sc2-sys · csegarragonz · Feb 25, 2025 · Feb 18, 2025 · Feb 18, 2025 · Feb 19, 2025
diff --git a/README.md b/README.md
@@ -19,14 +19,9 @@ https://github.com/confidential-containers) project.
 
 SC2 currently supports AMD SEV-SNP and Intel TDX as underlying TEE, and requires
 deployment on a bare-metal host. Before moving forward, make sure you have a
-correct installation. For SEV-SNP you may use [`snphost ok`](
-https://github.com/virtee/snphost.git).
-
-Lastly, make sure you are using the exact host kernel:
-
-| **SEV-SNP** | **TDX** |
-|---|---|
-| [6.8.0-rc5-next-20240221-snp-host-cc2568386](https://github.com/confidential-containers/linux/tree/amd-snp-host-202402240000) | [6.8.0-1004-intel](https://git.launchpad.net/~kobuk-team/ubuntu/+source/linux-intel/tree/?h=noble-main-next) |
+correct host installation. For SEV-SNP you may use [`snphost ok`](
+https://github.com/virtee/snphost.git). Also make sure you have the [right
+host kernel](./docs/host_kernel.md).
 
 ## Quick Start
 

diff --git a/bin/launch_svsm.sh b/bin/launch_svsm.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+SVSM_ROOT=/opt/sc2/svsm
+
+# C-bit pos may be obtained by running coconut-svsm/svsm/utils/cbit
+CBIT_POS=51
+
+IGVM=${SVSM_ROOT}/share/igvm/coconut-qemu.igvm
+KERNEL=${SVSM_ROOT}/share/sc2/vmlinuz-kata-containers-sc2
+INITRD=/opt/sc2/svsm/share/sc2/initrd-kata.img
+
+# Ensure terminal settings are restored on exit
+orig_stty=$(stty -g)
+trap "stty '$orig_stty'" EXIT
+
+# Remap Ctrl-C to Ctrl-] to allow the guest to handle Ctrl-C.
+stty intr ^]
+
+sudo ${SVSM_ROOT}/bin/qemu-system-x86_64 \
+    -cpu EPYC-v4 \
+    -machine q35,confidential-guest-support=sev0,memory-backend=ram1,igvm-cfg=igvm0,accel=kvm \
+    -object memory-backend-memfd,id=ram1,size=8G,share=true,prealloc=false,reserve=false \
+    -object sev-snp-guest,id=sev0,cbitpos=${CBIT_POS},reduced-phys-bits=1 \
+    -object igvm-cfg,id=igvm0,file=$IGVM \
+    -smp 8 \
+    -no-reboot \
+    -netdev user,id=vmnic -device e1000,netdev=vmnic,romfile= \
+    -kernel ${KERNEL} \
+    -initrd ${INITRD} \
+    -append "console=ttyS0 loglevel=8 earlyprintk=serial rdinit=/bin/sh" \
+    -monitor none \
+    -nographic \
+    -serial stdio \
+    -serial pty
diff --git a/docker/base.dockerfile b/docker/base.dockerfile
@@ -10,10 +10,15 @@ RUN apt update \
     && apt upgrade -y \
     && apt install -y \
         clang \
+        cmake \
         curl \
+        g++ \
+        gcc \
         git \
+        gopls \
         libclang-dev \
         libdevmapper-dev \
+        make \
         wget
 
 # Clone the dotfiles repo

diff --git a/docker/coconut/ovmf.dockerfile b/docker/coconut/ovmf.dockerfile
diff --git a/docker/coconut/qemu.dockerfile b/docker/coconut/qemu.dockerfile
diff --git a/docker/coconut/svsm.dockerfile b/docker/coconut/svsm.dockerfile
diff --git a/docker/containerd.dockerfile b/docker/containerd.dockerfile
@@ -8,9 +8,7 @@ FROM ghcr.io/sc2-sys/base:0.10.0
 RUN apt update \
     && apt upgrade -y \
     && apt install -y \
-        libbtrfs-dev \
-        gopls \
-        make
+        libbtrfs-dev
 
 # Clone and build containerd
 ARG CODE_DIR=/go/src/github.com/sc2-sys/containerd

diff --git a/docker/kata.dockerfile b/docker/kata.dockerfile
@@ -6,10 +6,7 @@ FROM ghcr.io/sc2-sys/base:0.10.0
 
 # Install APT dependencies
 RUN apt install -y \
-        gcc \
-        gopls \
         libseccomp-dev \
-        make \
         musl-tools \
         wget
 

diff --git a/docker/nydus.dockerfile b/docker/nydus.dockerfile
@@ -4,13 +4,6 @@ FROM ghcr.io/sc2-sys/base:0.10.0
 # Nydus daemon set-up
 # ---------------------------
 
-# Install APT dependencies
-RUN apt-get update \
-    && apt-get install -y \
-        cmake \
-        gopls \
-        make
-
 # Build the daemon and other tools like nydusify
 ARG CODE_DIR=/go/src/github.com/sc2-sys/nydus
 RUN mkdir -p ${CODE_DIR} \

diff --git a/docker/nydus_snapshotter.dockerfile b/docker/nydus_snapshotter.dockerfile
@@ -7,8 +7,6 @@ FROM ghcr.io/sc2-sys/base:0.10.0
 # Install APT dependencies
 RUN apt-get update \
     && apt-get install -y \
-        gopls \
-        make \
         protobuf-compiler
 
