Merge pull request #98 from flyflypeng/support-guest-kernel-tailor

support tailoring and building linux kernel for kuasar security container

vmm/scripts/kernel/build-kernel/build-kernel.sh

@@ -0,0 +1,115 @@
+#!/bin/bash
+# Copyright 2023 The Kuasar Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kernel_merge_script="scripts/kconfig/merge_config.sh"
+kernel_merge_options=("-r" "-n")
+faild_merge_keyword="not in final .config"
+
+print_usage() {
+    echo "Usage: $0 [options]
+    --help, -h             print the usage
+    --arch                 specify the hardware architecture: aarch64/x86_64
+    --kernel-type          specify the target kernel type: micro/mini
+    --kernel-dir           specify the kernel source directory
+    --kernel-conf-dir      specify the kernel tailor conf directory"
+}
+
+merge_kernel_fragments() {
+    local tailor_conf_file="$1"
+
+    if [ ! -f "$tailor_conf_file" ]; then
+        echo "Tailor conf file does not exist: $tailor_conf_file"
+        return 1
+    fi
+
+    local kernel_fragments=$(sed "s#^#${kernel_conf_dir}/#" "${tailor_conf_file}" | tr '\n' ' ')
+    read -a kernel_fragments_arr <<<"${kernel_fragments}"
+    # need to change the pwd to kernel directory to do merge kernel fragments operation
+    cd ${kernel_dir}
+    local results=$(bash "${kernel_dir}/${kernel_merge_script}" "${kernel_merge_options[@]}" "${kernel_fragments_arr[@]}")
+
+    if [[ "${results}" == *"${faild_merge_keyword}"* ]]; then
+        echo "Error: failed to merge kernel fragments with ${tailor_conf_file} configuration."
+        echo "The kernel configs which are not present in the final .config file:  "
+        echo "${results}"
+        return 1
+    fi
+
+    echo "Merge kernel fragments with ${tailor_conf_file} successfully."
+    return 0
+}
+
+build_kernel() {
+    cd ${kernel_dir}
+    make -j $(nproc)
+    if [ $? -ne 0 ]; then
+        echo "Error: Failed to build kernel."
+        return 1
+    fi
+    echo "Build kernel successfully."
+    return 0
+}
+
+while [[ "$#" -gt 0 ]]; do
+    case $1 in
+    -h | --help)
+        print_usage
+        exit 0
+        ;;
+    --arch)
+        arch="$2"
+        shift
+        ;;
+    --kernel-type)
+        kernel_type="$2"
+        shift
+        ;;
+    --kernel-dir)
+        kernel_dir="$2"
+        shift
+        ;;
+    --kernel-conf-dir)
+        kernel_conf_dir="$2"
+        shift
+        ;;
+    *)
+        echo "Unknown parameter passed: $1"
+        print_usage
+        exit 1
+        ;;
+    esac
+    shift
+done
+
+if [ -z "$kernel_type" ] || [ -z "$arch" ] || [ -z "$kernel_dir" ] || [ -z "$kernel_conf_dir" ]; then
+    print_usage
+    exit 1
+fi
+
+echo "Arch: $arch"
+echo "Kernel Type: $kernel_type"
+echo "Kernel Dir: $kernel_dir"
+echo "Kernel Conf Dir: $kernel_conf_dir"
+
+# select the tailor conf file by vm type and cpu architecture
+tailor_conf_file="${kernel_conf_dir}/${kernel_type}-kernel-${arch}.list"
+
+cd ${kernel_conf_dir}
+merge_kernel_fragments $tailor_conf_file
+if [ $? -ne 0 ]; then
+    exit 1
+fi
+
+build_kernel

vmm/scripts/kernel/build-kernel/fragments/9p.conf

@@ -0,0 +1,5 @@
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+CONFIG_9P_FS_SECURITY=y
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y

