kernel: Integrate initramfs into Guest kernel

Integrate the initramfs into the guest kernel as a single binary,
so that the firmware measures the kernel and initramfs together.

Fixes: #6674

Signed-off-by: Wang, Arron <arron.wang@intel.com>
Wang, Arron 2022-09-05 17:36:42 +08:00 committed by Fabiano Fidêncio
parent 28b2645624
commit 0080588075
3 changed files with 19 additions and 1 deletions


@ -31,6 +31,7 @@ readonly default_kernel_config_dir="${script_dir}/configs"
# Default path to search for kernel config fragments # Default path to search for kernel config fragments
readonly default_config_frags_dir="${script_dir}/configs/fragments" readonly default_config_frags_dir="${script_dir}/configs/fragments"
readonly default_config_whitelist="${script_dir}/configs/fragments/whitelist.conf" readonly default_config_whitelist="${script_dir}/configs/fragments/whitelist.conf"
readonly default_initramfs="${script_dir}/initramfs.cpio.gz"
# GPU vendor # GPU vendor
readonly GV_INTEL="intel" readonly GV_INTEL="intel"
readonly GV_NVIDIA="nvidia" readonly GV_NVIDIA="nvidia"
@ -64,6 +65,8 @@ kernel_url=""
#Linux headers for GPU guest fs module building #Linux headers for GPU guest fs module building
linux_headers="" linux_headers=""
MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
packaging_scripts_dir="${script_dir}/../scripts" packaging_scripts_dir="${script_dir}/../scripts"
source "${packaging_scripts_dir}/lib.sh" source "${packaging_scripts_dir}/lib.sh"
@ -269,11 +272,19 @@ get_kernel_frag_path() {
fi fi
fi fi
if [[ "${conf_guest}" != "" ]];then if [ "${MEASURED_ROOTFS}" == "yes" ]; then
info "Enabling config for confidential guest trust storage protection" info "Enabling config for confidential guest trust storage protection"
local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)" local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)"
all_configs="${all_configs} ${cryptsetup_configs}" all_configs="${all_configs} ${cryptsetup_configs}"
if [ -f "${default_initramfs}" ]; then
info "Enabling config for confidential guest measured boot"
local initramfs_configs="$(ls ${common_path}/confidential_containers/initramfs.conf)"
all_configs="${all_configs} ${initramfs_configs}"
fi
fi
if [[ "${conf_guest}" != "" ]];then
info "Enabling config for '${conf_guest}' confidential guest protection" info "Enabling config for '${conf_guest}' confidential guest protection"
local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)" local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)"
all_configs="${all_configs} ${conf_configs}" all_configs="${all_configs} ${conf_configs}"
@ -422,6 +433,11 @@ setup_kernel() {
[ -n "${hypervisor_target}" ] || hypervisor_target="kvm" [ -n "${hypervisor_target}" ] || hypervisor_target="kvm"
[ -n "${kernel_config_path}" ] || kernel_config_path=$(get_default_kernel_config "${kernel_version}" "${hypervisor_target}" "${arch_target}" "${kernel_path}") [ -n "${kernel_config_path}" ] || kernel_config_path=$(get_default_kernel_config "${kernel_version}" "${hypervisor_target}" "${arch_target}" "${kernel_path}")
if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -f "${default_initramfs}" ]; then
info "Copying initramfs from: ${default_initramfs}"
cp "${default_initramfs}" ./
fi
info "Copying config file from: ${kernel_config_path}" info "Copying config file from: ${kernel_config_path}"
cp "${kernel_config_path}" ./.config cp "${kernel_config_path}" ./.config
make oldconfig make oldconfig
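Review bot: With `MEASURED_ROOTFS=yes`, a missing `${default_initramfs}` is silently tolerated at `if [ -f "${default_initramfs}" ]; then` in get_kernel_frag_path, and again by the guarded copy in setup_kernel, so the build still succeeds and emits a kernel with no embedded initramfs — not the measured-boot artifact the operator asked for. Since the whole point of this mode is that the initramfs becomes part of what the firmware measures, it should fail closed: `[ -f "${default_initramfs}" ] || die "MEASURED_ROOTFS=yes but ${default_initramfs} not found"` (using whatever error helper `lib.sh` provides), and then apply the initramfs fragment and copy unconditionally. Logging the digest of what was actually embedded, e.g. `info "initramfs sha256: $(sha256sum "${default_initramfs}" | cut -d' ' -f1)"` next to the `cp`, would make the resulting measurement reproducible and auditable from the build log. Note also that the cryptsetup fragment's gate moved from `conf_guest` to `MEASURED_ROOTFS`, so a confidential guest build without that variable now gets no cryptsetup config; if that is intended, a one-line comment saying so would stop a later reader from treating it as a regression. Both get_kernel_frag_path and setup_kernel begin and end outside these hunks.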


@ -0,0 +1 @@
CONFIG_INITRAMFS_SOURCE="initramfs.cpio.gz"
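Review bot: `CONFIG_INITRAMFS_SOURCE` only takes effect when `CONFIG_BLK_DEV_INITRD=y`, and a `.cpio.gz` source is shipped pre-compressed so the kernel also needs `CONFIG_RD_GZIP=y` to unpack it at boot; if the base config this fragment is merged with lacks either, `make oldconfig` drops the option without complaint and the "measured" kernel boots with no initramfs while the build reports success. Whether the base configs already set them is not visible here, so the fragment should carry them itself: `CONFIG_BLK_DEV_INITRD=y` and `CONFIG_RD_GZIP=y`. The relative path is resolved against the kernel build tree, which is what the `cp "${default_initramfs}" ./` in setup_kernel relies on; a comment such as `# Path is relative to the kernel source root; build-kernel.sh copies the archive there when MEASURED_ROOTFS=yes` would make that coupling explicit for whoever next edits either file.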


@ -25,6 +25,7 @@ sudo docker pull ${container_image} || \
sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
-w "${PWD}" \ -w "${PWD}" \
--env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \
"${container_image}" \ "${container_image}" \
bash -c "${kernel_builder} $* setup" bash -c "${kernel_builder} $* setup"