tools: update build tool to support latest ubuntu 24.04

Signed-off-by: Xiaocheng Dong <[email protected]>
cc-api · May 9, 2024 · 964dc6b · 964dc6b
1 parent 1de3c51
commit 964dc6b
Show file tree

Hide file tree

Showing 13 changed files with 153 additions and 1,890 deletions.
diff --git a/tools/build/README.md b/tools/build/README.md
@@ -4,32 +4,42 @@ This tool is used to build or rebuild the packages with some customized patches
 It also provides some additional patches for CCNP container measurement.
 
 ## Prerequisite
-[Intel TDX 1.0 technology preview](https://ubuntu.com/blog/intel-tdx-1-0-preview-on-ubuntu-23-10) 
-is available on Ubuntu 23.10, and [this Github repository](https://github.com/canonical/tdx) 
-provides guidance and straightforward instructions on how to get started.
+Intel TDX 1.0 technology preview is available, and [this Github repository](https://github.com/canonical/tdx/tree/noble-24.04) 
+provides guidance and straightforward instructions on how to get started for Ubuntu 24.04.
 Please follow the instructions to create a guest image and set up the TDX environment.
 
-Some additional patches are provided in [kernel/patches](kernel/patches) directory for CCNP container measurement,
-here is the information about the patches:
+Ubuntu 24.04 is targeted as the default base for this build tool, and the default kernel version is
+v6.8.0, some additional patches are provided in [kernel/patches](kernel/patches) directory for
+CCNP container measurement, here is the information about the patches:
 
 | Patch Number | Comments |
 | ------------ | -------- |
+| 0000         | Extend TDX RTMR |
 | 0001 ~ 0007  | Extend TDX RTMR for IMA measurement |
 | 0008 ~ 0009  | Add new IMA template [ima-cgpath](https://patchwork.kernel.org/project/linux-integrity/patch/[email protected]/) |
-| 0010 ~ 0016  | Support [ConfigFS TSM](https://lwn.net/Articles/945578/) |
 
 ## Build
-Install the build dependencies and build the packages. It is recommend to run the tool on the TDX host prepared following [Configuration](../../README.md/#configuration).
+Install the build dependencies and build the packages. It is recommend to run the tool on the TDX
+host prepared following [Configuration](../../README.md/#configuration).
 
 ```Shell
 sudo ./build.sh
 ```
 
-*Note: this build script is based on Ubuntu 23.10 TDX early preview kernel, please make sure this kernel has been installed.*
+Same as TDX early preview kernel, the packages are based on the Ubuntu generic kernel by default,
+the intel kernel can be selected by using the environment variable TDX_SETUP_INTEL_KERNEL.
+
+```Shell
+sudo TDX_SETUP_INTEL_KERNEL=1 ./build.sh
+```
+
+*Note: this build script is based on Ubuntu 24.04 TDX early preview kernel, please make sure this kernel has been installed.*
 
