From d053f848b412e9295885b6e07902723017075c18 Mon Sep 17 00:00:00 2001 From: ChengyuZhu6 Date: Wed, 9 Aug 2023 21:54:06 +0800 Subject: [PATCH] tools: Install the dependencies with dm-verity Fixes #7636 Signed-off-by: ChengyuZhu6 --- .../osbuilder/image-builder/image_builder.sh | 20 +++++++++++++++---- tools/osbuilder/rootfs-builder/rootfs.sh | 2 ++ .../osbuilder/rootfs-builder/ubuntu/config.sh | 1 + .../kata-deploy-binaries-in-docker.sh | 1 + .../local-build/kata-deploy-binaries.sh | 2 ++ 5 files changed, 22 insertions(+), 4 deletions(-) diff --git a/tools/osbuilder/image-builder/image_builder.sh b/tools/osbuilder/image-builder/image_builder.sh index 26f37d122a..8fe9ea33fd 100755 --- a/tools/osbuilder/image-builder/image_builder.sh +++ b/tools/osbuilder/image-builder/image_builder.sh @@ -12,6 +12,7 @@ set -o pipefail DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc} MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} +DM_VERITY=${DM_VERITY:-no} #For cross build CROSS_BUILD=${CROSS_BUILD:-false} @@ -51,6 +52,13 @@ readonly dax_header_sz=2 readonly dax_alignment=2 # The list of systemd units and files that are not needed in Kata Containers +readonly -a udev_systemd_units=( + "systemd-udevd" + "systemd-udevd-control" + "systemd-udevd-kernel" + "systemd-udev-trigger" +) + readonly -a systemd_units=( "systemd-coredump@" "systemd-journald" @@ -59,10 +67,6 @@ readonly -a systemd_units=( "systemd-random-seed" "systemd-timesyncd" "systemd-tmpfiles-setup" - "systemd-udevd" - "systemd-udevd-control" - "systemd-udevd-kernel" - "systemd-udev-trigger" "systemd-update-utmp" ) @@ -455,6 +459,14 @@ setup_selinux() { setup_systemd() { local mount_dir="$1" + if [ "${DM_VERITY}" == "no" ]; then + for u in "${udev_systemd_units[@]}"; do + find "${mount_dir}" -type f \( \ + -name "${u}.service" -o \ + -name "${u}.socket" \) \ + -exec rm -f {} \; + done + fi info "Removing unneeded systemd services and sockets" for u in "${systemd_units[@]}"; do 
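Review bot: The new guard in setup_systemd, `if [ "${DM_VERITY}" == "no" ]; then`, keeps the udev units for every value other than the literal `no`, while ubuntu/config.sh in this same patch installs `udev dmsetup` only for the literal `yes`. A value such as `false` or `0` would therefore leave any udev units in the image even though no udev package was requested, which is the less minimal guest. Testing the positive case, `if [ "${DM_VERITY}" != "yes" ]; then`, makes the two scripts agree and strips the units by default. The loop also runs before the `info "Removing unneeded systemd services and sockets"` line, so the udev removal is not announced in the build log. setup_systemd continues past the end of this hunk.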
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index 35c8450d22..4715a2e831 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -18,6 +18,7 @@ AGENT_BIN=${AGENT_BIN:-kata-agent} AGENT_INIT=${AGENT_INIT:-no} KATA_BUILD_CC=${KATA_BUILD_CC:-no} MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} +DM_VERITY=${DM_VERITY:-no} KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""} OSBUILDER_VERSION="unknown" DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc} @@ -459,6 +460,7 @@ build_rootfs_distro() --env ARCH="${ARCH}" \ --env CI="${CI}" \ --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \ + --env DM_VERITY="${DM_VERITY}" \ --env KERNEL_MODULES_DIR="${KERNEL_MODULES_DIR}" \ --env LIBC="${LIBC}" \ --env EXTRA_PKGS="${EXTRA_PKGS}" \ diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh index e868939313..850858dad2 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh @@ -9,6 +9,7 @@ PACKAGES="chrony iptables dbus kmod" [ "$AGENT_INIT" = no ] && PACKAGES+=" init" [ "$MEASURED_ROOTFS" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs" [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp2" +[ "$DM_VERITY" = yes ] && PACKAGES+=" udev dmsetup" REPO_URL=http://ports.ubuntu.com case "$ARCH" in diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 838c0bdfa6..c45bfb085c 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh 
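Review bot: The added line `[ "$DM_VERITY" = yes ] && PACKAGES+=" udev dmsetup"` in ubuntu/config.sh has no comment saying why these two packages are needed or how DM_VERITY differs from MEASURED_ROOTFS, which already adds `cryptsetup-bin e2fsprogs` two lines above. I would put `# DM_VERITY=yes: udev and dmsetup are required in the guest for dm-verity device setup` above it, with the wording confirmed by the author, since the patch does not state what consumes them. Only the Ubuntu config is changed here. If other distro configs exist under rootfs-builder, the new `--env DM_VERITY="${DM_VERITY}"` in rootfs.sh would pass `yes` to them without any packages being added.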
@@ -94,6 +94,7 @@ docker run \ --env TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER:-}" \ --env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}" \ --env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \ + --env DM_VERITY="${DM_VERITY:-}" \ --env USE_CACHE="${USE_CACHE:-}" \ --env CROSS_BUILD="${CROSS_BUILD}" \ --env TARGET_ARCH="${TARGET_ARCH}" \ diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 15d0262f86..8d1835bdad 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -44,6 +44,7 @@ readonly cached_artifacts_path="lastSuccessfulBuild/artifact/artifacts" ARCH=${ARCH:-$(uname -m)} MEASURED_ROOTFS=${MEASURED_ROOTFS:-no} +DM_VERITY=${DM_VERITY:-no} USE_CACHE="${USE_CACHE:-"yes"}" workdir="${WORKDIR:-$PWD}" @@ -226,6 +227,7 @@ install_cc_image() { export AA_KBC="${AA_KBC:-offline_fs_kbc}" export KATA_BUILD_CC=yes export MEASURED_ROOTFS=yes + export DM_VERITY=yes variant="${1:-}" install_image "${variant}"
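Review bot: `export DM_VERITY=yes` in install_cc_image stays set in the script's environment after the function returns, the same as the `export MEASURED_ROOTFS=yes` line above it. If one invocation can go on to build a non-CC image (not visible in this hunk), that build would inherit `yes`, pull in udev and dmsetup, and keep the udev units. Either scope the setting to this call, for example by running the function body in a subshell, or add a comment such as `# intentionally left exported for later build steps`. install_cc_image starts before this hunk.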