edgelesssys
diff --git a/‎nodeinstaller/internal/kataconfig/configuration-qemu-tdx.toml‎
Lines changed: 1 addition & 1 deletion b/‎nodeinstaller/internal/kataconfig/configuration-qemu-tdx.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/by-name/kata/agent/package.nix‎
Lines changed: 0 additions & 1 deletion b/‎packages/by-name/kata/agent/package.nix‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎packages/by-name/kata/release-tarball/package.nix‎
Lines changed: 1 addition & 1 deletion b/‎packages/by-name/kata/release-tarball/package.nix‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/by-name/kata/runtime/0002-genpolicy-read-bundle-id-from-rootfs.patch‎
Lines changed: 1 addition & 1 deletion b/‎packages/by-name/kata/runtime/0002-genpolicy-read-bundle-id-from-rootfs.patch‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/by-name/kata/runtime/0003-genpolicy-rules-remove-check-for-OCI-version.patch‎
Lines changed: 1 addition & 1 deletion b/‎packages/by-name/kata/runtime/0003-genpolicy-rules-remove-check-for-OCI-version.patch‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/by-name/kata/runtime/0004-genpolicy-allow-image_guest_pull.patch‎
Lines changed: 8 additions & 8 deletions b/‎packages/by-name/kata/runtime/0004-genpolicy-allow-image_guest_pull.patch‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎packages/by-name/kata/runtime/0005-runtime-agent-mounts-Mount-configfs-into-the-contain.patch‎
Lines changed: 2 additions & 2 deletions b/‎packages/by-name/kata/runtime/0005-runtime-agent-mounts-Mount-configfs-into-the-contain.patch‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/by-name/kata/runtime/0006-genpolicy-support-mount-propagation-and-ro-mounts.patch‎
Lines changed: 2 additions & 2 deletions b/‎packages/by-name/kata/runtime/0006-genpolicy-support-mount-propagation-and-ro-mounts.patch‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/by-name/kata/runtime/0008-genpolicy-do-not-log-policy-annotation-in-debug.patch‎
Lines changed: 2 additions & 2 deletions b/‎packages/by-name/kata/runtime/0008-genpolicy-do-not-log-policy-annotation-in-debug.patch‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/by-name/kata/runtime/0009-genpolicy-allow-non-watchable-ConfigMaps.patch‎
Lines changed: 0 additions & 35 deletions b/‎packages/by-name/kata/runtime/0009-genpolicy-allow-non-watchable-ConfigMaps.patch‎
Lines changed: 0 additions & 35 deletions
@@ -67,7 +67,7 @@ valid_hypervisor_paths = ["PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT"]
 # may stop the virtual machine from booting.
 # To see the list of default parameters, enable hypervisor debug, create a
 # container and look for 'default-kernel-parameters' log entries.
-kernel_params = "cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1 rootfs_verity.scheme=dm-verity rootfs_verity.hash=a8f1861d4825ef847c0d657d9c50713ffdd134932740d048ad55e92cc5b605f9"
+kernel_params = "cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1 rootfs_verity.scheme=dm-verity rootfs_verity.hash=79cfffd61dabc19d336b31d15212db9b67637596c89325b6bdaa6195d0525ae3"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
 
@@ -26,7 +26,6 @@ rustPlatform.buildRustPackage rec {
     lockFile = "${src}/src/agent/Cargo.lock";
     outputHashes = {
       "cgroups-rs-0.3.5" = "sha256-BKD1ZPK5LqB/n2xD/oODArVKjbH+MQOeYn/UYbBHzn0=";
-      "cdi-0.1.0" = "sha256-1F1kqZy/9MokzIwX6k1DbmgYWtbUrMUVDtSkV3aTJqc=";
       "s390_pv_core-0.11.0" = "sha256-P275gUoF4JtaKvKPvzhCsBuo882kKCYebtNpCDEmTP0=";
     };
   };
 
@@ -12,7 +12,7 @@ let
 in
 fetchzip {
   url = "https://github.com/kata-containers/kata-containers/releases/download/${version}/kata-static-${version}-amd64.tar.zst";
-  hash = "sha256-ktGksilc21qWi3ktg21RZ9I2g4/uOvTk39wRDfRy9pk=";
+  hash = "sha256-Hq9s43W+U52lSiWydoxqg0GLuDvFPgMxs2jFbqzELuk=";
   stripRoot = false;
   nativeBuildInputs = [ zstd ];
 
 
@@ -14,7 +14,7 @@ NOTE: fixes https://github.com/kata-containers/kata-containers/issues/10065
  1 file changed, 8 insertions(+), 21 deletions(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 57fcd52f55a44adb9693838fa5aafe5e4fc6a6b9..1a7c1ad763fc0b77933789f00cf37b6d5df31ea9 100644
+index 07e0712e1cd71ed8cf17784c74caa7e78a1e4c10..c9205e2c84aba16ef5d0d332639e2f224c4a5fd8 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
@@ -662,9 +662,6 @@ allow_linux_sysctl(p_linux, i_linux) if {
 
