Add NixOS image for bare-metal Kata

This switches the image used in our bare-metal Kata uses (e.g. non-AKS and non-peerpods) to a NixOS image that we build in-tree as a MicroVM image (e.g. separated kernel, initrd, cmdline and rootfs).
edgelesssys · Nov 20, 2024 · 279a67b · 279a67b
1 parent 6ded3e8
commit 279a67b
Show file tree

Hide file tree

Showing 18 changed files with 383 additions and 1,094 deletions.
diff --git a/nodeinstaller/internal/constants/constants.go b/nodeinstaller/internal/constants/constants.go
@@ -64,37 +64,36 @@ func KataRuntimeConfig(baseDir string, platform platforms.Platform, qemuExtraKer
 		config.Hypervisor["qemu"]["path"] = filepath.Join(baseDir, "tdx", "bin", "qemu-system-x86_64")
 		config.Hypervisor["qemu"]["firmware"] = filepath.Join(baseDir, "tdx", "share", "OVMF.fd")
 		config.Hypervisor["qemu"]["image"] = filepath.Join(baseDir, "share", "kata-containers.img")
-		config.Hypervisor["qemu"]["kernel"] = filepath.Join(baseDir, "share", "kata-kernel")
 		config.Hypervisor["qemu"]["valid_hypervisor_paths"] = []string{filepath.Join(baseDir, "tdx", "bin", "qemu-system-x86_64")}
 		config.Hypervisor["qemu"]["block_device_aio"] = "threads"
 		config.Hypervisor["qemu"]["shared_fs"] = "none"
-		kernelParams := qemuExtraKernelParams
+		config.Hypervisor["qemu"]["initrd"] = filepath.Join(baseDir, "share", "kata-initrd.zst")
+		config.Hypervisor["qemu"]["kernel"] = filepath.Join(baseDir, "share", "kata-kernel")
+		// Replace the kernel params entirely (and don't append) since that's
+		// also what we do when calculating the launch measurement.
+		config.Hypervisor["qemu"]["kernel_params"] = qemuExtraKernelParams
 		if debug {
 			config.Hypervisor["qemu"]["enable_debug"] = true
 		}
-		// Replace the kernel params entirely (and don't append) since that's
-		// also what we do when calculating the launch measurement.
-		config.Hypervisor["qemu"]["kernel_params"] = kernelParams
 	case platforms.K3sQEMUSNP:
 		if err := toml.Unmarshal([]byte(kataBareMetalQEMUSNPBaseConfig), &config); err != nil {
 			return nil, fmt.Errorf("failed to unmarshal kata runtime configuration: %w", err)
 		}
 		config.Hypervisor["qemu"]["path"] = filepath.Join(baseDir, "snp", "bin", "qemu-system-x86_64")
 		config.Hypervisor["qemu"]["firmware"] = filepath.Join(baseDir, "snp", "share", "OVMF.fd")
 		config.Hypervisor["qemu"]["image"] = filepath.Join(baseDir, "share", "kata-containers.img")
-		config.Hypervisor["qemu"]["kernel"] = filepath.Join(baseDir, "share", "kata-kernel")
-		delete(config.Hypervisor["qemu"], "initrd")
 		config.Hypervisor["qemu"]["block_device_aio"] = "threads"
 		config.Hypervisor["qemu"]["shared_fs"] = "none"
 		config.Hypervisor["qemu"]["valid_hypervisor_paths"] = []string{filepath.Join(baseDir, "snp", "bin", "qemu-system-x86_64")}
 		config.Hypervisor["qemu"]["rootfs_type"] = "erofs"
-		kernelParams := qemuExtraKernelParams
+		config.Hypervisor["qemu"]["initrd"] = filepath.Join(baseDir, "share", "kata-initrd.zst")
+		config.Hypervisor["qemu"]["kernel"] = filepath.Join(baseDir, "share", "kata-kernel")
+		// Replace the kernel params entirely (and don't append) since that's
+		// also what we do when calculating the launch measurement.
+		config.Hypervisor["qemu"]["kernel_params"] = qemuExtraKernelParams
 		if debug {
 			config.Hypervisor["qemu"]["enable_debug"] = true
 		}
-		// Replace the kernel params entirely (and don't append) since that's
-		// also what we do when calculating the launch measurement.
-		config.Hypervisor["qemu"]["kernel_params"] = kernelParams
 	default:
 		return nil, fmt.Errorf("unsupported platform: %s", platform)
 	}

diff --git a/packages/by-name/OVMF-TDX/package.nix b/packages/by-name/OVMF-TDX/package.nix
@@ -7,7 +7,7 @@
   acpica-tools,
 }:
 
-edk2.mkDerivation "OvmfPkg/IntelTdx/IntelTdxX64.dsc" rec {
+edk2.mkDerivation "OvmfPkg/IntelTdx/IntelTdxX64.dsc" {
   name = "OVMF-TDX";
 
   nativeBuildInputs = [

diff --git a/packages/by-name/image-podvm/package.nix b/packages/by-name/image-podvm/package.nix
@@ -15,5 +15,6 @@ buildVerityUKI (mkNixosConfig {
     debug.enable = withDebug;
     gpu.enable = withGPU;
     azure.enable = withCSP == "azure";
+    peerpods.enable = true;
   };
 })
diff --git a/packages/by-name/kata/contrast-node-installer-image/package.nix b/packages/by-name/kata/contrast-node-installer-image/package.nix
@@ -17,7 +17,7 @@
   OVMF-SNP,
   OVMF-TDX,
 
-  debugRuntime ? false,
+  debugRuntime ? true,
 }:
 
 let
@@ -47,6 +47,10 @@ let
               url = "file:///opt/edgeless/share/kata-kernel";
               path = "/opt/edgeless/@@runtimeName@@/share/kata-kernel";
             }
+            {
+              url = "file:///opt/edgeless/share/kata-initrd.zst";
+              path = "/opt/edgeless/@@runtimeName@@/share/kata-initrd.zst";
+            }
             {
               url = "file:///opt/edgeless/snp/bin/qemu-system-x86_64";
               path = "/opt/edgeless/@@runtimeName@@/snp/bin/qemu-system-x86_64";
@@ -106,7 +110,7 @@ let
             }
           ];
           inherit debugRuntime;
-          qemuExtraKernelParams = kata.snp-launch-digest.dmVerityArgs;
+          qemuExtraKernelParams = kata.kata-image.cmdline;
         };
         destination = "/config/contrast-node-install.json";
       }
@@ -116,13 +120,17 @@ let
   kata-container-img = ociLayerTar {
     files = [
       {
-        source = kata.kata-image;
+        source = "${kata.kata-image}/${kata.kata-image.imageFile}";
         destination = "/opt/edgeless/share/kata-containers.img";
       }
       {
-        source = "${kata.kata-kernel-uvm}/bzImage";
+        source = "${kata.kata-image}/bzImage";
         destination = "/opt/edgeless/share/kata-kernel";
       }
+      {
+        source = "${kata.kata-image}/initrd.zst";
+        destination = "/opt/edgeless/share/kata-initrd.zst";
+      }
     ];
   };
 

diff --git a/packages/by-name/kata/kata-image/buildimage.sh b/packages/by-name/kata/kata-image/buildimage.sh