kata.{kata-runtime,kata-agent,kata-image,genpolicy}: 3.7.0 -> 3.8.0

Signed-off-by: Paul Meyer <[email protected]>
edgelesssys · Aug 29, 2024 · 6d4a941 · 6d4a941
1 parent 7828345
commit 6d4a941
Show file tree

Hide file tree

Showing 7 changed files with 120 additions and 158 deletions.
diff --git a/...s/by-name/kata/kata-agent/0001-runtime-agent-mounts-Mount-configfs-into-the-contain.patch b/...s/by-name/kata/kata-agent/0001-runtime-agent-mounts-Mount-configfs-into-the-contain.patch
@@ -0,0 +1,58 @@
+From 6ac3bfc6df55ba3cc0fdd80860f85621f345cd90 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <[email protected]>
+Date: Thu, 25 Apr 2024 10:34:26 +0200
+Subject: [PATCH] runtime: agent: mounts: Mount configfs into the container
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+configfs is used to get a quote generated, and having this information
+available from inside the container (in case the container itself wants
+to attest something) is a must.
+
+It's important to note that this is not really needed by Confidential
+Containers, as the attestation-agent (which is running on the pod
+sandbox VM) has access to this and is able to get the quote generated on
+the guest without any kind of issue.  However, this is still reasonable
+to have exposed to the container, as it may and will help doing some
+simpler tests.
+
+Signed-off-by: Fabiano Fidêncio <[email protected]>
+---
+ src/agent/rustjail/src/mount.rs | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/agent/rustjail/src/mount.rs b/src/agent/rustjail/src/mount.rs
+index 14e3d9560..b5f857913 100644
+--- a/src/agent/rustjail/src/mount.rs
++++ b/src/agent/rustjail/src/mount.rs
+@@ -288,6 +288,26 @@ pub fn init_rootfs(
+         }
+     }
+
++    if let Some(annotations) = spec.annotations() {
++        annotations.iter().for_each(|(k, v)| {
++            if k == "io.katacontainers.pkg.oci.container_type" && v != "pod_sandbox" {
++                let err = mount(
++                    Some("configfs"),
++                    format!("{}/sys/kernel/config", rootfs).as_str(),
++                    Some("configfs"),
++                    MsFlags::MS_NODEV | MsFlags::MS_NOSUID | MsFlags::MS_NOEXEC | MsFlags::MS_RELATIME,
++                    None::<&str>,
++                );
++                match err {
++                    Ok(_) => (),
++                    Err(e) => {
++                        log_child!(cfd_log, "mount /sys/kernel/config configs error: {}", e.to_string());
++                    }
++                }
++            }
++        });
++    }
++
+     let olddir = unistd::getcwd()?;
+     unistd::chdir(rootfs)?;
+
+-- 
+2.45.2
+
diff --git a/packages/by-name/kata/kata-agent/package.nix b/packages/by-name/kata/kata-agent/package.nix
@@ -27,21 +27,24 @@ rustPlatform.buildRustPackage rec {
   cargoLock = {
     lockFile = "${src}/src/agent/Cargo.lock";
     outputHashes = {
-      "attester-0.1.0" = "sha256-sRkBoBtE1irZxo5y3Ined6wMUmwxXq9c+Trt99q7kRk=";
+      "attester-0.1.0" = "sha256-qQcQv4byjGTP5mUUt1xMSZnHA0m39QhPew/t/SKlleQ=";
       "loopdev-0.5.0" = "sha256-PD+iuZWPAFd3VUCgNB0ZrH/aCM2VMqJEyAv5/j1kqlA=";
       "sigstore-0.9.0" = "sha256-IeHuB5d5IU9YryeD47Qht0x806kJCoIOHsoEATRV+MY=";
     };
   };
 
   patches = [
     # Mount configfs into the workload container from the UVM.
-    (fetchpatch {
-      url = "https://github.com/kata-containers/kata-containers/commit/779152b91b20b22009d215887d06908c638d2efc.patch";
-      stripLen = 2;
-      hash = "sha256-gs1EgD+1Ol9rg0oo14WFQ3H7GCAU5EQrXSuQW+DtEWk=";
-    })
+    # Based on https://github.com/kata-containers/kata-containers/pull/9554,
+    # which wasn't accepted upstream.
+    #
+    # Rebase 3.8.0, changes squashed into patch:
+    #   - fix 'field `annotations` of struct `oci_spec::runtime::Spec` is private'
+    ./0001-runtime-agent-mounts-Mount-configfs-into-the-contain.patch
   ];
 
