diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 2d548b74cd..4cd7520702 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -154,6 +154,8 @@ FIRMWARETDVFVOLUMEPATH :=
 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
 ROOTMEASURECONFIG ?= ""
+ROOTMEASURECONFIG_NV ?= ""
+
 KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
 KERNELQEMUCOCODEVPARAMS += $(ROOTMEASURECONFIG)
@@ -478,6 +480,7 @@ ifneq (,$(QEMUCMD))
 KERNELPARAMS_NV = "agent.hotplug_timeout=20"
 KERNELPARAMS_NV += "cgroup_no_v1=all"
+ KERNELPARAMS_NV += $(ROOTMEASURECONFIG_NV)
 KERNELTDXPARAMS_NV = $(KERNELPARAMS_NV)
 KERNELTDXPARAMS_NV += "authorize_allow_devs=pci:ALL"
diff --git a/tools/osbuilder/image-builder/image_builder.sh b/tools/osbuilder/image-builder/image_builder.sh
index 04aaaf960a..d909d88aa7 100755
--- a/tools/osbuilder/image-builder/image_builder.sh
+++ b/tools/osbuilder/image-builder/image_builder.sh
@@ -23,6 +23,7 @@ ARCH=${ARCH:-$(uname -m)}
 [ "${TARGET_ARCH}" == "aarch64" ] && TARGET_ARCH=arm64
 TARGET_OS=${TARGET_OS:-linux}
 [ "${CROSS_BUILD}" == "true" ] && BUILDX=buildx && PLATFORM="--platform=${TARGET_OS}/${TARGET_ARCH}"
+VARIANT=${VARIANT:-}
 readonly script_name="${0##*/}"
 readonly script_dir=$(dirname "$(readlink -f "$0")")
@@ -177,6 +178,7 @@ build_with_container() {
 --env USER="$(id -u)" \
 --env GROUP="$(id -g)" \
 --env IMAGE_SIZE_ALIGNMENT_MB="${IMAGE_SIZE_ALIGNMENT_MB}" \
+ --env VARIANT="${VARIANT}" \
 -v /dev:/dev \
 -v "${script_dir}":"/osbuilder" \
 -v "${script_dir}/../scripts":"/scripts" \
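Review bot: `KERNELPARAMS_NV += $(ROOTMEASURECONFIG_NV)` appends the dm-verity root hash to the base NVIDIA parameter set instead of to the confidential-only sets, which is not how the non-NV side is wired: the first hunk of this file adds `$(ROOTMEASURECONFIG)` to KERNELTDXPARAMS and KERNELQEMUCOCODEVPARAMS only, never to KERNELPARAMS. If KERNELPARAMS_NV also feeds a non-confidential nvidia-gpu configuration (not visible in this hunk), that guest's kernel command line would carry `rootfs_verity.hash=` for the nvidia-gpu-confidential rootfs, an image it does not boot. Mirroring the non-NV pattern with `KERNELTDXPARAMS_NV += $(ROOTMEASURECONFIG_NV)` (plus the SNP/CoCo-dev NV equivalents, if they exist) after the `KERNELTDXPARAMS_NV = $(KERNELPARAMS_NV)` line keeps the hash on the measured variants only. The `ifneq (,$(QEMUCMD))` block starts before and continues after the hunk.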
@@ -487,7 +489,8 @@ create_rootfs_image() {
 if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -b "${device}p2" ]; then
 info "veritysetup format rootfs device: ${device}p1, hash device: ${device}p2"
 local image_dir=$(dirname "${image}")
- veritysetup format "${device}p1" "${device}p2" > "${image_dir}"/root_hash.txt 2>&1
+ veritysetup format "${device}p1" "${device}p2" > "${image_dir}"/root_hash_${VARIANT}.txt 2>&1
+ OK "Root hash file created for variant: ${VARIANT}"
 fi
 losetup -d "${device}"
diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
index b0f896c7b7..2b6936306d 100755
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@@ -86,8 +86,9 @@ build_image() {
 fi
 mv -f "kata-containers.img" "${install_dir}/${artifact_name}"
- if [ -e "root_hash.txt" ]; then
- cp root_hash.txt "${install_dir}/"
+ info "Copying root hash file for variant: ${image_initrd_suffix} $PWD"
+ if [ -e "root_hash_${image_initrd_suffix}.txt" ]; then
+ cp "root_hash_${image_initrd_suffix}.txt" "${install_dir}/"
 fi
 ( cd "${install_dir}"
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 1741850522..455b421aa6 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -195,7 +195,10 @@ get_kernel_modules_dir() {
 }
 cleanup_and_fail_shim_v2_specifics() {
- rm -f "${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/shim-v2-root_hash.txt"
+ for variant in confidential nvidia-gpu-confidential; do
+ local root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/shim-v2-root_hash_${variant}.txt"
+ [ -f "${root_hash_file}" ] && rm -f "${root_hash_file}"
+ done
 return $(cleanup_and_fail "${1:-}" "${2:-}")
 }
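Review bot: With the default `VARIANT=${VARIANT:-}` set at the top of this script, a measured build that is not given VARIANT writes its hash to `root_hash_.txt`, a name none of the `root_hash_${variant}.txt` consumers elsewhere in this diff look for, so the root hash silently goes missing instead of failing here. A guard before the veritysetup line, `[ -n "${VARIANT}" ] || die "MEASURED_ROOTFS=yes requires VARIANT to name the root hash file"`, makes the requirement explicit (die belongs to the same helper family as the info/OK calls this script already makes; confirm it is in scope). Note also that `2>&1` sends a veritysetup failure into the same file, which the downstream `sed -e 's/Root hash:\s*//g;t;d'` consumer then reads as an empty hash; checking veritysetup's exit status, or not redirecting stderr into the hash file, would surface that at the source. create_rootfs_image() starts before and continues after the hunk.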
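Review bot: The `if [ -e "root_hash_${image_initrd_suffix}.txt" ]` branch still skips silently when the file is absent, so an image built with MEASURED_ROOTFS=yes whose veritysetup step produced no hash ships without one and the failure only shows up later in shim-v2/build.sh. If MEASURED_ROOTFS is visible in this script (it is not in the hunk), `[ "${MEASURED_ROOTFS:-}" != "yes" ] || [ -e "root_hash_${image_initrd_suffix}.txt" ] || die "MEASURED_ROOTFS=yes but root_hash_${image_initrd_suffix}.txt was not produced"` before the copy would fail where the problem is. The new `info` line also fires for every image build, including unmeasured ones; moving it inside the `if` avoids a misleading message. build_image() starts before and continues after the hunk.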
@@ -224,12 +227,22 @@ install_cached_shim_v2_tarball_get_root_hash() {
 fi
 local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
- local image_conf_tarball="kata-static-rootfs-image-confidential.tar.zst"
- local root_hash_basedir="./opt/kata/share/kata-containers/"
+ local found_any=""
- tar --zstd -xvf "${tarball_dir}/${image_conf_tarball}" ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,
- mv root_hash.txt "${tarball_dir}/root_hash.txt"
+ for variant in confidential nvidia-gpu-confidential; do
+ local image_conf_tarball="kata-static-rootfs-image-${variant}.tar.zst"
+ local tarball_path="${tarball_dir}/${image_conf_tarball}"
+
+ # If variant does not exist we skip the current iteration
+ [ ! -f "${tarball_path}" ] && continue
+
+ tar --zstd -xvf "${tarball_path}" "${root_hash_basedir}root_hash_${variant}.txt" --transform s,"${root_hash_basedir}",, || die "Failed to extract root hash from ${tarball_path}"
+ mv "root_hash_${variant}.txt" "${tarball_dir}/"
+ found_any="yes"
+ done
+
+ [ -z "${found_any}" ] && die "No files to copy for shim-v2 with MEASURED_ROOTFS support"
 return 0
 }
@@ -239,11 +252,17 @@ install_cached_shim_v2_tarball_compare_root_hashes() {
 return 0
 fi
+ local found_any=""
 local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
- [ -f shim-v2-root_hash.txt ] || return 1
+ for variant in confidential nvidia-gpu-confidential; do
+ # skip if one or the other does not exist
+ [ ! -f "${tarball_dir}/root_hash_${variant}.txt" ] && continue
- diff "${tarball_dir}/root_hash.txt" shim-v2-root_hash.txt || return 1
+ diff "${tarball_dir}/root_hash_${variant}.txt" "shim-v2-root_hash_${variant}.txt" || return 1
+ found_any="yes"
+ done
+ [ -z "${found_any}" ] && die "No root_hash_variant.txt files found for diff with MEASURED_ROOTFS support"
 return 0
 }
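Review bot: The tar call inside the loop still expands `${root_hash_basedir}`, but the hunk removes the only visible definition, `local root_hash_basedir="./opt/kata/share/kata-containers/"`; unless a file-scope root_hash_basedir exists outside this hunk, the member name collapses to `root_hash_${variant}.txt`, which is not the path under which the image tarball carries it, so every cached-tarball run ends in the `die` (or in an unbound-variable error if the script runs with `set -u`). Restoring `local root_hash_basedir="./opt/kata/share/kata-containers/"` next to `local found_any=""` fixes it; the install_shimv2 hunk further down declares the same local with the same value, so keeping the two in step is worth a look. install_cached_shim_v2_tarball_get_root_hash() starts before the hunk.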
@@ -605,8 +624,8 @@ install_initrd_nvidia_gpu() {
 # Instal NVIDIA GPU confidential image
 install_image_nvidia_gpu_confidential() {
 export AGENT_POLICY
+ export MEASURED_ROOTFS=yes
 EXTRA_PKGS="apt curl ${EXTRA_PKGS}"
- # TODO: export MEASURED_ROOTFS=yes
 NVIDIA_GPU_STACK=${NVIDIA_GPU_STACK:-"latest,compute,dcgm"}
 install_image "nvidia-gpu-confidential"
 }
@@ -754,6 +773,7 @@ install_kernel_nvidia_gpu() {
 #Install GPU and TEE enabled kernel asset
 install_kernel_nvidia_gpu_confidential() {
+ export MEASURED_ROOTFS=yes
 install_kernel_helper \
 "assets.kernel.confidential" \
 "kernel-nvidia-gpu-confidential" \
@@ -987,17 +1007,22 @@ install_shimv2() {
 export RUNTIME_CHOICE
 if [ "${MEASURED_ROOTFS}" = "yes" ]; then
- local image_conf_tarball="${workdir}/kata-static-rootfs-image-confidential.tar.zst"
- if [ ! -f "${image_conf_tarball}" ]; then
- die "Building the shim-v2 with MEASURED_ROOTFS support requires a rootfs confidential image tarball"
- fi
+ local found_any=""
+ for variant in confidential nvidia-gpu-confidential; do
+ local image_conf_tarball="$(find "${workdir}" -name "kata-static-rootfs-image-${variant}.tar.zst" 2>/dev/null | head -n 1)"
+ # only one variant may be built at a time so we need to
+ # skip one or the other if not available
+ [ -f "${image_conf_tarball}" ] || continue
- local root_hash_basedir="./opt/kata/share/kata-containers/"
- if ! tar --zstd -xvf ${image_conf_tarball} --transform s,${root_hash_basedir},, ${root_hash_basedir}root_hash.txt; then
- die "Building the shim-v2 with MEASURED_ROOTFS support requires a rootfs confidential image tarball built with MEASURED_ROOTFS support"
- fi
+ local root_hash_basedir="./opt/kata/share/kata-containers/"
+ if ! tar --zstd -xvf "${image_conf_tarball}" --transform s,"${root_hash_basedir}",, "${root_hash_basedir}root_hash_${variant}.txt"; then
+ die "Cannot extract root hash from ${image_conf_tarball} for shim-v2 with MEASURED_ROOTFS support, needs a rootfs with MEASURED_ROOTFS support"
+ fi
- mv root_hash.txt ${workdir}/root_hash.txt
+ mv "root_hash_${variant}.txt" "${workdir}/root_hash_${variant}.txt"
+ found_any="yes"
+ done
+ [ -z "${found_any}" ] && die "No root_hash_variant.txt files found for shim-v2 with MEASURED_ROOTFS support, needs a rootfs with MEASURED_ROOTFS support"
 fi
 DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
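Review bot: Replacing the exact path `${workdir}/kata-static-rootfs-image-${variant}.tar.zst` with `find "${workdir}" -name ... | head -n 1` makes the root hash that ends up on the guest kernel command line depend on whatever matching tarball exists anywhere under workdir, and with more than one match `head -n 1` picks an unspecified one; for a value that becomes part of the measured boot, that provenance should be deterministic. Nothing in the hunk needs the recursion, so `local image_conf_tarball="${workdir}/kata-static-rootfs-image-${variant}.tar.zst"` followed by the existing `[ -f "${image_conf_tarball}" ] || continue` preserves the skip-if-absent behaviour; if a subdirectory really is expected, `-maxdepth 1` at least bounds the search. install_shimv2() starts before and continues after the hunk.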
@@ -1440,7 +1465,9 @@ handle_build() {
 ;;
 shim-v2)
 if [ "${MEASURED_ROOTFS}" = "yes" ]; then
- mv ${workdir}/root_hash.txt ${workdir}/shim-v2-root_hash.txt
+ for variant in confidential nvidia-gpu-confidential; do
+ [ -f "${workdir}/root_hash_${variant}.txt" ] && mv "${workdir}/root_hash_${variant}.txt" "${workdir}/shim-v2-root_hash_${variant}.txt"
+ done
 fi
 ;;
 esac
@@ -1510,9 +1537,14 @@ handle_build() {
 ;;
 shim-v2)
 if [ "${MEASURED_ROOTFS}" = "yes" ]; then
- files_to_push+=(
- "shim-v2-root_hash.txt"
- )
+ local found_any=""
+ for variant in confidential nvidia-gpu-confidential; do
+ # The variants could be built independently we need to check if
+ # they exist and then push them to the registry
+ [ -f "${workdir}/shim-v2-root_hash_${variant}.txt" ] && files_to_push+=("shim-v2-root_hash_${variant}.txt")
+ found_any="yes"
+ done
+ [ -z "${found_any}" ] && die "No files to push for shim-v2 with MEASURED_ROOTFS support"
 fi
 ;;
 *)
diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh
index 5759d1604f..ae6ca2a2c5 100755
--- a/tools/packaging/static-build/shim-v2/build.sh
+++ b/tools/packaging/static-build/shim-v2/build.sh
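Review bot: In the push loop `found_any="yes"` runs unconditionally on every iteration, so the `[ -z "${found_any}" ] && die` after it can never fire and a shim-v2 build with MEASURED_ROOTFS=yes that produced no root hash file is pushed silently with nothing to attest against; the flag must be set only when a file was actually queued, e.g. `[ -f "${workdir}/shim-v2-root_hash_${variant}.txt" ] && { files_to_push+=("shim-v2-root_hash_${variant}.txt"); found_any="yes"; }`. handle_build() starts before and continues after the hunk.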
@@ -39,14 +39,26 @@ esac
 if [ "${MEASURED_ROOTFS}" == "yes" ]; then
 info "Enable rootfs measurement config"
- root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/root_hash.txt"
+ # Two VARIANTS (targets) that build a measured rootfs as of now are:
+ # - rootfs-image-confidential
+ # - rootfs-image-nvidia-gpu-confidential
+ #
+ found_any=""
+ for variant in confidential nvidia-gpu-confidential; do
+ root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/root_hash_${variant}.txt"
+ [ -f "$root_hash_file" ] || \
+ die "Root hash file for measured rootfs ${variant} not found at ${root_hash_file}"
- [ -f "$root_hash_file" ] || \
- die "Root hash file for measured rootfs not found at ${root_hash_file}"
+ found_any="yes"
- root_hash=$(sed -e 's/Root hash:\s*//g;t;d' "${root_hash_file}")
- root_measure_config="rootfs_verity.scheme=dm-verity rootfs_verity.hash=${root_hash}"
- EXTRA_OPTS+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
+ root_hash=$(sed -e 's/Root hash:\s*//g;t;d' "${root_hash_file}")
+ root_measure_config="rootfs_verity.scheme=dm-verity rootfs_verity.hash=${root_hash}"
+
+ [ "${variant}" == "confidential" ] && EXTRA_OPTS+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
+ [ "${variant}" == "nvidia-gpu-confidential" ] && EXTRA_OPTS+=" ROOTMEASURECONFIG_NV=\"${root_measure_config}\""
+
+ done
+ [ -z "${found_any}" ] && die "No root hash files found for shim-v2 with MEASURED_ROOTFS support, needs a rootfs with MEASURED_ROOTFS support"
 fi
 docker pull ${container_image} || \
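Review bot: Inside the loop `[ -f "$root_hash_file" ] || die ...` aborts as soon as either variant's hash file is absent, yet the install_shimv2 hunk earlier in this diff states that only one variant is built at a time and the other scripts skip a missing variant, so a single-variant measured build always dies here and the `found_any` check after the loop is unreachable; `[ -f "$root_hash_file" ] || continue` gives the skip semantics the rest of the change relies on. Since `root_hash` is spliced into the kernel command line that the TEE measures, it is also worth refusing anything that is not a hash before it is used, e.g. `[[ "${root_hash}" =~ ^[0-9a-f]{64}$ ]] || die "Malformed root hash in ${root_hash_file}"` (64 hex characters for veritysetup's default sha256; adjust if another --hash is configured), otherwise an empty or error-laden hash file yields `rootfs_verity.hash=` with nothing behind it. The `if [ "${MEASURED_ROOTFS}" == "yes" ]` block closes at the `fi` inside the hunk.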