github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-01 17:06:28 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #10466 from kata-containers/topic/ensure-shim-v2-sets-the-measured-rootfs-parameters-to-the-config

Browse Source 
re-enable measured rootfs build & tests
This commit is contained in:
Steve Horsman
2024-10-28 13:11:50 +00:00
committed by GitHub
parent b5f503b0b5 b70d7c1aac
commit 51bc71b8d9
10 changed files with 425 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
.github/workflows/build-kata-static-tarball-amd64.yaml vendored
View File

@@ -53,11 +53,6 @@ jobs:
- qemu
- qemu-snp-experimental
- stratovirt
- rootfs-image
- rootfs-image-confidential
- rootfs-image-mariner
- rootfs-initrd
- rootfs-initrd-confidential
- runk
- trace-forwarder
- virtiofsd
@@ -134,7 +129,7 @@ jobs:
push-to-registry: true
- name: store-artifact ${{ matrix.asset }}
if: ${{ matrix.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }}
if: ${{ matrix.stage != 'release' }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
@@ -142,9 +137,17 @@ jobs:
retention-days: 15
if-no-files-found: error
build-asset-shim-v2:
build-asset-rootfs:
runs-on: ubuntu-22.04
needs: build-asset
strategy:
matrix:
asset:
- rootfs-image
- rootfs-image-confidential
- rootfs-image-mariner
- rootfs-initrd
- rootfs-initrd-confidential
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -165,9 +168,73 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build ${{ matrix.asset }}
id: build
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15
if-no-files-found: error
build-asset-shim-v2:
runs-on: ubuntu-22.04
needs: [build-asset, build-asset-rootfs]
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build shim-v2
id: build
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
@@ -181,6 +248,7 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
MEASURED_ROOTFS: yes
- name: store-artifact shim-v2
uses: actions/upload-artifact@v4
@@ -192,7 +260,7 @@ jobs:
create-kata-tarball:
runs-on: ubuntu-22.04
needs: [build-asset, build-asset-shim-v2]
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
steps:
- uses: actions/checkout@v4
with:

76
.github/workflows/build-kata-static-tarball-arm64.yaml vendored
View File

@@ -35,8 +35,6 @@ jobs:
- nydus
- qemu
- stratovirt
- rootfs-image
- rootfs-initrd
- virtiofsd
steps:
- name: Login to Kata Containers quay.io
@@ -75,7 +73,6 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
if: ${{ inputs.stage != 'release' || matrix.asset != 'agent' }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
@@ -83,9 +80,14 @@ jobs:
retention-days: 15
if-no-files-found: error
build-asset-shim-v2:
build-asset-rootfs:
runs-on: arm64-builder
needs: build-asset
strategy:
matrix:
asset:
- rootfs-image
- rootfs-initrd
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -106,8 +108,72 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build ${{ matrix.asset }}
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
if: ${{ inputs.stage != 'release' }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15
if-no-files-found: error
build-asset-shim-v2:
runs-on: arm64-builder
needs: [build-asset, build-asset-rootfs]
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build shim-v2
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
@@ -132,7 +198,7 @@ jobs:
create-kata-tarball:
runs-on: arm64-builder
needs: [build-asset, build-asset-shim-v2]
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
steps:
- name: Adjust a permission for repo
run: |

