diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index 27a00c11da..11a016a4ba 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -53,11 +53,6 @@ jobs: - qemu - qemu-snp-experimental - stratovirt - - rootfs-image - - rootfs-image-confidential - - rootfs-image-mariner - - rootfs-initrd - - rootfs-initrd-confidential - runk - trace-forwarder - virtiofsd @@ -134,7 +129,7 @@ jobs: push-to-registry: true - name: store-artifact ${{ matrix.asset }} - if: ${{ matrix.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }} + if: ${{ matrix.stage != 'release' }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }} @@ -142,9 +137,17 @@ jobs: retention-days: 15 if-no-files-found: error - build-asset-shim-v2: + build-asset-rootfs: runs-on: ubuntu-22.04 needs: build-asset + strategy: + matrix: + asset: + - rootfs-image + - rootfs-image-confidential + - rootfs-image-mariner + - rootfs-initrd + - rootfs-initrd-confidential steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} 
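Review bot: The `store-artifact` condition in the second hunk is reduced to `matrix.stage != 'release'`, so a release run uploads none of the `build-asset` outputs, while the `build-asset-rootfs` job introduced at the end of the third hunk (its steps continue on the next line) still downloads `kata-artifacts-amd64-*` and unconditionally strips the `<asset>-tarball` prerequisites before calling make. Unless the release path resolves agent, kernel and the other components from the registry cache, the rootfs build then runs with an empty or absent `kata-artifacts` directory; if the directory is absent the helper's `mv` fails under `set -o errexit`, if it is empty make runs a target whose prerequisites were just removed. Either gate the `get-artifacts` and adjust steps on the same `matrix.stage != 'release'` condition, or add a comment at the `if:` such as `# release builds take prebuilt components from the registry cache, not from workflow artifacts` so the dependency is explicit.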
@@ -165,9 +168,73 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-amd64-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + + - name: Build ${{ matrix.asset }} + id: build + run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/. + env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} + ARTEFACT_REGISTRY: ghcr.io + ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} + ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + TARGET_BRANCH: ${{ inputs.target-branch }} + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-amd64-${{ matrix.asset }}${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 15 + if-no-files-found: error + + build-asset-shim-v2: + runs-on: ubuntu-22.04 + needs: [build-asset, build-asset-rootfs] + steps: + - name: Login to Kata Containers quay.io + if: ${{ inputs.push-to-registry == 'yes' }} + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 # This is needed in order to keep the commit ids history + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: 
kata-artifacts-amd64-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + - name: Build shim-v2 id: build run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink @@ -181,6 +248,7 @@ jobs: ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + MEASURED_ROOTFS: yes - name: store-artifact shim-v2 uses: actions/upload-artifact@v4 @@ -192,7 +260,7 @@ jobs: create-kata-tarball: runs-on: ubuntu-22.04 - needs: [build-asset, build-asset-shim-v2] + needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index a4df332892..4f549c5fb3 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -35,8 +35,6 @@ jobs: - nydus - qemu - stratovirt - - rootfs-image - - rootfs-initrd - virtiofsd steps: - name: Login to Kata Containers quay.io @@ -75,7 +73,6 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} - if: ${{ inputs.stage != 'release' || matrix.asset != 'agent' }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }} @@ -83,9 +80,14 @@ jobs: retention-days: 15 if-no-files-found: error - build-asset-shim-v2: + build-asset-rootfs: runs-on: arm64-builder needs: build-asset + strategy: + matrix: + asset: + - rootfs-image + - rootfs-initrd steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} 
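Review bot: In the `Build ${{ matrix.asset }}` step, `cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.` is a prefix glob, but `build/` now also contains everything `get-artifacts` fetched (the helper script moves `kata-artifacts` there, assuming the top-level `build` symlink resolves to `local-build/build`), and with `merge-multiple: true` that can include a `kata-static-rootfs-image-confidential` or `-mariner` tarball uploaded by a sibling matrix job that finished first. For `KATA_ASSET=rootfs-image` the glob then copies those too; the upload step names the exact file so nothing wrong is published today, but the step should copy only what it built: `cp "${build_dir}/kata-static-${KATA_ASSET}.tar.xz" kata-build/`. The same glob is repeated in the shim-v2 job later in this hunk, which starts on the previous line.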
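Review bot: The arm64 `@@ -75,7 +73,6 @@` hunk deletes the `if:` on the `build-asset` `store-artifact` step outright instead of tightening it to `inputs.stage != 'release'` as the amd64, ppc64le and s390x files in this same change do, so arm64 release runs now upload every build-asset artifact, including the agent the removed condition deliberately withheld, while the new arm64 `build-asset-rootfs` job further down gates its own upload on `inputs.stage != 'release'`. That reads as the condition having landed on the wrong job. Unless the asymmetry is intended, restore `if: ${{ inputs.stage != 'release' }}` on this step and drop it from the rootfs job, which on amd64, ppc64le and s390x uploads the rootfs tarballs unconditionally because the measured shim-v2 build consumes them.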
@@ -106,8 +108,72 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + + - name: Build ${{ matrix.asset }} + run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/. + env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} + ARTEFACT_REGISTRY: ghcr.io + ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} + ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + TARGET_BRANCH: ${{ inputs.target-branch }} + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + + - name: store-artifact ${{ matrix.asset }} + if: ${{ inputs.stage != 'release' }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 15 + if-no-files-found: error + + build-asset-shim-v2: + runs-on: arm64-builder + needs: [build-asset, build-asset-rootfs] + steps: + - name: Login to Kata Containers quay.io + if: ${{ inputs.push-to-registry == 'yes' }} + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 # This is needed in order to keep the commit ids history + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + + - name: get-artifacts + uses: 
actions/download-artifact@v4 + with: + pattern: kata-artifacts-arm64-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + - name: Build shim-v2 run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink @@ -132,7 +198,7 @@ jobs: create-kata-tarball: runs-on: arm64-builder - needs: [build-asset, build-asset-shim-v2] + needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] steps: - name: Adjust a permission for repo run: | diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml index 79e7ad5b78..d322db9bde 100644 --- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml +++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml @@ -30,7 +30,6 @@ jobs: - agent - kernel - qemu - - rootfs-initrd - virtiofsd stage: - ${{ inputs.stage }} @@ -76,7 +75,7 @@ jobs: RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} - name: store-artifact ${{ matrix.asset }} - if: ${{ inputs.stage != 'release' || matrix.asset != 'agent' }} + if: ${{ inputs.stage != 'release' }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }} @@ -84,9 +83,15 @@ jobs: retention-days: 1 if-no-files-found: error - build-asset-shim-v2: + build-asset-rootfs: runs-on: ppc64le needs: build-asset + strategy: + matrix: + asset: + - rootfs-initrd + stage: + - ${{ inputs.stage }} steps: - name: Prepare the self-hosted runner run: | 
@@ -112,8 +117,76 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + + - name: Build ${{ matrix.asset }} + run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/. + env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} + ARTEFACT_REGISTRY: ghcr.io + ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} + ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + TARGET_BRANCH: ${{ inputs.target-branch }} + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-ppc64le-${{ matrix.asset }}${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 1 + if-no-files-found: error + + build-asset-shim-v2: + runs-on: ppc64le + needs: [build-asset, build-asset-rootfs] + steps: + - name: Prepare the self-hosted runner + run: | + ${HOME}/scripts/prepare_runner.sh + sudo rm -rf $GITHUB_WORKSPACE/* + + - name: Login to Kata Containers quay.io + if: ${{ inputs.push-to-registry == 'yes' }} + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 # This is needed in order to keep the commit ids history + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ 
inputs.target-branch }} + + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-ppc64le-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + - name: Build shim-v2 run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink @@ -138,7 +211,7 @@ jobs: create-kata-tarball: runs-on: ppc64le - needs: [build-asset, build-asset-shim-v2] + needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] steps: - name: Adjust a permission for repo run: | diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index 693f81a478..bef76dae66 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -38,10 +38,6 @@ jobs: - kernel-confidential - pause-image - qemu - - rootfs-image - - rootfs-image-confidential - - rootfs-initrd - - rootfs-initrd-confidential - virtiofsd env: PERFORM_ATTESTATION: ${{ matrix.asset == 'agent' && inputs.push-to-registry == 'yes' && 'yes' || 'no' }} 
@@ -106,7 +102,70 @@ jobs: push-to-registry: true - name: store-artifact ${{ matrix.asset }} - if: ${{ inputs.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }} + if: ${{ inputs.stage != 'release' }} + uses: actions/upload-artifact@v4 + with: + name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }} + path: kata-build/kata-static-${{ matrix.asset }}.tar.xz + retention-days: 15 + if-no-files-found: error + + build-asset-rootfs: + runs-on: s390x + needs: build-asset + strategy: + matrix: + asset: + - rootfs-image + - rootfs-image-confidential + - rootfs-initrd + - rootfs-initrd-confidential + steps: + - name: Login to Kata Containers quay.io + if: ${{ inputs.push-to-registry == 'yes' }} + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@v4 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 # This is needed in order to keep the commit ids history + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + + - name: Build ${{ matrix.asset }} + id: build + run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/. 
+ env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} + ARTEFACT_REGISTRY: ghcr.io + ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} + ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + TARGET_BRANCH: ${{ inputs.target-branch }} + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + + - name: store-artifact ${{ matrix.asset }} uses: actions/upload-artifact@v4 with: name: kata-artifacts-s390x-${{ matrix.asset }}${{ inputs.tarball-suffix }} @@ -116,7 +175,7 @@ jobs: build-asset-boot-image-se: runs-on: s390x - needs: build-asset + needs: [build-asset, build-asset-rootfs] steps: - uses: actions/checkout@v4 @@ -142,11 +201,7 @@ jobs: - name: Build boot-image-se run: | - base_dir=tools/packaging/kata-deploy/local-build/ - cp -r kata-artifacts ${base_dir}/build - # Skip building dependant artifacts of boot-image-se-tarball - # because we already have them from the previous build - sed -i 's/\(^boot-image-se-tarball:\).*/\1/g' ${base_dir}/Makefile + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "boot-image-se" make boot-image-se-tarball build_dir=$(readlink -f build) sudo cp -r "${build_dir}" "kata-build" @@ -164,7 +219,7 @@ jobs: build-asset-shim-v2: runs-on: s390x - needs: build-asset + needs: [build-asset, build-asset-rootfs] steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -185,9 +240,17 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} + - name: get-artifacts + uses: actions/download-artifact@v4 + with: + pattern: kata-artifacts-s390x-*${{ inputs.tarball-suffix }} + path: kata-artifacts + merge-multiple: true + - name: Build shim-v2 id: build run: | + ./tests/gha-adjust-to-use-prebuilt-components.sh kata-artifacts "${KATA_ASSET}" make "${KATA_ASSET}-tarball" build_dir=$(readlink -f build) # store-artifact does not work with symlink 
@@ -201,6 +264,7 @@ jobs: ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + MEASURED_ROOTFS: yes - name: store-artifact shim-v2 uses: actions/upload-artifact@v4 @@ -212,7 +276,7 @@ jobs: create-kata-tarball: runs-on: s390x - needs: [build-asset, build-asset-boot-image-se, build-asset-shim-v2] + needs: [build-asset, build-asset-rootfs, build-asset-boot-image-se, build-asset-shim-v2] steps: - uses: actions/checkout@v4 with: diff --git a/src/runtime/Makefile b/src/runtime/Makefile index 06fa601274..afe0ea0ab6 100644 --- a/src/runtime/Makefile +++ b/src/runtime/Makefile @@ -151,8 +151,8 @@ FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd SNPCERTSPATH := /opt/snp/cert_chain.cert ROOTMEASURECONFIG ?= "" -KERNELPARAMS += $(ROOTMEASURECONFIG) KERNELTDXPARAMS += $(ROOTMEASURECONFIG) +KERNELQEMUCOCODEVPARAMS += $(ROOTMEASURECONFIG) # Name of default configuration file the runtime will use. CONFIG_FILE = configuration.toml @@ -646,6 +646,7 @@ USER_VARS += DEFMACHINETYPE_CLH USER_VARS += DEFMACHINETYPE_STRATOVIRT USER_VARS += KERNELPARAMS USER_VARS += KERNELTDXPARAMS +USER_VARS += KERNELQEMUCOCODEVPARAMS USER_VARS += LIBEXECDIR USER_VARS += LOCALSTATEDIR USER_VARS += PKGDATADIR diff --git a/src/runtime/config/configuration-qemu-coco-dev.toml.in b/src/runtime/config/configuration-qemu-coco-dev.toml.in index 2373aabaa6..4b94ed61d4 100644 --- a/src/runtime/config/configuration-qemu-coco-dev.toml.in +++ b/src/runtime/config/configuration-qemu-coco-dev.toml.in 
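Review bot: In the `src/runtime/Makefile` hunk, `KERNELQEMUCOCODEVPARAMS += $(ROOTMEASURECONFIG)` is the only assignment to that variable visible in this diff, and `configuration-qemu-coco-dev.toml.in` now substitutes `@KERNELQEMUCOCODEVPARAMS@` where it previously used `@KERNELPARAMS@`. If the variable is not seeded earlier in the Makefile, `+=` on an undefined name yields just the measurement options and the coco-dev configuration silently loses every default kernel parameter it inherited before. If that is the case, add `KERNELQEMUCOCODEVPARAMS ?= $(KERNELPARAMS)` above the `+=`, and a comment such as `# only the TDX and coco-dev configs carry the measured-rootfs kernel parameters` to record why `ROOTMEASURECONFIG` was dropped from the generic `KERNELPARAMS`.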
@@ -73,7 +73,7 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@ # may stop the virtual machine from booting. # To see the list of default parameters, enable hypervisor debug, create a # container and look for 'default-kernel-parameters' log entries. -kernel_params = "@KERNELPARAMS@" +kernel_params = "@KERNELQEMUCOCODEVPARAMS@" # Path to the firmware. # If you want that qemu uses the default firmware leave this option empty diff --git a/tests/gha-adjust-to-use-prebuilt-components.sh b/tests/gha-adjust-to-use-prebuilt-components.sh new file mode 100755 index 0000000000..b16c5e3b4b --- /dev/null +++ b/tests/gha-adjust-to-use-prebuilt-components.sh @@ -0,0 +1,36 @@ +#!/usr/bin/env bash +# +# Copyright (c) 2024 Intel Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# + +set -o errexit +set -o nounset +set -o pipefail + +this_script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +repo_root_dir="$(cd "${this_script_dir}/../" && pwd)" + +base_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build" +build_dir="${base_dir}/build" + +function main() { + artifacts_dir="${1:-}" + asset="${2:-}" + + if [ -z "${artifacts_dir}" ]; then + echo "The artefacts directory must be passed as the first argument to this script." + exit 1 + fi + + if [ -z "${asset}" ]; then + echo "The asset must be passed as the second argument to this script." + exit 1 + fi + + mv ${artifacts_dir} ${build_dir} + sed -i "s/\(^${asset}-tarball:\).*/\1/g" ${base_dir}/Makefile +} + +main "$@" diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats index a33c457530..f442496f8c 100644 --- a/tests/integration/kubernetes/k8s-measured-rootfs.bats +++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats 
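Review bot: In `gha-adjust-to-use-prebuilt-components.sh`, `mv ${artifacts_dir} ${build_dir}` moves the artifacts into `build/` as a subdirectory rather than renaming onto it whenever `build/` already exists (a persistent self-hosted workspace, or a second invocation in the same job), and nothing notices, because the following `sed` is a silent no-op when `^${asset}-tarball:` does not match, so make quietly rebuilds every prerequisite from source and the whole point of the script is lost. Both paths are also unquoted although the script sets `nounset` and `errexit`. Suggested: `mv -T "${artifacts_dir}" "${build_dir}"` (GNU mv then refuses to nest into an existing non-empty directory) and `grep -q "^${asset}-tarball:" "${base_dir}/Makefile" || { echo "No ${asset}-tarball target in ${base_dir}/Makefile"; exit 1; }` ahead of the `sed`, whose Makefile argument should be quoted as well.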
@@ -5,16 +5,19 @@ # SPDX-License-Identifier: Apache-2.0 # +load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/lib.sh" load "${BATS_TEST_DIRNAME}/tests_common.sh" check_and_skip() { - # Currently the kernel-confidential, isn't built withh measured rootfs support, so this test - # should be skipped until it is - # See https://github.com/kata-containers/kata-containers/issues/9612, - # https://github.com/kata-containers/kata-containers/issues/7235 - # and https://github.com/kata-containers/kata-containers/issues/7415 - skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR" + case "${KATA_HYPERVISOR}" in + qemu-tdx|qemu-coco-dev) + return + ;; + *) + skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR" + ;; + esac } setup() { @@ -25,11 +28,10 @@ setup() { @test "Test cannnot launch pod with measured boot enabled and incorrect hash" { pod_config="$(new_pod_config nginx "kata-${KATA_HYPERVISOR}")" - incorrect_hash="5180b1568c2ba972e4e06ee0a55976acae8329f2a5d1d2004395635e1ec4a76e" + incorrect_hash="1111111111111111111111111111111111111111111111111111111111111111" - # Despite the kernel being built with support, it is not currently enabled - # on configuration.toml. To avoid editing that file on the worker node, - # here it will be enabled via pod annotations. + # To avoid editing that file on the worker node, here it will be + # enabled via pod annotations. set_metadata_annotation "$pod_config" \ "io.katacontainers.config.hypervisor.kernel_params" \ "rootfs_verity.scheme=dm-verity rootfs_verity.hash=$incorrect_hash" @@ -45,10 +47,9 @@ setup() { echo "Pod $pod_config file:" cat $pod_config - assert_pod_fail "$pod_config" + kubectl apply -f $pod_config - assert_logs_contain "$node" kata "$node_start_time" \ - 'verity: .* metadata block .* is corrupted' + waitForProcess "60" "3" "exec_host $node journalctl -t kata | grep \"verity: .* metadata block .* is corrupted\"" } teardown() { 
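Review bot: Replacing `assert_pod_fail` and the time-bounded `assert_logs_contain "$node" kata "$node_start_time"` with an unbounded `journalctl -t kata | grep` weakens this negative test: the pod is applied but no longer required to fail, and a `verity: ... is corrupted` line left in the node journal by any earlier run will satisfy the grep, so the test can pass even if a wrong root hash were silently accepted. Keep the pod-failure assertion and bound the search, e.g. `exec_host $node journalctl -t kata --since \"$node_start_time\"` inside the `waitForProcess` command, assuming `node_start_time` is still set in `setup()` outside this hunk and is in a form journalctl accepts. If `assert_pod_fail` was dropped because the pod takes too long to reach a failed state, say so in a comment above the `kubectl apply`.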
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 316ecd257c..47050065b1 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -166,6 +166,12 @@ get_kernel_modules_dir() { echo ${kernel_modules_dir} } +cleanup_and_fail_shim_v2_specifics() { + rm -f "${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/shim-v2-root_hash.txt" + + return $(cleanup_and_fail "${1:-}" "${2:-}") +} + cleanup_and_fail() { local component_tarball_name="${1:-}" local extra_tarballs="${2:-}" @@ -184,6 +190,36 @@ cleanup_and_fail() { return 1 } +install_cached_shim_v2_tarball_get_root_hash() { + if [ "${MEASURED_ROOTFS}" != "yes" ]; then + return 0 + fi + + local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build" + local image_conf_tarball="kata-static-rootfs-image-confidential.tar.xz" + + local root_hash_basedir="./opt/kata/share/kata-containers/" + + tar xvf "${tarball_dir}/${image_conf_tarball}" ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},, + mv root_hash.txt "${tarball_dir}/root_hash.txt" + + return 0 +} + +install_cached_shim_v2_tarball_compare_root_hashes() { + if [ "${MEASURED_ROOTFS}" != "yes" ]; then + return 0 + fi + + local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build" + + [ -f shim-v2-root_hash.txt ] || return 1 + + diff "${tarball_dir}/root_hash.txt" shim-v2-root_hash.txt || return 1 + + return 0 +} + install_cached_tarball_component() { if [ "${USE_CACHE}" != "yes" ]; then return 1 
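Review bot: `install_cached_shim_v2_tarball_get_root_hash` never checks that `${tarball_dir}/${image_conf_tarball}` exists or that it contains `root_hash.txt`, and it ends with an unconditional `return 0`, so a failed `tar` or `mv` is reported as success; whether that aborts the whole script or merely leaves `root_hash.txt` missing for the later `diff` depends on whether this file runs under `set -e`, which is not visible here. The `handle_build` path added in this same commit `die`s with a clear message in both cases, and this function should fail just as explicitly or return non-zero so the caller can treat it as a cache miss: `[ -f "${tarball_dir}/${image_conf_tarball}" ] || return 1` before the `tar`, and `tar xf "${tarball_dir}/${image_conf_tarball}" -C "${tarball_dir}" ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},, || return 1`, which also drops the intermediate `root_hash.txt` written into (and clobbered in) the current directory. The comparison itself is the right check: it is what ties a cached shim-v2's embedded root hash to the rootfs image actually shipped.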
@@ -198,6 +234,10 @@ install_cached_tarball_component() { # "tarball1_name:tarball1_path tarball2_name:tarball2_path ... tarballN_name:tarballN_path" local extra_tarballs="${6:-}" + if [ "${component}" = "shim-v2" ]; then + install_cached_shim_v2_tarball_get_root_hash + fi + oras pull ${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) || return 1 cached_version="$(cat ${component}-version)" @@ -206,10 +246,14 @@ install_cached_tarball_component() { rm -f ${component}-version rm -f ${component}-builder-image-version - [ "${cached_image_version}" != "${current_image_version}" ] && return 1 - [ "${cached_version}" != "${current_version}" ] && return 1 + [ "${cached_image_version}" != "${current_image_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}") + [ "${cached_version}" != "${current_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}") sha256sum -c "${component}-sha256sum" || return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}") + if [ "${component}" = "shim-v2" ]; then + install_cached_shim_v2_tarball_compare_root_hashes || return $(cleanup_and_fail_shim_v2_specifics "${component_tarball_path}" "${extra_tarballs}") + fi + info "Using cached tarball of ${component}" mv "${component_tarball_name}" "${component_tarball_path}" @@ -777,6 +821,7 @@ install_shimv2() { export GO_VERSION export RUST_VERSION + export MEASURED_ROOTFS DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}" } 
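Review bot: The root-hash comparison that ties a cached shim-v2 to the local `rootfs-image-confidential` is skipped entirely when `MEASURED_ROOTFS` is not `yes`, yet the cache key `latest-${TARGET_BRANCH}-$(uname -m)` does not encode that setting, so a non-measured build on the same branch and architecture accepts a cached shim-v2 whose configuration carries a dm-verity root hash for a rootfs it was never paired with. Make the check symmetric, e.g. in `install_cached_shim_v2_tarball_compare_root_hashes` return 1 when `MEASURED_ROOTFS` is off and `shim-v2-root_hash.txt` was pulled, or fold `MEASURED_ROOTFS` into `build_target`. Separately, the status of `install_cached_shim_v2_tarball_get_root_hash` is discarded before the `oras pull`; `install_cached_shim_v2_tarball_get_root_hash || return 1` would turn a missing or hash-less rootfs tarball into a plain cache miss instead of relying on the later `diff` to notice. `install_cached_tarball_component` continues past this hunk.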
@@ -1145,6 +1190,21 @@ handle_build() { fi tar tvf "${modules_final_tarball_path}" ;; + shim-v2) + if [ "${MEASURED_ROOTFS}" = "yes" ]; then + local image_conf_tarball="${workdir}/kata-static-rootfs-image-confidential.tar.xz" + if [ ! -f "${image_conf_tarball}" ]; then + die "Building the shim-v2 with MEASURED_ROOTFS support requires a rootfs confidential image tarball" + fi + + local root_hash_basedir="./opt/kata/share/kata-containers/" + if ! tar xvf ${image_conf_tarball} ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,; then + die "Building the shim-v2 with MEASURED_ROOTFS support requres a rootfs confidential image tarball built with MEASURED_ROOTFS support" + fi + + mv root_hash.txt shim-v2-root_hash.txt + fi + ;; esac pushd ${workdir} @@ -1210,6 +1270,13 @@ handle_build() { "kata-static-${build_target}-modules.tar.xz" ) ;; + shim-v2) + if [ "${MEASURED_ROOTFS}" = "yes" ]; then + files_to_push+=( + "shim-v2-root_hash.txt" + ) + fi + ;; *) ;; esac diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh index 9a1160f7bf..3944b09284 100755 --- a/tools/packaging/static-build/shim-v2/build.sh +++ b/tools/packaging/static-build/shim-v2/build.sh @@ -28,7 +28,8 @@ EXTRA_OPTS="${EXTRA_OPTS:-""}" if [ "${MEASURED_ROOTFS}" == "yes" ]; then info "Enable rootfs measurement config" - root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt" + root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/root_hash.txt" + [ -f "$root_hash_file" ] || \ die "Root hash file for measured rootfs not found at ${root_hash_file}"
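Review bot: The new `shim-v2)` pre-build branch extracts `root_hash.txt` into whatever the current directory is at that point, since `pushd ${workdir}` only happens after the `esac`, then renames it to `shim-v2-root_hash.txt`, which the `files_to_push` entry added in the next hunk references by bare relative name; if the push runs from a different directory the file will not be found (where `files_to_push` is consumed is not visible here, please confirm). `tar xvf ${image_conf_tarball} ...` also leaves the path unquoted although the `-f` test two lines above quotes it; `tar xf "${image_conf_tarball}" ...` would be consistent. Minor: the second `die` message misspells `requires` as `requres`.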