From f62b2670c04a2a09ca33b95b7a3365a1c22f5f92 Mon Sep 17 00:00:00 2001
From: "Wang, Arron"
Date: Thu, 15 Sep 2022 10:17:55 +0800
Subject: [PATCH] config: Add root hash value and measure config to kernel params

After we have a guest kernel with builtin initramfs which provide the rootfs measurement capability and Kata rootfs image with hash device, we need set related root hash value and measure config to the kernel params in kata configuration file.

Fixes: #6674
Signed-off-by: Wang, Arron
---
 src/runtime/Makefile | 4 ++++
 tools/packaging/guest-image/build_image.sh | 3 +++
 .../local-build/kata-deploy-binaries.sh | 14 +++++++++++++-
 tools/packaging/static-build/shim-v2/build.sh | 6 ++++--
 4 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index e937b741e..80c423612 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -133,6 +133,10 @@ FIRMWARETDVFVOLUMEPATH :=
 FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
 
+ROOTMEASURECONFIG ?= ""
+KERNELPARAMS += $(ROOTMEASURECONFIG)
+KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
+
 # Name of default configuration file the runtime will use.
 CONFIG_FILE = configuration.toml
 
diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
index d602b85c0..3eac34c61 100755
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@@ -54,6 +54,9 @@ build_image() {
 IMG_OS_VERSION="${img_os_version}" \
 ROOTFS_BUILD_DEST="${builddir}/rootfs-image"
 mv -f "kata-containers.img" "${install_dir}/${image_name}"
+ if [ -e "root_hash.txt" ]; then
+ cp root_hash.txt "${install_dir}/"
+ fi
 (
 cd "${install_dir}"
 ln -sf "${image_name}" kata-containers.img
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index e80972f35..c09eb7501 100755
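Review bot: `ROOTMEASURECONFIG ?= ""` gives the variable the literal two-character value `""` whenever the caller does not set it, because make keeps quote characters as ordinary text; the two `+=` lines then append that stray token to `KERNELPARAMS` and `KERNELTDXPARAMS` on every non-measured build, and whatever later substitutes those variables into the generated configuration will carry the quotes along. The default should be empty, `ROOTMEASURECONFIG ?=`, and the line deserves a comment such as `# dm-verity parameters for a measured rootfs (rootfs_verity.scheme=... rootfs_verity.hash=...); normally passed in by the shim-v2 build script`. When the variable is set from a shell command line the quotes are stripped before make sees them, so only the default path is affected.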
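Review bot: The copy gated by `+ if [ -e "root_hash.txt" ]` keys off the presence of a file in the current directory, so a `root_hash.txt` left over from an earlier build would be installed next to a freshly built image even if this build did not produce one; the hash and the image would then no longer correspond, and a guest booting with verity enabled would fail against the mismatched value. Removing any existing `root_hash.txt` before the `make` that builds the image (or at least testing with `-f` and copying with `cp -f -- root_hash.txt "${install_dir}/"`) keeps the pair consistent. A one-line comment saying which step writes `root_hash.txt` would also help, since nothing in the hunk produces it. build_image starts outside the hunk.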
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -485,7 +485,19 @@ install_shimv2() {
 export GO_VERSION
 export RUST_VERSION
 
- DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
+
+ if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+ extra_opts="DEFSERVICEOFFLOAD=true"
+ if [ -f "${repo_root_dir}/tools/osbuilder/root_hash.txt" ]; then
+ root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder//root_hash.txt")
+ root_measure_config="rootfs_verity.scheme=dm-verity rootfs_verity.hash=${root_hash}"
+ extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
+ fi
+
+ DESTDIR="${destdir}" PREFIX="${prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
+ else
+ DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
+ fi
 }
 
 install_ovmf() {
diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh
index d948ae1e8..933044564 100755
--- a/tools/packaging/static-build/shim-v2/build.sh
+++ b/tools/packaging/static-build/shim-v2/build.sh
@@ -21,6 +21,8 @@ DESTDIR=${DESTDIR:-${PWD}}
 PREFIX=${PREFIX:-/opt/kata}
 container_image="${SHIM_V2_CONTAINER_BUILDER:-$(get_shim_v2_image_name)}"
 
+EXTRA_OPTS="${EXTRA_OPTS:-""}"
+
 sudo docker pull ${container_image} || \
 (sudo docker build \
 --build-arg GO_VERSION="${GO_VERSION}" \
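Review bot: When `MEASURED_ROOTFS` is `yes` but `root_hash.txt` is absent, the inner `if [ -f ... ]` is simply skipped and the builder still runs with `DEFSERVICEOFFLOAD=true` and no `ROOTMEASURECONFIG`, so a build that was explicitly requested to be measured silently produces a configuration without the dm-verity kernel parameters; that case should abort rather than fall through. The value extracted by `sed` is also placed on the kernel command line unchecked, so a sanity check that it is a hex digest is cheap insurance (tighten the pattern to a fixed length if the digest algorithm is fixed). Minor points in the same lines: the `-f` test path and the `sed` path differ by a doubled slash, `"${MEASURED_ROOTFS}"` would trip `set -u` if the script enables it and the variable is unset, and `extra_opts`/`root_hash` are not declared `local`. A rewrite of the measured branch along these lines:
```shell
	if [ "${MEASURED_ROOTFS:-}" == "yes" ]; then
		root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt"
		if [ ! -f "${root_hash_file}" ]; then
			printf 'MEASURED_ROOTFS=yes but %s is missing\n' "${root_hash_file}" >&2
			exit 1
		fi
		root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${root_hash_file}")
		if ! [[ "${root_hash}" =~ ^[0-9a-fA-F]+$ ]]; then
			printf 'unexpected root hash value in %s\n' "${root_hash_file}" >&2
			exit 1
		fi
		root_measure_config="rootfs_verity.scheme=dm-verity rootfs_verity.hash=${root_hash}"
		extra_opts="DEFSERVICEOFFLOAD=true ROOTMEASURECONFIG=\"${root_measure_config}\""
		# … unchanged: builder invocation with EXTRA_OPTS …
	else
		# … unchanged: plain builder invocation …
	fi
```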
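Review bot: `EXTRA_OPTS` needs a comment at its declaration, because the next hunk splices it unquoted into two `bash -c "..."` strings where the container shell re-parses it: it is not a list of arguments but a fragment of shell text, so whatever it contains is executed as such, and any value with spaces must carry its own quoting (which is why the caller writes `ROOTMEASURECONFIG=\"...\"`). Suggested: `# Extra make variables, spliced verbatim into the 'bash -c' strings below and re-parsed by the container shell: trusted VAR=value assignments only, quoted as the inner shell must see them.` `EXTRA_OPTS="${EXTRA_OPTS:-}"` is the simpler spelling of the empty default.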
@@ -47,12 +49,12 @@ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 -w "${repo_root_dir}/src/runtime" \
 "${container_image}" \
- bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch}"
+ bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch} ${EXTRA_OPTS}"
 
 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 -w "${repo_root_dir}/src/runtime" \
 "${container_image}" \
- bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX="${PREFIX}" DESTDIR="${DESTDIR}" install"
+ bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX="${PREFIX}" DESTDIR="${DESTDIR}" ${EXTRA_OPTS} install"
 
 for vmm in ${VMM_CONFIGS}; do
 config_file="${DESTDIR}/${PREFIX}/share/defaults/kata-containers/configuration-${vmm}.toml"