From 261177925508da999289d3826e97311a5302f477 Mon Sep 17 00:00:00 2001
From: "Wang, Arron" <arron.wang@intel.com>
Date: Tue, 23 Aug 2022 17:21:07 +0800
Subject: [PATCH] image-build: generate root hash as an separate partition for
 rootfs

Generate rootfs hash data during creating the kata rootfs,
current kata image only have one partition, we add another
partition as hash device to save hash data of rootfs data blocks.

Fixes: #4966

Signed-off-by: Wang, Arron <arron.wang@intel.com>
---
 tools/osbuilder/image-builder/Dockerfile      |  1 +
 .../osbuilder/image-builder/image_builder.sh  | 22 ++++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/tools/osbuilder/image-builder/Dockerfile b/tools/osbuilder/image-builder/Dockerfile
index 02f93475fd..ae919b3b1c 100644
--- a/tools/osbuilder/image-builder/Dockerfile
+++ b/tools/osbuilder/image-builder/Dockerfile
@@ -14,5 +14,6 @@ RUN ([ -n "$http_proxy" ] && \
         gdisk \
         parted \
         qemu-img \
+	veritysetup \
         xfsprogs && \
     dnf clean all
diff --git a/tools/osbuilder/image-builder/image_builder.sh b/tools/osbuilder/image-builder/image_builder.sh
index 8b65ab4e8f..da3caeac10 100755
--- a/tools/osbuilder/image-builder/image_builder.sh
+++ b/tools/osbuilder/image-builder/image_builder.sh
@@ -11,6 +11,7 @@ set -o errexit
 set -o pipefail
 
 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
+KATA_BUILD_CC=${KATA_BUILD_CC:-no}
 
 readonly script_name="${0##*/}"
 readonly script_dir=$(dirname "$(readlink -f "$0")")
@@ -170,6 +171,7 @@ build_with_container() {
 		   --env BLOCK_SIZE="${block_size}" \
 		   --env ROOT_FREE_SPACE="${root_free_space}" \
 		   --env NSDAX_BIN="${nsdax_bin}" \
+		   --env KATA_BUILD_CC="${KATA_BUILD_CC}" \
 		   --env DEBUG="${DEBUG}" \
 		   -v /dev:/dev \
 		   -v "${script_dir}":"/osbuilder" \
@@ -371,9 +373,21 @@ create_disk() {
 	# Kata runtime expect an image with just one partition
 	# The partition is the rootfs content
 	info "Creating partitions"
+
+	if [ "${KATA_BUILD_CC}" == "yes" ]; then
+		info "Creating partitions with hash device"
+		# The hash data will take less than one percent disk space to store
+		hash_start=$(echo $img_size | awk '{print $1 * 0.99}' |cut -d $(locale decimal_point) -f 1)
+		partition_param="mkpart primary ${fs_type} ${part_start}M ${hash_start}M "
+		partition_param+="mkpart primary ${fs_type} ${hash_start}M ${rootfs_end}M "
+		partition_param+="set 1 boot on"
+	else
+		partition_param="mkpart primary ${fs_type} ${part_start}M ${rootfs_end}M"
+	fi
+
 	parted -s -a optimal "${image}" -- \
 		   mklabel msdos \
-		   mkpart primary "${fs_type}" "${part_start}"M "${rootfs_end}"M
+		   "${partition_param}"
 
 	OK "Partitions created"
 }
@@ -429,6 +443,12 @@ create_rootfs_image() {
 		fsck.ext4 -D -y "${device}p1"
 	fi
 
+	if [ "${KATA_BUILD_CC}" == "yes" ] && [ -b "${device}p2" ]; then
+		info "veritysetup format rootfs device: ${device}p1, hash device: ${device}p2"
+		local image_dir=$(dirname "${image}")
+		veritysetup format "${device}p1" "${device}p2" > "${image_dir}"/root_hash.txt 2>&1
+	fi
+
 	losetup -d "${device}"
 	rmdir "${mount_dir}"
 }