@@ -9,7 +9,7 @@ Signed-off-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
  1 file changed, 3 deletions(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 1a7c1ad763fc0b77933789f00cf37b6d5df31ea9..11f2adfc741eb10062593cf18413954e96eb0ca3 100644
+index c9205e2c84aba16ef5d0d332639e2f224c4a5fd8..068d77d1dd20079a25604b9ffc94c0be0f138e82 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
@@ -90,9 +90,6 @@ CreateContainerRequest := {"ops": ops, "allowed": true} if {
 
@@ -126,7 +126,7 @@ index 74686abf43436d9c5c5117d061f1faed79783f74..e927668e85b61c1d242c1052bf50d7a5
 -    }
 -}
 diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go
-index fef95c47376b1b2c05304d3f9750e3f84cc93b4a..59ccaf3c86663f12bf2323cc3ddd12573b3e1d98 100644
+index 6fbf71646169348b104aa313deac32339fddaf6f..a81fcb347620f61646edf09aee3bfeaeee9f7965 100644
 --- a/src/runtime/virtcontainers/kata_agent.go
 +++ b/src/runtime/virtcontainers/kata_agent.go
@@ -1694,7 +1694,7 @@ func getContainerTypeforCRI(c *Container) (string, string) {
@@ -170,10 +170,10 @@ index fef95c47376b1b2c05304d3f9750e3f84cc93b4a..59ccaf3c86663f12bf2323cc3ddd1257
  			return nil, err
  		}
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 11f2adfc741eb10062593cf18413954e96eb0ca3..5e14dfa91570341675e0140900ee5c15fcbf48fb 100644
+index 068d77d1dd20079a25604b9ffc94c0be0f138e82..2dac4d81f651d422b4267eb94d65417e1fcbf325 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
-@@ -1031,10 +1031,9 @@ allow_storages(p_storages, i_storages, bundle_id, sandbox_id) if {
+@@ -1041,10 +1041,9 @@ allow_storages(p_storages, i_storages, bundle_id, sandbox_id) if {
 
      p_count := count(p_storages)
      i_count := count(i_storages)
@@ -186,7 +186,7 @@ index 11f2adfc741eb10062593cf18413954e96eb0ca3..5e14dfa91570341675e0140900ee5c15
 
      every i_storage in i_storages {
          allow_storage(p_storages, i_storage, bundle_id, sandbox_id)
-@@ -1060,15 +1059,6 @@ allow_storage(p_storages, i_storage, bundle_id, sandbox_id) if {
+@@ -1070,15 +1069,6 @@ allow_storage(p_storages, i_storage, bundle_id, sandbox_id) if {
 
      print("allow_storage: true")
  }
@@ -202,7 +202,7 @@ index 11f2adfc741eb10062593cf18413954e96eb0ca3..5e14dfa91570341675e0140900ee5c15
 
  allow_storage_source(p_storage, i_storage, bundle_id) if {
      print("allow_storage_source 1: start")
-@@ -1098,6 +1088,23 @@ allow_storage_source(p_storage, i_storage, bundle_id) if {
+@@ -1108,6 +1098,23 @@ allow_storage_source(p_storage, i_storage, bundle_id) if {
 
      print("allow_storage_source 3: true")
  }
@@ -226,7 +226,7 @@ index 11f2adfc741eb10062593cf18413954e96eb0ca3..5e14dfa91570341675e0140900ee5c15
 
  allow_storage_options(p_storage, i_storage) if {
      print("allow_storage_options 1: start")
-@@ -1151,6 +1158,22 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id) if {
+@@ -1161,6 +1168,22 @@ allow_mount_point(p_storage, i_storage, bundle_id, sandbox_id) if {
 
      print("allow_mount_point 3: true")
  }
@@ -250,10 +250,10 @@ index 11f2adfc741eb10062593cf18413954e96eb0ca3..5e14dfa91570341675e0140900ee5c15
  # ExecProcessRequest.process.Capabilities
  allow_exec_caps(i_caps) if {
 diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs
-index 7836a1c64da3af531f886eb37af8e1ee60f54d80..acef1aa34160a144e1a95e7bad5a3f6a6641b5cd 100644
+index 885d8b81962d1e29e823b1b4094d46f8791cfc05..a78c30a79addca66764f020f540efbf1f18fd8cf 100644
 --- a/src/tools/genpolicy/src/yaml.rs
 +++ b/src/tools/genpolicy/src/yaml.rs
-@@ -317,6 +317,17 @@ pub fn get_container_mounts_and_storages(
+@@ -318,6 +318,17 @@ pub fn get_container_mounts_and_storages(
              mount_and_storage::get_image_mount_and_storage(settings, policy_mounts, volume.0);
          }
      }
 
