diff --git a/tools/build/README.md b/tools/build/README.md
index 4278d34..fc337b2 100644
--- a/tools/build/README.md
+++ b/tools/build/README.md
@@ -9,7 +9,7 @@ is available on Ubuntu 23.10, and [this Github repository](https://github.com/ca
 provides guidance and straightforward instructions on how to get started. Please follow the instructions to create a guest image and set up the TDX environment.
-Some additional patches are provided in [kernel](kernel/) directory for CCNP container measurement,
+Some additional patches are provided in [kernel/patches](kernel/patches) directory for CCNP container measurement,
 here is the information about the patches:
 | Patch Number | Comments |
@@ -23,4 +23,20 @@ Install the build dependencies and build the packages
 ```Shell
 sudo ./build.sh
-```
\ No newline at end of file
+```
+
+*Note: this build script is based on Ubuntu 23.10 TDX early preview kernel, please make sure this kernel has been installed.*
+
+## Install
+
+All the packages are built in `output` directory, please follow [cvm-image-rewriter plugin](../cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/README.md) or install them by `apt`/`dpkg`
+
+```Shell
+sudo apt install -y ./output/*.deb
+```
+
+or
+
+```Shell
+sudo dpkg -i ./output/*.deb
+```
diff --git a/tools/build/build.sh b/tools/build/build.sh
index a9d2db3..4d882c7 100755
--- a/tools/build/build.sh
+++ b/tools/build/build.sh
@@ -2,26 +2,15 @@ set -e
+BASE_KERNEL_VERSION="6.5.0-1003-intel-opt"
+
 CUR_DIR=$(dirname "$(readlink -f "$0")")
-KERNEL_PATCHES_DIR=${CUR_DIR}/kernel
+KERNEL_DIR=${CUR_DIR}/kernel
 TMP_DIR=$(mktemp -d /tmp/ccnp_build.XXXXXX)
 OUT_DIR=${CUR_DIR}/output
-KERNEL_CONFIG_ANNOTATIONS=$(cat << EOF
-
-CONFIG_TSM_REPORTS policy<{'amd64': 'm'}>
-CONFIG_TSM_REPORTS note<'Required for ConfigFS TSM support'>
-
-CONFIG_IMA_CGPATH_TEMPLATE policy<{'amd64': 'n'}>
-CONFIG_IMA_CGPATH_TEMPLATE note<'CGPATH for CCNP container measurement'>
-
-CONFIG_IMA_DEP_CGN_TEMPLATE policy<{'amd64': 'n'}>
-CONFIG_IMA_DEP_CGN_TEMPLATE note<'CGN for CCNP container measurement'>
-EOF
-)
-
 patch_kernel() {
- for p in "${KERNEL_PATCHES_DIR}"/*
+ for p in "${KERNEL_DIR}"/patches/*
 do
 patch -p1 -F1 -s < "${p}"
 done
@@ -32,9 +21,9 @@ build_ubuntu_kernel() {
 add-apt-repository -s -y ppa:kobuk-team/tdx-release
 # Install the build dependencies
 DEBIAN_FRONTEND=noninteractive apt update && apt install -y devscripts && \
- apt build-dep -y linux-image-unsigned-"$(uname -r)"
+ apt build-dep -y linux-image-unsigned-"${BASE_KERNEL_VERSION}"
 # Download the source codes
- apt source linux-image-unsigned-"$(uname -r)"
+ apt source linux-image-unsigned-"${BASE_KERNEL_VERSION}"
 # A workaround to fix build issue of DKMS
 mv /lib/modules/"$(uname -r)"/modules.dep /lib/modules/"$(uname -r)"/modules.dep.bk
 touch /lib/modules/"$(uname -r)"/modules.dep
@@ -42,8 +31,10 @@ build_ubuntu_kernel() {
 pushd linux-*/
 patch_kernel
 # Add new configs in the patch
- echo "${KERNEL_CONFIG_ANNOTATIONS}" | sed -i "/CONFIG_TDX_GUEST_DRIVER *note.*/ r /dev/stdin" \
+ sed -i "/CONFIG_TDX_GUEST_DRIVER *note.*/ r ${KERNEL_DIR}/ubuntu/annotations" \
 debian.intel-opt/config/annotations
+ # Change kernel version in changelog
+ sed -i "0 r ${KERNEL_DIR}/ubuntu/changelog" debian/changelog debian.intel-opt/changelog
 debuild -uc -us -b
 popd
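Review bot: `BASE_KERNEL_VERSION="6.5.0-1003-intel-opt"` is a bare constant that now has to agree with two things outside this line: the kernel the README tells the user to install, and the `6.5.0-1003.3.ccnp.1` version string in `kernel/ubuntu/changelog` added by this same commit. Nothing in the script records that coupling, and the value cannot be overridden without editing the file. I would write it as `readonly BASE_KERNEL_VERSION="${BASE_KERNEL_VERSION:-6.5.0-1003-intel-opt}"` preceded by `# Ubuntu 23.10 TDX preview kernel ABI this build patches; keep in step with kernel/ubuntu/changelog`. The `patch_kernel` loop's new `"${KERNEL_DIR}"/patches/*` glob also relies on the zero-padded `NNNN-` prefixes for ordering, which deserves a one-line comment since the numbered IMA/RTMR patches presumably must apply in sequence.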
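Review bot: `apt build-dep` and `apt source` now target `${BASE_KERNEL_VERSION}`, but the DKMS workaround three lines below still moves `/lib/modules/$(uname -r)/modules.dep` aside, so when the running kernel is not `6.5.0-1003-intel-opt` the script fetches one kernel's source and empties the module index of a different, live kernel (and nothing in this hunk restores `modules.dep.bk`). The README note added by this commit only requires the kernel to be installed, not booted, so that mismatch is easy to hit. Guard it before the `apt build-dep` line: `[[ "$(uname -r)" == "${BASE_KERNEL_VERSION}" ]] || { echo "boot ${BASE_KERNEL_VERSION} before building (running: $(uname -r))" >&2; exit 1; }`. `build_ubuntu_kernel` begins before this hunk.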
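Review bot: The new `sed -i "/CONFIG_TDX_GUEST_DRIVER *note.*/ r ${KERNEL_DIR}/ubuntu/annotations"` is a silent no-op when the anchor line is missing from `debian.intel-opt/config/annotations`: sed exits 0, `set -e` does not fire, and the build proceeds without `CONFIG_TSM_REPORTS` and the IMA template options, producing a guest kernel whose ConfigFS-TSM attestation and container-measurement configuration quietly failed to apply. Check the insertion right after the sed: `grep -q '^CONFIG_TSM_REPORTS ' debian.intel-opt/config/annotations || { echo "CONFIG_TDX_GUEST_DRIVER anchor not found; CCNP annotations not applied" >&2; exit 1; }`. The added `sed -i "0 r ..."` changelog insert has the same failure mode and is GNU-sed-only (fine on Ubuntu); a `head -n1 debian/changelog | grep -q ccnp || exit 1` before `debuild` would catch a wrong package version early. `build_ubuntu_kernel` starts and ends outside this hunk.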
diff --git a/tools/build/kernel/0001-ima-support-for-boot-aggregate-and-runtime-measureme.patch b/tools/build/kernel/patches/0001-ima-support-for-boot-aggregate-and-runtime-measureme.patch
similarity index 100%
rename from tools/build/kernel/0001-ima-support-for-boot-aggregate-and-runtime-measureme.patch
rename to tools/build/kernel/patches/0001-ima-support-for-boot-aggregate-and-runtime-measureme.patch
diff --git a/tools/build/kernel/0002-ima-initialize-fake-TPM-device-for-TDX-RTMR.patch b/tools/build/kernel/patches/0002-ima-initialize-fake-TPM-device-for-TDX-RTMR.patch
similarity index 100%
rename from tools/build/kernel/0002-ima-initialize-fake-TPM-device-for-TDX-RTMR.patch
rename to tools/build/kernel/patches/0002-ima-initialize-fake-TPM-device-for-TDX-RTMR.patch
diff --git a/tools/build/kernel/0003-fix-remove-comparison-on-RTMR-2-measurement.patch b/tools/build/kernel/patches/0003-fix-remove-comparison-on-RTMR-2-measurement.patch
similarity index 100%
rename from tools/build/kernel/0003-fix-remove-comparison-on-RTMR-2-measurement.patch
rename to tools/build/kernel/patches/0003-fix-remove-comparison-on-RTMR-2-measurement.patch
diff --git a/tools/build/kernel/0004-fix-fix-sha-index-issue-in-IMA.patch b/tools/build/kernel/patches/0004-fix-fix-sha-index-issue-in-IMA.patch
similarity index 100%
rename from tools/build/kernel/0004-fix-fix-sha-index-issue-in-IMA.patch
rename to tools/build/kernel/patches/0004-fix-fix-sha-index-issue-in-IMA.patch
diff --git a/tools/build/kernel/0005-ima-use-SHA384-hash-algorithm-for-measurement-in-ker.patch b/tools/build/kernel/patches/0005-ima-use-SHA384-hash-algorithm-for-measurement-in-ker.patch
similarity index 100%
rename from tools/build/kernel/0005-ima-use-SHA384-hash-algorithm-for-measurement-in-ker.patch
rename to tools/build/kernel/patches/0005-ima-use-SHA384-hash-algorithm-for-measurement-in-ker.patch
diff --git a/tools/build/kernel/0006-x86-tdx-rtmr-extend-TDX-RTMR-interface-for-kernel-IM.patch b/tools/build/kernel/patches/0006-x86-tdx-rtmr-extend-TDX-RTMR-interface-for-kernel-IM.patch
similarity index 100%
rename from tools/build/kernel/0006-x86-tdx-rtmr-extend-TDX-RTMR-interface-for-kernel-IM.patch
rename to tools/build/kernel/patches/0006-x86-tdx-rtmr-extend-TDX-RTMR-interface-for-kernel-IM.patch
diff --git a/tools/build/kernel/0007-fix-fix-compile-warnings.patch b/tools/build/kernel/patches/0007-fix-fix-compile-warnings.patch
similarity index 100%
rename from tools/build/kernel/0007-fix-fix-compile-warnings.patch
rename to tools/build/kernel/patches/0007-fix-fix-compile-warnings.patch
diff --git a/tools/build/kernel/0008-ima-created-new-ima-template-ima-dep-cgn-for-OCI-con.patch b/tools/build/kernel/patches/0008-ima-created-new-ima-template-ima-dep-cgn-for-OCI-con.patch
similarity index 100%
rename from tools/build/kernel/0008-ima-created-new-ima-template-ima-dep-cgn-for-OCI-con.patch
rename to tools/build/kernel/patches/0008-ima-created-new-ima-template-ima-dep-cgn-for-OCI-con.patch
diff --git a/tools/build/kernel/0009-ima-created-new-ima-template-ima-cgpath-for-Kubernat.patch b/tools/build/kernel/patches/0009-ima-created-new-ima-template-ima-cgpath-for-Kubernat.patch
similarity index 100%
rename from tools/build/kernel/0009-ima-created-new-ima-template-ima-cgpath-for-Kubernat.patch
rename to tools/build/kernel/patches/0009-ima-created-new-ima-template-ima-cgpath-for-Kubernat.patch
diff --git a/tools/build/kernel/0010-virt-sevguest-Fix-passing-a-stack-buffer-as-a-scatte.patch b/tools/build/kernel/patches/0010-virt-sevguest-Fix-passing-a-stack-buffer-as-a-scatte.patch
similarity index 100%
rename from tools/build/kernel/0010-virt-sevguest-Fix-passing-a-stack-buffer-as-a-scatte.patch
rename to tools/build/kernel/patches/0010-virt-sevguest-Fix-passing-a-stack-buffer-as-a-scatte.patch
diff --git a/tools/build/kernel/0011-virt-coco-Add-a-coco-Makefile-and-coco-Kconfig.patch b/tools/build/kernel/patches/0011-virt-coco-Add-a-coco-Makefile-and-coco-Kconfig.patch
similarity index 100%
rename from tools/build/kernel/0011-virt-coco-Add-a-coco-Makefile-and-coco-Kconfig.patch
rename to tools/build/kernel/patches/0011-virt-coco-Add-a-coco-Makefile-and-coco-Kconfig.patch
diff --git a/tools/build/kernel/0012-configfs-tsm-Introduce-a-shared-ABI-for-attestation-.patch b/tools/build/kernel/patches/0012-configfs-tsm-Introduce-a-shared-ABI-for-attestation-.patch
similarity index 100%
rename from tools/build/kernel/0012-configfs-tsm-Introduce-a-shared-ABI-for-attestation-.patch
rename to tools/build/kernel/patches/0012-configfs-tsm-Introduce-a-shared-ABI-for-attestation-.patch
diff --git a/tools/build/kernel/0013-virt-sevguest-Prep-for-kernel-internal-get_ext_repor.patch b/tools/build/kernel/patches/0013-virt-sevguest-Prep-for-kernel-internal-get_ext_repor.patch
similarity index 100%
rename from tools/build/kernel/0013-virt-sevguest-Prep-for-kernel-internal-get_ext_repor.patch
rename to tools/build/kernel/patches/0013-virt-sevguest-Prep-for-kernel-internal-get_ext_repor.patch
diff --git a/tools/build/kernel/0014-mm-slab-Add-__free-support-for-kvfree.patch b/tools/build/kernel/patches/0014-mm-slab-Add-__free-support-for-kvfree.patch
similarity index 100%
rename from tools/build/kernel/0014-mm-slab-Add-__free-support-for-kvfree.patch
rename to tools/build/kernel/patches/0014-mm-slab-Add-__free-support-for-kvfree.patch
diff --git a/tools/build/kernel/0015-virt-sevguest-Add-TSM_REPORTS-support-for-SNP_GET_EX.patch b/tools/build/kernel/patches/0015-virt-sevguest-Add-TSM_REPORTS-support-for-SNP_GET_EX.patch
similarity index 100%
rename from tools/build/kernel/0015-virt-sevguest-Add-TSM_REPORTS-support-for-SNP_GET_EX.patch
rename to tools/build/kernel/patches/0015-virt-sevguest-Add-TSM_REPORTS-support-for-SNP_GET_EX.patch
diff --git a/tools/build/kernel/0016-virt-tdx-guest-Add-Quote-generation-support-using-TS.patch b/tools/build/kernel/patches/0016-virt-tdx-guest-Add-Quote-generation-support-using-TS.patch
similarity index 100%
rename from tools/build/kernel/0016-virt-tdx-guest-Add-Quote-generation-support-using-TS.patch
rename to tools/build/kernel/patches/0016-virt-tdx-guest-Add-Quote-generation-support-using-TS.patch
diff --git a/tools/build/kernel/ubuntu/annotations b/tools/build/kernel/ubuntu/annotations
new file mode 100644
index 0000000..4bdabb1
--- /dev/null
+++ b/tools/build/kernel/ubuntu/annotations
@@ -0,0 +1,9 @@
+
+CONFIG_TSM_REPORTS policy<{'amd64': 'm'}>
+CONFIG_TSM_REPORTS note<'Required for ConfigFS TSM support'>
+
+CONFIG_IMA_CGPATH_TEMPLATE policy<{'amd64': 'n'}>
+CONFIG_IMA_CGPATH_TEMPLATE note<'CGPATH for CCNP container measurement'>
+
+CONFIG_IMA_DEP_CGN_TEMPLATE policy<{'amd64': 'n'}>
+CONFIG_IMA_DEP_CGN_TEMPLATE note<'CGN for CCNP container measurement'>
diff --git a/tools/build/kernel/ubuntu/changelog b/tools/build/kernel/ubuntu/changelog
new file mode 100644
index 0000000..ec4cc7c
--- /dev/null
+++ b/tools/build/kernel/ubuntu/changelog
@@ -0,0 +1,8 @@
+linux-intel-opt (6.5.0-1003.3.ccnp.1) mantic; urgency=medium
+
+ * [CCNP] Add CCNP kernel patches
+
+ - [Config] intel-opt: Enable IMA CGPath options
+ - [Config] intel-opt: Enable ConfigFS TSM options
+
+ -- Xiaocheng Dong Thu, 26 Mar 2024 15:26:10 +0800
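Review bot: `CONFIG_IMA_CGPATH_TEMPLATE policy<{'amd64': 'n'}>` and `CONFIG_IMA_DEP_CGN_TEMPLATE policy<{'amd64': 'n'}>` configure both CCNP templates out, while the `kernel/ubuntu/changelog` entry in the same commit says "Enable IMA CGPath options"; a reader of this file cannot tell which is intended. If, as the patch names `0008-ima-created-new-ima-template-ima-dep-cgn` and `0009-ima-created-new-ima-template-ima-cgpath` suggest, these are entries in the IMA default-template choice and `n` only means "not the default", the note should say so, e.g. `note<'CGPATH default-template choice entry for CCNP container measurement; n = not the default'>`; if they are real enables, `n` leaves out the measurement support this kernel build exists to add. The values are identical to the heredoc this file replaces in build.sh, so this is a pre-existing question rather than a regression introduced here.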