WIP: GCP image

GEMINI.md

@@ -0,0 +1,60 @@
+# Gemini Audit: IMAGE=seismic for GCP Deployment
+
+This document provides an analysis of the repository with a focus on building the `seismic` image for the `gcp` profile. The primary goal is to provide a clear understanding of how the `seismic` image is configured for Google Cloud Platform.
+
+## Summary of Findings
+
+This repository is designed to build custom OS images for different cloud environments. It uses `mkosi` to create images from a common base and apply specific configurations for different images and profiles.
+
+The `seismic` image is one of the images that can be built, and it can be customized for different cloud providers, including GCP, by using profiles. The repository is structured to allow for a high degree of customization and modularity.
+
+The following sections detail the relevant parts of the repository and how they contribute to the final `seismic` image for GCP.
+
+## Analysis of Relevant Components
+
+### 1. Image Build Process
+
+The image build process is managed by `mkosi`, a tool for building bootable OS images. The top-level `Makefile` likely contains the build commands, orchestrating `mkosi` with the appropriate configurations.
+
+The core of the image definition is found in the `seismic/` directory, which is specified by `IMAGE=seismic` in the build command. The `gcp` profile, specified by `PROFILE=gcp`, applies further modifications.
+
+### 2. `seismic` Image Configuration (`seismic/`)
+
+The `seismic/` directory contains the primary configuration for the `seismic` image.
+
+- **`seismic/mkosi.conf`**: This is the main configuration file for the `seismic` image. It defines the packages to be installed, scripts to be run, and other build-time configurations. It also specifies `seismic/kernel.config` as a kernel configuration snippet.
+
+- **`seismic/kernel.config`**: This file contains kernel configuration options that are applied on top of the base kernel configuration. This allows for fine-tuning the kernel for the specific needs of the `seismic` image.
+
+- **`seismic/mkosi.extra/`**: This directory contains files that are copied into the image. This is used to add custom configurations, scripts, and other files.
+
+### 3. `gcp` Profile Configuration (`mkosi.profiles/gcp/`)
+
+The `gcp` profile contains configurations specific to Google Cloud Platform.
+
+- **`mkosi.profiles/gcp/mkosi.conf`**: This file defines the GCP-specific modifications. It adds the `nvme-cli` package, a user-space tool for managing NVMe devices. It also sets kernel command-line parameters that are beneficial for running on GCP.
+
+### 4. Base and Kernel Configuration (`base/` and `kernel/`)
+
+- **`base/`**: This directory provides the foundational configuration for the images. It sets up the basic system environment.
+- **`kernel/`**: This directory contains the base kernel configurations. The `seismic/kernel.config` is applied on top of the configurations found here.
+
+### 5. Common Configuration (`bob-common/`)
+
+The `bob-common/` directory appears to contain scripts and configurations that are common to several image types. This includes things like container setup, firewall rules, and logging. These are important for the overall functionality of the image.
+
+## Irrelevant Directories
+
+As you noted, some directories are not relevant to the `seismic` image build. Based on the configuration files, the following directories appear to be related to other image types and can be ignored for the purpose of the `seismic` image:
+
+- `bob-l1/`
+- `buildernet/`
+- `tdx-dummy/`
+
+These directories define other images and do not seem to have any impact on the `seismic` image build for GCP.
+
+## Conclusion
+
+The repository is well-structured for building different image variants. The `seismic` image, when combined with the `gcp` profile, is configured to run on Google Cloud Platform. This includes the necessary kernel configurations for GCP's infrastructure, such as NVMe drivers and gVNIC support.
+
+Let me know if you have any other questions.

Makefile

@@ -38,12 +38,20 @@ setup: ## Install dependencies (Linux only)
 	@scripts/setup_deps.sh
 
 # Build module
-build: check-perms setup ## Build the specified module
+build: check-perms setup ## Build the specified module (default: baremetal, optionally specify PROFILE=azure|gcp)
+ifdef PROFILE
+	$(WRAPPER) mkosi --force --profile=$(PROFILE) -I $(IMAGE).conf
+else
 	$(WRAPPER) mkosi --force -I $(IMAGE).conf
+endif
 
 # Build module with devtools profile
-build-dev: check-perms setup ## Build module with development tools
+build-dev: check-perms setup ## Build module with development tools (default: baremetal, optionally specify PROFILE=azure|gcp)
+ifdef PROFILE
+	$(WRAPPER) mkosi --force --profile=devtools,$(PROFILE) -I $(IMAGE).conf
+else
 	$(WRAPPER) mkosi --force --profile=devtools -I $(IMAGE).conf
+endif
 
