[WIP] rebase of feature/secret-hiding onto main

.buildkite/common.py

@@ -33,6 +33,7 @@
 DEFAULT_PLATFORMS = [
     ("al2", "linux_5.10"),
     ("al2023", "linux_6.1"),
+    ("al2023", "secret_hiding"),
 ]
 
 
@@ -120,10 +121,12 @@ def run_all_tests(changed_files):
     """
 
     # run the whole test suite if either of:
-    # - any file changed that is not documentation nor GitHub action config file
+    # - any file changed that is not documentation nor GitHub action config file, nor secret hiding patch series
     # - no files changed
     return not changed_files or any(
-        x.suffix != ".md" and not (x.parts[0] == ".github" and x.suffix == ".yml")
+        x.suffix != ".md"
+        and not (x.parts[0] == ".github" and x.suffix == ".yml")
+        and x.parts[1] != "hiding_ci"
         for x in changed_files
     )
 

.buildkite/pipeline_pr.py

@@ -70,6 +70,17 @@
     for step in kani_grp["steps"]:
         step["label"] = "🔍 Kani"
 
+if not changed_files or (
+    any(parent.name == "hiding_ci" for x in changed_files for parent in x.parents)
+):
+    pipeline.build_group_per_arch(
+        "🕵️ Build Secret Hiding Kernel",
+        pipeline.devtool_test(
+            pytest_opts="-m secret_hiding integration_tests/build/test_hiding_kernel.py",
+        ),
+        depends_on_build=False,
+    )
+
 if run_all_tests(changed_files):
     pipeline.build_group(
         "📦 Build",

Cargo.toml

@@ -30,6 +30,7 @@ tests_outside_test_module = "warn"
 assertions_on_result_states = "warn"
 error_impl_error = "warn"
 or_fun_call = "warn"
+needless-update = "allow"
 
 [profile.dev]
 panic = "abort"

