edgelesssys
diff --git a/‎nodeinstaller/internal/kataconfig/configuration-qemu-tdx.toml‎
Lines changed: 2 additions & 2 deletions b/‎nodeinstaller/internal/kataconfig/configuration-qemu-tdx.toml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/by-name/kata/release-tarball/package.nix‎
Lines changed: 1 addition & 1 deletion b/‎packages/by-name/kata/release-tarball/package.nix‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/by-name/kata/runtime/0004-genpolicy-allow-image_guest_pull.patch‎
Lines changed: 1 addition & 1 deletion b/‎packages/by-name/kata/runtime/0004-genpolicy-allow-image_guest_pull.patch‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/by-name/kata/runtime/0005-runtime-agent-mounts-Mount-configfs-into-the-contain.patch‎
Lines changed: 1 addition & 1 deletion b/‎packages/by-name/kata/runtime/0005-runtime-agent-mounts-Mount-configfs-into-the-contain.patch‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/by-name/kata/runtime/0006-genpolicy-support-mount-propagation-and-ro-mounts.patch‎
Lines changed: 2 additions & 2 deletions b/‎packages/by-name/kata/runtime/0006-genpolicy-support-mount-propagation-and-ro-mounts.patch‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/by-name/kata/runtime/0009-genpolicy-support-ephemeral-volume-source.patch‎
Lines changed: 5 additions & 5 deletions b/‎packages/by-name/kata/runtime/0009-genpolicy-support-ephemeral-volume-source.patch‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎packages/by-name/kata/runtime/0010-genpolicy-allow-RO-and-RW-for-sysfs-with-privileged-.patch‎
Lines changed: 3 additions & 3 deletions b/‎packages/by-name/kata/runtime/0010-genpolicy-allow-RO-and-RW-for-sysfs-with-privileged-.patch‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎packages/by-name/kata/runtime/0011-genpolicy-don-t-allow-mount-storage-for-declared-VOL.patch‎
Lines changed: 9 additions & 9 deletions b/‎packages/by-name/kata/runtime/0011-genpolicy-don-t-allow-mount-storage-for-declared-VOL.patch‎
Lines changed: 9 additions & 9 deletions
diff --git a/‎packages/by-name/kata/runtime/0012-agent-use-custom-implementation-for-image-pulling.patch‎
Lines changed: 1 addition & 1 deletion b/‎packages/by-name/kata/runtime/0012-agent-use-custom-implementation-for-image-pulling.patch‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/by-name/kata/runtime/0013-agent-use-separate-unix-socket-for-image-pulling.patch‎
Lines changed: 1 addition & 1 deletion b/‎packages/by-name/kata/runtime/0013-agent-use-separate-unix-socket-for-image-pulling.patch‎
Lines changed: 1 addition & 1 deletion
@@ -66,11 +66,11 @@ valid_hypervisor_paths = ["PLACEHOLDER_FOR_DISTRO_QEMU_WITH_TDX_SUPPORT"]
 # may stop the virtual machine from booting.
 # To see the list of default parameters, enable hypervisor debug, create a
 # container and look for 'default-kernel-parameters' log entries.
-kernel_params = "cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1 rootfs_verity.scheme=dm-verity rootfs_verity.hash=9039a1ddadc85236751679de6d4bb224259cab18ab72141bbb788afc16bb4aec"
+kernel_params = "cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1 rootfs_verity.scheme=dm-verity rootfs_verity.hash=47ff03ed804abbe55399b73b220f21e1ac87e27b6e0cd8b8a9f16ea472d1b7f4"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "/opt/kata/share/ovmf/OVMF.fd"
+firmware = "/opt/kata/share/ovmf/OVMF.inteltdx.fd"
 
 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
 
@@ -12,7 +12,7 @@ let
 in
 fetchzip {
   url = "https://github.com/kata-containers/kata-containers/releases/download/${version}/kata-static-${version}-amd64.tar.zst";
-  hash = "sha256-IDQxIyfQspZY12qRIg1kUvfJr7+/pMXAqNkqU9tVfgo=";
+  hash = "sha256-esYl9anGN4KJ3qsxzpvGhfZTFPxJK8tnOyxmv6TGPmg=";
   stripRoot = false;
   nativeBuildInputs = [ zstd ];
 
 
@@ -250,7 +250,7 @@ index abee6de92049bd9dfbdd3437218c6790a247c14d..c014d9e4248174cc3d55f7e28ab1ed87
  # ExecProcessRequest.process.Capabilities
  allow_exec_caps(i_caps) if {
 diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs
-index 7fb078b34043ed6c6cc04c6e4bd8596fa2d46419..c640694c22404b8501f843dfc3dcfb2ee7bd5c6d 100644
+index 776ae3b9bce31e87d7073a7aadeeb2f172593993..a53a4bb9abae414fb5eb47e179aca7ad9f6f7b8f 100644
 --- a/src/tools/genpolicy/src/yaml.rs
 +++ b/src/tools/genpolicy/src/yaml.rs
@@ -321,6 +321,17 @@ pub fn get_container_mounts_and_storages(
 