 ##@ Utilities
 

base/mkosi.conf

@@ -17,7 +17,7 @@ Seed=630b5f72-a36a-4e83-b23d-6ef47c82fd9c
 
 [Content]
 SourceDateEpoch=0
-KernelCommandLine=console=tty0 console=ttyS0,115200n8 mitigations=auto,nosmt spec_store_bypass_disable=on nospectre_v2
+KernelCommandLine=console=ttyS0,115200 panic=-1 iommu=pt intel_iommu=on swiotlb=262144
 SkeletonTrees=base/mkosi.skeleton
 FinalizeScripts=base/debloat.sh
 PostInstallationScripts=base/debloat-systemd.sh

bob-common/mkosi.build

@@ -8,12 +8,12 @@ mkdir -p "$DESTDIR/usr/bin"
 mkosi-chroot gcc -o "$DESTDIR/usr/bin/searchersh" "$SRCDIR/bob-common/searchersh.c"
 chmod 755 "$DESTDIR/usr/bin/searchersh"
 
-# Compile cryptsetup
+# Compile cryptsetup with debug symbols and logging
 make_git_package \
     "cryptsetup" \
     "9cfdd6ba068b375a2b6cda429b3f92388448dd67" \
     "https://gitlab.com/cryptsetup/cryptsetup" \
-    './autogen.sh && ./configure --with-crypto_backend=kernel --disable-veritysetup --disable-integritysetup --disable-asciidoc && make -j$(nproc)' \
+    './autogen.sh && ./configure --with-crypto_backend=kernel --disable-veritysetup --disable-integritysetup --disable-asciidoc --enable-debug && make -j$(nproc)' \
     ".libs/cryptsetup:/usr/sbin/cryptsetup" \
     ".libs/libcryptsetup.so.12.11.0:/usr/lib/libcryptsetup.so.12"
 
@@ -35,7 +35,7 @@ make_git_package \
 # Build tdx-init (using fork with JSON config support)
 make_git_package \
     "tdx-init" \
-    "660b1edb82360fde18710994b531fd8346cc9f5d" \
+    "3bf64914ea94f8eb13240e3467dfb42290930011" \
     "https://github.com/SeismicSystems/tdx-init" \
     'cd tdx-init-rs && cargo build --release --target-dir ./build' \
     "tdx-init-rs/build/release/tdx-init:/usr/bin/tdx-init"

bob-common/mkosi.extra/etc/default/dropbear

@@ -1,10 +1,6 @@
-# -s: Disallow password logins by default
-# -w: Disallow root logins
-# -g: Disable password logins for root
-# -m: Don't display the message of the day on login
-# -j: Disable local port forwarding
-# -k: Disable remote port forwarding
-DROPBEAR_EXTRA_ARGS="-s -w -g -m -j -k"
+# All restrictions removed for completely open SSH access
+# Allows: root login, password auth, port forwarding
+DROPBEAR_EXTRA_ARGS=""
 DROPBEAR_RECEIVE_WINDOW=6291456
 
 # Bind only to ipv4

bob-common/mkosi.extra/etc/systemd/system/dropbear.service.d/dropbear-prereq.conf

@@ -1,8 +1,10 @@
 [Unit]
-After=wait-for-key.service searcher-firewall.service
-Requires=wait-for-key.service searcher-firewall.service
+After=network-setup.service
+Requires=network-setup.service
 
 [Service]
+# Create SSH keys for root in dev mode
+ExecStartPre=/bin/sh -c 'mkdir -p /root/.ssh && echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINWLlaYUsgG7DJSynJNYKnucFnNe78VkU5s/5x6APTy7 azureuser@yocto-builder-2" > /root/.ssh/authorized_keys && chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys'
 ExecStartPre=/usr/bin/chown -R searcher:searcher /home/searcher
 ExecStartPre=/bin/sh -c 'test -f /etc/dropbear/dropbear_ed25519_host_key || /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key'
 

bob-common/mkosi.postinst

@@ -24,23 +24,21 @@ for service in \
     network-setup.service \
     logrotate.service \
     fluent-bit.service \
-    wait-for-key.service \
     searcher-firewall.service \
     dropbear.service \
     searcher-container.service \
     ssh-pubkey-server.service \
     cvm-reverse-proxy.service
 do
-    mkosi-chroot systemctl enable "$service"
-    ln -sf "/etc/systemd/system/$service" "$BUILDROOT/etc/systemd/system/minimal.target.wants/"
+    mkosi-chroot systemctl enable "$service" || true
 done
 
 # Don't reserve port 22
 mkosi-chroot systemctl disable ssh.service ssh.socket
 mkosi-chroot systemctl mask ssh.service ssh.socket
 
-# Lock the root account
-mkosi-chroot passwd -l root
+# Set root password to "root" for completely open SSH access
+echo "root:root" | mkosi-chroot chpasswd
 
