|
1 | 1 | set -e |
2 | | -git clone -b master --single-branch --depth 1 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble linux |
| 2 | + |
| 3 | +# Clone Ubuntu HWE 6.17 (has RTMR extend built-in) |
| 4 | +git clone -b hwe-6.17-next --single-branch --depth 1 \ |
| 5 | + https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble linux |
| 6 | + |
3 | 7 | cd linux |
4 | 8 | cp ../tdx/config .config |
5 | 9 |
|
6 | 10 | apt install -y libelf-dev zstd flex bison libssl-dev bc |
7 | 11 |
|
8 | | -# virt coco,for enable tdx and sev |
| 12 | +# virt coco,for enable tdx |
| 13 | +./scripts/config --enable CONFIG_VIRT_DRIVERS # important to enable: parent menu that gates all confidential computing drivers |
9 | 14 | ./scripts/config --enable CONFIG_EFI_SECRET |
10 | 15 | ./scripts/config --enable CONFIG_INTEL_TDX_GUEST |
11 | | -./scripts/config --enable CONFIG_SEV_GUEST |
12 | 16 | ./scripts/config --enable CONFIG_TDX_GUEST_DRIVER |
13 | 17 | #enable dmcrypt for encrypt disk |
14 | 18 | ./scripts/config --enable CONFIG_DM_CRYPT |
15 | | - |
16 | 19 | #enable ramfs and initrd for all in ram |
17 | 20 | ./scripts/config --enable CONFIG_BLK_DEV_INITRD |
18 | 21 | ./scripts/config --enable CONFIG_BLK_DEV_RAM |
| 22 | +# VSOCK modules |
| 23 | +./scripts/config --enable CONFIG_VSOCKETS # required for communication with QGS (quote generation) |
| 24 | +./scripts/config --enable CONFIG_VIRTIO_VSOCKETS |
| 25 | +./scripts/config --enable CONFIG_VIRTIO_VSOCKETS_COMMON |
| 26 | +./scripts/config --enable CONFIG_VSOCKETS_LOOPBACK |
| 27 | +# Netfilter / nftables (IPv4 only, for ufw with iptables-nft backend) |
| 28 | +./scripts/config --enable CONFIG_NETFILTER |
| 29 | +./scripts/config --enable CONFIG_NETFILTER_ADVANCED |
| 30 | +./scripts/config --enable CONFIG_NETFILTER_XTABLES |
| 31 | +./scripts/config --enable CONFIG_NF_CONNTRACK |
| 32 | +./scripts/config --enable CONFIG_NF_TABLES |
| 33 | +./scripts/config --enable CONFIG_NFT_COMPAT |
| 34 | +./scripts/config --enable CONFIG_NFT_CT |
| 35 | +./scripts/config --enable CONFIG_NFT_LOG |
| 36 | +./scripts/config --enable CONFIG_NFT_LIMIT |
| 37 | +./scripts/config --enable CONFIG_NFT_NAT |
| 38 | +./scripts/config --enable CONFIG_NFT_MASQ |
| 39 | +./scripts/config --enable CONFIG_NFT_REDIR |
| 40 | +./scripts/config --enable CONFIG_NFT_REJECT |
| 41 | +./scripts/config --enable CONFIG_NFT_FIB |
| 42 | +# IPv4 nftables |
| 43 | +./scripts/config --enable CONFIG_NF_TABLES_IPV4 |
| 44 | +./scripts/config --enable CONFIG_NFT_REJECT_IPV4 |
| 45 | +./scripts/config --enable CONFIG_NFT_FIB_IPV4 |
| 46 | +./scripts/config --enable CONFIG_NFT_DUP_IPV4 |
| 47 | +./scripts/config --enable CONFIG_NF_NAT |
| 48 | +./scripts/config --enable CONFIG_IP_NF_IPTABLES |
| 49 | +./scripts/config --enable CONFIG_IP_NF_TARGET_REJECT |
| 50 | +./scripts/config --enable CONFIG_IP_NF_TARGET_MASQUERADE |
19 | 51 |
|
20 | 52 | yes "" | make olddefconfig |
21 | | -make -j$(nproc) bzImage |
22 | | - |
| 53 | +make -j$(nproc) bzImage |
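Review bot: Nothing after `make olddefconfig` checks that the options enabled above are still set, and olddefconfig silently drops any symbol whose dependencies the base `../tdx/config` does not satisfy, so a bzImage lacking the TDX guest driver, dm-crypt or the nftables pieces ufw needs would still build cleanly. Add a guard before the final `make ... bzImage` line, for example `for o in INTEL_TDX_GUEST TDX_GUEST_DRIVER DM_CRYPT NF_TABLES NFT_COMPAT; do grep -qx "CONFIG_$o=y" .config || { echo "CONFIG_$o not set" >&2; exit 1; }; done`. The clone also tracks the tip of `hwe-6.17-next` with `--depth 1`, so two runs can produce different kernels and, where the kernel is measured for attestation, different measurements; checking out a fixed tag or commit after the clone would make the image reproducible. The netfilter block is IPv4-only by its own comment, so if the base config enables IPv6 (not visible here), the ufw rules would not cover that traffic.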