@@ -23,7 +23,7 @@ Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
  1 file changed, 20 insertions(+)
 
 diff --git a/src/agent/rustjail/src/mount.rs b/src/agent/rustjail/src/mount.rs
-index 27c363bf6ad4e6031ecd012fa388a83c8504e2bb..b38a2a35a3284900615b23c1896bff98f712c11a 100644
+index e0271e53b62a1fe8b063facf8f70a80bd1f71182..6d39c981a9352739a454161e2b2ff0291d7babc4 100644
 --- a/src/agent/rustjail/src/mount.rs
 +++ b/src/agent/rustjail/src/mount.rs
@@ -294,6 +294,26 @@ pub fn init_rootfs(
 
@@ -23,10 +23,10 @@ index c014d9e4248174cc3d55f7e28ab1ed8709d2acf1..aed30f2bbedf6b8bf8bf2732def6d7ca
      is_null(i_linux.IntelRdt)
      is_null(i_linux.Resources.BlockIO)
 diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
-index 04d0ef196a5da3ab56091e94ff6d845a35b29f03..d89d7a961ade93a532b2bdbebdde4d075cf3075b 100644
+index b73470cc0ecfbba96d8a1910bc05aed00c93d2f3..efa1126bf1a39d88bfe9d412b0c62e68dd86b21b 100644
 --- a/src/tools/genpolicy/src/mount_and_storage.rs
 +++ b/src/tools/genpolicy/src/mount_and_storage.rs
-@@ -185,13 +185,19 @@ fn get_empty_dir_mount_and_storage(
+@@ -202,13 +202,19 @@ fn get_empty_dir_mount_and_storage(
          _ => "rw",
      };
 
 
@@ -15,13 +15,13 @@ Signed-off-by: Markus Rudy <mr@edgeless.systems>
  3 files changed, 21 insertions(+), 2 deletions(-)
 
 diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
-index d89d7a961ade93a532b2bdbebdde4d075cf3075b..03c39eba6b2c417df06f8eb4c1d5b8bd134c4f8b 100644
+index efa1126bf1a39d88bfe9d412b0c62e68dd86b21b..5f7127351670b850113a362b601f5dfbb4462cff 100644
 --- a/src/tools/genpolicy/src/mount_and_storage.rs
 +++ b/src/tools/genpolicy/src/mount_and_storage.rs
-@@ -126,7 +126,7 @@ pub fn get_mount_and_storage(
-         }
- 
-         get_empty_dir_mount_and_storage(settings, p_mounts, storages, yaml_mount, volume.unwrap());
+@@ -134,7 +134,7 @@ pub fn get_mount_and_storage(
+             volume.unwrap(),
+             pod_security_context,
+         );
 -    } else if yaml_volume.persistentVolumeClaim.is_some() || yaml_volume.azureFile.is_some() {
 +    } else if yaml_volume.persistentVolumeClaim.is_some() || yaml_volume.azureFile.is_some() || yaml_volume.ephemeral.is_some() {
          get_shared_bind_mount(yaml_mount, p_mounts, "rprivate", "rw");
 
@@ -35,10 +35,10 @@ index aed30f2bbedf6b8bf8bf2732def6d7ca62d66d07..30cbd65f54ee0a5ba6f6f4d2c1a09a01
  mount_source_allows(p_mount, i_mount, bundle_id, sandbox_id) if {
      regex1 := p_mount.source
 diff --git a/src/tools/genpolicy/src/policy.rs b/src/tools/genpolicy/src/policy.rs
-index 7380687554cf9fce492a543a8183cd620c97ad64..f7372000d445667689180d6f71c8e2e9378e36db 100644
+index 957fd85d66ee70b629275fee83045d0bb7f74d25..f1f74e56bb25b83e339d06ee5123b5d4518b762b 100644
 --- a/src/tools/genpolicy/src/policy.rs
 +++ b/src/tools/genpolicy/src/policy.rs
-@@ -654,6 +654,9 @@ impl AgentPolicy {
+@@ -657,6 +657,9 @@ impl AgentPolicy {
          );
 
          let is_privileged = yaml_container.is_privileged();
@@ -48,7 +48,7 @@ index 7380687554cf9fce492a543a8183cd620c97ad64..f7372000d445667689180d6f71c8e2e9
          let process = self.get_container_process(
              resource,
              yaml_container,
-@@ -663,7 +666,7 @@ impl AgentPolicy {
+@@ -666,7 +669,7 @@ impl AgentPolicy {
              is_privileged,
          );
 
