Update the tools/cvm-image-rewriter

.github/cspell.json

@@ -39,6 +39,7 @@
         "kubevirt",
         "distro",
         "virt",
-        "containerized"
+        "containerized",
+        "vsock"
     ]
 }

deployment/README.md

@@ -9,8 +9,8 @@ Before moving forward, please make sure you have a TD booted. The CCNP service i
 You can use [cvm image rewriter](../tools/cvm-image-rewriter/README.md) to prepare a TD enlightened guest image.
 
 **NOTE:**
- - If your initial guest image already has a TDX kernel, it's required to run [plugin](../tools/cvm-image-rewriter/plugins/) 07 and 08 to set device access permission.
- - If your initial guest image is a normal Ubuntu guest image, it's required to run [plugin](../tools/cvm-image-rewriter/plugins/) 06 to install TDX kernel and then 07, 08 to set device access permission.
+ - If your initial guest image already has a TDX kernel, it's required to run [plugin](../tools/cvm-image-rewriter/plugins/) 07, 08 and 09 to set device access permission.
+ - If your initial guest image is a normal Ubuntu guest image, it's required to run [plugin](../tools/cvm-image-rewriter/plugins/) 06 to install TDX kernel and then 07, 08, 09 to set device access permission.
 
 Start a TD using [qemu-test.sh](../tools/cvm-image-rewriter/qemu-test.sh) or [start-virt.sh](../tools/cvm-image-rewriter/start-virt.sh).
 

tools/cvm-image-rewriter/README.md

@@ -49,6 +49,7 @@ There are following customization plugins in Plugins providing customization to
 | 06-install-tdx-guest-kernel | Install MVP TDX guest kernel | Y |
 | 07-device-permission | Fix the permission for device node | Y |
 | 08-ccnp-uds-directory-permission | Fix the permission for CCNP UDS directory | Y |
+| 09-ccnp-vsock-port | Prepare a VM sockets port for CCNP | Y |
 | 60-initrd-update | Update the initrd image | N |
 | 97-sample | plugin customization example | N |
 | 98-ima-enable-simple | Enable IMA (Integrity Measurement Architecture) feature | N |
@@ -142,15 +143,15 @@ For example:
 
 If the guest image is used for CCNP deployment, it's recommended to run the below plugin combination depending on which guest image type is used.
 Others are not required by CCNP and can be skipped.
-|  Base image | 01  | 02  | 03  | 04  | 05 | 06 | 07 | 08 | 60 | 98 |
-|---|---|---|---|---|---|---|---|---|---|---|
-|  Ubuntu base image | | | | | | Y| Y| Y| | |
-| TD enlightened image | | | | | | | Y| Y| | |
+|  Base image | 01  | 02  | 03  | 04  | 05 | 06 | 07 | 08 | 09 | 60 | 98 |
+|---|---|---|---|---|---|---|---|---|---|---|---|
+|  Ubuntu base image | | | | | | Y| Y| Y| Y| | |
+| TD enlightened image | | | | | | | Y| Y| Y| | |
 
 **NOTE:**
   - All plugins need to be executed in numerical order.
   - TD enlightened image means the image already has a TDX kernel. If not, plugin 06 is required to install a TDX kernel.
-  - Plugin 7 and Plugin 8 need to be executed before deploying CCNP to provide device permissions for CCNP.
+  - Plugin 7, Plugin 8 and Plugin 9 need to be executed before deploying CCNP to provide device permissions for CCNP.
   - Plugin 60 requires copying or generating all files to the root directory first. When users customize plugins, please ensure that the plugin number with this requirement is placed before 60.
   - Plugin 98 needs to be executed after all other plugins have completed. The number of the user-customized plugin must be before 98.
   - Other plugins are optional for CCNP deployment. 

tools/cvm-image-rewriter/cloud-init/user-data.basic

@@ -14,7 +14,8 @@ power_state:
   condition: True
 
 runcmd:
-  - sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/g' /etc/ssh/sshd_config
+  - sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/g' /etc/ssh/sshd_config
+  - sed -i 's/KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/g' /etc/ssh/sshd_config
   - sed -i 's/console=tty1 console=ttyS0/console=hvc0/g' /etc/default/grub.d/50-cloudimg-settings.cfg
   # copy stuff into initrd
   - update-initramfs -u -k all

tools/cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/README.md

@@ -4,7 +4,7 @@ This plugin is used to install a TDX guest kernel from a given local repository.
 
 # Prerequisite
 
-Prepare the local repository and confirm that there are Debian packages related to the TDX kernel in the `/jammy/amd64/` directory of this repository. It is recommended to place this local repository in the `pre-stage/artifacts/` directory.
+Prepare the local repository and confirm that there are Debian packages related to the TDX kernel in this repository. It is recommended to place this local repository in the `pre-stage/artifacts/` directory.
 ```
 mkdir -p ./pre-stage/artifacts
 mv <your guest repo> ./pre-stage/artifacts/

tools/cvm-image-rewriter/plugins/06-install-tdx-guest-kernel/pre-stage/host_run.sh

@@ -22,7 +22,7 @@ if [[ ! -d "$CVM_TDX_GUEST_REPO" ]]; then
 fi
 
 # Check if it is a valid TDX repo
-if ! compgen -G "$CVM_TDX_GUEST_REPO/jammy/amd64/linux-image-*mvp*.deb"; then
+if ! compgen -G "$CVM_TDX_GUEST_REPO/linux-image-*intel-opt*.deb"; then
     warn "SKIP: $CVM_TDX_GUEST_REPO is invalid."
     exit 0
 fi
@@ -38,10 +38,10 @@ mkdir -p "${CURR_DIR}/../cloud-init/x-shellscript/"
 cat > "${CURR_DIR}/../cloud-init/x-shellscript/07-install-tdx-guest-kernel.sh" << EOL
 #!/bin/bash
 
-PACKAGE_DIR=""$ARTIFACTS_GUEST"/$(basename "$CVM_TDX_GUEST_REPO")/jammy/"
+PACKAGE_DIR=""$ARTIFACTS_GUEST"/$(basename "$CVM_TDX_GUEST_REPO")/"
 pushd \$PACKAGE_DIR || exit 0
-apt install ./amd64/linux-image-unsigned-*.deb ./amd64/linux-modules-*.deb \
-        ./amd64/linux-headers-*.deb ./all/linux-headers-*.deb --allow-downgrades -y
+apt install ./linux-image-unsigned-*.deb ./linux-modules-*.deb \
+        ./linux-headers-*.deb ./linux-intel-opt-headers-*.deb --allow-downgrades -y
 popd || exit 0
 EOL
 

tools/cvm-image-rewriter/plugins/09-ccnp-vsock-port/README.md

@@ -0,0 +1,3 @@
+# CCNP vsock port
+
+This plugin is used to prepare a VM sockets port for CCNP. It is typically not required for users to customize unless additional VM sockets ports are needed.

tools/cvm-image-rewriter/plugins/09-ccnp-vsock-port/files/etc/tdx-attest.conf

@@ -0,0 +1 @@
+port=4050