+  patchFlags = [ "-p3" ];
+
   nativeBuildInputs = [
     cmake
     pkg-config

diff --git a/...by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch b/...by-name/kata/kata-runtime/0001-govmm-Directly-pass-the-firwmare-using-bios-with-SNP.patch
@@ -1,4 +1,4 @@
-From 5f8dbb3390fc47b7330b1bf6419466261a0541c1 Mon Sep 17 00:00:00 2001
+From c7462075ed2bca6a56da5f246dbaddf128073eba Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Fri, 5 Jul 2024 08:43:13 +0000
 Subject: [PATCH 1/3] govmm: Directly pass the firwmare using -bios with SNP
@@ -9,7 +9,7 @@ Subject: [PATCH 1/3] govmm: Directly pass the firwmare using -bios with SNP
  1 file changed, 1 insertion(+), 3 deletions(-)
 
 diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go
-index 6d71e28f9..4cc2239ec 100644
+index 47322c803..6b2b6b02d 100644
 --- a/src/runtime/pkg/govmm/qemu/qemu.go
 +++ b/src/runtime/pkg/govmm/qemu/qemu.go
 @@ -395,9 +395,7 @@ func (object Object) QemuParams(config *Config) []string {

diff --git a/...by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch b/...by-name/kata/kata-runtime/0002-emulate-CPU-model-that-most-closely-matches-the-host.patch
@@ -1,4 +1,4 @@
-From f6bb9ca2c01ba9ed474c60faa8e29b033e8ca763 Mon Sep 17 00:00:00 2001
+From 1b310a680a6f8920d353db2baa0e112c4f24d4d7 Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Mon, 8 Jul 2024 07:35:54 +0000
 Subject: [PATCH 2/3] emulate CPU model that most closely matches the host

diff --git a/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch b/packages/by-name/kata/kata-runtime/0003-runtime-agent-verify-the-agent-policy-hash.patch
@@ -1,7 +1,7 @@
-From 9a0c4195f2051d2e49218a48700f6d2952ddd3f6 Mon Sep 17 00:00:00 2001
+From 90ac78311def7100de26d543d862c56561526f7f Mon Sep 17 00:00:00 2001
 From: Tom Dohrmann <[email protected]>
 Date: Mon, 8 Jul 2024 07:51:20 +0000
-Subject: [PATCH] runtime: agent: verify the agent policy hash
+Subject: [PATCH 3/3] runtime: agent: verify the agent policy hash
 
 For TEE Guests that support the inclusion of immutable Host owned
 data in their configuration (SNP HostData and TDX MRCONFIGID):
@@ -25,7 +25,7 @@ Signed-off-by: Tom Dohrmann <[email protected]>
  src/agent/src/sev.rs                          |  19 ++
  src/agent/src/tdx.rs                          | 194 ++++++++++++++++++
  src/runtime/pkg/govmm/qemu/qemu.go            |  25 ++-
- src/runtime/virtcontainers/hypervisor.go      |   4 +
+ src/runtime/virtcontainers/hypervisor.go      |  10 +-
  src/runtime/virtcontainers/qemu.go            |   2 +-
  src/runtime/virtcontainers/qemu_amd64.go      |  39 +++-
  src/runtime/virtcontainers/qemu_amd64_test.go | 116 ++++++++++-
@@ -37,15 +37,15 @@ Signed-off-by: Tom Dohrmann <[email protected]>
  src/runtime/virtcontainers/qemu_s390x.go      |   2 +-
  src/runtime/virtcontainers/qemu_s390x_test.go |  51 ++++-
  src/runtime/virtcontainers/sandbox.go         |   1 +
- 19 files changed, 678 insertions(+), 38 deletions(-)
+ 19 files changed, 681 insertions(+), 41 deletions(-)
  create mode 100644 src/agent/src/sev.rs
  create mode 100644 src/agent/src/tdx.rs
 
 diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock
-index a69195f92..04f51559d 100644
+index 7afdf286a..f7a96e0b7 100644
 --- a/src/agent/Cargo.lock
 +++ b/src/agent/Cargo.lock
-@@ -541,6 +541,12 @@ version = "0.6.3"
+@@ -542,6 +542,12 @@ version = "0.6.3"
  source = "registry+https://github.com/rust-lang/crates.io-index"
  checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb"
 