 ## Install
 
-All the packages are built in `output` directory, please follow [cvm-image-rewriter plugin](../cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/README.md) or install them by `apt`/`dpkg`
+All the packages are built in `output` directory, please follow
+[cvm-image-rewriter plugin](../cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/README.md)
+or install them by `apt`/`dpkg`
 
 ```Shell
 sudo apt install -y ./output/*.deb

diff --git a/tools/build/build.sh b/tools/build/build.sh
@@ -2,7 +2,11 @@
 
 set -e
 
-BASE_KERNEL_VERSION="6.5.0-1003-intel-opt"
+CCNP_VERSION_SUFFIX="+ccnp1"
+BASE_KERNEL_VERSION="6.8.0-31-generic"
+if [ -n "${TDX_SETUP_INTEL_KERNEL}" ]; then
+  BASE_KERNEL_VERSION="6.8.0-1001-intel"
+fi
 
 CUR_DIR=$(dirname "$(readlink -f "$0")")
 KERNEL_DIR=${CUR_DIR}/kernel
@@ -18,7 +22,9 @@ patch_kernel() {
 
 build_ubuntu_kernel() {
     # Add apt repository source
-    add-apt-repository -s -y ppa:kobuk-team/tdx-release
+    add-apt-repository -s -y ppa:kobuk-team/tdx
+    sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources \
+        /etc/apt/sources.list.d/kobuk-team-ubuntu-tdx-noble.sources
     # Install the build dependencies
     DEBIAN_FRONTEND=noninteractive apt update && apt install -y devscripts && \
     apt build-dep -y linux-image-unsigned-"${BASE_KERNEL_VERSION}"
@@ -31,12 +37,22 @@ build_ubuntu_kernel() {
     pushd linux-*/
     patch_kernel
     # Add new configs in the patch
-    sed -i "/CONFIG_TDX_GUEST_DRIVER *note.*/ r ${KERNEL_DIR}/ubuntu/annotations" \
-        debian.intel-opt/config/annotations
+    sed -i "/CONFIG_TDX_GUEST_DRIVER/ r ${KERNEL_DIR}/ubuntu/annotations" \
+        debian.master/config/annotations
     # Change kernel version in changelog
-    sed -i "0 r ${KERNEL_DIR}/ubuntu/changelog" debian/changelog debian.intel-opt/changelog
+    if [ -f "debian.intel/changelog" ]; then
+        CHANGELOG="debian.intel/changelog"
+    else
+        CHANGELOG="debian.master/changelog"
+    fi
+    LATEST_VERSION=$(sed -n '1 s/linux.*(\(.*\)) noble.*$/\1/p' ${CHANGELOG})
+    CCNP_VERSION=${LATEST_VERSION}${CCNP_VERSION_SUFFIX}
+    sed "s/CCNP_VERSION/${CCNP_VERSION}/" \
+        "${KERNEL_DIR}/ubuntu/changelog" > "${KERNEL_DIR}/ubuntu/changelog.tmp"
+    sed -i "0 r ${KERNEL_DIR}/ubuntu/changelog.tmp" debian/changelog ${CHANGELOG}
+    rm "${KERNEL_DIR}/ubuntu/changelog.tmp"
 
-    debuild -uc -us -b
+    dpkg-buildpackage -us -uc -ui -b
     popd
 
     mv ./*.deb "${OUT_DIR}"/

diff --git a/tools/build/kernel/patches/0000-x86-tdx-Add-tdx_mcall_rtmr_extend-interface.patch b/tools/build/kernel/patches/0000-x86-tdx-Add-tdx_mcall_rtmr_extend-interface.patch
@@ -0,0 +1,106 @@
+From f10cb93761498859e90bf8c4a71ce3ccb9e160a6 Mon Sep 17 00:00:00 2001
+From: Kuppuswamy Sathyanarayanan <[email protected]>
+Date: Tue, 23 Jan 2024 00:03:11 +0000
+Subject: [PATCH] x86/tdx: Add tdx_mcall_rtmr_extend() interface
+
+TDX Guest exposes 1 MRTD and 3 RTMR registers to record the build and
+boot measurements of the VM. It is similar to PCR registers in TPM
+space. This measurement data will be used to implement security
+features like attestation, trusted boot, etc.
+
+To facilitate RTMR register update, the TDX Module provides support for
+TDG.MR.RTMR.EXTEND TDCALL  which can be used to securely extend the
+RTMR registers.
+
+Add helper function to update RTMR registers. It will be used by the