@@ -23,10 +23,10 @@ Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
  1 file changed, 20 insertions(+)
 
 diff --git a/src/agent/rustjail/src/mount.rs b/src/agent/rustjail/src/mount.rs
-index 3472bff40a6719e69b46fd80ffa81c1258d056d1..6f9468044ac50243c6e2c096c79417c3e3423074 100644
+index 27c363bf6ad4e6031ecd012fa388a83c8504e2bb..b38a2a35a3284900615b23c1896bff98f712c11a 100644
 --- a/src/agent/rustjail/src/mount.rs
 +++ b/src/agent/rustjail/src/mount.rs
-@@ -293,6 +293,26 @@ pub fn init_rootfs(
+@@ -294,6 +294,26 @@ pub fn init_rootfs(
          }
      }
 
 
@@ -9,7 +9,7 @@ Subject: [PATCH] genpolicy: support mount propagation and ro-mounts
  2 files changed, 9 insertions(+), 2 deletions(-)
 
 diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
-index 5e14dfa91570341675e0140900ee5c15fcbf48fb..a1a6b5e141fb541062251931150db6d2389c6ce2 100644
+index 2dac4d81f651d422b4267eb94d65417e1fcbf325..3ce3eab6e8c774de4b7de08aae9711c6314b6f1f 100644
 --- a/src/tools/genpolicy/rules.rego
 +++ b/src/tools/genpolicy/rules.rego
@@ -130,7 +130,8 @@ allow_create_container_input if {
@@ -23,7 +23,7 @@ index 5e14dfa91570341675e0140900ee5c15fcbf48fb..a1a6b5e141fb541062251931150db6d2
      is_null(i_linux.IntelRdt)
      is_null(i_linux.Resources.BlockIO)
 diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
-index bb93261f762dd291437a7b3a0872ae214a6e116c..a33128814eb1d99adb68a862befacd0bf0d7f5cd 100644
+index c3098f0e2459d55677a54d71f192584f4b4bba57..6d27fb39494a4b1b0ff5f8f7abb5e128a647b4dd 100644
 --- a/src/tools/genpolicy/src/mount_and_storage.rs
 +++ b/src/tools/genpolicy/src/mount_and_storage.rs
@@ -185,13 +185,19 @@ fn get_empty_dir_mount_and_storage(
 
@@ -8,7 +8,7 @@ Subject: [PATCH] genpolicy: do not log policy annotation in 'debug'
  1 file changed, 37 insertions(+), 1 deletion(-)
 
 diff --git a/src/tools/genpolicy/src/obj_meta.rs b/src/tools/genpolicy/src/obj_meta.rs
-index 81e68b115ebdf1cd6851be2e63239c0ab4fad7d5..95f631cbe1afe5349e74b9eb5361c88316cf9467 100644
+index 655a0915de7f102fa5798031f1e301b30b5befc4..4a7db4d5d69a6f26c749a9b11c8e3f2a5c428102 100644
 --- a/src/tools/genpolicy/src/obj_meta.rs
 +++ b/src/tools/genpolicy/src/obj_meta.rs
@@ -8,9 +8,10 @@
@@ -23,7 +23,7 @@ index 81e68b115ebdf1cd6851be2e63239c0ab4fad7d5..95f631cbe1afe5349e74b9eb5361c883
  pub struct ObjectMeta {
      #[serde(skip_serializing_if = "Option::is_none")]
      pub name: Option<String>,
-@@ -47,3 +48,38 @@ impl ObjectMeta {
+@@ -36,3 +37,38 @@ impl ObjectMeta {
          self.namespace.as_ref().cloned()
      }
  }
Original file line number	Diff line number	Diff line change
`@@ -23,10 +23,10 @@ Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>`
`23`	`23`	`1 file changed, 20 insertions(+)`
`24`	`24`
`25`	`25`	`diff --git a/src/agent/rustjail/src/mount.rs b/src/agent/rustjail/src/mount.rs`
`26`		`-index 3472bff40a6719e69b46fd80ffa81c1258d056d1..6f9468044ac50243c6e2c096c79417c3e3423074 100644`
	`26`	`+index 27c363bf6ad4e6031ecd012fa388a83c8504e2bb..b38a2a35a3284900615b23c1896bff98f712c11a 100644`
`27`	`27`	`--- a/src/agent/rustjail/src/mount.rs`
`28`	`28`	`+++ b/src/agent/rustjail/src/mount.rs`
`29`		`-@@ -293,6 +293,26 @@ pub fn init_rootfs(`
	`29`	`+@@ -294,6 +294,26 @@ pub fn init_rootfs(`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`