diff --git a/.github/cspell.json b/.github/cspell.json index 610fb13..ac90716 100644 --- a/.github/cspell.json +++ b/.github/cspell.json @@ -39,6 +39,7 @@ "kubevirt", "distro", "virt", - "containerized" + "containerized", + "vsock" ] } diff --git a/deployment/README.md b/deployment/README.md index 26dd625..d517d07 100644 --- a/deployment/README.md +++ b/deployment/README.md @@ -9,8 +9,8 @@ Before moving forward, please make sure you have a TD booted. The CCNP service i You can use [cvm image rewriter](../tools/cvm-image-rewriter/README.md) to prepare a TD enlightened guest image. **NOTE:** - - If your initial guest image already has a TDX kernel, it's required to run [plugin](../tools/cvm-image-rewriter/plugins/) 07 and 08 to set device access permission. - - If your initial guest image is a normal Ubuntu guest image, it's required to run [plugin](../tools/cvm-image-rewriter/plugins/) 06 to install TDX kernel and then 07, 08 to set device access permission. + - If your initial guest image already has a TDX kernel, it's required to run [plugin](../tools/cvm-image-rewriter/plugins/) 07, 08 and 09 to set device access permission. + - If your initial guest image is a normal Ubuntu guest image, it's required to run [plugin](../tools/cvm-image-rewriter/plugins/) 06 to install TDX kernel and then 07, 08, 09 to set device access permission. Start a TD using [qemu-test.sh](../tools/cvm-image-rewriter/qemu-test.sh) or [start-virt.sh](../tools/cvm-image-rewriter/start-virt.sh). diff --git a/tools/cvm-image-rewriter/README.md b/tools/cvm-image-rewriter/README.md index 8eacfda..2a151f6 100644 --- a/tools/cvm-image-rewriter/README.md +++ b/tools/cvm-image-rewriter/README.md 
@@ -49,6 +49,7 @@ There are following customization plugins in Plugins providing customization to | 06-install-tdx-guest-kernel | Install MVP TDX guest kernel | Y | | 07-device-permission | Fix the permission for device node | Y | | 08-ccnp-uds-directory-permission | Fix the permission for CCNP UDS directory | Y | +| 09-ccnp-vsock-port | Prepare a VM sockets port for CCNP | Y | | 60-initrd-update | Update the initrd image | N | | 97-sample | plugin customization example | N | | 98-ima-enable-simple | Enable IMA (Integrity Measurement Architecture) feature | N | 
@@ -142,15 +143,15 @@ For example: If the guest image is used for CCNP deployment, it's recommended to run the below plugin combination depending on which guest image type is used. Others are not required by CCNP and can be skipped. -| Base image | 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 60 | 98 | -|---|---|---|---|---|---|---|---|---|---|---| -| Ubuntu base image | | | | | | Y| Y| Y| | | -| TD enlightened image | | | | | | | Y| Y| | | +| Base image | 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 60 | 98 | +|---|---|---|---|---|---|---|---|---|---|---|---| +| Ubuntu base image | | | | | | Y| Y| Y| Y| | | +| TD enlightened image | | | | | | | Y| Y| Y| | | **NOTE:** - All plugins need to be executed in numerical order. - TD enlightened image means the image already has a TDX kernel. If not, plugin 06 is required to install a TDX kernel. - - Plugin 7 and Plugin 8 need to be executed before deploying CCNP to provide device permissions for CCNP. + - Plugin 7, Plugin 8 and Plugin 9 need to be executed before deploying CCNP to provide device permissions for CCNP. - Plugin 60 requires copying or generating all files to the root directory first. When users customize plugins, please ensure that the plugin number with this requirement is placed before 60. - Plugin 98 needs to be executed after all other plugins have completed. The number of the user-customized plugin must be before 98. - Other plugins are optional for CCNP deployment. diff --git a/tools/cvm-image-rewriter/cloud-init/user-data.basic b/tools/cvm-image-rewriter/cloud-init/user-data.basic index 1cf86ea..3d03dcc 100644 --- a/tools/cvm-image-rewriter/cloud-init/user-data.basic +++ b/tools/cvm-image-rewriter/cloud-init/user-data.basic 
@@ -14,7 +14,8 @@ power_state: condition: True runcmd: - - sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config + - sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/g' /etc/ssh/sshd_config + - sed -i 's/KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/g' /etc/ssh/sshd_config - sed -i 's/console=tty1 console=ttyS0/console=hvc0/g' /etc/default/grub.d/50-cloudimg-settings.cfg # copy stuff into initrd - update-initramfs -u -k all diff --git a/tools/cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/README.md b/tools/cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/README.md index 99cc848..bbb84d6 100644 --- a/tools/cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/README.md +++ b/tools/cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/README.md @@ -4,7 +4,7 @@ This plugin is used to install a TDX guest kernel from a given local repository. # Prerequisite -Prepare the local repository and confirm that there are Debian packages related to the TDX kernel in the `/jammy/amd64/` directory of this repository. It is recommended to place this local repository in the `pre-stage/artifacts/` directory. +Prepare the local repository and confirm that there are Debian packages related to the TDX kernel in this repository. It is recommended to place this local repository in the `pre-stage/artifacts/` directory. ``` mkdir -p ./pre-stage/artifacts mv ./pre-stage/artifacts/ diff --git a/tools/cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/pre-stage/host_run.sh b/tools/cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/pre-stage/host_run.sh index 847bfd1..f34dda3 100755 --- a/tools/cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/pre-stage/host_run.sh +++ b/tools/cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/pre-stage/host_run.sh 
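Review bot: The new PasswordAuthentication sed only rewrites the commented default `#PasswordAuthentication yes`, so an image that already carries an explicit `PasswordAuthentication no` — the case the removed line handled — is no longer flipped; an anchored pattern covers both forms: `sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication yes/' /etc/ssh/sshd_config`. On Ubuntu cloud images sshd_config usually starts with `Include /etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads, so a drop-in there can still override both edited keys — confirm with `sshd -T | grep -iE 'passwordauthentication|kbdinteractive'` in the booted guest. These lines also turn on password and keyboard-interactive SSH logins in a guest image meant for a TD, which widens the remote attack surface of the confidential VM; a comment above them such as `# Dev/test convenience only: enables password + keyboard-interactive SSH; keep disabled for production images` would make that trade-off deliberate.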
@@ -22,7 +22,7 @@ if [[ ! -d "$CVM_TDX_GUEST_REPO" ]]; then fi # Check if it is a valid TDX repo -if ! compgen -G "$CVM_TDX_GUEST_REPO/jammy/amd64/linux-image-*mvp*.deb"; then +if ! compgen -G "$CVM_TDX_GUEST_REPO/linux-image-*intel-opt*.deb"; then warn "SKIP: $CVM_TDX_GUEST_REPO is invalid." exit 0 fi @@ -38,10 +38,10 @@ mkdir -p "${CURR_DIR}/../cloud-init/x-shellscript/" cat > "${CURR_DIR}/../cloud-init/x-shellscript/07-install-tdx-guest-kernel.sh" << EOL #!/bin/bash -PACKAGE_DIR=""$ARTIFACTS_GUEST"/$(basename "$CVM_TDX_GUEST_REPO")/jammy/" +PACKAGE_DIR=""$ARTIFACTS_GUEST"/$(basename "$CVM_TDX_GUEST_REPO")/" pushd \$PACKAGE_DIR || exit 0 -apt install ./amd64/linux-image-unsigned-*.deb ./amd64/linux-modules-*.deb \ - ./amd64/linux-headers-*.deb ./all/linux-headers-*.deb --allow-downgrades -y +apt install ./linux-image-unsigned-*.deb ./linux-modules-*.deb \ + ./linux-headers-*.deb ./linux-intel-opt-headers-*.deb --allow-downgrades -y popd || exit 0 EOL diff --git a/tools/cvm-image-rewriter/plugins/09-ccnp-vsock-port/README.md b/tools/cvm-image-rewriter/plugins/09-ccnp-vsock-port/README.md new file mode 100644 index 0000000..5e8a1b1 --- /dev/null +++ b/tools/cvm-image-rewriter/plugins/09-ccnp-vsock-port/README.md @@ -0,0 +1,3 @@ +# CCNP vsock port + +This plugin is used to prepare a VM sockets port for CCNP. It is typically not required for users to customize unless additional VM sockets ports are needed. \ No newline at end of file diff --git a/tools/cvm-image-rewriter/plugins/09-ccnp-vsock-port/files/etc/tdx-attest.conf b/tools/cvm-image-rewriter/plugins/09-ccnp-vsock-port/files/etc/tdx-attest.conf new file mode 100644 index 0000000..d7c6361 --- /dev/null +++ b/tools/cvm-image-rewriter/plugins/09-ccnp-vsock-port/files/etc/tdx-attest.conf @@ -0,0 +1 @@ +port=4050 \ No newline at end of file
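Review bot: `compgen -G` prints every matching path to stdout, so the repo check on the changed `if` line now echoes the .deb filename into the plugin's output on each run; redirect it: `if ! compgen -G "$CVM_TDX_GUEST_REPO/linux-image-*intel-opt*.deb" >/dev/null; then`. The check also only proves that a file with the expected name exists; nothing visible here verifies checksums or signatures of the packages before they are staged into the guest image, and the generated guest script installs them with `apt install ./…deb`, which for local files is not covered by APT's repository signature checks. Since this kernel ends up inside a TD guest — presumably as part of what gets measured at boot, which should be confirmed against the project's measurement flow — that implicit trust in the local directory deserves a comment above the check, e.g. `# NOTE: these .debs are installed unverified; only point CVM_TDX_GUEST_REPO at a trusted artifact directory`. The script continues outside the hunk.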
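Review bot: `pushd \$PACKAGE_DIR || exit 0` in the generated guest script still returns success when the staged directory is missing, and the `apt install` that spans both rewritten lines has no status check either, so an image that ends up without the TDX kernel is reported as built successfully; `pushd "\$PACKAGE_DIR" || exit 1` plus a trailing `|| exit 1` on the install would at least surface it, though whether cloud-init treats a failing x-shellscript part as fatal is outside this hunk and should be confirmed. If any of the four globs matches nothing, apt receives the literal pattern and is likely to abort the whole install, so the host-side check on `linux-image-*intel-opt*.deb` alone does not guarantee this line succeeds. Stylistically, the changed `PACKAGE_DIR=""$ARTIFACTS_GUEST"/…"` has a no-op leading `""` and leaves `$ARTIFACTS_GUEST` outside the quotes; `PACKAGE_DIR="$ARTIFACTS_GUEST/$(basename "$CVM_TDX_GUEST_REPO")/"` is the intended form and expands identically in this unquoted heredoc.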
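Review bot: `port=4050` in the new tdx-attest.conf is a bare value with nothing recording what it must agree with — presumably the vsock port the host-side quote service listens on for this TD — so a mismatch would only show up as an attestation failure at runtime. If the file format accepts comments, a line such as `# vsock port of the host quote-generation service; must match the host-side configuration` above it would help, otherwise the plugin README should state it. The file also lacks a trailing newline.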