 
@@ -35,10 +35,10 @@ index 76ad6bed30c81e131ed637ed1f4e87cf03813d12..88171e1c40f271be9468c6c8b9b87c87
      },
      "device_annotations": {
 diff --git a/src/tools/genpolicy/src/mount_and_storage.rs b/src/tools/genpolicy/src/mount_and_storage.rs
-index 03c39eba6b2c417df06f8eb4c1d5b8bd134c4f8b..acbaef81826caef4aad9ee21d99712c83d6b651a 100644
+index 5f7127351670b850113a362b601f5dfbb4462cff..3186617e07b59e498c5baec763da253fedbe00aa 100644
 --- a/src/tools/genpolicy/src/mount_and_storage.rs
 +++ b/src/tools/genpolicy/src/mount_and_storage.rs
-@@ -370,46 +370,3 @@ fn get_downward_api_mount(yaml_mount: &pod::VolumeMount, p_mounts: &mut Vec<poli
+@@ -387,46 +387,3 @@ fn get_downward_api_mount(yaml_mount: &pod::VolumeMount, p_mounts: &mut Vec<poli
          });
      }
  }
@@ -86,7 +86,7 @@ index 03c39eba6b2c417df06f8eb4c1d5b8bd134c4f8b..acbaef81826caef4aad9ee21d99712c8
 -    });
 -}
 diff --git a/src/tools/genpolicy/src/settings.rs b/src/tools/genpolicy/src/settings.rs
-index d839812b5b0f1b4a4419d8b884ff890d101c31a1..14c09aaefebf0a8594aa2b904cab6bfae39f2a9e 100644
+index 65e1b82857282618cfb0719ef3fe9bd87760d333..21a02a483499a68513a6b86db042631d37c4d9db 100644
 --- a/src/tools/genpolicy/src/settings.rs
 +++ b/src/tools/genpolicy/src/settings.rs
@@ -34,7 +34,6 @@ pub struct Volumes {
@@ -98,28 +98,28 @@ index d839812b5b0f1b4a4419d8b884ff890d101c31a1..14c09aaefebf0a8594aa2b904cab6bfa
 
  /// EmptyDir volume settings loaded from genpolicy-settings.json.
 diff --git a/src/tools/genpolicy/src/yaml.rs b/src/tools/genpolicy/src/yaml.rs
-index c640694c22404b8501f843dfc3dcfb2ee7bd5c6d..25b67abec217316e22b337f5dfcae88f3b345034 100644
+index a53a4bb9abae414fb5eb47e179aca7ad9f6f7b8f..55ac5afdf809297213414394e15183d63b45c8f4 100644
 --- a/src/tools/genpolicy/src/yaml.rs
 +++ b/src/tools/genpolicy/src/yaml.rs
-@@ -28,6 +28,7 @@ use crate::volume;
+@@ -27,6 +27,7 @@ use crate::utils::Config;
  use async_trait::async_trait;
  use core::fmt::Debug;
  use kata_types::annotations::KATA_ANNO_CFG_HYPERVISOR_INIT_DATA;
 +use std::collections::BTreeSet;
  use log::debug;
  use protocols::agent;
  use serde::{Deserialize, Serialize};
-@@ -294,6 +295,7 @@ pub fn get_container_mounts_and_storages(
+@@ -293,6 +294,7 @@ pub fn get_container_mounts_and_storages(
      settings: &settings::Settings,
-     volumes_option: &Option<Vec<volume::Volume>>,
+     podSpec: &pod::PodSpec,
  ) {
 +    let mut mountPaths = BTreeSet::new();
-     if let Some(volumes) = volumes_option {
+     if let Some(volumes) = &podSpec.volumes {
          if let Some(volume_mounts) = &container.volumeMounts {
              for volume in volumes {
@@ -306,19 +308,19 @@ pub fn get_container_mounts_and_storages(
-                             volume,
                              volume_mount,
+                             &podSpec.securityContext,
                          );
 +                        mountPaths.insert(volume_mount.mountPath.clone());
                      }
 
@@ -9,7 +9,7 @@ Signed-off-by: Charlotte Hartmann Paludo <git@charlotteharludo.com>
  1 file changed, 22 insertions(+), 8 deletions(-)
 
 diff --git a/src/agent/src/confidential_data_hub/mod.rs b/src/agent/src/confidential_data_hub/mod.rs
-index 85b47c682d3bb18b5ce77d6715e8819c200499c6..c27294b5f9dae13fb2e0a02d3a6d979a6b660439 100644
+index 24879f81e9996d3646fc93d7f09d3ddfff42434b..943e24e2407c6db183944c98429f082a7999ce7a 100644
 --- a/src/agent/src/confidential_data_hub/mod.rs
 +++ b/src/agent/src/confidential_data_hub/mod.rs
@@ -8,7 +8,7 @@
 
@@ -9,7 +9,7 @@ Signed-off-by: Charlotte Hartmann Paludo <git@charlotteharludo.com>
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/src/agent/src/confidential_data_hub/mod.rs b/src/agent/src/confidential_data_hub/mod.rs
-index c27294b5f9dae13fb2e0a02d3a6d979a6b660439..6a486fe183fb51670ab39cb67f5bae039640d5d6 100644
+index 943e24e2407c6db183944c98429f082a7999ce7a..64db843a5953e7176420274bc65b99974534e407 100644
 --- a/src/agent/src/confidential_data_hub/mod.rs
 +++ b/src/agent/src/confidential_data_hub/mod.rs
@@ -191,7 +191,9 @@ pub async fn pull_image(image: &str, bundle_path: PathBuf) -> Result<String> {