81
.github/workflows/build-kata-static-tarball-ppc64le.yaml vendored
View File

@@ -30,7 +30,6 @@ jobs:
- agent
- kernel
- qemu
- rootfs-initrd
- virtiofsd
stage:
- ${{ inputs.stage }}
@@ -76,7 +75,7 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
if: ${{ inputs.stage != 'release' || matrix.asset != 'agent' }}
if: ${{ inputs.stage != 'release' }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
@@ -84,9 +83,15 @@ jobs:
retention-days: 1
if-no-files-found: error
build-asset-shim-v2:
build-asset-rootfs:
runs-on: ppc64le
needs: build-asset
strategy:
matrix:
asset:
- rootfs-initrd
stage:
- ${{ inputs.stage }}
steps:
- name: Prepare the self-hosted runner
run: |
@@ -112,8 +117,76 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build ${{ matrix.asset }}
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 1
if-no-files-found: error
build-asset-shim-v2:
runs-on: ppc64le
needs: [build-asset, build-asset-rootfs]
steps:
- name: Prepare the self-hosted runner
run: |
${HOME}/scripts/prepare_runner.sh
sudo rm -rf $GITHUB_WORKSPACE/*
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build shim-v2
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
@@ -138,7 +211,7 @@ jobs:
create-kata-tarball:
runs-on: ppc64le
needs: [build-asset, build-asset-shim-v2]
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
steps:
- name: Adjust a permission for repo
run: |

90
.github/workflows/build-kata-static-tarball-s390x.yaml vendored
View File

@@ -38,10 +38,6 @@ jobs:
- kernel-confidential
- pause-image
- qemu
- rootfs-image
- rootfs-image-confidential
- rootfs-initrd
- rootfs-initrd-confidential
- virtiofsd
env:
PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
@@ -106,7 +102,70 @@ jobs:
push-to-registry: true
- name: store-artifact ${{ matrix.asset }}
if: ${{ inputs.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }}
if: ${{ inputs.stage != 'release' }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15
if-no-files-found: error
build-asset-rootfs:
runs-on: s390x
needs: build-asset
strategy:
matrix:
asset:
- rootfs-image
- rootfs-image-confidential
- rootfs-initrd
- rootfs-initrd-confidential
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build ${{ matrix.asset }}
id: build
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
@@ -116,7 +175,7 @@ jobs:
build-asset-boot-image-se:
runs-on: s390x
needs: build-asset
needs: [build-asset, build-asset-rootfs]
steps:
- uses: actions/checkout@v4
@@ -142,11 +201,7 @@ jobs:
- name: Build boot-image-se
run: |
base_dir=tools/packaging/kata-deploy/local-build/
cp -r kata-artifacts ${base_dir}/build
# Skip building dependant artifacts of boot-image-se-tarball
# because we already have them from the previous build
sed -i 's/\(^boot-image-se-tarball:\).*/\1/g' ${base_dir}/Makefile
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "boot-image-se"
make boot-image-se-tarball
build_dir=$(readlink -f build)
sudo cp -r "${build_dir}" "kata-build"
@@ -164,7 +219,7 @@ jobs:
build-asset-shim-v2:
runs-on: s390x
needs: build-asset
needs: [build-asset, build-asset-rootfs]
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -185,9 +240,17 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build shim-v2
id: build
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
@@ -201,6 +264,7 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
MEASURED_ROOTFS: yes
- name: store-artifact shim-v2
uses: actions/upload-artifact@v4
@@ -212,7 +276,7 @@ jobs:
create-kata-tarball:
runs-on: s390x
needs: [build-asset, build-asset-boot-image-se, build-asset-shim-v2]
needs: [build-asset, build-asset-rootfs, build-asset-boot-image-se, build-asset-shim-v2]
steps:
- uses: actions/checkout@v4
with:

3
src/runtime/Makefile
View File

@@ -151,8 +151,8 @@ FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
SNPCERTSPATH := /opt/snp/cert_chain.cert
ROOTMEASURECONFIG ?= ""
KERNELPARAMS += $(ROOTMEASURECONFIG)
KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
KERNELQEMUCOCODEVPARAMS += $(ROOTMEASURECONFIG)
# Name of default configuration file the runtime will use.
CONFIG_FILE = configuration.toml
@@ -646,6 +646,7 @@ USER_VARS += DEFMACHINETYPE_CLH
USER_VARS += DEFMACHINETYPE_STRATOVIRT
USER_VARS += KERNELPARAMS
USER_VARS += KERNELTDXPARAMS
USER_VARS += KERNELQEMUCOCODEVPARAMS
USER_VARS += LIBEXECDIR
USER_VARS += LOCALSTATEDIR
USER_VARS += PKGDATADIR

