kernel: measured rootfs as argument to build-kernel.sh

By convention the caller of tools/packaging/kernel/build-kernel.sh changes
the script behavior by passing arguments, whereas, for measured rootfs
it has used an environment variable (MEASURED_ROOTFS). This refactor
the script so that the caller now must pass the "-m" argument to enable
the build of the kernel with measured rootfs support.

Fixes #6674
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -300,7 +300,7 @@ install_cached_kernel_tarball_component() {
 install_kernel_helper() {
 	local kernel_version_yaml_path="${1}"
 	local kernel_name="${2}"
-	local extra_cmd=${3}
+	local extra_cmd="${3:-}"
 
 	export kernel_version="$(get_from_kata_deps ${kernel_version_yaml_path})"
 	export kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
@@ -317,6 +317,9 @@ install_kernel_helper() {
 	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
 		info "build initramfs for cc kernel"
 		"${initramfs_builder}"
+		# Turn on the flag to build the kernel with support to
+		# measured rootfs.
+		extra_cmd+=" -m"
 	fi
 
 	info "build ${kernel_name}"

tools/packaging/kernel/build-kernel.sh

@@ -64,11 +64,11 @@ PREFIX="${PREFIX:-/usr}"
 kernel_url=""
 #Linux headers for GPU guest fs module building
 linux_headers=""
+# Enable measurement of the guest rootfs at boot.
+measured_rootfs="false"
 
 CROSS_BUILD_ARG=""
 
-MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
-
 packaging_scripts_dir="${script_dir}/../scripts"
 source "${packaging_scripts_dir}/lib.sh"
 
@@ -103,6 +103,7 @@ Options:
 	-g <vendor> 	: GPU vendor, intel or nvidia.
 	-h          	: Display this help.
 	-H <deb|rpm>	: Linux headers for guest fs module building.
+	-m              : Enable measured rootfs.
 	-k <path>   	: Path to kernel to build.
 	-p <path>   	: Path to a directory with patches to apply to kernel.
 	-s          	: Skip .config checks
@@ -270,7 +271,7 @@ get_kernel_frag_path() {
 		all_configs="${all_configs} ${gpu_configs}"
 	fi
 
-	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+	if [ "${measured_rootfs}" == "true" ]; then
 		info "Enabling config for confidential guest trust storage protection"
 		local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)"
 		all_configs="${all_configs} ${cryptsetup_configs}"
@@ -431,7 +432,7 @@ setup_kernel() {
 	[ -n "${hypervisor_target}" ] || hypervisor_target="kvm"
 	[ -n "${kernel_config_path}" ] || kernel_config_path=$(get_default_kernel_config "${kernel_version}" "${hypervisor_target}" "${arch_target}" "${kernel_path}")
 
-	if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -f "${default_initramfs}" ]; then
+	if [ "${measured_rootfs}" == "true" ] && [ -f "${default_initramfs}" ]; then
 		info "Copying initramfs from: ${default_initramfs}"
 		cp "${default_initramfs}" ./
 	fi
@@ -538,7 +539,7 @@ install_kata() {
 }
 
 main() {
-	while getopts "a:b:c:deEfg:hH:k:p:t:u:v:x:" opt; do
+	while getopts "a:b:c:deEfg:hH:k:mp:t:u:v:x:" opt; do
 		case "$opt" in
 			a)
 				arch_target="${OPTARG}"
@@ -572,6 +573,9 @@ main() {
 			H)
 				linux_headers="${OPTARG}"
 				;;
+			m)
+				measured_rootfs="true"
+				;;
 			k)
 				kernel_path="$(realpath ${OPTARG})"
 				;;

tools/packaging/kernel/kata_config_version

@@ -1 +1 @@
-118
+119

tools/packaging/static-build/kernel/build.sh

@@ -39,7 +39,6 @@ sudo docker pull ${container_image} || \
 
 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 	-w "${PWD}" \
-	--env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \
 	"${container_image}" \
 	bash -c "${kernel_builder} -a ${ARCH} $* setup"