Add RHEL support to snp.sh#2
Conversation
LakshmiSaiHarika
changed the title
LakshmiSaiHarika
changed the title
|
The PR should group like changes together for a required feature. Separate further more distinct parts into separate commit messages. PR Title: Add RHEL support to snp.sh Squash the existing two commits. The previous debug changes you made do not need to be part of the tree. |
LakshmiSaiHarika
force-pushed
the
rhel-snp
branch
2 times, most recently
from
4c515b3 to
d95cd76
Compare
LakshmiSaiHarika
changed the title
LakshmiSaiHarika
force-pushed
the
rhel-snp
branch
2 times, most recently
from
89eba48 to
05bf82b
Compare
1. Changed AMDSEV URL and AMDSEV branch for AMDSEV build with RHEL fixes
2. rhel_install_dependencies for rhel library package manager dependencies for AMDSEV branch.
requires subscription manager credential for installing RedHat
libraries
3. set_grub_default_snp() using grubby tool for RHEL
4. Modified save_binary_paths() due to the differences in the location of guest kernel file path for ubuntu and rhel and differences in the boot menu for initial ram disk images(initd.img-<kernel-version> for ubuntu and initramfs-<kernel-version> for rhel)
Signed-off-by: Harika <lnittala@amd.com>
LakshmiSaiHarika
force-pushed
the
rhel-snp
branch
from
05bf82b to
77a5748
Compare
larrydewey
left a comment
larrydewey
left a comment
There was a problem hiding this comment.
Some minor changes to apply. I would also recommend going to check the code at https://www.shellcheck.net/ to make sure we are addressing linting and possible exploit coverage.
| ;; | ||
| rhel) | ||
| # Can't Initialize CLOUD_INIT_IMAGE_URL for redhat due to redhat subscription requirement | ||
| echo "Download Red Hat Enterprise Linux 9.2 KVM Guest Image from RedHat Login" |
There was a problem hiding this comment.
Change this from static 9.2 to the version in question being installed.
| install_common_dependencies(){ | ||
| # pip issue on 20.04 - some openssl bug | ||
| #sudo rm -f "/usr/lib/python3/dist-packages/OpenSSL/crypto.py" | ||
| pip install sev-snp-measure |
There was a problem hiding this comment.
Do we need to worry about Ubuntu using pip3 vs pip?
| pip install sev-snp-measure | ||
|
|
||
| # Rust is required to build snpguest | ||
| curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -sSf | sh -s -- -y |
There was a problem hiding this comment.
We should not assume that the program is installed. Let's make sure we check before we call it.
| sudo dnf install -y git | ||
| sudo dnf install -y make automake gcc gcc-c++ kernel-devel |
There was a problem hiding this comment.
| sudo dnf install -y git | |
| sudo dnf install -y make automake gcc gcc-c++ kernel-devel | |
| sudo dnf install -y git make automake gcc gcc-c++ kernel-devel |
| sudo dnf install -y ninja-build | ||
| sudo dnf install -y pkg-config | ||
| sudo dnf install -y glib2-devel | ||
| sudo dnf install -y pixman-devel | ||
| sudo dnf install -y libslirp-devel | ||
|
|
||
| # ovmf dependencies | ||
| sudo dnf install -y uuid-devel | ||
| sudo dnf install -y iasl |
There was a problem hiding this comment.
| sudo dnf install -y ninja-build | |
| sudo dnf install -y pkg-config | |
| sudo dnf install -y glib2-devel | |
| sudo dnf install -y pixman-devel | |
| sudo dnf install -y libslirp-devel | |
| # ovmf dependencies | |
| sudo dnf install -y uuid-devel | |
| sudo dnf install -y iasl | |
| sudo dnf install -y ninja-build pkg-config glib2-devel pixman-devel libslirp-devel | |
| # ovmf dependencies | |
| sudo dnf install -y uuid-devel iasl |
| sudo apt install -y ninja-build pkg-config | ||
| sudo apt install -y libglib2.0-dev | ||
| sudo apt install -y libpixman-1-dev | ||
| sudo apt install -y libslirp-dev |
There was a problem hiding this comment.
| sudo apt install -y ninja-build pkg-config | |
| sudo apt install -y libglib2.0-dev | |
| sudo apt install -y libpixman-1-dev | |
| sudo apt install -y libslirp-dev | |
| sudo apt install -y ninja-build pkg-config libglib2.0-dev libpixman-1-dev libslirp-dev |
| # as I was not sure if I can test this branch as I already installed snp kernel package from snp-latest branch | ||
| if ! $UPM; then | ||
| SETUP_WORKING_DIR="${SETUP_WORKING_DIR}/non-upm" | ||
| SETUP_WORKING_DIR="${SETUP_WORKING_DIR}/sev-snp-devel" |
There was a problem hiding this comment.