vmm/scripts/kernel/build-kernel/fragments/aarch64.conf

@@ -0,0 +1,149 @@
+#
+# IRQ subsystem
+#
+# end of IRQ subsystem
+
+#
+# Timers subsystem
+#
+CONFIG_ARCH_HAS_TICK_BROADCAST=y
+# end of Timers subsystem
+
+#
+# RCU Subsystem
+#
+CONFIG_TASKS_RCU_GENERIC=y
+# end of RCU Subsystem
+
+CONFIG_HAVE_FUTEX_CMPXCHG=y
+# end of General setup
+
+CONFIG_ARM64=y
+CONFIG_ARM64_PAGE_SHIFT=12
+CONFIG_ARM64_CONT_PTE_SHIFT=4
+CONFIG_ARM64_CONT_PMD_SHIFT=4
+
+CONFIG_ARCH_MMAP_RND_BITS_MIN=18
+CONFIG_ARCH_MMAP_RND_BITS_MAX=33
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=11
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
+
+
+#
+# ARM errata workarounds via the alternatives framework
+#
+CONFIG_ARM64_WORKAROUND_CLEAN_CACHE=y
+CONFIG_ARM64_ERRATUM_826319=y
+CONFIG_ARM64_ERRATUM_827319=y
+CONFIG_ARM64_ERRATUM_824069=y
+CONFIG_ARM64_ERRATUM_819472=y
+CONFIG_ARM64_ERRATUM_832075=y
+CONFIG_ARM64_ERRATUM_843419=y
+CONFIG_ARM64_ERRATUM_1024718=y
+CONFIG_ARM64_WORKAROUND_SPECULATIVE_AT=y
+CONFIG_ARM64_ERRATUM_1165522=y
+CONFIG_ARM64_ERRATUM_1319367=y
+CONFIG_ARM64_ERRATUM_1530923=y
+CONFIG_ARM64_WORKAROUND_REPEAT_TLBI=y
+CONFIG_ARM64_ERRATUM_1286807=y
+CONFIG_ARM64_ERRATUM_1463225=y
+CONFIG_ARM64_ERRATUM_1542419=y
+CONFIG_ARM64_ERRATUM_1508412=y
+CONFIG_CAVIUM_ERRATUM_22375=y
+CONFIG_CAVIUM_ERRATUM_23154=y
+CONFIG_CAVIUM_ERRATUM_27456=y
+CONFIG_CAVIUM_ERRATUM_30115=y
+CONFIG_CAVIUM_TX2_ERRATUM_219=y
+CONFIG_HISILICON_ERRATUM_161600802=y
+CONFIG_HISILICON_ERRATUM_1980005=y
+CONFIG_HISILICON_ERRATUM_HIP08_RU_PREFETCH=y
+
+CONFIG_ARM64_4K_PAGES=y
+CONFIG_ARM64_VA_BITS_48=y
+CONFIG_ARM64_VA_BITS=48
+CONFIG_ARM64_PA_BITS_48=y
+CONFIG_ARM64_PA_BITS=48
+
+CONFIG_CPU_LITTLE_ENDIAN=y
+CONFIG_RODATA_FULL_DEFAULT_ENABLED=y
+
+
+CONFIG_ARCH_LLC_128_LINE_SIZE=y
+
+CONFIG_FORCE_MAX_ZONEORDER=11
+CONFIG_UNMAP_KERNEL_AT_EL0=y
+
+#
+# ARMv8.1 architectural features
+#
+CONFIG_ARM64_HW_AFDBM=y
+CONFIG_ARM64_PAN=y
+CONFIG_AS_HAS_LSE_ATOMICS=y
+CONFIG_ARM64_VHE=y
+# end of ARMv8.1 architectural features
+
+#
+# ARMv8.2 architectural features
+#
+CONFIG_ARM64_RAS_EXTN=y
+CONFIG_ARM64_CNP=y
+# end of ARMv8.2 architectural features
+
+#
+# ARMv8.3 architectural features
+#
+CONFIG_ARM64_PTR_AUTH=y
+CONFIG_CC_HAS_BRANCH_PROT_PAC_RET=y
+CONFIG_CC_HAS_SIGN_RETURN_ADDRESS=y
+CONFIG_AS_HAS_PAC=y
+CONFIG_AS_HAS_CFI_NEGATE_RA_STATE=y
+# end of ARMv8.3 architectural features
+
+#
+# ARMv8.4 architectural features
+#
+CONFIG_ARM64_AMU_EXTN=y
+CONFIG_AS_HAS_ARMV8_4=y
+CONFIG_ARM64_TLB_RANGE=y
+# end of ARMv8.4 architectural features
+
+#
+# ARMv8.5 architectural features
+#
+CONFIG_ARM64_BTI=y
+CONFIG_CC_HAS_BRANCH_PROT_PAC_RET_BTI=y
+CONFIG_ARM64_E0PD=y
+CONFIG_ARM64_AS_HAS_MTE=y
+CONFIG_ARM64_MTE=y
+# end of ARMv8.5 architectural features
+
+#
+# ARMv8.6 architectural features
+#
+CONFIG_ARM64_TWED=y
+# end of ARMv8.6 architectural features
+
+#
+# ARMv8.7 architectural features
+#
+CONFIG_ARM64_EPAN=y
+# end of ARMv8.7 architectural features
+
+CONFIG_ARM64_SVE=y
+# end of Kernel Features
+
+CONFIG_ARM64_TAGGED_ADDR_ABI=y
+
+# Firmware
+CONFIG_ARM_SDE_INTERFACE=y
+
+#
+# General architecture-dependent options
+#
+CONFIG_ARCH_HAS_RELR=y
+# end of General architecture-dependent options
+
+CONFIG_OF_KOBJ=y
+CONFIG_OF_ADDRESS=y
+CONFIG_OF_NET=y
+CONFIG_DMA_OF=y

vmm/scripts/kernel/build-kernel/fragments/acpi.conf

@@ -0,0 +1,13 @@
+CONFIG_ACPI=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_PROCESSOR_IDLE=y
+CONFIG_ACPI_PROCESSOR=y
+CONFIG_ACPI_HOTPLUG_CPU=y
+CONFIG_ACPI_TABLE_UPGRADE=y
+CONFIG_ACPI_CONTAINER=y
+CONFIG_ACPI_PCI_SLOT=y
+CONFIG_ACPI_HOTPLUG_MEMORY=y
+CONFIG_ACPI_CONFIGFS=y
+CONFIG_ACPI_APEI=y
+CONFIG_ACPI_APEI_GHES=y
+CONFIG_ACPI_APEI_PCIEAER=y