From 31c0ad207653c15998a3ef41316528231ec44312 Mon Sep 17 00:00:00 2001 From: Arron Wang Date: Wed, 4 May 2022 16:35:49 +0800 Subject: [PATCH 1/6] packaging: Add cryptsetup support in Guest kernel and rootfs Add required kernel config for dm-crypt/dm-integrity/dm-verity and related crypto config. Add userspace command line tools for disk encryption support and ext4 file system utilities. Fixes: #6674 Signed-off-by: Arron Wang --- tools/osbuilder/rootfs-builder/rootfs.sh | 2 ++ .../osbuilder/rootfs-builder/ubuntu/config.sh | 1 + .../kata-deploy-binaries-in-docker.sh | 1 + tools/packaging/kernel/build-kernel.sh | 4 ++++ .../confidential_containers/cryptsetup.conf | 21 +++++++++++++++++++ .../configs/fragments/x86_64/crypto.conf | 3 +++ tools/packaging/kernel/kata_config_version | 2 +- 7 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf create mode 100644 tools/packaging/kernel/configs/fragments/x86_64/crypto.conf diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index a494cb440..22940ee99 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -16,6 +16,7 @@ AGENT_VERSION=${AGENT_VERSION:-} RUST_VERSION="null" AGENT_BIN=${AGENT_BIN:-kata-agent} AGENT_INIT=${AGENT_INIT:-no} +MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""} OSBUILDER_VERSION="unknown" DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc} @@ -434,6 +435,7 @@ build_rootfs_distro() --env AGENT_INIT="${AGENT_INIT}" \ --env ARCH="${ARCH}" \ --env CI="${CI}" \ + --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \ --env KERNEL_MODULES_DIR="${KERNEL_MODULES_DIR}" \ --env LIBC="${LIBC}" \ --env EXTRA_PKGS="${EXTRA_PKGS}" \ diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh index ec5dfafd6..02d93e7dd 100644 
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh @@ -7,6 +7,7 @@ OS_NAME=ubuntu OS_VERSION=${OS_VERSION:-focal} PACKAGES="chrony iptables dbus" [ "$AGENT_INIT" = no ] && PACKAGES+=" init" +[ "$MEASURED_ROOTFS" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs" [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp2" REPO_URL=http://ports.ubuntu.com diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 6464c8722..11589c88a 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh @@ -64,6 +64,7 @@ docker run \ --env SHIM_V2_CONTAINER_BUILDER="${SHIM_V2_CONTAINER_BUILDER:-}" \ --env TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER:-}" \ --env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}" \ + --env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \ --rm \ -w ${script_dir} \ build-kata-deploy "${kata_deploy_create}" $@ diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh index 17ee523e6..6b42be119 100755 --- a/tools/packaging/kernel/build-kernel.sh +++ b/tools/packaging/kernel/build-kernel.sh @@ -270,6 +270,10 @@ get_kernel_frag_path() { fi if [[ "${conf_guest}" != "" ]];then + info "Enabling config for confidential guest trust storage protection" + local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)" + all_configs="${all_configs} ${cryptsetup_configs}" + info "Enabling config for '${conf_guest}' confidential guest protection" local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)" all_configs="${all_configs} ${conf_configs}" 
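Review bot: `local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)"` spawns `ls` on a single fixed path with the expansion unquoted, and `local` masks the command status under `set -e`, so a missing fragment is logged as an `ls` error while the build continues without the dm-crypt/dm-verity options it was meant to enable. Since the path is already known, assign it directly and check it: `local cryptsetup_configs="${common_path}/confidential_containers/cryptsetup.conf"` followed by `[ -f "${cryptsetup_configs}" ] || die "missing kernel fragment ${cryptsetup_configs}"` (`die` as provided by the sourced lib.sh). get_kernel_frag_path starts and ends outside the hunk.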
diff --git a/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf b/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf new file mode 100644 index 000000000..a3e04e9b1 --- /dev/null +++ b/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf @@ -0,0 +1,21 @@ +CONFIG_MD=y +CONFIG_BLK_DEV_DM_BUILTIN=y +CONFIG_BLK_DEV_DM=y +CONFIG_DM_CRYPT=y +CONFIG_DM_VERITY=y +CONFIG_DM_INTEGRITY=y +CONFIG_CRYPTO_AEAD=y +CONFIG_CRYPTO_AEAD2=y +CONFIG_CRYPTO_AKCIPHER2=y +CONFIG_CRYPTO_KPP2=y +CONFIG_CRYPTO_MANAGER=y +CONFIG_CRYPTO_MANAGER2=y +CONFIG_CRYPTO_USER=y +CONFIG_CRYPTO_NULL=y +CONFIG_CRYPTO_NULL2=y +CONFIG_CRYPTO_CRYPTD=y +CONFIG_CRYPTO_AUTHENC=y +CONFIG_CRYPTO_CBC=y +CONFIG_CRYPTO_ESSIV=y +CONFIG_CRYPTO_XTS=y +CONFIG_CRYPTO_HMAC=y diff --git a/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf b/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf new file mode 100644 index 000000000..5cd7070f3 --- /dev/null +++ b/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf @@ -0,0 +1,3 @@ +# x86 cryptographic instructions to improve AES encryption and SHA256 hashing. +CONFIG_CRYPTO_SHA256_SSSE3=y +CONFIG_CRYPTO_AES_NI_INTEL=y diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version index e34885bbc..3b20426c0 100644 --- a/tools/packaging/kernel/kata_config_version +++ b/tools/packaging/kernel/kata_config_version @@ -1 +1 @@ -107 +108 From 5cb02a80670e6f19da4da937f5f26f8f54051ff0 Mon Sep 17 00:00:00 2001 From: "Wang, Arron" Date: Tue, 23 Aug 2022 17:21:07 +0800 Subject: [PATCH 2/6] image-build: generate root hash as an separate partition for rootfs Generate rootfs hash data during creating the kata rootfs, current kata image only have one partition, we add another partition as hash device to save hash data of rootfs data blocks. Fixes: #6674 
Signed-off-by: Wang, Arron --- tools/osbuilder/image-builder/Dockerfile | 1 + .../osbuilder/image-builder/image_builder.sh | 22 ++++++++++++++++++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/tools/osbuilder/image-builder/Dockerfile b/tools/osbuilder/image-builder/Dockerfile index 87f1e570f..fcfa5ac20 100644 --- a/tools/osbuilder/image-builder/Dockerfile +++ b/tools/osbuilder/image-builder/Dockerfile @@ -14,5 +14,6 @@ RUN ([ -n "$http_proxy" ] && \ gdisk \ parted \ qemu-img \ + veritysetup \ xfsprogs && \ dnf clean all diff --git a/tools/osbuilder/image-builder/image_builder.sh b/tools/osbuilder/image-builder/image_builder.sh index 2ae656b94..3e7f0babc 100755 --- a/tools/osbuilder/image-builder/image_builder.sh +++ b/tools/osbuilder/image-builder/image_builder.sh @@ -11,6 +11,7 @@ set -o errexit set -o pipefail DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc} +MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} readonly script_name="${0##*/}" readonly script_dir=$(dirname "$(readlink -f "$0")") @@ -185,6 +186,7 @@ build_with_container() { --env BLOCK_SIZE="${block_size}" \ --env ROOT_FREE_SPACE="${root_free_space}" \ --env NSDAX_BIN="${nsdax_bin}" \ + --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \ --env SELINUX="${SELINUX}" \ --env DEBUG="${DEBUG}" \ -v /dev:/dev \ 
@@ -391,9 +393,21 @@ create_disk() { # Kata runtime expect an image with just one partition # The partition is the rootfs content info "Creating partitions" + + if [ "${MEASURED_ROOTFS}" == "yes" ]; then + info "Creating partitions with hash device" + # The hash data will take less than one percent disk space to store + hash_start=$(echo $img_size | awk '{print $1 * 0.99}' |cut -d $(locale decimal_point) -f 1) + partition_param="mkpart primary ${fs_type} ${part_start}M ${hash_start}M " + partition_param+="mkpart primary ${fs_type} ${hash_start}M ${rootfs_end}M " + partition_param+="set 1 boot on" + else + partition_param="mkpart primary ${fs_type} ${part_start}M ${rootfs_end}M" + fi + parted -s -a optimal "${image}" -- \ mklabel msdos \ - mkpart primary "${fs_type}" "${part_start}"M "${rootfs_end}"M + "${partition_param}" OK "Partitions created" } @@ -490,6 +504,12 @@ create_rootfs_image() { fsck.ext4 -D -y "${device}p1" fi + if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -b "${device}p2" ]; then + info "veritysetup format rootfs device: ${device}p1, hash device: ${device}p2" + local image_dir=$(dirname "${image}") + veritysetup format "${device}p1" "${device}p2" > "${image_dir}"/root_hash.txt 2>&1 + fi + losetup -d "${device}" rm -rf "${mount_dir}" } From 28b2645624e86abedc9158c6261f1859a70611c8 Mon Sep 17 00:00:00 2001 From: "Wang, Arron" Date: Thu, 1 Sep 2022 13:02:22 +0800 Subject: [PATCH 3/6] initramfs: Add build script to generate initramfs The init.sh in initramfs will parse the verity scheme, roothash, root device and setup the root device accordingly. Fixes: #6674 
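Review bot: The hash partition boundary in create_disk is computed with `echo $img_size | awk '{print $1 * 0.99}' | cut -d $(locale decimal_point) -f 1`, which depends on awk's locale-formatted float output and leaves both expansions unquoted; if img_size is the integer MiB count the surrounding `${rootfs_end}M` arguments suggest, `hash_start=$(( img_size - img_size / 100 ))` is equivalent and locale-independent. Nothing verifies that the verity hash tree fits in the remaining ~1% or that the filesystem later written to p1 was sized for the now-smaller partition, so the assumption deserves a comment such as `# dm-verity hash tree is ~1/128 of the data size, so 1% suffices — revisit if block size or hash algorithm changes`. The whole parted command string is passed as one quoted word, `"${partition_param}"`, which relies on parted splitting the argument itself; an array (`partition_param=(mkpart primary "${fs_type}" ...)` expanded as `"${partition_param[@]}"`) would be the clearer form. create_disk's body starts outside the hunk.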
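Review bot: With `MEASURED_ROOTFS=yes`, a missing `${device}p2` makes the `[ -b "${device}p2" ]` test silently skip `veritysetup format`, so the build emits an image with no hash data and no root_hash.txt while every caller assumes it is measured; fail closed instead with `[ -b "${device}p2" ] || die "MEASURED_ROOTFS=yes but hash device ${device}p2 not found"` (or the script's equivalent error helper). The redirection `> "${image_dir}"/root_hash.txt 2>&1` also writes veritysetup's warnings into the file that is later parsed for the root hash; drop the `2>&1` so only the formatted output lands there. `local image_dir=$(dirname "${image}")` masks dirname's status under errexit, so split the declaration from the assignment. create_rootfs_image's body starts outside the hunk.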
Signed-off-by: Wang, Arron --- .../local-build/kata-deploy-binaries.sh | 7 +++ .../static-build/initramfs/Dockerfile | 38 +++++++++++++ .../static-build/initramfs/build-initramfs.sh | 55 +++++++++++++++++++ .../packaging/static-build/initramfs/build.sh | 46 ++++++++++++++++ .../packaging/static-build/initramfs/init.sh | 44 +++++++++++++++ .../static-build/initramfs/initramfs.list | 21 +++++++ versions.yaml | 10 ++++ 7 files changed, 221 insertions(+) create mode 100644 tools/packaging/static-build/initramfs/Dockerfile create mode 100755 tools/packaging/static-build/initramfs/build-initramfs.sh create mode 100755 tools/packaging/static-build/initramfs/build.sh create mode 100755 tools/packaging/static-build/initramfs/init.sh create mode 100644 tools/packaging/static-build/initramfs/initramfs.list diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 877576ca6..e80972f35 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -24,6 +24,7 @@ readonly versions_yaml="${repo_root_dir}/versions.yaml" readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh" readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh" +readonly initramfs_builder="${static_build_dir}/initramfs/build.sh" readonly kernel_builder="${static_build_dir}/kernel/build.sh" readonly ovmf_builder="${static_build_dir}/ovmf/build.sh" readonly qemu_builder="${static_build_dir}/qemu/build-static-qemu.sh" @@ -38,6 +39,7 @@ readonly jenkins_url="http://jenkins.katacontainers.io" readonly cached_artifacts_path="lastSuccessfulBuild/artifact/artifacts" ARCH=$(uname -m) +MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} workdir="${WORKDIR:-$PWD}" 
@@ -241,6 +243,11 @@ install_kernel_helper() { install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0 + if [ "${MEASURED_ROOTFS}" == "yes" ]; then + info "build initramfs for cc kernel" + "${initramfs_builder}" + fi + info "build ${kernel_name}" info "Kernel version ${kernel_version}" DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" ${extra_cmd} diff --git a/tools/packaging/static-build/initramfs/Dockerfile b/tools/packaging/static-build/initramfs/Dockerfile new file mode 100644 index 000000000..3ebe0f347 --- /dev/null +++ b/tools/packaging/static-build/initramfs/Dockerfile @@ -0,0 +1,38 @@ +# Copyright (c) 2022 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 +from ubuntu:20.04 + +ARG DEBIAN_FRONTEND=noninteractive +ENV TZ=UTC +RUN apt-get update &&\ + apt-get --no-install-recommends install -y software-properties-common &&\ + add-apt-repository ppa:git-core/ppa -y &&\ + apt-get update && apt-get upgrade -y && \ + apt-get --no-install-recommends install -y \ + apt-utils \ + asciidoctor \ + autoconf \ + autopoint \ + automake \ + busybox-static \ + ca-certificates \ + curl \ + gcc \ + gettext \ + git \ + libaio-dev \ + libblkid-dev \ + libselinux1-dev \ + libtool \ + libpopt-dev \ + libjson-c-dev \ + libssl-dev \ + make \ + ninja-build \ + pkg-config \ + uuid-dev \ + libseccomp-dev \ + libseccomp2 \ + zlib1g-dev &&\ + apt-get clean && rm -rf /var/lib/apt/lists/ diff --git a/tools/packaging/static-build/initramfs/build-initramfs.sh b/tools/packaging/static-build/initramfs/build-initramfs.sh new file mode 100755 index 000000000..a011e9822 --- /dev/null +++ b/tools/packaging/static-build/initramfs/build-initramfs.sh 
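Review bot: The `install_cached_kernel_tarball_component ... && return 0` shortcut runs before the new `MEASURED_ROOTFS` block, so a cached kernel built without the embedded initramfs can be returned when a measured kernel was requested, unless the cache identity already includes MEASURED_ROOTFS (not visible here). Either move the initramfs build and the measured flag into the cache key, or build the initramfs before consulting the cache, so cached and fresh results are equivalent. The log line would be clearer as `info "Building initramfs for measured rootfs (MEASURED_ROOTFS=yes)"`. install_kernel_helper starts outside the hunk.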
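Review bot: The builder image starts `from ubuntu:20.04` with no digest pin and adds the third-party `ppa:git-core/ppa` before `apt-get upgrade -y`, so the toolchain that produces the initramfs embedded in a measured kernel is resolved from mutable sources at every build. Unless a git newer than focal's is actually required for `git sparse-checkout`, drop the PPA, and pin the base with `FROM ubuntu:20.04@sha256:<digest-from-a-known-good-pull>` so the measured artifact is reproducible. `from` is also lowercase while `ARG`, `ENV` and `RUN` are uppercase; use `FROM`.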
@@ -0,0 +1,55 @@
+#!/bin/bash
+#
+# Copyright (c) 2022 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${script_dir}/../../scripts/lib.sh"
+install_dir="${1:-.}"
+
+cryptsetup_repo="${cryptsetup_repo:-}"
+cryptsetup_version="${cryptsetup_version:-}"
+lvm2_repo="${lvm2_repo:-}"
+lvm2_version="${lvm2_version:-}"
+
+[ -n "${cryptsetup_repo}" ] || die "Failed to get cryptsetup repo"
+[ -n "${cryptsetup_version}" ] || die "Failed to get cryptsetup version"
+[ -n "${lvm2_repo}" ] || die "Failed to get lvm2 repo"
+[ -n "${lvm2_version}" ] || die "Failed to get lvm2 version"
+
+build_root=$(mktemp -d)
+pushd ${build_root}
+
+info "Build ${lvm2_repo} version: ${lvm2_version}"
+git clone --depth 1 --branch "${lvm2_version}" "${lvm2_repo}" lvm2
+pushd lvm2
+./configure --enable-static_link --disable-selinux
+make && make install
+cp ./libdm/libdevmapper.pc /usr/lib/pkgconfig/devmapper.pc
+popd #lvm2
+
+info "Build ${cryptsetup_repo} version: ${cryptsetup_version}"
+git clone --depth 1 --branch "${cryptsetup_version}" "${cryptsetup_repo}" cryptsetup
+pushd cryptsetup
+./autogen.sh
+./configure --enable-static --enable-static-cryptsetup --disable-udev --disable-external-tokens --disable-ssh-token
+make && make install
+strip /usr/sbin/veritysetup.static
+popd #cryptsetup
+
+info "Build gen_init_cpio tool"
+git clone --depth 1 --filter=blob:none --sparse https://github.com/torvalds/linux.git
+pushd linux
+git sparse-checkout add usr && cd usr && make gen_init_cpio
+install gen_init_cpio /usr/sbin/
+popd #linux
+
+popd #${build_root}
+
+install "${script_dir}/init.sh" /usr/sbin/
+gen_init_cpio "${script_dir}/initramfs.list" | gzip -9 -n > "${install_dir}"/initramfs.cpio.gz
diff --git a/tools/packaging/static-build/initramfs/build.sh b/tools/packaging/static-build/initramfs/build.sh
new file mode 100755
index 000000000..489ddd5e1
--- /dev/null
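Review bot: `git clone --depth 1 --filter=blob:none --sparse https://github.com/torvalds/linux.git` fetches the tip of upstream's default branch with no tag or commit pin, so gen_init_cpio — the tool that assembles the initramfs measured into the guest kernel — is not reproducible and changes outside this repository's control; pin it with `--branch <linux release tag>` taken from versions.yaml, and consider recording the expected commit for the lvm2 and cryptsetup tags as well, since tags can be moved. `pushd ${build_root}` is unquoted and the mktemp directory is never removed; `pushd "${build_root}"` plus `trap 'rm -rf -- "${build_root}"' EXIT` right after the `mktemp -d` covers both. A header comment stating the contract would help readers: `# Builds static veritysetup, lvm2 and gen_init_cpio, then packs init.sh into ${install_dir}/initramfs.cpio.gz; meant to run inside the kata-initramfs-builder container`.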
+++ b/tools/packaging/static-build/initramfs/build.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2022 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+repo_root_dir="$(cd "${script_dir}/../../../.." && pwd)"
+readonly initramfs_builder="${script_dir}/build-initramfs.sh"
+readonly default_install_dir="$(cd "${script_dir}/../../kernel" && pwd)"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+container_image="kata-initramfs-builder"
+kata_version="${kata_version:-}"
+cryptsetup_repo="${cryptsetup_repo:-}"
+cryptsetup_version="${cryptsetup_version:-}"
+lvm2_repo="${lvm2_repo:-}"
+lvm2_version="${lvm2_version:-}"
+package_output_dir="${package_output_dir:-}"
+
+[ -n "${cryptsetup_repo}" ] || cryptsetup_repo=$(get_from_kata_deps "externals.cryptsetup.url" "${kata_version}")
+[ -n "${cryptsetup_version}" ] || cryptsetup_version=$(get_from_kata_deps "externals.cryptsetup.version" "${kata_version}")
+[ -n "${lvm2_repo}" ] || lvm2_repo=$(get_from_kata_deps "externals.lvm2.url" "${kata_version}")
+[ -n "${lvm2_version}" ] || lvm2_version=$(get_from_kata_deps "externals.lvm2.version" "${kata_version}")
+
+[ -n "${cryptsetup_repo}" ] || die "Failed to get cryptsetup repo"
+[ -n "${cryptsetup_version}" ] || die "Failed to get cryptsetup version"
+[ -n "${lvm2_repo}" ] || die "Failed to get lvm2 repo"
+[ -n "${lvm2_version}" ] || die "Failed to get lvm2 version"
+
+sudo docker build \
+ -t "${container_image}" "${script_dir}"
+
+sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
+ -w "${PWD}" \
+ --env cryptsetup_repo="${cryptsetup_repo}" \
+ --env cryptsetup_version="${cryptsetup_version}" \
+ --env lvm2_repo="${lvm2_repo}" \
+ --env lvm2_version="${lvm2_version}" \
+ "${container_image}" \
+ bash -c "${initramfs_builder} ${default_install_dir}"
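Review bot: `bash -c "${initramfs_builder} ${default_install_dir}"` passes both paths through a second shell unquoted, so a checkout path containing spaces or glob characters is word-split inside the container; the wrapper shell is not needed here, so run the builder directly as `"${container_image}" "${initramfs_builder}" "${default_install_dir}"`. `sudo docker build` is also run on every invocation without `--pull`, so the base layer is whatever the host already has cached; if that is intended, a comment saying so would stop the next reader from "fixing" it. `package_output_dir` is read but never used in the visible script.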
diff --git a/tools/packaging/static-build/initramfs/init.sh b/tools/packaging/static-build/initramfs/init.sh
new file mode 100755
index 000000000..d6a68d62f
--- /dev/null
+++ b/tools/packaging/static-build/initramfs/init.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# Copyright (c) 2022 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+[ -d /dev ] || mkdir -m 0755 /dev
+[ -d /root ] || mkdir -m 0700 /root
+[ -d /sys ] || mkdir /sys
+[ -d /proc ] || mkdir /proc
+[ -d /mnt ] || mkdir /mnt
+[ -d /tmp ] || mkdir /tmp
+
+mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
+mount -t proc -o nodev,noexec,nosuid proc /proc
+
+echo "/sbin/mdev" > /proc/sys/kernel/hotplug
+mdev -s
+
+get_option() {
+ local value
+ value=" $(cat /proc/cmdline) "
+ value="${value##* ${1}=}"
+ value="${value%% *}"
+ [ "${value}" != "" ] && echo "${value}"
+}
+
+rootfs_verifier=$(get_option rootfs_verity.scheme)
+rootfs_hash=$(get_option rootfs_verity.hash)
+root_device=$(get_option root)
+hash_device=${root_device%?}2
+
+if [ -e ${root_device} ] && [ -e ${hash_device} ] && [ "${rootfs_verifier}" = "dm-verity" ]
+then
+ veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}"
+ mount /dev/mapper/root /mnt
+else
+ echo "No LUKS device found"
+ mount "${root_device}" /mnt
+fi
+
+umount /proc
+umount /sys
+exec switch_root /mnt /sbin/init
diff --git a/tools/packaging/static-build/initramfs/initramfs.list b/tools/packaging/static-build/initramfs/initramfs.list
new file mode 100644
index 000000000..90c8af8c9
--- /dev/null
+++ b/tools/packaging/static-build/initramfs/initramfs.list
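Review bot: The dm-verity branch never checks the exit status of `veritysetup open` or `mount /dev/mapper/root /mnt`, and the `else` branch mounts `${root_device}` unverified whenever either device node is missing or the scheme is not recognised, so a failed or mis-parameterised verity setup silently degrades to an unmeasured root behind a misleading "No LUKS device found" message. Because this script is PID 1, exiting on error makes the kernel panic, which is the fail-closed outcome a measured boot wants; the unverified fallback should be taken only when no `rootfs_verity.scheme` was given at all. `hash_device=${root_device%?}2` also assumes a single-character partition suffix (`/dev/vda1` → `/dev/vda2`) and mis-derives names like `/dev/nvme0n1p1`; at minimum document the assumption. If an I/O error on a tampered block is not the intended behaviour, `veritysetup open` also accepts `--panic-on-corruption` / `--restart-on-corruption`.
```sh
# … unchanged: directory setup, /sys and /proc mounts, mdev, get_option …
rootfs_verifier=$(get_option rootfs_verity.scheme)
rootfs_hash=$(get_option rootfs_verity.hash)
root_device=$(get_option root)
# assumes a single-digit partition suffix (e.g. /dev/vda1 -> /dev/vda2)
hash_device=${root_device%?}2

fail() {
	echo "init: $*" >&2
	exit 1   # exiting PID 1 panics the kernel: fail closed rather than boot unverified
}

if [ "${rootfs_verifier}" = "dm-verity" ]; then
	[ -n "${rootfs_hash}" ] || fail "rootfs_verity.hash missing from cmdline"
	[ -e "${root_device}" ] || fail "root device ${root_device} not found"
	[ -e "${hash_device}" ] || fail "hash device ${hash_device} not found"
	veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}" \
		|| fail "veritysetup open failed for ${root_device}"
	mount /dev/mapper/root /mnt || fail "mount of verified rootfs failed"
elif [ -n "${rootfs_verifier}" ]; then
	fail "unsupported rootfs_verity.scheme '${rootfs_verifier}'"
else
	echo "init: no rootfs_verity.scheme given, mounting ${root_device} unverified"
	mount "${root_device}" /mnt || fail "mount of ${root_device} failed"
fi
# … unchanged: umount /proc, umount /sys, switch_root …
```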
@@ -0,0 +1,21 @@ +# Copyright (c) 2022 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 + +# initramfs to setup verified boot for rootfs +dir /dev 0755 0 0 +dir /root 0700 0 0 +dir /sbin 0755 0 0 +dir /bin 0755 0 0 +dir /run 0755 0 0 +dir /mnt 0755 0 0 +file /init /usr/sbin/init.sh 0755 0 0 +file /sbin/busybox /usr/bin/busybox 0755 0 0 +file /sbin/veritysetup /usr/sbin/veritysetup.static 0755 0 0 +slink /bin/sh /sbin/busybox 0755 0 0 +slink /sbin/mount /sbin/busybox 0755 0 0 +slink /bin/mkdir /sbin/busybox 0755 0 0 +slink /sbin/mdev /sbin/busybox 0755 0 0 +slink /sbin/switch_root /sbin/busybox 0755 0 0 +slink /sbin/umount /sbin/busybox 0755 0 0 +slink /sbin/cat /sbin/busybox 0755 0 0 diff --git a/versions.yaml b/versions.yaml index 18e51fe83..3455221a8 100644 --- a/versions.yaml +++ b/versions.yaml @@ -228,11 +228,21 @@ externals: url: "https://github.com/kubernetes-sigs/cri-tools" version: "1.23.0" + cryptsetup: + description: "A utility used to setup disk encryption, integrity protection" + url: "https://gitlab.com/cryptsetup/cryptsetup" + version: "v2.5.0" + gperf: description: "GNU gperf is a perfect hash function generator" url: "http://ftp.gnu.org/pub/gnu/gperf/" version: "3.1" + lvm2: + description: "LVM2 and device-mapper tools and libraries" + url: "https://github.com/lvmteam/lvm2" + version: "v2_03_16" + kubernetes: description: "Kubernetes project container manager" url: "https://github.com/kubernetes/kubernetes" From 0080588075f1a09d6ed38f6e109a312905bfbefb Mon Sep 17 00:00:00 2001 From: "Wang, Arron" Date: Mon, 5 Sep 2022 17:36:42 +0800 Subject: [PATCH 4/6] kernel: Integrate initramfs into Guest kernel Integrate initramfs into guest kernel as one binary, which will be measured by the firmware together. Fixes: #6674 
Signed-off-by: Wang, Arron --- tools/packaging/kernel/build-kernel.sh | 18 +++++++++++++++++- .../confidential_containers/initramfs.conf | 1 + tools/packaging/static-build/kernel/build.sh | 1 + 3 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 tools/packaging/kernel/configs/fragments/common/confidential_containers/initramfs.conf diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh index 6b42be119..c1f89cfeb 100755 --- a/tools/packaging/kernel/build-kernel.sh +++ b/tools/packaging/kernel/build-kernel.sh @@ -31,6 +31,7 @@ readonly default_kernel_config_dir="${script_dir}/configs" # Default path to search for kernel config fragments readonly default_config_frags_dir="${script_dir}/configs/fragments" readonly default_config_whitelist="${script_dir}/configs/fragments/whitelist.conf" +readonly default_initramfs="${script_dir}/initramfs.cpio.gz" # GPU vendor readonly GV_INTEL="intel" readonly GV_NVIDIA="nvidia" @@ -64,6 +65,8 @@ kernel_url="" #Linux headers for GPU guest fs module building linux_headers="" +MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} + packaging_scripts_dir="${script_dir}/../scripts" source "${packaging_scripts_dir}/lib.sh" 
@@ -269,11 +272,19 @@ get_kernel_frag_path() { fi fi - if [[ "${conf_guest}" != "" ]];then + if [ "${MEASURED_ROOTFS}" == "yes" ]; then info "Enabling config for confidential guest trust storage protection" local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)" all_configs="${all_configs} ${cryptsetup_configs}" + if [ -f "${default_initramfs}" ]; then + info "Enabling config for confidential guest measured boot" + local initramfs_configs="$(ls ${common_path}/confidential_containers/initramfs.conf)" + all_configs="${all_configs} ${initramfs_configs}" + fi + fi + + if [[ "${conf_guest}" != "" ]];then info "Enabling config for '${conf_guest}' confidential guest protection" local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)" all_configs="${all_configs} ${conf_configs}" @@ -422,6 +433,11 @@ setup_kernel() { [ -n "${hypervisor_target}" ] || hypervisor_target="kvm" [ -n "${kernel_config_path}" ] || kernel_config_path=$(get_default_kernel_config "${kernel_version}" "${hypervisor_target}" "${arch_target}" "${kernel_path}") + if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -f "${default_initramfs}" ]; then + info "Copying initramfs from: ${default_initramfs}" + cp "${default_initramfs}" ./ + fi + info "Copying config file from: ${kernel_config_path}" cp "${kernel_config_path}" ./.config make oldconfig diff --git a/tools/packaging/kernel/configs/fragments/common/confidential_containers/initramfs.conf b/tools/packaging/kernel/configs/fragments/common/confidential_containers/initramfs.conf new file mode 100644 index 000000000..35e662a65 --- /dev/null +++ b/tools/packaging/kernel/configs/fragments/common/confidential_containers/initramfs.conf @@ -0,0 +1 @@ +CONFIG_INITRAMFS_SOURCE="initramfs.cpio.gz" diff --git a/tools/packaging/static-build/kernel/build.sh b/tools/packaging/static-build/kernel/build.sh index 091f76cef..b36f06cff 100755 --- a/tools/packaging/static-build/kernel/build.sh +++ b/tools/packaging/static-build/kernel/build.sh 
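Review bot: When `MEASURED_ROOTFS=yes` but `${default_initramfs}` does not exist, the `if [ -f "${default_initramfs}" ]` guard silently omits the initramfs fragment, and the same guard in the setup_kernel hunk below skips the copy, so the build quietly produces a kernel with dm-verity compiled in but no embedded init to use it — the `rootfs_verity.*` kernel parameters would then be ignored at boot. Fail closed instead: `[ -f "${default_initramfs}" ] || die "MEASURED_ROOTFS=yes but ${default_initramfs} is missing; run static-build/initramfs/build.sh first"` in get_kernel_frag_path, with setup_kernel's copy unconditional under MEASURED_ROOTFS=yes. As with the cryptsetup fragment, `local initramfs_configs="$(ls ...)"` can simply be the path, avoiding the `local`-masked `ls` status. get_kernel_frag_path and setup_kernel both start outside their hunks.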
@@ -25,6 +25,7 @@ sudo docker pull ${container_image} || \ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${PWD}" \ + --env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \ "${container_image}" \ bash -c "${kernel_builder} $* setup" From f62b2670c04a2a09ca33b95b7a3365a1c22f5f92 Mon Sep 17 00:00:00 2001 From: "Wang, Arron" Date: Thu, 15 Sep 2022 10:17:55 +0800 Subject: [PATCH 5/6] config: Add root hash value and measure config to kernel params After we have a guest kernel with builtin initramfs which provide the rootfs measurement capability and Kata rootfs image with hash device, we need set related root hash value and measure config to the kernel params in kata configuration file. Fixes: #6674 Signed-off-by: Wang, Arron --- src/runtime/Makefile | 4 ++++ tools/packaging/guest-image/build_image.sh | 3 +++ .../local-build/kata-deploy-binaries.sh | 14 +++++++++++++- tools/packaging/static-build/shim-v2/build.sh | 6 ++++-- 4 files changed, 24 insertions(+), 3 deletions(-) diff --git a/src/runtime/Makefile b/src/runtime/Makefile index e937b741e..80c423612 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -133,6 +133,10 @@ FIRMWARETDVFVOLUMEPATH := FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd +ROOTMEASURECONFIG ?= "" +KERNELPARAMS += $(ROOTMEASURECONFIG) +KERNELTDXPARAMS += $(ROOTMEASURECONFIG) + # Name of default configuration file the runtime will use. CONFIG_FILE = configuration.toml diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh index d602b85c0..3eac34c61 100755 --- a/tools/packaging/guest-image/build_image.sh +++ b/tools/packaging/guest-image/build_image.sh 
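Review bot: `ROOTMEASURECONFIG ?= ""` assigns the two literal quote characters in GNU make, so with the variable unset `KERNELPARAMS += $(ROOTMEASURECONFIG)` and `KERNELTDXPARAMS += $(ROOTMEASURECONFIG)` append `""` to every kernel parameter list; unless the template substitution that consumes these variables strips them (not visible here), that ends up inside the generated `kernel_params` value. An empty default, `ROOTMEASURECONFIG ?=`, avoids it. A short comment on the variable would also help: `# dm-verity root-hash kernel params for a measured rootfs, set by kata-deploy-binaries.sh when MEASURED_ROOTFS=yes`.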
@@ -54,6 +54,9 @@ build_image() { IMG_OS_VERSION="${img_os_version}" \ ROOTFS_BUILD_DEST="${builddir}/rootfs-image" mv -f "kata-containers.img" "${install_dir}/${image_name}" + if [ -e "root_hash.txt" ]; then + cp root_hash.txt "${install_dir}/" + fi ( cd "${install_dir}" ln -sf "${image_name}" kata-containers.img diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index e80972f35..c09eb7501 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -485,7 +485,19 @@ install_shimv2() { export GO_VERSION export RUST_VERSION - DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}" + + if [ "${MEASURED_ROOTFS}" == "yes" ]; then + extra_opts="DEFSERVICEOFFLOAD=true" + if [ -f "${repo_root_dir}/tools/osbuilder/root_hash.txt" ]; then + root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder//root_hash.txt") + root_measure_config="rootfs_verity.scheme=dm-verity rootfs_verity.hash=${root_hash}" + extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\"" + fi + + DESTDIR="${destdir}" PREFIX="${prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}" + else + DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}" + fi } install_ovmf() { diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh index d948ae1e8..933044564 100755 --- a/tools/packaging/static-build/shim-v2/build.sh +++ b/tools/packaging/static-build/shim-v2/build.sh @@ -21,6 +21,8 @@ DESTDIR=${DESTDIR:-${PWD}} PREFIX=${PREFIX:-/opt/kata} container_image="${SHIM_V2_CONTAINER_BUILDER:-$(get_shim_v2_image_name)}" +EXTRA_OPTS="${EXTRA_OPTS:-""}" + sudo docker pull ${container_image} || \ (sudo docker build \ --build-arg GO_VERSION="${GO_VERSION}" \ 
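Review bot: `root_hash` is read with `sudo sed` from `${repo_root_dir}/tools/osbuilder//root_hash.txt` (note the doubled slash) and spliced into `ROOTMEASURECONFIG` without any validation, and when the file is absent install_shimv2 still proceeds with `DEFSERVICEOFFLOAD=true` but no `rootfs_verity.*` params, yielding a configuration whose guest will mount its rootfs unverified. Validate the value before use — for veritysetup's default sha256 that is `[[ "${root_hash}" =~ ^[0-9a-f]{64}$ ]] || die "invalid root hash in root_hash.txt"` — and treat a missing root_hash.txt under MEASURED_ROOTFS=yes as an error rather than a silent downgrade. `extra_opts`, `root_hash` and `root_measure_config` are not declared `local`, so they leak into the rest of the script; whether `sudo` is really needed to read the file depends on who wrote it (the image build ran under docker, so it may be root-owned) and deserves a comment. install_shimv2 starts outside the hunk.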
@@ -47,12 +49,12 @@ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${repo_root_dir}/src/runtime" \ "${container_image}" \ - bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch}" + bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch} ${EXTRA_OPTS}" sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ -w "${repo_root_dir}/src/runtime" \ "${container_image}" \ - bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX="${PREFIX}" DESTDIR="${DESTDIR}" install" + bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX="${PREFIX}" DESTDIR="${DESTDIR}" ${EXTRA_OPTS} install" for vmm in ${VMM_CONFIGS}; do config_file="${DESTDIR}/${PREFIX}/share/defaults/kata-containers/configuration-${vmm}.toml" From f6afae9c7335578c52b221920f2b3499a9d8e4c8 Mon Sep 17 00:00:00 2001 From: "Wang, Arron" Date: Sun, 21 May 2023 16:50:00 +0800 Subject: [PATCH 6/6] packaging: Add rootfs-image-tdx-tarball target Add rootfs-image-tdx target: ./tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh --build=rootfs-image-tdx ./opt/kata/share/kata-containers/kata-containers-tdx.img ./opt/kata/share/kata-containers/kata-ubuntu-latest-tdx.image Fixes: #6674 Signed-off-by: Wang, Arron --- .../build-kata-static-tarball-amd64.yaml | 1 + tools/packaging/guest-image/build_image.sh | 9 ++++++++- .../packaging/kata-deploy/local-build/Makefile | 4 ++++ .../local-build/kata-deploy-binaries.sh | 18 +++++++++++++++--- 4 files changed, 28 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index ade4eb9e7..09ddfd05d 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml 
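Review bot: `${EXTRA_OPTS}` is expanded inside the `bash -c "..."` string on both changed lines, so its contents are re-parsed by the container shell — quoting, `$`, `;` and globs all take effect — which is why the caller has to escape the quotes around `ROOTMEASURECONFIG` by hand. The value is build-generated rather than user input, so this is workable, but the contract should be written down where the variable is defined: `# EXTRA_OPTS is re-evaluated by the container shell; pass only VAR=value words with any quoting pre-escaped`. Passing make's arguments as separate argv entries (an array expanded after `"${container_image}"`) would remove the re-parsing entirely.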
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -32,6 +32,7 @@ jobs: - qemu-snp-experimental - qemu-tdx-experimental - rootfs-image + - rootfs-image-tdx - rootfs-initrd - rootfs-initrd-sev - shim-v2 diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh index 3eac34c61..230538d1c 100755 --- a/tools/packaging/guest-image/build_image.sh +++ b/tools/packaging/guest-image/build_image.sh @@ -22,6 +22,7 @@ readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)" export GOPATH=${GOPATH:-${HOME}/go} arch_target="$(uname -m)" +final_image_name="kata-containers" final_initrd_name="kata-containers-initrd" image_initrd_extension=".img" @@ -59,7 +60,7 @@ build_image() { fi ( cd "${install_dir}" - ln -sf "${image_name}" kata-containers.img + ln -sf "${image_name}" "${final_image_name}${image_initrd_extension}" ) } @@ -86,6 +87,7 @@ main() { image_type=image destdir="$PWD" prefix="/opt/kata" + image_suffix="" image_initrd_suffix="" builddir="${PWD}" while getopts "h-:" opt; do @@ -113,6 +115,11 @@ main() { initrd_os_version=$(get_from_kata_deps "assets.initrd.architecture.${arch_target}.sev.version") initrd_name="kata-${initrd_distro}-${initrd_os_version}-${image_initrd_suffix}.${image_type}" final_initrd_name="${final_initrd_name}-${image_initrd_suffix}" + elif [ "${image_initrd_suffix}" == "tdx" ]; then + img_distro=$(get_from_kata_deps "assets.image.architecture.${arch_target}.name") + img_os_version=$(get_from_kata_deps "assets.image.architecture.${arch_target}.version") + image_name="kata-${img_distro}-${img_os_version}-${image_initrd_suffix}.${image_type}" + final_image_name="${final_image_name}-${image_initrd_suffix}" fi ;; prefix=*) diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 091e3dc21..eb161e82b 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile 
@@ -42,6 +42,7 @@ all: serial-targets \ serial-targets: ${MAKE} -f $(MK_PATH) -j 1 V= \ rootfs-image-tarball \ + rootfs-image-tdx-tarball \ rootfs-initrd-sev-tarball \ rootfs-initrd-tarball \ cloud-hypervisor-tarball @@ -100,6 +101,9 @@ qemu-tdx-experimental-tarball: rootfs-image-tarball: ${MAKE} $@-build +rootfs-image-tdx-tarball: kernel-tdx-experimental-tarball + ${MAKE} $@-build + rootfs-initrd-sev-tarball: kernel-sev-tarball ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index c09eb7501..c65f4cd80 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -95,6 +95,7 @@ options: qemu-snp-experimental qemu-tdx-experimental rootfs-image + rootfs-image-tdx rootfs-initrd rootfs-initrd-sev shim-v2 @@ -135,8 +136,10 @@ install_cached_tarball_component() { #Install guest image install_image() { - local jenkins="${jenkins_url}/job/kata-containers-main-rootfs-image-$(uname -m)/${cached_artifacts_path}" - local component="rootfs-image" + local image_type="${1:-"image"}" + local initrd_suffix="${2:-""}" + local jenkins="${jenkins_url}/job/kata-containers-main-rootfs-${image_type}-$(uname -m)/${cached_artifacts_path}" + local component="rootfs-${image_type}" local osbuilder_last_commit="$(get_last_modification "${repo_root_dir}/tools/osbuilder")" local guest_image_last_commit="$(get_last_modification "${repo_root_dir}/tools/packaging/guest-image")" @@ -156,7 +159,12 @@ install_image() { && return 0 info "Create image" - "${rootfs_builder}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" + "${rootfs_builder}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${initrd_suffix}" +} + +#Install guest image for tdx +install_image_tdx() { + install_image "image-tdx" "tdx" } #Install guest initrd 
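Review bot: `install_image_tdx` only changes the image name and Jenkins path through `install_image "image-tdx" "tdx"`; nothing sets `MEASURED_ROOTFS=yes` for this target, and the `tdx` branch added to build_image.sh in the same patch likewise only renames, so unless the variable is inherited from the caller's environment the `-tdx` image is built without the hash partition and root_hash.txt that install_shimv2 expects. Mirror install_kernel_tdx_experimental and set it explicitly, e.g. `MEASURED_ROOTFS=yes install_image "image-tdx" "tdx"`, with a comment on the helper such as `# TDX guest image: built with a dm-verity hash partition (MEASURED_ROOTFS=yes)`. The cached-artifact shortcut in install_image (outside the hunk) keys on osbuilder and guest-image commits, so it may also need MEASURED_ROOTFS in its identity to avoid serving a non-measured cached image for this target.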
@@ -310,6 +318,8 @@ install_kernel_experimental() { install_kernel_tdx_experimental() { local kernel_url="$(get_from_kata_deps assets.kernel-tdx-experimental.url)" + export MEASURED_ROOTFS=yes + install_kernel_helper \ "assets.kernel-tdx-experimental.version" \ "kernel-tdx-experimental" \ @@ -600,6 +610,8 @@ handle_build() { rootfs-image) install_image ;; + rootfs-image-tdx) install_image_tdx ;; + rootfs-initrd) install_initrd ;; rootfs-initrd-sev) install_initrd_sev ;;
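Review bot: `export MEASURED_ROOTFS=yes` in install_kernel_tdx_experimental mutates the whole script's environment, so any component built later in the same invocation — install_shimv2 reads the variable, and the image and kernel helpers forward it to their builders — is also built in measured mode even when that was not requested; whether that actually happens depends on how handle_build sequences targets, which is outside the hunk. Scope the setting to the call, `MEASURED_ROOTFS=yes install_kernel_helper \`, or wrap the function body in a subshell, so measured-rootfs mode stays attached to the tdx target. A one-line comment, `# TDX guests boot a dm-verity-measured rootfs; build the kernel with the embedded initramfs`, would explain why the flag lives here.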