Merge pull request #10466 from kata-containers/topic/ensure-shim-v2-sets-the-measured-rootfs-parameters-to-the-config

re-enable measured rootfs build & tests
This commit is contained in:
Steve Horsman
2024-10-28 13:11:50 +00:00
committed by GitHub
10 changed files with 425 additions and 48 deletions


@@ -53,11 +53,6 @@ jobs:
- qemu
- qemu-snp-experimental
- stratovirt
- rootfs-image
- rootfs-image-confidential
- rootfs-image-mariner
- rootfs-initrd
- rootfs-initrd-confidential
- runk
- trace-forwarder
- virtiofsd
@@ -134,7 +129,7 @@ jobs:
push-to-registry: true
- name: store-artifact ${{ matrix.asset }}
if: ${{ matrix.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }}
if: ${{ matrix.stage != 'release' }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
@@ -142,9 +137,17 @@ jobs:
retention-days: 15
if-no-files-found: error
build-asset-shim-v2:
build-asset-rootfs:
runs-on: ubuntu-22.04
needs: build-asset
strategy:
matrix:
asset:
- rootfs-image
- rootfs-image-confidential
- rootfs-image-mariner
- rootfs-initrd
- rootfs-initrd-confidential
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -165,9 +168,73 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build ${{ matrix.asset }}
id: build
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15
if-no-files-found: error
build-asset-shim-v2:
runs-on: ubuntu-22.04
needs: [build-asset, build-asset-rootfs]
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build shim-v2
id: build
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
@@ -181,6 +248,7 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
MEASURED_ROOTFS: yes
- name: store-artifact shim-v2
uses: actions/upload-artifact@v4
@@ -192,7 +260,7 @@ jobs:
create-kata-tarball:
runs-on: ubuntu-22.04
needs: [build-asset, build-asset-shim-v2]
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
steps:
- uses: actions/checkout@v4
with:
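Review bot: `MEASURED_ROOTFS: yes` on the shim-v2 build step is an unquoted YAML 1.1 truthy scalar, while the consumer in kata-deploy-binaries.sh compares it as a string (`[ "${MEASURED_ROOTFS}" = "yes" ]`); whether a given loader keeps `yes` as a string is parser-dependent, so write `MEASURED_ROOTFS: "yes"` as the workflow already does for its other yes/no values. The flag also introduces an implicit contract that this file does not record: the shim-v2 build will `die` unless `build-asset-rootfs` produced a `kata-static-rootfs-image-confidential.tar.xz` that contains `root_hash.txt`, which is why the rootfs `store-artifact` step has no `stage != 'release'` guard while `build-asset`'s now does. A comment above the shim-v2 `env:` block such as `# Bakes the dm-verity root hash of rootfs-image-confidential into the shim-v2 configs; requires the root_hash.txt shipped by build-asset-rootfs, even at release` would make that dependency visible to whoever next edits the matrix.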


@@ -35,8 +35,6 @@ jobs:
- nydus
- qemu
- stratovirt
- rootfs-image
- rootfs-initrd
- virtiofsd
steps:
- name: Login to Kata Containers quay.io
@@ -75,7 +73,6 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
if: ${{ inputs.stage != 'release' || matrix.asset != 'agent' }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
@@ -83,9 +80,14 @@ jobs:
retention-days: 15
if-no-files-found: error
build-asset-shim-v2:
build-asset-rootfs:
runs-on: arm64-builder
needs: build-asset
strategy:
matrix:
asset:
- rootfs-image
- rootfs-initrd
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -106,8 +108,72 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build ${{ matrix.asset }}
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
if: ${{ inputs.stage != 'release' }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15
if-no-files-found: error
build-asset-shim-v2:
runs-on: arm64-builder
needs: [build-asset, build-asset-rootfs]
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build shim-v2
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
@@ -132,7 +198,7 @@ jobs:
create-kata-tarball:
runs-on: arm64-builder
needs: [build-asset, build-asset-shim-v2]
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
steps:
- name: Adjust a permission for repo
run: |
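Review bot: The rootfs `store-artifact` step is gated on `inputs.stage != 'release'`, whereas the equivalent step added to the amd64, ppc64le and s390x workflows in this same commit uploads unconditionally. On arm64 this is harmless today because `build-asset-shim-v2` here does not set `MEASURED_ROOTFS`, so it never needs the rootfs tarball among the downloaded `kata-artifacts`; but enabling measured rootfs on arm64 later would then fail only in the release stage, the path least exercised by CI. Either drop the condition to match the other architectures, or document the asymmetry on the step: `# Not needed at release: arm64 shim-v2 is built without MEASURED_ROOTFS, so it never consumes the rootfs tarballs.`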


@@ -30,7 +30,6 @@ jobs:
- agent
- kernel
- qemu
- rootfs-initrd
- virtiofsd
stage:
- ${{ inputs.stage }}
@@ -76,7 +75,7 @@ jobs:
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
if: ${{ inputs.stage != 'release' || matrix.asset != 'agent' }}
if: ${{ inputs.stage != 'release' }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
@@ -84,9 +83,15 @@ jobs:
retention-days: 1
if-no-files-found: error
build-asset-shim-v2:
build-asset-rootfs:
runs-on: ppc64le
needs: build-asset
strategy:
matrix:
asset:
- rootfs-initrd
stage:
- ${{ inputs.stage }}
steps:
- name: Prepare the self-hosted runner
run: |
@@ -112,8 +117,76 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build ${{ matrix.asset }}
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 1
if-no-files-found: error
build-asset-shim-v2:
runs-on: ppc64le
needs: [build-asset, build-asset-rootfs]
steps:
- name: Prepare the self-hosted runner
run: |
${HOME}/scripts/prepare_runner.sh
sudo rm -rf $GITHUB_WORKSPACE/*
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build shim-v2
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
@@ -138,7 +211,7 @@ jobs:
create-kata-tarball:
runs-on: ppc64le
needs: [build-asset, build-asset-shim-v2]
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
steps:
- name: Adjust a permission for repo
run: |
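Review bot: The new `build-asset-rootfs` job declares a `stage` matrix axis (`stage: - ${{ inputs.stage }}`) that nothing in the job reads — its `store-artifact` step has no `if:` at all, and the sibling `build-asset` job consults `inputs.stage` directly rather than `matrix.stage`. An unused axis only adds a spurious suffix to the job name in the UI; remove it, or use it to gate the upload if that was the intent. If uploading `rootfs-initrd` unconditionally is deliberate (the amd64 and s390x workflows do the same so their shim-v2 builds can read the tarball from `kata-artifacts` at release), a one-line comment on the step saying so would stop the next reader from "fixing" it.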


@@ -38,10 +38,6 @@ jobs:
- kernel-confidential
- pause-image
- qemu
- rootfs-image
- rootfs-image-confidential
- rootfs-initrd
- rootfs-initrd-confidential
- virtiofsd
env:
PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }}
@@ -106,7 +102,70 @@ jobs:
push-to-registry: true
- name: store-artifact ${{ matrix.asset }}
if: ${{ inputs.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }}
if: ${{ inputs.stage != 'release' }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
path: kata-build/kata-static-${{ matrix.asset }}.tar.xz
retention-days: 15
if-no-files-found: error
build-asset-rootfs:
runs-on: s390x
needs: build-asset
strategy:
matrix:
asset:
- rootfs-image
- rootfs-image-confidential
- rootfs-initrd
- rootfs-initrd-confidential
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
uses: docker/login-action@v3
with:
registry: quay.io
username: ${{ secrets.QUAY_DEPLOYER_USERNAME }}
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
- uses: actions/checkout@v4
with:
ref: ${{ inputs.commit-hash }}
fetch-depth: 0 # This is needed in order to keep the commit ids history
- name: Rebase atop of the latest target branch
run: |
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build ${{ matrix.asset }}
id: build
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
ARTEFACT_REGISTRY: ghcr.io
ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- name: store-artifact ${{ matrix.asset }}
uses: actions/upload-artifact@v4
with:
name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }}
@@ -116,7 +175,7 @@ jobs:
build-asset-boot-image-se:
runs-on: s390x
needs: build-asset
needs: [build-asset, build-asset-rootfs]
steps:
- uses: actions/checkout@v4
@@ -142,11 +201,7 @@ jobs:
- name: Build boot-image-se
run: |
base_dir=tools/packaging/kata-deploy/local-build/
cp -r kata-artifacts ${base_dir}/build
# Skip building dependant artifacts of boot-image-se-tarball
# because we already have them from the previous build
sed -i 's/\(^boot-image-se-tarball:\).*/\1/g' ${base_dir}/Makefile
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "boot-image-se"
make boot-image-se-tarball
build_dir=$(readlink -f build)
sudo cp -r "${build_dir}" "kata-build"
@@ -164,7 +219,7 @@ jobs:
build-asset-shim-v2:
runs-on: s390x
needs: build-asset
needs: [build-asset, build-asset-rootfs]
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@@ -185,9 +240,17 @@ jobs:
env:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: get-artifacts
uses: actions/download-artifact@v4
with:
pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }}
path: kata-artifacts
merge-multiple: true
- name: Build shim-v2
id: build
run: |
./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}"
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
@@ -201,6 +264,7 @@ jobs:
ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
MEASURED_ROOTFS: yes
- name: store-artifact shim-v2
uses: actions/upload-artifact@v4
@@ -212,7 +276,7 @@ jobs:
create-kata-tarball:
runs-on: s390x
needs: [build-asset, build-asset-boot-image-se, build-asset-shim-v2]
needs: [build-asset, build-asset-rootfs, build-asset-boot-image-se, build-asset-shim-v2]
steps:
- uses: actions/checkout@v4
with:
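Review bot: The rootfs `store-artifact` step has no `if:` while the `build-asset` upload two hunks up was narrowed to `inputs.stage != 'release'`; the asymmetry is required — `build-asset-shim-v2` sets `MEASURED_ROOTFS: yes`, and kata-deploy-binaries.sh `die`s if `kata-static-rootfs-image-confidential.tar.xz` is missing from the downloaded artifacts, and `build-asset-boot-image-se` now `needs` this job as well — but nothing in the file says so. Add `# Always uploaded: shim-v2 (MEASURED_ROOTFS) and boot-image-se consume these tarballs even in the release stage` above the step. The step's `path:` line falls outside the hunk, so I could not confirm it matches the `kata-build/kata-static-${{ matrix.asset }}.tar.xz` the build step writes; the quoting point from the amd64 file (`MEASURED_ROOTFS: "yes"`) applies to the shim-v2 `env:` here too.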


@@ -151,8 +151,8 @@ FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
SNPCERTSPATH := /opt/snp/cert_chain.cert
ROOTMEASURECONFIG ?= ""
KERNELPARAMS += $(ROOTMEASURECONFIG)
KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
KERNELQEMUCOCODEVPARAMS += $(ROOTMEASURECONFIG)
# Name of default configuration file the runtime will use.
CONFIG_FILE = configuration.toml
@@ -646,6 +646,7 @@ USER_VARS += DEFMACHINETYPE_CLH
USER_VARS += DEFMACHINETYPE_STRATOVIRT
USER_VARS += KERNELPARAMS
USER_VARS += KERNELTDXPARAMS
USER_VARS += KERNELQEMUCOCODEVPARAMS
USER_VARS += LIBEXECDIR
USER_VARS += LOCALSTATEDIR
USER_VARS += PKGDATADIR
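Review bot: `ROOTMEASURECONFIG` is removed from `KERNELPARAMS` and appended to `KERNELQEMUCOCODEVPARAMS` with no comment, so the next reader sees the plain-qemu configuration silently losing its `rootfs_verity.*` parameters and may restore them. As far as the diff shows, the reason is that the root hash is extracted from `rootfs-image-confidential` (see the shim-v2 handling in kata-deploy-binaries.sh), so it is only meaningful for the TDX and coco-dev configurations that boot that image; in `KERNELPARAMS` it would make the non-confidential guest fail dm-verity setup against a different rootfs. Suggest `# Measured-rootfs parameters carry the dm-verity root hash of rootfs-image-confidential; only append them to configurations that boot that image.` above these two `+=` lines. `KERNELQEMUCOCODEVPARAMS` is defined outside this hunk, so I could not confirm the `+=` appends to an existing definition rather than creating the variable.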


@@ -73,7 +73,7 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
# may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries.
kernel_params = "@KERNELPARAMS@"
kernel_params = "@KERNELQEMUCOCODEVPARAMS@"
# Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty


@@ -0,0 +1,36 @@
#!/usr/bin/env bash
#
# Copyright (c) 2024 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o nounset
set -o pipefail
this_script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
repo_root_dir="$(cd "${this_script_dir}/../" && pwd)"
base_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build"
build_dir="${base_dir}/build"
function main() {
artifacts_dir="${1:-}"
asset="${2:-}"
if [ -z "${artifacts_dir}" ]; then
echo "The artefacts directory must be passed as the first argument to this script."
exit 1
fi
if [ -z "${asset}" ]; then
echo "The asset must be passed as the second argument to this script."
exit 1
fi
mv ${artifacts_dir} ${build_dir}
sed -i "s/\(^${asset}-tarball:\).*/\1/g" ${base_dir}/Makefile
}
main "$@"
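Review bot: `mv ${artifacts_dir} ${build_dir}` changes meaning if `${build_dir}` already exists: `mv` then nests `kata-artifacts` inside `build/` instead of renaming it, the following `make ${asset}-tarball` finds no prebuilt tarballs, and because the `sed` has already stripped the target's prerequisites the failure surfaces at a later, unrelated-looking step. Both paths are also unquoted, as is `${base_dir}/Makefile` on the `sed` line, and `${asset}` is interpolated into the regex unescaped (fine for the matrix values the workflows pass, but worth a comment). Refuse to proceed when the destination exists and quote the paths.

```shell
    if [ -e "${build_dir}" ]; then
        echo "${build_dir} already exists; refusing to move ${artifacts_dir} into it."
        exit 1
    fi
    mv "${artifacts_dir}" "${build_dir}"
    # ${asset} is used unescaped in the regex; callers pass plain asset names.
    sed -i "s/\(^${asset}-tarball:\).*/\1/g" "${base_dir}/Makefile"
```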


@@ -5,16 +5,19 @@
# SPDX-License-Identifier: Apache-2.0
#
load "${BATS_TEST_DIRNAME}/../../common.bash"
load "${BATS_TEST_DIRNAME}/lib.sh"
load "${BATS_TEST_DIRNAME}/tests_common.sh"
check_and_skip() {
# Currently the kernel-confidential, isn't built withh measured rootfs support, so this test
# should be skipped until it is
# See https://github.com/kata-containers/kata-containers/issues/9612,
# https://github.com/kata-containers/kata-containers/issues/7235
# and https://github.com/kata-containers/kata-containers/issues/7415
skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR"
case "${KATA_HYPERVISOR}" in
qemu-tdx|qemu-coco-dev)
return
;;
*)
skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR"
;;
esac
}
setup() {
@@ -25,11 +28,10 @@ setup() {
@test "Test cannnot launch pod with measured boot enabled and incorrect hash" {
pod_config="$(new_pod_config nginx "kata-${KATA_HYPERVISOR}")"
incorrect_hash="5180b1568c2ba972e4e06ee0a55976acae8329f2a5d1d2004395635e1ec4a76e"
incorrect_hash="1111111111111111111111111111111111111111111111111111111111111111"
# Despite the kernel being built with support, it is not currently enabled
# on configuration.toml. To avoid editing that file on the worker node,
# here it will be enabled via pod annotations.
# To avoid editing that file on the worker node, here it will be
# enabled via pod annotations.
set_metadata_annotation "$pod_config" \
"io.katacontainers.config.hypervisor.kernel_params" \
"rootfs_verity.scheme=dm-verity rootfs_verity.hash=$incorrect_hash"
@@ -45,10 +47,9 @@ setup() {
echo "Pod $pod_config file:"
cat $pod_config
assert_pod_fail "$pod_config"
kubectl apply -f $pod_config
assert_logs_contain "$node" kata "$node_start_time" \
'verity: .* metadata block .* is corrupted'
waitForProcess "60" "3" "exec_host $node journalctl -t kata | grep \"verity: .* metadata block .* is corrupted\""
}
teardown() {


@@ -166,6 +166,12 @@ get_kernel_modules_dir() {
echo ${kernel_modules_dir}
}
cleanup_and_fail_shim_v2_specifics() {
rm -f "${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/shim-v2-root_hash.txt"
return $(cleanup_and_fail "${1:-}" "${2:-}")
}
cleanup_and_fail() {
local component_tarball_name="${1:-}"
local extra_tarballs="${2:-}"
@@ -184,6 +190,36 @@ cleanup_and_fail() {
return 1
}
install_cached_shim_v2_tarball_get_root_hash() {
if [ "${MEASURED_ROOTFS}" != "yes" ]; then
return 0
fi
local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
local image_conf_tarball="kata-static-rootfs-image-confidential.tar.xz"
local root_hash_basedir="./opt/kata/share/kata-containers/"
tar xvf "${tarball_dir}/${image_conf_tarball}" ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,
mv root_hash.txt "${tarball_dir}/root_hash.txt"
return 0
}
install_cached_shim_v2_tarball_compare_root_hashes() {
if [ "${MEASURED_ROOTFS}" != "yes" ]; then
return 0
fi
local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
[ -f shim-v2-root_hash.txt ] || return 1
diff "${tarball_dir}/root_hash.txt" shim-v2-root_hash.txt || return 1
return 0
}
install_cached_tarball_component() {
if [ "${USE_CACHE}" != "yes" ]; then
return 1
@@ -198,6 +234,10 @@ install_cached_tarball_component() {
# "tarball1_name:tarball1_path tarball2_name:tarball2_path ... tarballN_name:tarballN_path"
local extra_tarballs="${6:-}"
if [ "${component}" = "shim-v2" ]; then
install_cached_shim_v2_tarball_get_root_hash
fi
oras pull ${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) || return 1
cached_version="$(cat ${component}-version)"
@@ -206,10 +246,14 @@ install_cached_tarball_component() {
rm -f ${component}-version
rm -f ${component}-builder-image-version
[ "${cached_image_version}" != "${current_image_version}" ] && return 1
[ "${cached_version}" != "${current_version}" ] && return 1
[ "${cached_image_version}" != "${current_image_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
[ "${cached_version}" != "${current_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
sha256sum -c "${component}-sha256sum" || return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
if [ "${component}" = "shim-v2" ]; then
install_cached_shim_v2_tarball_compare_root_hashes || return $(cleanup_and_fail_shim_v2_specifics "${component_tarball_path}" "${extra_tarballs}")
fi
info "Using cached tarball of ${component}"
mv "${component_tarball_name}" "${component_tarball_path}"
@@ -777,6 +821,7 @@ install_shimv2() {
export GO_VERSION
export RUST_VERSION
export MEASURED_ROOTFS
DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
}
@@ -1145,6 +1190,21 @@ handle_build() {
fi
tar tvf "${modules_final_tarball_path}"
;;
shim-v2)
if [ "${MEASURED_ROOTFS}" = "yes" ]; then
local image_conf_tarball="${workdir}/kata-static-rootfs-image-confidential.tar.xz"
if [ ! -f "${image_conf_tarball}" ]; then
die "Building the shim-v2 with MEASURED_ROOTFS support requires a rootfs confidential image tarball"
fi
local root_hash_basedir="./opt/kata/share/kata-containers/"
if ! tar xvf ${image_conf_tarball} ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,; then
die "Building the shim-v2 with MEASURED_ROOTFS support requres a rootfs confidential image tarball built with MEASURED_ROOTFS support"
fi
mv root_hash.txt shim-v2-root_hash.txt
fi
;;
esac
pushd ${workdir}
@@ -1210,6 +1270,13 @@ handle_build() {
"kata-static-${build_target}-modules.tar.xz"
)
;;
shim-v2)
if [ "${MEASURED_ROOTFS}" = "yes" ]; then
files_to_push+=(
"shim-v2-root_hash.txt"
)
fi
;;
*)
;;
esac
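Review bot: `return $(cleanup_and_fail "${1:-}" "${2:-}")` in `cleanup_and_fail_shim_v2_specifics`, and the same form on the new `&& return $(cleanup_and_fail …)` / `|| return $(cleanup_and_fail_shim_v2_specifics …)` lines in `install_cached_tarball_component`, hands the helper's stdout to `return`, not its exit status; it yields 1 today only because `cleanup_and_fail` appears to print nothing to stdout before its `return 1` (its body is split across hunks, so that is inferred). Any later `echo` or stdout-bound `info` in that helper turns these into `return: numeric argument required` errors instead of a clean cache miss. Prefer `cleanup_and_fail "${1:-}" "${2:-}"; return $?` in the wrapper and `{ cleanup_and_fail …; return 1; }` at the call sites. Note also that `cleanup_and_fail_shim_v2_specifics` deletes `build/shim-v2-root_hash.txt`, while `install_cached_shim_v2_tarball_compare_root_hashes` tests the relative `shim-v2-root_hash.txt` that `oras pull` drops into the current directory — if those paths differ, the stale pulled copy survives the cleanup and the next comparison could run against it.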


@@ -28,7 +28,8 @@ EXTRA_OPTS="${EXTRA_OPTS:-""}"
if [ "${MEASURED_ROOTFS}" == "yes" ]; then
info "Enable rootfs measurement config"
root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt"
root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/root_hash.txt"
[ -f "$root_hash_file" ] || \
die "Root hash file for measured rootfs not found at ${root_hash_file}"
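Review bot: The builder now trusts whatever `local-build/build/root_hash.txt` contains; the only check on the new path is `[ -f "$root_hash_file" ]`. That file is populated by extracting `root_hash.txt` from the confidential image tarball in kata-deploy-binaries.sh, and whatever is parsed from it ends up in `kernel_params` as the dm-verity root hash, so an empty or truncated file would produce a configuration that fails at guest boot rather than at build time. Consider validating the parsed value (e.g. that it is 64 lowercase hex characters) and `die`ing otherwise; the parsing itself is outside this hunk, so this is a suggestion about where the check belongs, not about the lines shown. The enclosing `if [ "${MEASURED_ROOTFS}" == "yes" ]` block continues beyond the hunk.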