image: add mainline kernel and azure tdx image target

bazel/mkosi/mkosi_image.bzl

@@ -16,6 +16,8 @@ def _mkosi_image_impl(ctx):
         args.add("--distribution", ctx.attr.distribution)
     if ctx.attr.architecture:
         args.add("--architecture", ctx.attr.architecture)
+    if ctx.attr.output:
+        args.add("--output", ctx.attr.output)
     args.add_all(ctx.attr.packages, before_each = "--package")
     for package_file in ctx.files.package_files:
         args.add("--package", config_rel(package_file.path))
@@ -122,6 +124,7 @@ mkosi_image = rule(
             doc = "main mkosi.conf file",
         ),
         "out_dir": attr.string(),
+        "output": attr.string(),
         "outs": attr.output_list(),
         "package_files": attr.label_list(allow_files = True),
         "package_manager_trees": attr.label_list(allow_files = True),

bazel/toolchains/linux_kernel.bzl

@@ -3,39 +3,76 @@
 load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_file")
 
 def kernel_rpms():
+    """kernel rpms"""
+
+    # LTS kernel
     http_file(
-        name = "kernel",
+        name = "kernel_lts",
         urls = [
             "https://cdn.confidential.cloud/constellation/cas/sha256/4430d2f8076081291d505ccb91bc84e3a763e113348e23775cc01df5a574d684",
             "https://cdn.confidential.cloud/constellation/kernel/6.1.68-100.constellation/kernel-6.1.68-100.constellation.fc38.x86_64.rpm",
         ],
-        downloaded_file_path = "kernel.rpm",
+        downloaded_file_path = "kernel-lts.rpm",
         sha256 = "4430d2f8076081291d505ccb91bc84e3a763e113348e23775cc01df5a574d684",
     )
     http_file(
-        name = "kernel_core",
+        name = "kernel_core_lts",
         urls = [
             "https://cdn.confidential.cloud/constellation/cas/sha256/e3f9a42c4c86d56cae98053d3fc099368cbcf6dfa8ed48848e24e2c82ae3b7cc",
             "https://cdn.confidential.cloud/constellation/kernel/6.1.68-100.constellation/kernel-core-6.1.68-100.constellation.fc38.x86_64.rpm",
         ],
-        downloaded_file_path = "kernel-core.rpm",
+        downloaded_file_path = "kernel-core-lts.rpm",
         sha256 = "e3f9a42c4c86d56cae98053d3fc099368cbcf6dfa8ed48848e24e2c82ae3b7cc",
     )
     http_file(
-        name = "kernel_modules",
+        name = "kernel_modules_lts",
         urls = [
             "https://cdn.confidential.cloud/constellation/cas/sha256/072fc8e1b1bb37e1cc40038f60e21a7be374d801f48589146660ffe7028f6b39",
             "https://cdn.confidential.cloud/constellation/kernel/6.1.68-100.constellation/kernel-modules-6.1.68-100.constellation.fc38.x86_64.rpm",
         ],
-        downloaded_file_path = "kernel-modules.rpm",
+        downloaded_file_path = "kernel-modules-lts.rpm",
         sha256 = "072fc8e1b1bb37e1cc40038f60e21a7be374d801f48589146660ffe7028f6b39",
     )
     http_file(
-        name = "kernel_modules_core",
+        name = "kernel_modules_core_lts",
         urls = [
             "https://cdn.confidential.cloud/constellation/cas/sha256/97d1e099b874d53b87fad2515c450b33d56770236211bf6a83a52e9e28361be1",
             "https://cdn.confidential.cloud/constellation/kernel/6.1.68-100.constellation/kernel-modules-core-6.1.68-100.constellation.fc38.x86_64.rpm",
         ],
-        downloaded_file_path = "kernel-modules-core.rpm",
+        downloaded_file_path = "kernel-modules-core-lts.rpm",
         sha256 = "97d1e099b874d53b87fad2515c450b33d56770236211bf6a83a52e9e28361be1",
     )
+
+    # mainline kernel
+    http_file(
+        name = "kernel_mainline",
+        urls = [
+            "https://cdn.confidential.cloud/constellation/cas/sha256/b42a4ee6c486832adbff101447a0f92b61905e43acabffc40e573ebf87799889",
+        ],
+        downloaded_file_path = "kernel-mainline.rpm",
+        sha256 = "b42a4ee6c486832adbff101447a0f92b61905e43acabffc40e573ebf87799889",
+    )
+    http_file(
+        name = "kernel_core_mainline",
+        urls = [
+            "https://cdn.confidential.cloud/constellation/cas/sha256/88f34a4add6d1c8d9c7cff499843d0d565aa798b1bf365c7b4a0e0c48adab2b4",
+        ],
+        downloaded_file_path = "kernel-core-mainline.rpm",
+        sha256 = "88f34a4add6d1c8d9c7cff499843d0d565aa798b1bf365c7b4a0e0c48adab2b4",
+    )
+    http_file(
+        name = "kernel_modules_mainline",
+        urls = [
+            "https://cdn.confidential.cloud/constellation/cas/sha256/4ba6599de2934315fb659b512659e5d96b2812f877e0c2d41625d899d8d440ad",
+        ],
+        downloaded_file_path = "kernel-modules-mainline.rpm",
+        sha256 = "4ba6599de2934315fb659b512659e5d96b2812f877e0c2d41625d899d8d440ad",
+    )
+    http_file(
+        name = "kernel_modules_core_mainline",
+        urls = [
+            "https://cdn.confidential.cloud/constellation/cas/sha256/3d01a6e11fb4110b6c7f2f63c113c7b7c7ea8f5a78d77c4ca355b3039bbcb282",
+        ],
+        downloaded_file_path = "kernel-modules-core-mainline.rpm",
+        sha256 = "3d01a6e11fb4110b6c7f2f63c113c7b7c7ea8f5a78d77c4ca355b3039bbcb282",
+    )

