diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index a494cb440..22940ee99 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -16,6 +16,7 @@ AGENT_VERSION=${AGENT_VERSION:-} RUST_VERSION="null" AGENT_BIN=${AGENT_BIN:-kata-agent} AGENT_INIT=${AGENT_INIT:-no} +MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""} OSBUILDER_VERSION="unknown" DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc} @@ -434,6 +435,7 @@ build_rootfs_distro() --env AGENT_INIT="${AGENT_INIT}" \ --env ARCH="${ARCH}" \ --env CI="${CI}" \ + --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \ --env KERNEL_MODULES_DIR="${KERNEL_MODULES_DIR}" \ --env LIBC="${LIBC}" \ --env EXTRA_PKGS="${EXTRA_PKGS}" \ diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh index ec5dfafd6..02d93e7dd 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh @@ -7,6 +7,7 @@ OS_NAME=ubuntu OS_VERSION=${OS_VERSION:-focal} PACKAGES="chrony iptables dbus" [ "$AGENT_INIT" = no ] && PACKAGES+=" init" +[ "$MEASURED_ROOTFS" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs" [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp2" REPO_URL=http://ports.ubuntu.com diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 6464c8722..11589c88a 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -64,6 +64,7 @@ docker run \ --env SHIM_V2_CONTAINER_BUILDER="${SHIM_V2_CONTAINER_BUILDER:-}" \ --env TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER:-}" \ --env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}" \ + --env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \ --rm \ -w ${script_dir} \ build-kata-deploy "${kata_deploy_create}" $@ diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh index 17ee523e6..6b42be119 100755 --- a/tools/packaging/kernel/build-kernel.sh +++ b/tools/packaging/kernel/build-kernel.sh @@ -270,6 +270,10 @@ get_kernel_frag_path() { fi if [[ "${conf_guest}" != "" ]];then + info "Enabling config for confidential guest trust storage protection" + local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)" + all_configs="${all_configs} ${cryptsetup_configs}" + info "Enabling config for '${conf_guest}' confidential guest protection" local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)" all_configs="${all_configs} ${conf_configs}" diff --git a/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf b/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf new file mode 100644 index 000000000..a3e04e9b1 --- /dev/null +++ b/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf @@ -0,0 +1,21 @@ +CONFIG_MD=y +CONFIG_BLK_DEV_DM_BUILTIN=y +CONFIG_BLK_DEV_DM=y +CONFIG_DM_CRYPT=y +CONFIG_DM_VERITY=y +CONFIG_DM_INTEGRITY=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_ESSIV=y +CONFIG_CRYPTO_XTS=y +CONFIG_CRYPTO_HMAC=y diff --git a/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf b/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf new file mode 100644 index 000000000..5cd7070f3 --- /dev/null +++ b/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf @@ -0,0 +1,3 @@ +# x86 cryptographic instructions to improve AES encryption and SHA256 hashing. +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_AES_NI_INTEL=y diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version index e34885bbc..3b20426c0 100644 --- a/tools/packaging/kernel/kata_config_version +++ b/tools/packaging/kernel/kata_config_version @@ -1 +1 @@ -107 +108