resources/hiding_ci/build_and_install_kernel.sh

@@ -0,0 +1,240 @@
+#!/bin/bash
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# fail if we encounter an error, uninitialized variable or a pipe breaks
+set -eu -o pipefail
+
+check_root() {
+  # We need sudo privileges to install the kernel
+  if [ "$(id -u)" -ne 0 ]; then
+    echo "To install, this script must be run as root or with sudo privileges"
+    exit 1
+  fi
+}
+
+check_userspace() {
+  # Currently this script only works on Ubuntu and AL2023
+  if grep -qi 'ubuntu' /etc/os-release; then
+    USERSPACE="UBUNTU"
+    return 0
+  fi
+
+  if grep -qi 'al2023' /etc/os-release; then
+    USERSPACE="AL2023"
+    return 0
+  fi
+
+  echo "This script currently only works on Ubuntu and Amazon Linux 2023."
+  exit 1
+}
+
+install_build_deps() {
+  case $USERSPACE in
+    "UBUNTU")
+	    apt-get update && apt-get install -y make bsdmainutils flex yacc bison bc xz-utils libelf-dev elfutils libssl-dev
+	    ;;
+    "AL2023")
+	    yum -y groupinstall "Development Tools"
+	    yum -y install make openssl-devel dkms
+	    ;;
+  esac
+}
+
+tidy_up() {
+  # Some cleanup after we are done
+  echo "Cleaning up.."
+  cd $START_DIR
+  rm -rf $TMP_BUILD_DIR
+}
+
+confirm() {
+  if [[ "$*" == *"--no-install"* ]]; then
+    echo "Not installing new kernel."
+
+    if [[ "$*" == *"--tidy"* ]]; then
+      tidy_up
+    fi
+
+    exit 0
+  fi
+
+  if [[ "$*" == *"--install"* ]]; then
+    return 0
+  fi
+
+  while true; do
+    read -p "Do you want to install the new kernel? (y/n) " yn
+    case $yn in
+    [Yy]*) return 0 ;;
+    [Nn]*)
+      echo "Exiting..."
+      exit 1
+      ;;
+    *) echo "Please answer yes or no." ;;
+    esac
+  done
+}
+
+apply_patch_file() {
+  echo "Applying patch:" $(basename $1)
+
+  git apply $1
+}
+
+apply_patch_or_series() {
+  case "$1" in
+  *.patch) apply_patch_file $1 ;;
+  *) echo "Skipping non-patch file" $1 ;;
+  esac
+}
+
+apply_all_patches() {
+  if [ ! -d "$1" ]; then
+    echo "Not a directory: $1"
+    return
+  fi
+
+  echo "Applying all patches in $1"
+
+  for f in $1/*; do
+    if [ -d $f ]; then
+      apply_all_patches $f
+    else
+      apply_patch_or_series $f
+    fi
+  done
+}
+
+check_new_config() {
+  if [[ -e "/boot/config-$KERNEL_VERSION" ]]; then
+    return 0;
+  fi
+
+  echo "Storing new config in /boot/config-$KERNEL_VERSION"
+  cp .config /boot/config-$KERNEL_VERSION
+}
+
+check_override_presence() {
+  while IFS= read -r line; do
+    if ! grep -Fq "$line" .config; then
+      echo "Missing config: $line"
+      exit 1
+    fi
+  done <"$KERNEL_CONFIG_OVERRIDES"
+
+  echo "All overrides correctly applied.."
+}
+
+ubuntu_update_boot() {
+  echo "Update initramfs"
+  update-initramfs -c -k $KERNEL_VERSION
+  echo "Updating GRUB..."
+  update-grub
+}
+
+al2023_update_boot() {
+  echo "Installing ENA driver for AL2023"
+  $START_DIR/install_ena.sh $KERNEL_VERSION $START_DIR/dkms.conf
+
+  # Just ensure we are back in the build dir
+  cd $TMP_BUILD_DIR
+
+  echo "Creating the new ram disk"
+  dracut --kver $KERNEL_VERSION -f -v
+
+  # This varies from x86 and ARM so capture what was generated
+  # We add the || true here due to the fact that we have pipefail enabled
+  # this causes a non 0 exit when ls cant find vmlinux or vmlinux
+  VM_LINUX_LOCATION=$(ls /boot/vmlinu{x,z}-$KERNEL_VERSION 2>/dev/null | head -n1 || true)
+
+  echo "Updating GRUB..."
+  grubby --grub2 --add-kernel $VM_LINUX_LOCATION \
+    --title="Secret Hiding" \
+    --initrd=/boot/initramfs-$KERNEL_VERSION.img --copy-default
+  grubby --set-default $VM_LINUX_LOCATION
+}
+
+update_boot_config() {
+  case "$USERSPACE" in
+  UBUNTU) ubuntu_update_boot ;;
+  AL2023) al2023_update_boot ;;
+  *)
+    echo "Unknown userspace"
+    exit 1
+    ;;
+  esac
+}
+
+check_userspace
+install_build_deps
+
+KERNEL_URL=$(cat kernel_url)
+KERNEL_COMMIT_HASH=$(cat kernel_commit_hash)
+KERNEL_PATCHES_DIR=$(pwd)/linux_patches
+KERNEL_CONFIG_OVERRIDES=$(pwd)/kernel_config_overrides
+
+TMP_BUILD_DIR=$(mktemp -d -t kernel-build-XXXX)
+
+START_DIR=$(pwd)
+
+cd $TMP_BUILD_DIR
+
+echo "Cloning kernel repository into" $TMP_BUILD_DIR
+
+# We checkout the repository that way to make it as
+# small and fast as possible
+git init
+git remote add origin $KERNEL_URL
+git fetch --depth 1 origin $KERNEL_COMMIT_HASH
+git checkout FETCH_HEAD
+
+# Apply our patches on top
+apply_all_patches $KERNEL_PATCHES_DIR
+
+echo "Making kernel config ready for build"
+# We use olddefconfig to automatically pull in the
+# config from the AMI and update to the newest
+# defaults
+make olddefconfig
+
+# Disable the ubuntu keys
+scripts/config --disable SYSTEM_TRUSTED_KEYS
+scripts/config --disable SYSTEM_REVOCATION_KEYS
+
+# Apply our config overrides on top of the config
+scripts/kconfig/merge_config.sh -m .config $KERNEL_CONFIG_OVERRIDES
+
+check_override_presence
+
+# We run this again to default options now changed by
+# the disabling of the ubuntu keys
+make olddefconfig
+
+echo "Building kernel this may take a while"
+make -s -j $(nproc)
+echo "Building kernel modules"
+make modules -s -j $(nproc)
+echo "Kernel build complete!"
+
+KERNEL_VERSION=$(KERNELVERSION=$(make -s kernelversion) ./scripts/setlocalversion)
+
+echo "New kernel version:" $KERNEL_VERSION
+
+# Make sure a user really wants to install this kernel
+confirm "$@"
+
+check_root
+
+echo "Installing kernel modules..."
+make INSTALL_MOD_STRIP=1 modules_install
+echo "Installing kernel..."
+make INSTALL_MOD_STRIP=1 install
+
+update_boot_config
+
+check_new_config
+
+echo "Kernel built and installed successfully!"
+
+tidy_up