Small Question
Is this AMDSEV/sev-snp-devel branch actively used now?
Asking this as I need to make changes in the sev-snp-devel branch for RedHat and Fedora environment.
Till now I focused on snp-latest branch
There was a problem hiding this comment.
Yes. We need to determine how to handle sev-snp-devel. Do not change the non-upm identifier text. We can discuss this with Mike.
| echo "Enter RedHat subscription Manager credentials" | ||
| read -p "Username: " RHEL_SUBS_MGR_USER | ||
| read -sp "Password: " RHEL_SUBS_MGR_PASS | ||
| } |
There was a problem hiding this comment.
Can we add a check to see if the subscription manager status is already active and only prompt if not active? Can you check out this example and test it out?
https://access.redhat.com/discussions/2217891
Also, only prompt for values if not already exported in the variables.
| cat > "${SETUP_WORKING_DIR}/source-bins" <<EOF | ||
| QEMU_BIN="${SETUP_WORKING_DIR}/AMDSEV/qemu/build/qemu-system-x86_64" | ||
| OVMF_BIN="${SETUP_WORKING_DIR}/AMDSEV/ovmf/Build/AmdSev/DEBUG_GCC5/FV/OVMF.fd" | ||
| OVMF_BIN="${SETUP_WORKING_DIR}/AMDSEV/ovmf/Build/OvmfX64/DEBUG_GCC5/FV/OVMF.fd" |
There was a problem hiding this comment.
Why was this changed? If you use the standard OVMF package, it does not have support for direct boot.
There was a problem hiding this comment.
I changed it as I could not get AmdSev package in ovmf folder.
I was using the package I got after AMDSEV build step from the snp-latest branch.
| # dracut built initrd. This dependency is removed for now due to this reason. For now, | ||
| # initrd is installed with the kernel debian package on the guest, and then scp-ed back to | ||
| # the host for direct-boot use. | ||
| sudo apt install -y pkg-config libkmod-dev |
There was a problem hiding this comment.
Why is this uncommented now?
There was a problem hiding this comment.
Sorry.. didn't notice this change earlier
I will modify
| sudo dnf install -y make automake gcc gcc-c++ kernel-devel | ||
|
|
||
| # Enable RedHat Repository for qemu dependencies | ||
| sudo subscription-manager register --username ${RHEL_SUBS_MGR_USER} --password ${RHEL_SUBS_MGR_PASS} --force |
There was a problem hiding this comment.
Why register twice? Same comment as before.
| source "${HOME}/.cargo/env" 2>/dev/null | ||
|
|
||
| echo "true" > "${dependencies_installed_file}" | ||
| install_dependencies(){ |
There was a problem hiding this comment.
Move the other install_dependencies methods up here. The goal being to keep the ubuntu method closely tied to the code on the original. That way we can see the changes as opposed to seeing a giant delete block on the original and new code on the PR. Keep like code grouped together.
| # For UBUNTU, it is /boot/initrd.img-<kernel-version> | ||
| # For RHEL, fedora it is /initramfs-<kernel-version>.img | ||
| # For standardizing, I want to try creating inital ramdisk image manually (apart from intrd which comes from kernel package installaion) using commands like dracut, | ||
| # but I wanted to confirm before I try |
There was a problem hiding this comment.
We need to discuss this. The above should be left alone as default value.
| SNPGUEST_BRANCH="tags/v0.2.2" | ||
| NASM_SOURCE_TAR_URL="https://www.nasm.us/pub/nasm/releasebuilds/2.16.01/nasm-2.16.01.tar.gz" | ||
| CLOUD_INIT_IMAGE_URL="https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" | ||
| # CLOUD_INIT_IMAGE_URL initialized under set_cloud_init_url_based_on_linux_distribution() |
There was a problem hiding this comment.
