packaging: Add confidential image / initrd #8983
Conversation
| @@ -38,9 +38,7 @@ jobs: | |||
| - kata-ctl | |||
| - kernel | |||
| - kernel-confidential | |||
| - kernel-sev | |||
There was a problem hiding this comment.
tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh still has some references to them. Should we remove there too?
There was a problem hiding this comment.
Very good point, @beraldoleal, and I should have written this as part of a note in the PR.
If we remove those right now, we'll break the build as:
- removing from the yaml file will only take effect after the PR is merged
- removong from the kata-deploy-binaries.sh will take effect during the tests
With this in mind, I'd like to remove those bits in a follow-up PR.
Does it sound reasonable?
There was a problem hiding this comment.
Sounds acceptable! :) Thanks.
There was a problem hiding this comment.
Looks good to me. I had the same comment as @beraldoleal but your point about a follow-up PR sounds good.
tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
Outdated
Show resolved
Hide resolved
fidencio
force-pushed
the
topic/add-confidential-image
branch
from
0459e9a
to
3793966
Compare
|
I've moved this to a draft to ensure it doesn't get merged before its dependency. |
fidencio
changed the title
fidencio
force-pushed
the
topic/add-confidential-image
branch
from
3793966
to
c036a24
Compare
fidencio
changed the title
|
I've updated this one dropping the AMD changes. |
|
One thing that occurred to me whilst reviewing this (that is out of scope for this PR, but I thought might be needed to think about before we close #8183), is what are we going to do about SE image. It's not being made through this as it's only creating the confidential image in the amd64 payload, which makes sense, as the SE initrd needs to go through genprotimg tool and requires a host key document of the machine it will run on, so I'm not too sure how we want to integrate that into CI pipeline? In Anyway, that's not for this PR, so I'll try not to derail it |
fidencio
force-pushed
the
topic/add-confidential-image
branch
from
c036a24
to
3301ac3
Compare
katacontainersbot
added
size/small
Let's use a single rootfs image / initrd for confidential workloads, instead of having those split for different TEEs. We can easily do this now as the soon-to-be-added guest-components can be built in a generic way. Fixes: kata-containers#8982 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
fidencio
force-pushed
the
topic/add-confidential-image
branch
from
3301ac3
to
a9f8888
Compare
|
/test |
Let's use a single rootfs image / initrd for confidential workloads,
instead of having those split for different TEEs.
We can easily do this now as the soon-to-be-added guest-components can
be built in a generic way.
Fixes: #8982
NOTE: This is rebased atop of #8978