@@ -119,7 +119,7 @@ index a69195f92..04f51559d 100644
  [[package]]
  name = "iovec"
  version = "0.1.4"
-@@ -2812,6 +2851,8 @@ dependencies = [
+@@ -2813,6 +2852,8 @@ dependencies = [
   "serde",
   "serde_json",
   "serial_test",
@@ -128,15 +128,15 @@ index a69195f92..04f51559d 100644
   "slog",
   "slog-scope",
   "slog-stdlog",
-@@ -2829,6 +2870,7 @@ dependencies = [
+@@ -2830,6 +2871,7 @@ dependencies = [
   "tracing-subscriber",
   "ttrpc",
   "url",
 + "vmm-sys-util",
   "vsock-exporter",
   "which",
  ]
-@@ -3743,6 +3785,12 @@ dependencies = [
+@@ -3737,6 +3779,12 @@ dependencies = [
   "tokio-stream",
  ]
 
@@ -149,7 +149,7 @@ index a69195f92..04f51559d 100644
  [[package]]
  name = "ordered-stream"
  version = "0.2.0"
-@@ -5167,6 +5215,15 @@ dependencies = [
+@@ -5173,6 +5221,15 @@ dependencies = [
   "syn 1.0.109",
  ]
 
@@ -165,7 +165,7 @@ index a69195f92..04f51559d 100644
  [[package]]
  name = "serde-enum-str"
  version = "0.4.0"
-@@ -5186,6 +5243,15 @@ version = "0.2.2"
+@@ -5192,6 +5249,15 @@ version = "0.2.2"
  source = "registry+https://github.com/rust-lang/crates.io-index"
  checksum = "794e44574226fc701e3be5c651feb7939038fc67fb73f6f4dd5c4ba90fd3be70"
 
@@ -181,7 +181,7 @@ index a69195f92..04f51559d 100644
  [[package]]
  name = "serde_derive"
  version = "1.0.204"
-@@ -5289,6 +5355,28 @@ dependencies = [
+@@ -5295,6 +5361,28 @@ dependencies = [
   "syn 1.0.109",
  ]
 
@@ -210,7 +210,7 @@ index a69195f92..04f51559d 100644
  [[package]]
  name = "sha1"
  version = "0.10.6"
-@@ -6356,6 +6444,16 @@ version = "0.9.4"
+@@ -6362,6 +6450,16 @@ version = "0.9.4"
  source = "registry+https://github.com/rust-lang/crates.io-index"
  checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
 
@@ -228,10 +228,10 @@ index a69195f92..04f51559d 100644
  name = "vsock"
  version = "0.2.6"
 diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml
-index 2df8ce15f..f137d6b1b 100644
+index b545449b8..4b9a0ed48 100644
 --- a/src/agent/Cargo.toml
 +++ b/src/agent/Cargo.toml
-@@ -84,6 +84,11 @@ regorus = { version = "0.1.4", default-features = false, features = [
+@@ -85,6 +85,11 @@ regorus = { version = "0.1.4", default-features = false, features = [
      "regex",
  ], optional = true }
 
@@ -243,7 +243,7 @@ index 2df8ce15f..f137d6b1b 100644
  [dev-dependencies]
  tempfile = "3.1.0"
  test-utils = { path = "../libs/test-utils" }
-@@ -102,7 +107,7 @@ lto = true
+@@ -103,7 +108,7 @@ lto = true
  default-pull = ["guest-pull"]
  seccomp = ["rustjail/seccomp"]
  standard-oci-runtime = ["rustjail/standard-oci-runtime"]
@@ -253,10 +253,10 @@ index 2df8ce15f..f137d6b1b 100644
 
  [[bin]]
 diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
-index ccde79e98..6b4ad3e06 100644
+index 6d1327d76..25746ffda 100644
 --- a/src/agent/src/main.rs
 +++ b/src/agent/src/main.rs
-@@ -87,6 +87,10 @@ mod tracer;
+@@ -86,6 +86,10 @@ mod tracer;
 