These variables should live here. Create different variables for different distros.
| # as I was not sure if I can test this branch as I already installed snp kernel package from snp-latest branch | ||
| if ! $UPM; then | ||
| SETUP_WORKING_DIR="${SETUP_WORKING_DIR}/non-upm" | ||
| SETUP_WORKING_DIR="${SETUP_WORKING_DIR}/sev-snp-devel" |
There was a problem hiding this comment.
Yes. We need to determine how to handle sev-snp-devel. Do not change the non-upm identifier text. We can discuss this with Mike.
| sudo dnf install -y rsync | ||
| sudo dnf install -y ncurses-devel | ||
|
|
||
| # libssl-dev is openssl-devel in RHEL |
There was a problem hiding this comment.
Why are you calling this out here? I don't see it being installed.
There was a problem hiding this comment.
I added rsync and ncurses-devel here as I faced dependencies issue in the amd_sev_snp_build_step.
| sudo dnf install -y ncurses-devel | ||
|
|
||
| # libssl-dev is openssl-devel in RHEL | ||
| # rpm-build -- Scripts and executable programs used to build packages |
There was a problem hiding this comment.
Comment:
# RPM package building dependencies
There was a problem hiding this comment.
Is this a kernel dependency?
There was a problem hiding this comment.
Yes, this is a kernel dependency
| # Get Host CPU Architecture info( like: x86_64. x86.. so on) | ||
| # My Assumption: Guest CPU has same cpu architecture as host architecture | ||
| # Reason: Guest using CPU type "host" may increase the VM performance | ||
| local host_arch=$(arch) |
There was a problem hiding this comment.
You shouldn't need to do this. A regex to determine the only compiled file should work here.
|
|
||
| # Copy and rename guest snp kernel from bzImage to vmlinuz | ||
| local bzImage_file=$(realpath ${SETUP_WORKING_DIR}/AMDSEV/linux/guest/arch/$host_arch/boot/bzImage) | ||
| cp -v $bzImage_file ${SETUP_WORKING_DIR}/AMDSEV/linux/guest/vmlinuz-$guest_kernel_version |
There was a problem hiding this comment.
If you're doing the cp, might as well do it for all OSes and then you can share more code here.
|
Divided this big PR into multiple PR's for better code readability. Addressed this PR feature in PR #28 |
Added MSR 0xC0010010 check to validate if guest SEV, SEV-ES and SNP are enabled by reading SEV, SEV-ES and SNP bits from MSR 0xC0010010 instruction set Bit #0 corresponds to the SEV bit status Bit amd#1 corresponds to SEV-ES bit status Bit amd#2 corresponds to SNP bit status Signed-off-by: Harika Nittala <lnittala@amd.com>
Added MSR 0xC0010010 check to validate if guest SEV, SEV-ES and SNP are enabled by reading SEV, SEV-ES and SNP bits from MSR 0xC0010010 instruction set Bit #0 corresponds to the SEV bit status Bit amd#1 corresponds to SEV-ES bit status Bit amd#2 corresponds to SNP bit status Signed-off-by: Harika Nittala <lnittala@amd.com>
Added MSR 0xC0010010 check to validate if guest SEV, SEV-ES and SNP are enabled by reading SEV, SEV-ES and SNP bits from MSR 0xC0010010 instruction set Bit #0 corresponds to the SEV bit status Bit amd#1 corresponds to SEV-ES bit status Bit amd#2 corresponds to SNP bit status Signed-off-by: Harika Nittala <lnittala@amd.com>
Added MSR 0xC0010010 check to validate if guest SEV, SEV-ES and SNP are enabled by reading SEV, SEV-ES and SNP bits from MSR 0xC0010010 instruction set Bit #0 corresponds to the SEV bit status Bit amd#1 corresponds to SEV-ES bit status Bit amd#2 corresponds to SNP bit status Signed-off-by: Harika Nittala <lnittala@amd.com>
3 participants
Changed AMDSEV URL and AMDSEV branch for AMDSEV build with RHEL fixes
rhel_install_dependencies for rhel library package manager dependencies for AMDSEV branch.
requires subscription manager credential for installing RedHat libraries
set_grub_default_snp() using grubby tool for RHEL.
Changing the default kernel in Red Hat Enterprise Linux 8 & 9
https://access.redhat.com/solutions/4326431
Modified save_binary_paths() due to the
>differences in the location of guest kernel file path for ubuntu and rhel
>differences in the boot menu for initial ram disk images(initd.img- for ubuntu and initramfs- for rhel)