From 1ec0e344e5f2f4b96b4fa1dc5ecb3c2a7057c12d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <ffidencio@nvidia.com>
Date: Fri, 17 Apr 2026 14:30:40 +0200
Subject: [PATCH] runtime-rs: enable measured rootfs for
 qemu-coco-dev-runtime-rs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add kernel_verity_params to the qemu-coco-dev-runtime-rs configuration
so the runtime can assemble dm-verity kernel parameters, and remove the
test skip that was disabling measured rootfs tests for this hypervisor.

Fixes: #12851

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
---
 .../config/configuration-qemu-coco-dev-runtime-rs.toml.in    | 5 +++++
 tests/integration/kubernetes/k8s-measured-rootfs.bats        | 2 --
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in
index b2ee0eba35..2734d83cbb 100644
--- a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in
@@ -72,6 +72,11 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
 # container and look for 'default-kernel-parameters' log entries.
 kernel_params = "@KERNELPARAMS@"
 
+# Optional dm-verity parameters (comma-separated key=value list):
+# root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
+# These are used by the runtime to assemble dm-verity kernel params.
+kernel_verity_params = "@KERNELVERITYPARAMS@"
+
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
 firmware = "@FIRMWAREPATH@"
diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats
index d5a1e6310b..927972e555 100644
--- a/tests/integration/kubernetes/k8s-measured-rootfs.bats
+++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats
@@ -22,8 +22,6 @@ check_and_skip() {
 	if is_confidential_runtime_class "${KATA_HYPERVISOR}"; then
 		if [[ "$(uname -m)" == "s390x" ]]; then
 			skip "measured rootfs tests not implemented for s390x"
-		elif [[ "${KATA_HYPERVISOR}" == "qemu-coco-dev-runtime-rs" ]]; then
-			skip "measured rootfs not working on qemu-coco-dev-runtime-rs: https://github.com/kata-containers/kata-containers/issues/12851"
 		fi
 		return
 	else