diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index cb93fd1a15..31753b3769 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -300,7 +300,7 @@ install_cached_kernel_tarball_component() {
 install_kernel_helper() {
 local kernel_version_yaml_path="${1}"
 local kernel_name="${2}"
- local extra_cmd=${3}
+ local extra_cmd="${3:-}"
 export kernel_version="$(get_from_kata_deps ${kernel_version_yaml_path})"
 export kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
@@ -317,6 +317,9 @@ install_kernel_helper() {
 if [ "${MEASURED_ROOTFS}" == "yes" ]; then
 info "build initramfs for cc kernel"
 "${initramfs_builder}"
+ # Turn on the flag to build the kernel with support to
+ # measured rootfs.
+ extra_cmd+=" -m"
 fi
 info "build ${kernel_name}"
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index 8119be7047..55a28a2347 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -64,11 +64,11 @@ PREFIX="${PREFIX:-/usr}"
 kernel_url=""
 #Linux headers for GPU guest fs module building
 linux_headers=""
+# Enable measurement of the guest rootfs at boot.
+measured_rootfs="false"
 CROSS_BUILD_ARG=""
-MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
-
 packaging_scripts_dir="${script_dir}/../scripts"
 source "${packaging_scripts_dir}/lib.sh"
@@ -103,6 +103,7 @@ Options:
 -g : GPU vendor, intel or nvidia.
 -h : Display this help.
 -H : Linux headers for guest fs module building.
+ -m : Enable measured rootfs.
 -k : Path to kernel to build.
 -p : Path to a directory with patches to apply to kernel.
 -s : Skip .config checks 
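Review bot: The comment above `extra_cmd+=" -m"` restates the code instead of recording why the flag is needed here: the static-build wrapper in this same commit stops forwarding `MEASURED_ROOTFS` into the build container, so this append is now the only place the `MEASURED_ROOTFS=yes` convention this helper still tests is translated into something build-kernel.sh understands. Suggested comment in place of the two added lines: `# build-kernel.sh no longer reads MEASURED_ROOTFS; pass its -m flag so the kernel gets the cryptsetup config fragment and the bundled initramfs.` Appending to a space-separated string also presumes `${extra_cmd}` is expanded unquoted where build-kernel.sh is invoked; that call is outside the hunk, as is the rest of install_kernel_helper.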
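Review bot: A caller that still exports `MEASURED_ROOTFS=yes` without passing `-m` now builds a kernel without the cryptsetup config fragment and without the bundled initramfs, and nothing tells it so, because the new `measured_rootfs="false"` default replaces the `MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}` read with no check for the old variable. For an option whose purpose is guest rootfs integrity a silent off is the wrong failure mode, and the static-build hunk of this commit removes the `--env MEASURED_ROOTFS` pass-through, so any remaining exporter of that variable is affected. A one-line guard after lib.sh is sourced makes the migration loud: `[ -z "${MEASURED_ROOTFS:-}" ] || die "MEASURED_ROOTFS is no longer honoured; pass -m to build-kernel.sh instead"`. The kata-deploy helper in this commit keeps the variable on its side and translates it to `-m`, so it would not trip the guard.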
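Review bot: `-m : Enable measured rootfs.` does not tell the user what the flag changes in the build; the later hunks in this file show it adds the confidential_containers cryptsetup config fragment and copies `${default_initramfs}` into the tree, so the help line can say so: `-m : Build with measured rootfs support (cryptsetup config fragment, bundled initramfs).` Placing it between -H and -k also breaks the alphabetical order the usage block otherwise follows, and getopts lists `m` after `k:`; moving the line below `-k` keeps both consistent.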
@@ -270,7 +271,7 @@ get_kernel_frag_path() {
 all_configs="${all_configs} ${gpu_configs}"
 fi
- if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+ if [ "${measured_rootfs}" == "true" ]; then
 info "Enabling config for confidential guest trust storage protection"
 local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)"
 all_configs="${all_configs} ${cryptsetup_configs}"
@@ -431,7 +432,7 @@ setup_kernel() {
 [ -n "${hypervisor_target}" ] || hypervisor_target="kvm"
 [ -n "${kernel_config_path}" ] || kernel_config_path=$(get_default_kernel_config "${kernel_version}" "${hypervisor_target}" "${arch_target}" "${kernel_path}")
- if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -f "${default_initramfs}" ]; then
+ if [ "${measured_rootfs}" == "true" ] && [ -f "${default_initramfs}" ]; then
 info "Copying initramfs from: ${default_initramfs}"
 cp "${default_initramfs}" ./
 fi
@@ -538,7 +539,7 @@ install_kata() {
 }
 main() {
- while getopts "a:b:c:deEfg:hH:k:p:t:u:v:x:" opt; do
+ while getopts "a:b:c:deEfg:hH:k:mp:t:u:v:x:" opt; do
 case "$opt" in
 a)
 arch_target="${OPTARG}"
@@ -572,6 +573,9 @@ main() {
 H)
 linux_headers="${OPTARG}"
 ;;
+ m)
+ measured_rootfs="true"
+ ;;
 k)
 kernel_path="$(realpath ${OPTARG})"
 ;;
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index 415196e47f..078fa0fe57 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-118
+119
diff --git a/tools/packaging/static-build/kernel/build.sh b/tools/packaging/static-build/kernel/build.sh
index b8deea4f09..cbf7dc30f7 100755
--- a/tools/packaging/static-build/kernel/build.sh
+++ b/tools/packaging/static-build/kernel/build.sh
@@ -39,7 +39,6 @@ sudo docker pull ${container_image} || \
 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 -w "${PWD}" \
- --env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \
 "${container_image}" \
 bash -c "${kernel_builder} -a ${ARCH} $* setup"
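Review bot: The branch the new `measured_rootfs` test enables still locates its config with `local cryptsetup_configs="$(ls …/cryptsetup.conf)"`, so if that fragment is missing the `ls` failure is masked by the `local` assignment, `cryptsetup_configs` is empty, and a `-m` build proceeds without the cryptsetup-related options while still printing "Enabling config for confidential guest trust storage protection". The same silent skip exists at the -431 hunk, where `-m` with no existing `${default_initramfs}` just omits the initramfs copy. When the operator explicitly asked for a measured rootfs, a missing input should fail the build: `local cryptsetup_conf="${common_path}/confidential_containers/cryptsetup.conf"` followed by `[ -f "${cryptsetup_conf}" ] || die "measured rootfs requested but ${cryptsetup_conf} is missing"` here, and at -431 `[ -f "${default_initramfs}" ] || die "measured rootfs requested but ${default_initramfs} is missing"` in place of the `&&` clause, unless a later step is expected to supply the initramfs, in which case a comment should say so. get_kernel_frag_path and setup_kernel both continue outside their hunks.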