  #[cfg(feature = "agent-policy")]
  mod policy;
@@ -268,7 +268,7 @@ index ccde79e98..6b4ad3e06 100644
  cfg_if! {
      if #[cfg(target_arch = "s390x")] {
 diff --git a/src/agent/src/policy.rs b/src/agent/src/policy.rs
-index d709515ff..ee4f1f324 100644
+index 241611585..c01f756b7 100644
 --- a/src/agent/src/policy.rs
 +++ b/src/agent/src/policy.rs
 @@ -3,12 +3,15 @@
@@ -288,16 +288,16 @@ index d709515ff..ee4f1f324 100644
  use crate::AGENT_POLICY;
 
  static POLICY_LOG_FILE: &str = "/tmp/policy.txt";
-@@ -131,6 +134,7 @@ impl AgentPolicy {
+@@ -137,6 +140,7 @@ impl AgentPolicy {
 
      /// Replace the Policy in regorus.
      pub async fn set_policy(&mut self, policy: &str) -> Result<()> {
 +        verify_policy_digest(policy)?;
          self.engine = Self::new_engine();
          self.engine
              .add_policy("agent_policy".to_string(), policy.to_string())?;
-@@ -161,3 +165,43 @@ impl AgentPolicy {
-         }
+@@ -184,3 +188,43 @@ impl AgentPolicy {
+         Ok(())
      }
  }
 +
@@ -566,7 +566,7 @@ index 000000000..1531e72a8
 +    Ok(mrconfigid)
 +}
 diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go
-index 4cc2239ec..f5ff0fc95 100644
+index 6b2b6b02d..bcb6cd2ad 100644
 --- a/src/runtime/pkg/govmm/qemu/qemu.go
 +++ b/src/runtime/pkg/govmm/qemu/qemu.go
 @@ -320,6 +320,11 @@ type Object struct {
@@ -625,20 +625,40 @@ index 4cc2239ec..f5ff0fc95 100644
 
  	return tdxObject.String()
 diff --git a/src/runtime/virtcontainers/hypervisor.go b/src/runtime/virtcontainers/hypervisor.go
-index cc3743310..0c24183a3 100644
+index 853ad4d5b..c47029e1d 100644
 --- a/src/runtime/virtcontainers/hypervisor.go
 +++ b/src/runtime/virtcontainers/hypervisor.go
-@@ -684,6 +684,10 @@ type HypervisorConfig struct {
+@@ -559,7 +559,7 @@ type HypervisorConfig struct {
+ 	// NumVCPUs specifies default number of vCPUs for the VM.
+ 	NumVCPUsF float32
 
- 	// QgsPort defines Intel Quote Generation Service port exposed from the host
- 	QgsPort uint32
+-	//DefaultMaxVCPUs specifies the maximum number of vCPUs for the VM.
++	// DefaultMaxVCPUs specifies the maximum number of vCPUs for the VM.
+ 	DefaultMaxVCPUs uint32
+
+ 	// DefaultMem specifies default memory size in MiB for the VM.
+@@ -687,6 +687,10 @@ type HypervisorConfig struct {
+
+ 	// Initdata defines the initdata passed into guest when CreateVM
+ 	Initdata string
 +
 +	// Policy text, for sandboxes created using a valid io.katacontainers.config.agent.policy
 +	// annotation
 +	AgentPolicy string
  }
 
  // vcpu mapping from vcpu number to thread number
+@@ -1048,8 +1052,8 @@ type guestProtection uint8
+ const (
+ 	noneProtection guestProtection = iota
+
+-	//Intel Trust Domain Extensions
+-	//https://software.intel.com/content/www/us/en/develop/articles/intel-trust-domain-extensions.html
++	// Intel Trust Domain Extensions
++	// https://software.intel.com/content/www/us/en/develop/articles/intel-trust-domain-extensions.html
+ 	// Exclude from lint checking for it won't be used on arm64 code
+ 	tdxProtection
+
 diff --git a/src/runtime/virtcontainers/qemu.go b/src/runtime/virtcontainers/qemu.go
 index 7a189bb91..509f74a3c 100644
 --- a/src/runtime/virtcontainers/qemu.go
@@ -1267,5 +1287,5 @@ index b58daccaa..af35af12e 100644
  	spec := s.GetPatchedOCISpec()
  	if spec != nil && spec.Process.SelinuxLabel != "" {
 -- 
-2.45.1
+2.45.2