image/base/BUILD.bazel

@@ -4,14 +4,26 @@ load("@rules_pkg//:pkg.bzl", "pkg_tar")
 load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
 
 copy_to_directory(
-    name = "rpms",
+    name = "rpms_lts",
     srcs = [
-        "@kernel//file",
+        "@kernel_core_lts//file",
-        "@kernel_core//file",
+        "@kernel_lts//file",
-        "@kernel_modules//file",
+        "@kernel_modules_core_lts//file",
-        "@kernel_modules_core//file",
+        "@kernel_modules_lts//file",
     ],
-    include_external_repositories = ["kernel*"],
+    include_external_repositories = ["kernel*lts"],
+    replace_prefixes = {"file": ""},
+)
+
+copy_to_directory(
+    name = "rpms_mainline",
+    srcs = [
+        "@kernel_core_mainline//file",
+        "@kernel_mainline//file",
+        "@kernel_modules_core_mainline//file",
+        "@kernel_modules_mainline//file",
+    ],
+    include_external_repositories = ["kernel*mainline"],
     replace_prefixes = {"file": ""},
 )
 
@@ -23,64 +35,75 @@ copy_to_directory(
         allow_symlink = True,
     )
     for name in [
-        "kernel",
+        "kernel_lts",
-        "kernel_core",
+        "kernel_core_lts",
-        "kernel_modules",
+        "kernel_modules_lts",
-        "kernel_modules_core",
+        "kernel_modules_core_lts",
+        "kernel_mainline",
+        "kernel_core_mainline",
+        "kernel_modules_mainline",
+        "kernel_modules_core_mainline",
     ]
 ]
 
-mkosi_image(
+[
-    name = "base",
+    mkosi_image(
-    srcs = [
+        name = "base_" + kernel_variant,
-        "mkosi.postinst",
+        srcs = [
-        "mkosi.prepare",
+            "mkosi.postinst",
-    ] + glob([
+            "mkosi.prepare",
-        "mkosi.skeleton/**",
+        ] + glob([
-    ]),
+            "mkosi.skeleton/**",
-    outs = [
+        ]),
-        "image",
+        outs = [
-        "image.tar",
+            kernel_variant,
-        "image-.rpm.lock",
+            kernel_variant + ".tar",
-        "image-packagemanifest",
+            kernel_variant + "-.rpm.lock",
-        "image-rpmdb.sqlite",
+            kernel_variant + "-packagemanifest",
-        "image-rpmdb.sqlite-shm",
+            kernel_variant + "-rpmdb.sqlite",
-        "image-rpmdb.sqlite-wal",
+            kernel_variant + "-rpmdb.sqlite-shm",
-    ],
+            kernel_variant + "-rpmdb.sqlite-wal",
-    extra_trees = [
+        ],
-        "//image:sysroot_tar",
+        extra_trees = [
-        "//image:cryptsetup_closure",
+            "//image:sysroot_tar",
-    ],
+            "//image:cryptsetup_closure",
-    local_mirror = ["@mkosi_rpms//:repo"],
+        ],
-    mkosi_conf = "mkosi.conf",
+        local_mirror = ["@mkosi_rpms//:repo"],
-    package_files = [
+        mkosi_conf = "mkosi.conf",
-        ":kernel",
+        output = kernel_variant,
-        ":kernel_core",
+        package_files = [
-        ":kernel_modules",
+            ":kernel_" + kernel_variant,
-        ":kernel_modules_core",
+            ":kernel_core_" + kernel_variant,
-    ],
+            ":kernel_modules_" + kernel_variant,
-    tags = [
+            ":kernel_modules_core_" + kernel_variant,
-        "manual",
+        ],
-        "no-cache",
+        tags = [
-    ],
+            "manual",
-    visibility = ["//visibility:public"],
+            "no-cache",
-)
+        ],
+        visibility = ["//visibility:public"],
+    )
+    for kernel_variant in [
+        "lts",
+        "mainline",
+    ]
+]
 
