration-qemu-sev.toml.in
@@ -12,7 +12,7 @@
 
 [hypervisor.qemu]
 path = "@QEMUPATH@"
-kernel = "@KERNELSEVPATH@"
+kernel = "@KERNELCONFIDENTIALPATH@"
 initrd = "@INITRDSEVPATH@"
 machine_type = "@MACHINETYPE@"
 

diff --git a/src/runtime/config/configuration-qemu-snp.toml.in b/src/runtime/config/configuration-qemu-snp.toml.in
@@ -14,7 +14,7 @@
 
 [hypervisor.qemu]
 path = "@QEMUSNPPATH@"
-kernel = "@KERNELSNPPATH@"
+kernel = "@KERNELCONFIDENTIALPATH@"
 #image = "@IMAGEPATH@"
 initrd = "@INITRDSEVPATH@"
 machine_type = "@MACHINETYPE@"

diff --git a/src/runtime/config/configuration-qemu-tdx.toml.in b/src/runtime/config/configuration-qemu-tdx.toml.in
@@ -13,7 +13,7 @@
 
 [hypervisor.qemu]
 path = "@QEMUTDXPATH@"
-kernel = "@KERNELTDXPATH@"
+kernel = "@KERNELCONFIDENTIALPATH@"
 image = "@IMAGETDXPATH@"
 # initrd = "@INITRDPATH@"
 machine_type = "@MACHINETYPE@"

diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
@@ -160,13 +160,13 @@ stratovirt-tarball:
 rootfs-image-tarball: agent-tarball
 	${MAKE} $@-build
 
-rootfs-image-tdx-tarball: agent-opa-tarball kernel-tdx-experimental-tarball
+rootfs-image-tdx-tarball: agent-opa-tarball kernel-confidential-tarball
 	${MAKE} $@-build
 
 rootfs-initrd-mariner-tarball: agent-opa-tarball
 	${MAKE} $@-build
 
-rootfs-initrd-sev-tarball: agent-opa-tarball kernel-sev-tarball
+rootfs-initrd-sev-tarball: agent-opa-tarball kernel-confidential-tarball
 	${MAKE} $@-build
 
 rootfs-initrd-tarball: agent-tarball

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -141,7 +141,16 @@ get_kernel_modules_dir() {
 	local dots=$(echo ${version} | grep -o '\.' | wc -l)
 	[ "${dots}" == "1" ] && numeric_final_version="${version}.0"
 
-	echo "${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/${kernel_name}/builddir/kata-linux-${version}-${kernel_kata_config_version}/lib/modules/${numeric_final_version}"
+	local kernel_modules_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/${kernel_name}/builddir/kata-linux-${version}-${kernel_kata_config_version}/lib/modules/${numeric_final_version}"
+	case ${kernel_name} in
+		kernel-nvidia-gpu-confidential)
+			kernel_modules_dir+="-nvidia-gpu-confidential"
+			;;
+		*)
+			;;
+	esac
+
+	echo ${kernel_modules_dir}
 }
 
 cleanup_and_fail() {
@@ -213,6 +222,15 @@ get_agent_tarball_path() {
 	echo "${agent_local_build_dir}/${agent_tarball_name}"
 }
 
+get_latest_kernel_confidential_artefact_and_builder_image_version() {
+		local kernel_version=$(get_from_kata_deps "assets.kernel.confidential.version")
+		local kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
+		local latest_kernel_artefact="${kernel_version}-${kernel_kata_config_version}-$(get_last_modification $(dirname $kernel_builder))"
+		local latest_kernel_builder_image="$(get_kernel_image_name)"
+
+		echo "${latest_kernel_artefact}-${latest_kernel_builder_image}"
+}
+
 #Install guest image
 install_image() {
 	local variant="${1:-}"
@@ -234,7 +252,14 @@ install_image() {
 		"$(get_last_modification "${repo_root_dir}/src/agent")" \
 		"$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")")
 
+
 	latest_artefact="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${image_type}"
+	if [ "${variant}" == "tdx" ]; then
+		# For the TDX image we depend on the kernel built in order to ensure that
+		# measured boot is used
+		latest_artefacts+="-$(get_latest_kernel_confidential_artefact_and_builder_image_version)"
+	fi
+
 	latest_builder_image=""
 
 	install_cached_tarball_component \
@@ -287,6 +312,12 @@ install_initrd() {
 		"$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")")
 
 	latest_artefact="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${initrd_type}"
+	if [ "${variant}" == "tdx" ]; then
+		# For the TDX image we depend on the kernel built in order to ensure that
+		# measured boot is used
+		latest_artefacts+="-$(get_latest_kernel_confidential_artefact_and_builder_image_version)"
+	fi
+
 	latest_builder_image=""
 
 	[[ "${ARCH}" == "aarch64" && "${CROSS_BUILD}" == "true" ]] && echo "warning: Don't cross build initrd for aarch64 as it's too slow" && exit 0
@@ -400,6 +431,8 @@ install_kernel() {
 install_kernel_confidential() {
 	local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"
 
+	export MEASURED_ROOTFS=yes
+
 	install_kernel_helper \
 		"assets.kernel.confidential.version" \
 		"kernel-confidential" \

diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-123
+124