 ARG CODE_DIR=/go/src/github.com/sc2-sys/nydus-snapshotter

diff --git a/docker/ovmf.dockerfile b/docker/ovmf.dockerfile
@@ -1,37 +1,30 @@
-FROM ubuntu:22.04
+FROM ghcr.io/sc2-sys/base:0.10.0
 
 RUN apt update \
     && apt upgrade -y \
     && apt install -y \
-        g++ \
-        gcc \
-        git \
+        dosfstools \
+        grub2-common \
+        grub-efi \
         iasl \
-        make \
+        mtools \
         nasm \
-        python3 \
-        python-is-python3 \
-        uuid-dev \
-        vim
+        uuid-dev
 
-ARG OVMF_PATCH
-COPY ${OVMF_PATCH} /tmp/ovmf_profile.patch
-ARG TARGET
-RUN mkdir -p /usr/src/edk2 \
+ARG OVMF_VERSION
+ARG CODE_DIR=/git/sc2-sys/edk2
+RUN mkdir -p ${CODE_DIR} \
     && git clone \
-        -b edk2-stable202302 \
-        --single-branch --depth 1 \
+        --branch ${OVMF_VERSION} \
+        --depth 1 \
         https://github.com/tianocore/edk2.git \
-        /usr/src/edk2 \
-    && cd /usr/src/edk2 \
+        ${CODE_DIR} \
+    && cd ${CODE_DIR} \
     && git submodule update --init \
-    && make -C BaseTools/ \
-    && touch OvmfPkg/AmdSev/Grub/grub.efi \
-    && git apply /tmp/ovmf_profile.patch \
-    && cd OvmfPkg \
-    && ./build.sh \
-        -b ${TARGET} \
-        -D DEBUG_ON_SERIAL_PORT \
-        -p OvmfPkg/AmdSev/AmdSevX64.dsc
-
-WORKDIR /usr/src/edk2
+    && export PYTHON3_ENABLE=TRUE \
+    && export PYTHON_COMMAND=python3 \
+    && make -j $(nproc) -C BaseTools/ \
+    && . ./edksetup.sh --reconfig \
+    && build -a X64 -b RELEASE -t GCC5 -p OvmfPkg/OvmfPkgX64.dsc \
+    && touch  OvmfPkg/AmdSev/Grub/grub.efi \
+    && build -a X64 -b RELEASE -t GCC5 -p OvmfPkg/AmdSev/AmdSevX64.dsc
diff --git a/docker/qemu.dockerfile b/docker/qemu.dockerfile
@@ -47,7 +47,6 @@ RUN mkdir -p /usr/src \
         --disable-guest-agent-msi \
         --disable-libiscsi \
         --disable-libudev \
-        --disable-linux-user \
         --disable-live-block-migration \
         --disable-lzo \
         --disable-opengl \

diff --git a/docker/svsm.dockerfile b/docker/svsm.dockerfile
@@ -0,0 +1,22 @@
+FROM ghcr.io/sc2-sys/base:0.10.0
+
+RUN apt update \
+    && apt upgrade -y \
+    && apt install -y \
+        autoconf \
+        autoconf-archive \
+        libclang-dev \
+        libssl-dev \
+        pkg-config
+
+ARG OVMF_FILE
+COPY ./${OVMF_FILE} /bin/ovmf-svsm.fd
+
+ARG CODE_DIR=/git/coconut-svsm/svsm
+RUN mkdir -p ${CODE_DIR} \
+    && git clone https://github.com/coconut-svsm/svsm ${CODE_DIR} \
+    && cd ${CODE_DIR} \
+    && git submodule update --init \
+    && rustup target add x86_64-unknown-none \
+    && cargo install bindgen-cli \
+    && FW_FILE=/bin/ovmf-svsm.fd ./build --release configs/qemu-target.json
diff --git a/docker/svsm_kernel.dockerfile b/docker/svsm_kernel.dockerfile
@@ -0,0 +1,31 @@
+FROM ghcr.io/sc2-sys/base:0.10.0
+
+RUN apt update \
+    && apt upgrade -y \
+    && apt install -y \
+        bc \
+        bison \
+        cpio \
+        flex \
+        kmod \
+        libelf-dev \
+        libssl-dev \
+        xz-utils \
+        zstd
+
+# Clone kernel source tree
+ARG CODE_DIR=/git/coconut-svsm/linux
+RUN mkdir -p ${CODE_DIR} \
+    && git clone \
+        --branch svsm \
+        --depth=1 https://github.com/coconut-svsm/linux \
+        ${CODE_DIR}
+
+# Copy generated config file. The filename and path are hardcoded in ./tasks/svsm.py
+COPY ./svsm_kernel_config ${CODE_DIR}/.config
+
+ARG MODULES_OUTDIR
+RUN cd ${CODE_DIR} \
+    && make olddefconfig \
+    && make -j $(nproc) \
+    && make modules_install INSTALL_MOD_PATH=${MODULES_OUTDIR}