 pkg_tar(
     name = "rpmdb",
     srcs = [
-        "image-.rpm.lock",
+        "lts-.rpm.lock",
-        "image-packagemanifest",
+        "lts-packagemanifest",
-        "image-rpmdb.sqlite",
+        "lts-rpmdb.sqlite",
-        "image-rpmdb.sqlite-shm",
+        "lts-rpmdb.sqlite-shm",
-        "image-rpmdb.sqlite-wal",
+        "lts-rpmdb.sqlite-wal",
     ],
     remap_paths = {
-        "/image-.rpm.lock": "/var/lib/rpm/.rpm.lock",
+        "/lts-.rpm.lock": "/var/lib/rpm/.rpm.lock",
-        "/image-packagemanifest": "/usr/share/constellation/packagemanifest",
+        "/lts-packagemanifest": "/usr/share/constellation/packagemanifest",
-        "/image-rpmdb.sqlite": "/var/lib/rpm/rpmdb.sqlite",
+        "/lts-rpmdb.sqlite": "/var/lib/rpm/rpmdb.sqlite",
-        "/image-rpmdb.sqlite-shm": "/var/lib/rpm/rpmdb.sqlite-shm",
+        "/lts-rpmdb.sqlite-shm": "/var/lib/rpm/rpmdb.sqlite-shm",
-        "/image-rpmdb.sqlite-wal": "/var/lib/rpm/image-rpmdb.sqlite-wal",
+        "/lts-rpmdb.sqlite-wal": "/var/lib/rpm/image-rpmdb.sqlite-wal",
     },
     tags = ["manual"],
     visibility = ["//visibility:public"],

image/system/BUILD.bazel

@@ -1,6 +1,6 @@
 load("//bazel/mkosi:mkosi_image.bzl", "mkosi_image")
 load("//bazel/osimage:upload_os_images.bzl", "upload_os_images")
-load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation_packages", "images_for_csp", "images_for_csp_and_stream", "images_for_stream", "kernel_command_line", "kernel_command_line_dict")
+load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "base_image", "constellation_packages", "images_for_csp", "images_for_csp_and_stream", "images_for_stream", "kernel_command_line", "kernel_command_line_dict")
 
 [
     mkosi_image(
@@ -16,7 +16,11 @@ load(":variants.bzl", "CSPS", "STREAMS", "VARIANTS", "autologin", "constellation
             stream,
         ),
         base_trees = [
-            "//image/base:image.tar",
+            base_image(
+                variant["csp"],
+                variant["attestation_variant"],
+                stream,
+            ),
         ],
         extra_trees = constellation_packages(stream),
         initrds = [

image/system/variants.bzl

@@ -13,6 +13,10 @@ VARIANTS = [
         "attestation_variant": "azure-sev-snp",
         "csp": "azure",
     },
+    {
+        "attestation_variant": "azure-tdx",
+        "csp": "azure",
+    },
     {
         "attestation_variant": "gcp-sev-es",
         "csp": "gcp",
@@ -105,6 +109,12 @@ attestation_variant_settings = {
             "constel.attestation-variant": "azure-sev-snp",
         },
     },
+    "azure-tdx": {
+        "base_image": "//image/base:mainline",
+        "kernel_command_line_dict": {
+            "constel.attestation-variant": "azure-tdx",
+        },
+    },
     "gcp-sev-es": {
         "kernel_command_line_dict": {
             "constel.attestation-variant": "gcp-sev-es",
@@ -201,6 +211,12 @@ def kernel_command_line_dict(csp, attestation_variant, stream):
         commandline_dict = commandline_dict | settings.get("kernel_command_line_dict", {})
     return commandline_dict
 
+def base_image(csp, attestation_variant, stream):
+    for settings in from_settings(csp, attestation_variant, stream):
+        if "base_image" in settings:
+            return settings["base_image"]
+    return "//image/base:lts"
+
 def append_cmdline(current, append):
     """Append a string to an existing commandline, separating them with a space.