+TDX guest driver in enabling RTMR support.
+
+Signed-off-by: Kuppuswamy Sathyanarayanan <[email protected]>
+---
+ arch/x86/coco/tdx/tdx.c           | 36 +++++++++++++++++++++++++++++++
+ arch/x86/include/asm/shared/tdx.h |  1 +
+ arch/x86/include/asm/tdx.h        |  2 ++
+ 3 files changed, 39 insertions(+)
+
+diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c
+index c1cb90369915..e88868631e18 100644
+--- a/arch/x86/coco/tdx/tdx.c
++++ b/arch/x86/coco/tdx/tdx.c
+@@ -35,6 +35,7 @@
+ /* TDX Module call error codes */
+ #define TDCALL_RETURN_CODE(a)	((a) >> 32)
+ #define TDCALL_INVALID_OPERAND	0xc0000100
++#define TDCALL_OPERAND_BUSY	0x80000200
+
+ #define TDREPORT_SUBTYPE_0	0
+
+@@ -107,6 +108,41 @@ int tdx_mcall_get_report0(u8 *reportdata, u8 *tdreport)
+ }
+ EXPORT_SYMBOL_GPL(tdx_mcall_get_report0);
+
++/**
++ * tdx_mcall_rtmr_extend() - Wrapper to extend RTMR registers using
++ *			     TDG.MR.RTMR.EXTEND TDCALL.
++ * @index: Index of RTMR register to be extended.
++ * @data: Address of the input buffer with RTMR register extend data.
++ *
++ * Refer to section titled "TDG.MR.RTMR.EXTEND leaf" in the TDX Module
++ * v1.0 specification for more information on TDG.MR.RTMR.EXTEND TDCALL.
++ * It is used in the TDX guest driver module to allow user extend the
++ * RTMR registers (index > 1).
++ *
++ * Return 0 on success, -EINVAL for invalid operands, -EBUSY for busy
++ * operation or -EIO on other TDCALL failures.
++ */
++int tdx_mcall_rtmr_extend(u8 index, u8 *data)
++{
++	struct tdx_module_args args = {
++		.rcx = virt_to_phys(data),
++		.rdx = index,
++	};
++	u64 ret;
++
++	ret = __tdcall(TDG_MR_RTMR_EXTEND, &args);
++	if (ret) {
++		if (TDCALL_RETURN_CODE(ret) == TDCALL_INVALID_OPERAND)
++			return -EINVAL;
++		if (TDCALL_RETURN_CODE(ret) == TDCALL_OPERAND_BUSY)
++			return -EBUSY;
++		return -EIO;
++	}
++
++	return 0;
++}
++EXPORT_SYMBOL_GPL(tdx_mcall_rtmr_extend);
++
+ /**
+  * tdx_hcall_get_quote() - Wrapper to request TD Quote using GetQuote
+  *                         hypercall.
+diff --git a/arch/x86/include/asm/shared/tdx.h b/arch/x86/include/asm/shared/tdx.h
+index fdfd41511b02..4ed1fa11df81 100644
+--- a/arch/x86/include/asm/shared/tdx.h
++++ b/arch/x86/include/asm/shared/tdx.h
+@@ -12,6 +12,7 @@
+
+ /* TDX module Call Leaf IDs */
+ #define TDG_VP_VMCALL			0
++#define TDG_MR_RTMR_EXTEND		2
+ #define TDG_VP_INFO			1
+ #define TDG_VP_VEINFO_GET		3
+ #define TDG_MR_REPORT			4
+diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h
+index eba178996d84..9ff74b4b69b9 100644
+--- a/arch/x86/include/asm/tdx.h
++++ b/arch/x86/include/asm/tdx.h
+@@ -64,6 +64,8 @@ bool tdx_early_handle_ve(struct pt_regs *regs);
+
+ int tdx_mcall_get_report0(u8 *reportdata, u8 *tdreport);
+
++int tdx_mcall_rtmr_extend(u8 index, u8 *data);
++
+ u64 tdx_hcall_get_quote(u8 *buf, size_t size);
+
+ #else
+-- 
+2.34.1
+
diff --git a/tools/build/kernel/patches/0006-x86-tdx-rtmr-extend-TDX-RTMR-interface-for-kernel-IM.patch b/tools/build/kernel/patches/0006-x86-tdx-rtmr-extend-TDX-RTMR-interface-for-kernel-IM.patch
@@ -116,7 +116,7 @@ index 000000000000..3ed78ad754dd
 +    memcpy(data, digests[DEFAULT_SHA384_IDX].digest, sizeof(digests[DEFAULT_SHA384_IDX].digest));
 +
 +    /* Extend RTMR registers using "TDG.MR.RTMR.EXTEND" TDCALL */
-+    rc = tdx_mcall_extend_rtmr(data, (u8)rtmr_idx);
++    rc = tdx_mcall_rtmr_extend(data, (u8)rtmr_idx);
 +    kfree(data);
 +
 +    return rc;