resources/hiding_ci/dkms.conf

@@ -0,0 +1,10 @@
+PACKAGE_NAME="ena"
+PACKAGE_VERSION="1.0.0"
+CLEAN="make -C kernel/linux/ena clean"
+MAKE="make -C kernel/linux/ena/ BUILD_KERNEL=${kernelver}"
+BUILT_MODULE_NAME[0]="ena"
+BUILT_MODULE_LOCATION="kernel/linux/ena"
+DEST_MODULE_LOCATION[0]="/updates"
+DEST_MODULE_NAME[0]="ena"
+REMAKE_INITRD="yes"
+AUTOINSTALL="yes"

resources/hiding_ci/install_ena.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# # SPDX-License-Identifier: Apache-2.0
+
+# fail if we encounter an error, uninitialized variable or a pipe breaks
+set -eu -o pipefail
+
+AMZN_DRIVER_VERSION="2.13.3"
+KERNEL_VERSION=$1
+DKMS_CONF_LOCATION=$2
+START_DIR=$(pwd)
+
+cd /tmp/
+
+git clone --depth=1 https://github.com/amzn/amzn-drivers.git
+mv amzn-drivers /usr/src/amzn-drivers-${AMZN_DRIVER_VERSION}
+
+cp $DKMS_CONF_LOCATION /usr/src/amzn-drivers-${AMZN_DRIVER_VERSION}
+
+dkms add -m amzn-drivers -v ${AMZN_DRIVER_VERSION}
+dkms build -k ${KERNEL_VERSION} -m amzn-drivers -v ${AMZN_DRIVER_VERSION}
+dkms install -k ${KERNEL_VERSION} -m amzn-drivers -v ${AMZN_DRIVER_VERSION}
+
+cd $START_DIR

resources/hiding_ci/kernel_commit_hash

@@ -0,0 +1 @@
+beafd7ecf2255e8b62a42dc04f54843033db3d24

resources/hiding_ci/kernel_config_overrides

@@ -0,0 +1,17 @@
+CONFIG_EXPERT=y
+CONFIG_CRYPTO_HW=y
+CONFIG_CRYPTO_DEV_CCP=y
+CONFIG_CRYPTO_DEV_CCP_DD=y
+CONFIG_CRYPTO_DEV_SP_PSP=y
+CONFIG_KVM=y
+CONFIG_KVM_SW_PROTECTED_VM=y
+CONFIG_KVM_AMD=y
+CONFIG_KVM_INTEL=y
+CONFIG_KVM_AMD_SEV=y
+CONFIG_KVM_PRIVATE_MEM=y
+CONFIG_KVM_GENERIC_MMU_NOTIFIER=y
+CONFIG_KVM_GENERIC_HARDWARE_ENABLING=y
+CONFIG_KVM_GENERIC_MEMORY_ATTRIBUTES=y
+CONFIG_KVM_GENERIC_PRIVATE_MEM=y
+CONFIG_DEBUG_INFO=y
+CONFIG_KVM_XEN=n

resources/hiding_ci/kernel_url

@@ -0,0 +1 @@
+git://git.kernel.org/pub/scm/virt/kvm/kvm.git