github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-24 02:07:31 +00:00
Code Issues Projects Releases Wiki Activity

Merge commit from fork

Browse Source 
Fix malicious host can circumvent initdata verification on TDX
This commit is contained in:
Steve Horsman
2025-09-23 13:31:29 +01:00
committed by GitHub
parent a9ec8ef21f 96108006f2
commit 3e67f92e34
2 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/agent/src/main.rs
View File

@@ -30,6 +30,7 @@ use nix::unistd::{self, dup, sync, Pid};
use std::env; use std::env;
use std::ffi::OsStr; use std::ffi::OsStr;
use std::fs::{self, File}; use std::fs::{self, File};
use std::io::ErrorKind;
use std::os::unix::fs::{self as unixfs, FileTypeExt}; use std::os::unix::fs::{self as unixfs, FileTypeExt};
use std::os::unix::io::AsRawFd; use std::os::unix::io::AsRawFd;
use std::path::Path; use std::path::Path;
@@ -465,8 +466,17 @@ fn attestation_binaries_available(logger: &Logger, procs: &GuestComponentsProcs)
_ => vec![], _ => vec![],
}; };
for binary in binaries.iter() { for binary in binaries.iter() {
if !Path::new(binary).exists() { let exists = Path::new(binary).try_exists().unwrap_or_else(|error| {
match error.kind() {
ErrorKind::NotFound => {
warn!(logger, "{} not found", binary); warn!(logger, "{} not found", binary);
false
},
_ => panic!("Path existence check failed for '{}': {}", binary, error)
}
});
if !exists {
return false; return false;
} }
} }

2
tools/packaging/static-build/initramfs/init.sh
View File

@@ -48,7 +48,7 @@ then
exit 1 exit 1
fi fi
veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}" veritysetup open --panic-on-corruption "${root_device}" root "${hash_device}" "${rootfs_hash}"
mount /dev/mapper/root /mnt mount /dev/mapper/root /mnt
else else
echo "No LUKS device found" echo "No LUKS device found"