2
src/runtime/config/configuration-qemu-coco-dev.toml.in
View File

@@ -73,7 +73,7 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
# may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries.
kernel_params = "@KERNELPARAMS@"
kernel_params = "@KERNELQEMUCOCODEVPARAMS@"
# Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty

36
tests/gha-adjust-to-use-prebuilt-components.sh Executable file
View File

@@ -0,0 +1,36 @@
#!/usr/bin/env bash
#
# Copyright (c) 2024 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o nounset
set -o pipefail
this_script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
repo_root_dir="$(cd "${this_script_dir}/../" && pwd)"
base_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build"
build_dir="${base_dir}/build"
function main() {
artifacts_dir="${1:-}"
asset="${2:-}"
if [ -z "${artifacts_dir}" ]; then
echo "The artefacts directory must be passed as the first argument to this script."
exit 1
fi
if [ -z "${asset}" ]; then
echo "The asset must be passed as the second argument to this script."
exit 1
fi
mv ${artifacts_dir} ${build_dir}
sed -i "s/\(^${asset}-tarball:\).*/\1/g" ${base_dir}/Makefile
}
main "$@"

27
tests/integration/kubernetes/k8s-measured-rootfs.bats
View File

@@ -5,16 +5,19 @@
# SPDX-License-Identifier: Apache-2.0
#
load "${BATS_TEST_DIRNAME}/../../common.bash"
load "${BATS_TEST_DIRNAME}/lib.sh"
load "${BATS_TEST_DIRNAME}/tests_common.sh"
check_and_skip() {
# Currently the kernel-confidential, isn't built withh measured rootfs support, so this test
# should be skipped until it is
# See https://github.com/kata-containers/kata-containers/issues/9612,
# https://github.com/kata-containers/kata-containers/issues/7235
# and https://github.com/kata-containers/kata-containers/issues/7415
skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR"
case "${KATA_HYPERVISOR}" in
qemu-tdx|qemu-coco-dev)
return
;;
*)
skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR"
;;
esac
}
setup() {
@@ -25,11 +28,10 @@ setup() {
@test "Test cannnot launch pod with measured boot enabled and incorrect hash" {
pod_config="$(new_pod_config nginx "kata-${KATA_HYPERVISOR}")"
incorrect_hash="5180b1568c2ba972e4e06ee0a55976acae8329f2a5d1d2004395635e1ec4a76e"
incorrect_hash="1111111111111111111111111111111111111111111111111111111111111111"
# Despite the kernel being built with support, it is not currently enabled
# on configuration.toml. To avoid editing that file on the worker node,
# here it will be enabled via pod annotations.
# To avoid editing that file on the worker node, here it will be
# enabled via pod annotations.
set_metadata_annotation "$pod_config" \
"io.katacontainers.config.hypervisor.kernel_params" \
"rootfs_verity.scheme=dm-verity rootfs_verity.hash=$incorrect_hash"
@@ -45,10 +47,9 @@ setup() {
echo "Pod $pod_config file:"
cat $pod_config
assert_pod_fail "$pod_config"
kubectl apply -f $pod_config
assert_logs_contain "$node" kata "$node_start_time" \
'verity: .* metadata block .* is corrupted'
waitForProcess "60" "3" "exec_host $node journalctl -t kata | grep \"verity: .* metadata block .* is corrupted\""
}
teardown() {

