New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
packaging: Add confidential image / initrd #8983
packaging: Add confidential image / initrd #8983
Conversation
@@ -38,9 +38,7 @@ jobs: | |||
- kata-ctl | |||
- kernel | |||
- kernel-confidential | |||
- kernel-sev |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
still has some references to them. Should we remove there too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Very good point, @beraldoleal, and I should have written this as part of a note in the PR.
If we remove those right now, we'll break the build as:
- removing from the yaml file will only take effect after the PR is merged
- removong from the kata-deploy-binaries.sh will take effect during the tests
With this in mind, I'd like to remove those bits in a follow-up PR.
Does it sound reasonable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds acceptable! :) Thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. I had the same comment as @beraldoleal but your point about a follow-up PR sounds good.
tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
Outdated
Show resolved
Hide resolved
0459e9a
to
3793966
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
I've moved this to a draft to ensure it doesn't get merged before its dependency. |
3793966
to
c036a24
Compare
I've updated this one dropping the AMD changes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This LGTM.
One thing that occurred to me whilst reviewing this (that is out of scope for this PR, but I thought might be needed to think about before we close #8183), is what are we going to do about SE image. It's not being made through this as it's only creating the confidential image in the amd64 payload, which makes sense, as the SE initrd needs to go through genprotimg tool and requires a host key document of the machine it will run on, so I'm not too sure how we want to integrate that into CI pipeline? In Anyway, that's not for this PR, so I'll try not to derail it |
c036a24
to
3301ac3
Compare
Let's use a single rootfs image / initrd for confidential workloads, instead of having those split for different TEEs. We can easily do this now as the soon-to-be-added guest-components can be built in a generic way. Fixes: kata-containers#8982 Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
3301ac3
to
a9f8888
Compare
/test |
Let's use a single rootfs image / initrd for confidential workloads,
instead of having those split for different TEEs.
We can easily do this now as the soon-to-be-added guest-components can
be built in a generic way.
Fixes: #8982
NOTE: This is rebased atop of #8978