From 8225457dd5b31f77396381e01df14df1f504cbf8 Mon Sep 17 00:00:00 2001
From: "Wang, Arron"
Date: Thu, 15 Sep 2022 10:17:55 +0800
Subject: [PATCH] config: Add root hash value and measure config to kernel params
After we have a guest kernel with builtin initramfs which provide the rootfs measurement capability and Kata rootfs image with hash device, we need set related root hash value and measure config to the kernel params in kata configuration file.
Fixes: #5168
Signed-off-by: Wang, Arron
---
 src/runtime/Makefile | 6 ++++--
 tools/packaging/guest-image/build_image.sh | 3 +++
 .../kata-deploy/local-build/kata-deploy-binaries.sh | 10 +++++++++-
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 7594932adf..4f7ed2373d 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -125,8 +125,10 @@ SEVFIRMWAREPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
 AGENTCONFIGFILEPATH := /etc/agent-config.toml
 AGENTCONFIGFILEKERNELPARAM := agent.config_file=$(AGENTCONFIGFILEPATH)
-TDXKERNELPARAMS := tdx_disable_filter
-SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM)
+ROOTMEASURECONFIG ?= ""
+TDXKERNELPARAMS := tdx_disable_filter $(ROOTMEASURECONFIG)
+SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) $(ROOTMEASURECONFIG)
+KERNELPARAMS += $(ROOTMEASURECONFIG)
 # Name of default configuration file the runtime will use.
 CONFIG_FILE = configuration.toml
diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
index 05d783de87..d32a0130a6 100755
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@@ -68,6 +68,9 @@ build_image() {
 IMG_OS_VERSION="${img_os_version}" \
 ROOTFS_BUILD_DEST="${builddir}/rootfs-image"
 mv -f "kata-containers.img" "${install_dir}/${image_name}"
+ if [ -e "root_hash.txt" ]; then
+ cp root_hash.txt "${install_dir}/"
+ fi
 (
 cd "${install_dir}"
 ln -sf "${image_name}" kata-containers.img
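Review bot: `ROOTMEASURECONFIG ?= ""` does not give the variable an empty default, because make keeps the two quote characters as its value; with no root hash supplied, `TDXKERNELPARAMS`, `SEVKERNELPARAMS` and `KERNELPARAMS` each gain a literal `""` token. Whether those quotes survive into the generated configuration depends on how the values are substituted later, which is not visible in this hunk, so the default is better written as `ROOTMEASURECONFIG ?=`. With the default in effect, the TDX and SEV configurations are also produced without any rootfs verification parameters and without a diagnostic; a `$(warning ...)` when the variable is empty would make an unmeasured build visible in the build log.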
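Review bot: The `-e "root_hash.txt"` test cannot tell a hash written by this build from one left in the working directory by an earlier build, so a stale digest can be installed next to a new image it does not describe. Removing the file before the image build starts (`rm -f root_hash.txt`, above this hunk) would make its presence mean the current build produced it. The copy also lands under a fixed name rather than one derived from `${image_name}`, so two images installed into the same `${install_dir}` would share a single hash file. build_image() starts above the hunk and continues past it.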
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 9331b333d4..8a196b3226 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -150,7 +150,15 @@ install_cc_shimv2() {
 GO_VERSION="$(yq r ${versions_yaml} languages.golang.meta.newest-version)"
 export GO_VERSION
 export REMOVE_VMM_CONFIGS="acrn fc"
- DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="DEFSERVICEOFFLOAD=true" "${shimv2_builder}"
+
+ extra_opts="DEFSERVICEOFFLOAD=true"
+ if [ -f "${repo_root_dir}/tools/osbuilder/root_hash.txt" ]; then
+ root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder//root_hash.txt")
+ root_measure_config="cc_rootfs_verity.scheme=dm-verity cc_rootfs_verity.hash=${root_hash}"
+ extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
+ fi
+
+ DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
 }
 # Install static CC virtiofsd asset
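Review bot: `root_hash` goes into `cc_rootfs_verity.hash=` without any check, so a `root_hash.txt` that has no `Root hash:` line, or more than one, yields an empty or multi-line value that is still baked into the shim's kernel parameters. Validate that the extracted value is a single hex string and stop the build otherwise, as in the excerpt below. The excerpt also reads the file through one path variable (the `sed` call currently spells it with `//`), drops the GNU-only `\s`, and drops `sudo`, which a read should not need unless the file is unreadable to the build user (to be confirmed). When the file is absent the confidential-containers shim is built with no verity parameters and no message, so the excerpt adds a warning on that path. install_cc_shimv2() starts above the hunk.

```shell
	extra_opts="DEFSERVICEOFFLOAD=true"
	root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt"
	if [ -f "${root_hash_file}" ]; then
		root_hash=$(sed -n -e 's/Root hash:[[:space:]]*//p' "${root_hash_file}")
		# Refuse to build with an empty, multi-line or non-hex digest.
		if [[ ! "${root_hash}" =~ ^[0-9a-fA-F]+$ ]]; then
			echo "ERROR: no valid root hash in ${root_hash_file}" >&2
			exit 1
		fi
		# … unchanged: root_measure_config and extra_opts+= assignments …
	else
		echo "WARNING: ${root_hash_file} not found; building without rootfs verity parameters" >&2
	fi
	# … unchanged: shimv2_builder invocation …
```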