71
tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
View File

@@ -166,6 +166,12 @@ get_kernel_modules_dir() {
echo ${kernel_modules_dir}
}
cleanup_and_fail_shim_v2_specifics() {
rm -f "${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/shim-v2-root_hash.txt"
return $(cleanup_and_fail "${1:-}" "${2:-}")
}
cleanup_and_fail() {
local component_tarball_name="${1:-}"
local extra_tarballs="${2:-}"
@@ -184,6 +190,36 @@ cleanup_and_fail() {
return 1
}
install_cached_shim_v2_tarball_get_root_hash() {
if [ "${MEASURED_ROOTFS}" != "yes" ]; then
return 0
fi
local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
local image_conf_tarball="kata-static-rootfs-image-confidential.tar.xz"
local root_hash_basedir="./opt/kata/share/kata-containers/"
tar xvf "${tarball_dir}/${image_conf_tarball}" ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,
mv root_hash.txt "${tarball_dir}/root_hash.txt"
return 0
}
install_cached_shim_v2_tarball_compare_root_hashes() {
if [ "${MEASURED_ROOTFS}" != "yes" ]; then
return 0
fi
local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
[ -f shim-v2-root_hash.txt ] || return 1
diff "${tarball_dir}/root_hash.txt" shim-v2-root_hash.txt || return 1
return 0
}
install_cached_tarball_component() {
if [ "${USE_CACHE}" != "yes" ]; then
return 1
@@ -198,6 +234,10 @@ install_cached_tarball_component() {
# "tarball1_name:tarball1_path tarball2_name:tarball2_path ... tarballN_name:tarballN_path"
local extra_tarballs="${6:-}"
if [ "${component}" = "shim-v2" ]; then
install_cached_shim_v2_tarball_get_root_hash
fi
oras pull ${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) || return 1
cached_version="$(cat ${component}-version)"
@@ -206,10 +246,14 @@ install_cached_tarball_component() {
rm -f ${component}-version
rm -f ${component}-builder-image-version
[ "${cached_image_version}" != "${current_image_version}" ] && return 1
[ "${cached_version}" != "${current_version}" ] && return 1
[ "${cached_image_version}" != "${current_image_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
[ "${cached_version}" != "${current_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
sha256sum -c "${component}-sha256sum" || return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
if [ "${component}" = "shim-v2" ]; then
install_cached_shim_v2_tarball_compare_root_hashes || return $(cleanup_and_fail_shim_v2_specifics "${component_tarball_path}" "${extra_tarballs}")
fi
info "Using cached tarball of ${component}"
mv "${component_tarball_name}" "${component_tarball_path}"
@@ -777,6 +821,7 @@ install_shimv2() {
export GO_VERSION
export RUST_VERSION
export MEASURED_ROOTFS
DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
}
@@ -1145,6 +1190,21 @@ handle_build() {
fi
tar tvf "${modules_final_tarball_path}"
;;
shim-v2)
if [ "${MEASURED_ROOTFS}" = "yes" ]; then
local image_conf_tarball="${workdir}/kata-static-rootfs-image-confidential.tar.xz"
if [ ! -f "${image_conf_tarball}" ]; then
die "Building the shim-v2 with MEASURED_ROOTFS support requires a rootfs confidential image tarball"
fi
local root_hash_basedir="./opt/kata/share/kata-containers/"
if ! tar xvf ${image_conf_tarball} ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,; then
die "Building the shim-v2 with MEASURED_ROOTFS support requres a rootfs confidential image tarball built with MEASURED_ROOTFS support"
fi
mv root_hash.txt shim-v2-root_hash.txt
fi
;;
esac
pushd ${workdir}
@@ -1210,6 +1270,13 @@ handle_build() {
"kata-static-${build_target}-modules.tar.xz"
)
;;
shim-v2)
if [ "${MEASURED_ROOTFS}" = "yes" ]; then
files_to_push+=(
"shim-v2-root_hash.txt"
)
fi
;;
*)
;;
esac

3
tools/packaging/static-build/shim-v2/build.sh
View File

@@ -28,7 +28,8 @@ EXTRA_OPTS="${EXTRA_OPTS:-""}"
if [ "${MEASURED_ROOTFS}" == "yes" ]; then
info "Enable rootfs measurement config"
root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt"
root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/root_hash.txt"
[ -f "$root_hash_file" ] || \
die "Root hash file for measured rootfs not found at ${root_hash_file}"