-
Notifications
You must be signed in to change notification settings - Fork 44
/
setup-tdx-common
124 lines (110 loc) · 4.38 KB
/
setup-tdx-common
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
# This file is part of Canonical's TDX repository which includes tools
# to setup and configure a confidential computing environment
# based on Intel TDX technology.
# See the LICENSE file in the repository for the license text.
# Copyright 2024 Canonical Ltd.
# SPDX-License-Identifier: GPL-3.0-only
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 3,
# as published by the Free Software Foundation.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranties
# of MERCHANTABILITY, SATISFACTORY QUALITY, or FITNESS FOR A PARTICULAR PURPOSE.
# See the GNU General Public License for more details.
# If not set, detect Ubuntu code name and version
if [[ -z "${UBUNTU_CODENAME}" ]] || [[ -z "${UBUNTU_VERSION}" ]]; then
UBUNTU_CODENAME=$(lsb_release -cs)
UBUNTU_VERSION=$(lsb_release -rs)
fi
# Pinning the packages of specific PPA
#
# unattended-upgrade:
# unattended-upgrade will temporarily set APT pinning for the archives
# it will ignore the pinning configuration for PPAs that are not listed
# in the Allowed-Origins list
# we have to add the PPA into this list to prevent unattended from
# setting its pinning priority to -32768
# we also need to tell unattended-upgrade to allow the downgrade
# in case the packages in the PPA have older versions than the ones
# from Ubuntu archive
add_kobuk_ppa() {
ppa_id=$1
distro_id=LP-PPA-kobuk-team-${ppa_id}
add-apt-repository -y ppa:kobuk-team/${ppa_id}
cat <<EOF | tee /etc/apt/preferences.d/kobuk-team-${ppa_id}-pin-4000
Package: *
Pin: release o=${distro_id}
Pin-Priority: 4000
EOF
cat <<EOF | tee /etc/apt/apt.conf.d/99unattended-upgrades-kobuk-${ppa_id}
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${UBUNTU_CODENAME}";
};
Unattended-Upgrade::Allow-downgrade "true";
EOF
}
# Add all kobuk given PPAs
add_kobuk_ppas() {
for ppa in "$@"; do
add_kobuk_ppa "$ppa"
done
}
# get the current kernel version from the kernel flavour/type
# we are using
# the input will be the kernel meta package name of type : linux-image-<flavour|type>
# examples : linux-image-intel, linux-image-generic, linux-image-aws, ...
get_kernel_version() {
local kernel_flavour=$1
local kernel_version
kernel_version=$(apt show ${kernel_flavour} 2>&1 | gawk 'match($0, /Depends:.* linux-image-([^, ]+)/, a) {print a[1]}')
echo $kernel_version
}
# grub: switch to kernel version
grub_switch_kernel() {
KERNELVER=$1
MID=$(awk '/Advanced options for Ubuntu/{print $(NF-1)}' /boot/grub/grub.cfg | cut -d\' -f2)
KID=$(awk "/with Linux $KERNELVER/"'{print $(NF-1)}' /boot/grub/grub.cfg | cut -d\' -f2 | head -n1)
cat > /etc/default/grub.d/99-tdx-kernel.cfg <<EOF
GRUB_DEFAULT=saved
GRUB_SAVEDEFAULT=true
EOF
grub-editenv /boot/grub/grubenv set saved_entry="${MID}>${KID}"
update-grub
}
# select the kernel release for next boot
# NB : this function will read/write the global variable KERNEL_RELEASE
# if KERNEL_RELEASE is specified, we use it
# if not, select the latest generic kernel available on the system and update the KERNEL_RELEASE var
grub_set_kernel() {
if [ -z "${KERNEL_RELEASE}" ]; then
KERNEL_RELEASE=$(find /boot/vmlinuz-*-generic 2>&1 | \
/usr/lib/grub/grub-sort-version -r 2>&1 | \
gawk 'match($0 , /^\/boot\/vmlinuz-(.*)/, a) {print a[1];exit}')
fi
if [ -z "${KERNEL_RELEASE}" ]; then
echo "ERROR : unable to determine kernel release"
exit 1
fi
grub_switch_kernel "${KERNEL_RELEASE}"
}
# Enable non-root user to run TDs
# Try to detect the normal user when the script is run with sudo
# If the script is run as root, just skip this step
#
# This script modifies the configuration file /etc/libvirt/qemu.conf:
# user = <user>
# group = <group>
# dynamic_ownership = 0
enable_normal_user_libvirt() {
if [[ -z "${SUDO_USER}" ]]; then
return
fi
LIBVIRT_USER=${SUDO_USER}
LIBVIRT_GROUP=$(id -g ${SUDO_USER})
echo "Enable non-root user ${LIBVIRT_USER} to run TDs"
sed -E -i "s/\#user[ ]*=[ ]*\".+\"/user = \"${LIBVIRT_USER}\"/g" /etc/libvirt/qemu.conf
sed -E -i "s/\#group[ ]*=[ ]*\".+\"/group = \"${LIBVIRT_GROUP}\"/g" /etc/libvirt/qemu.conf
sed -E -i "s/\#dynamic_ownership[ ]*=[ ]*.+/dynamic_ownership = 0/g" /etc/libvirt/qemu.conf
# restart libvirtd
systemctl restart libvirtd || true
}