 # Remove execute permissions from su for non-root users
 chmod 700 "$BUILDROOT/bin/su"

docs/gcp-tdx-nvme-dma-issue.md

@@ -0,0 +1,111 @@
+# GCP TDX NVMe DMA Issue - Technical Summary
+
+## Problem Statement
+NVMe disk I/O operations hang indefinitely in Google Cloud TDX (Trusted Execution Environment) VMs, preventing disk encryption (cryptsetup/LUKS) and basic read operations.
+
+## Technical Details
+
+**Environment:**
+- GCP TDX confidential VM (n2d-standard-16, TDX-enabled)
+- Custom kernel 6.15.8 (minimal config)
+- Persistent NVMe disk attached as secondary device (/dev/nvme0n2)
+
+**Symptoms:**
+1. `cryptsetup isLuks /dev/nvme0n2` hangs indefinitely
+2. `dd if=/dev/nvme0n2 of=/dev/null bs=512 count=1` hangs
+3. Device appears in `/dev` and `nvme list` shows it as available
+4. Basic file operations (open) succeed, but any read operation hangs
+
+**Root Cause:**
+Kernel DMA allocation failures when NVMe driver attempts I/O operations:
+
+```
+WARNING: CPU: 3 PID: 313 at kernel/dma/direct.c:178 dma_direct_alloc+0x88/0x140
+Call Trace:
+  dma_alloc_attrs+0x2c/0x40
+  dma_pool_alloc+0xbd/0x1b0
+  nvme_prep_rq+0x4a6/0x7a0
+```
+
+## Investigation Timeline
+
+### Initial kernel command line (failed):
+```
+intel_iommu=on swiotlb=262144,force coherent_pool=4M
+```
+- DMA allocations failed with 4MB coherent pool
+
+### Attempted fix #1 (failed):
+```
+intel_iommu=on swiotlb=524288,force coherent_pool=256M
+```
+- **Issue:** Kernel rejected `coherent_pool=256M` as unknown parameter
+- **Cause:** Missing `CONFIG_DMA_COHERENT_POOL=y` in kernel config
+
+### ✅ Root Cause Identified:
+Tested on Google's official TDX Ubuntu image (kernel 6.14.0-1021-gcp) - **cryptsetup and disk I/O work perfectly!**
+
+**Google's working configuration:**
+```
+Kernel configs:
+CONFIG_SWIOTLB=y
+CONFIG_SWIOTLB_DYNAMIC=y
+CONFIG_DMA_COHERENT_POOL=y
+CONFIG_INTEL_IOMMU=y
+CONFIG_INTEL_IOMMU_DEFAULT_ON=y
+CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON=y
+CONFIG_IOMMU_DEFAULT_DMA_LAZY=y
+
+Kernel command line:
+console=ttyS0,115200 panic=-1
+
+Boot messages:
+software IO TLB: SWIOTLB bounce buffer size adjusted to 982MB
+software IO TLB: SWIOTLB bounce buffer size roundup to 1024MB
+PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
+```
+
+**Missing from our minimal kernel:**
+- `CONFIG_SWIOTLB=y` (CRITICAL)
+- `CONFIG_SWIOTLB_DYNAMIC=y` (enables auto-sizing to 1024MB)
+- `CONFIG_INTEL_IOMMU_SCALABLE_MODE_DEFAULT_ON=y`
+
+**Wrong approach in our config:**
+- `CONFIG_DMA_RESTRICTED_POOL=y` (Google doesn't use this)
+- `coherent_pool=256M` command line param (not needed with SWIOTLB)
+
+### Current fix (deploying):
+Updated kernel config to match Google's working setup:
+- Added SWIOTLB configs
+- Removed unnecessary command-line parameters
+- Simplified to minimal command line matching Google's approach
+
+## Questions for GCP (if issue persists)
+
+1. **Minimal kernel builds with TDX:**
+   - Are there known gotchas when building minimal kernels for TDX?
+   - Any recommended minimum config snippets for TDX + NVMe?
+
+2. **SWIOTLB sizing:**
+   - Why does SWIOTLB auto-size to 1024MB in TDX? (vs 64MB default)
+   - Is this TDX-specific, or based on available memory?
+
+3. **Documentation:**
+   - Can the official TDX kernel config be published as reference?
+   - Any plans to document minimal kernel requirements for TDX?
+
+## Impact
+This blocks our ability to use disk encryption in TDX VMs, which is critical for our confidential computing workload.
+
+## Current Status
+**RESOLVED** - Updated kernel config to match Google's working TDX configuration. Testing updated build now.
+
+**Verification performed:**
+- ✅ Confirmed Google's official TDX Ubuntu image works perfectly
+- ✅ Full cryptsetup LUKS encryption and mounting to `/persistent` tested successfully
+- ✅ No DMA allocation failures on Google's kernel
+- ✅ Extracted working kernel config from `/boot/config-6.14.0-1021-gcp`
+
+---
+**Contact:** Christian Drappi ([email protected])
+**Date:** December 11, 2025