image-build: generate root hash as an separate partition for rootfs

Generate rootfs hash data during creating the kata rootfs, current kata image only have one partition, we add another partition as hash device to save hash data of rootfs data blocks. Fixes: #6674 Signed-off-by: Wang, Arron <arron.wang@intel.com>
2025-06-23 14:08:31 +00:00 · 2022-08-23 17:21:07 +08:00 · 2022-08-23 17:21:07 +08:00 · 5cb02a8067
commit 5cb02a8067
parent 31c0ad2076
2 changed files with 22 additions and 1 deletions
--- a/tools/osbuilder/image-builder/Dockerfile
+++ b/tools/osbuilder/image-builder/Dockerfile
@ -14,5 +14,6 @@ RUN ([ -n "$http_proxy" ] && \
        gdisk \
        parted \
        qemu-img \
+        veritysetup \
        xfsprogs && \
    dnf clean all
--- a/tools/osbuilder/image-builder/image_builder.sh
+++ b/tools/osbuilder/image-builder/image_builder.sh
@ -11,6 +11,7 @@ set -o errexit
 set -o pipefail

 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
+MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}

 readonly script_name="${0##*/}"
 readonly script_dir=$(dirname "$(readlink -f "$0")")
@ -185,6 +186,7 @@ build_with_container() {
 		   --env BLOCK_SIZE="${block_size}" \
 		   --env ROOT_FREE_SPACE="${root_free_space}" \
 		   --env NSDAX_BIN="${nsdax_bin}" \
+		   --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \
 		   --env SELINUX="${SELINUX}" \
 		   --env DEBUG="${DEBUG}" \
 		   -v /dev:/dev \
@ -391,9 +393,21 @@ create_disk() {
 	# Kata runtime expect an image with just one partition
 	# The partition is the rootfs content
 	info "Creating partitions"
+
+	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+		info "Creating partitions with hash device"
+		# The hash data will take less than one percent disk space to store
+		hash_start=$(echo $img_size | awk '{print $1 * 0.99}' |cut -d $(locale decimal_point) -f 1)
+		partition_param="mkpart primary ${fs_type} ${part_start}M ${hash_start}M "
+		partition_param+="mkpart primary ${fs_type} ${hash_start}M ${rootfs_end}M "
+		partition_param+="set 1 boot on"
+	else
+		partition_param="mkpart primary ${fs_type} ${part_start}M ${rootfs_end}M"
+	fi
+
 	parted -s -a optimal "${image}" -- \
 		   mklabel msdos \
-		   mkpart primary "${fs_type}" "${part_start}"M "${rootfs_end}"M
+		   "${partition_param}"

 	OK "Partitions created"
 }
@ -490,6 +504,12 @@ create_rootfs_image() {
 		fsck.ext4 -D -y "${device}p1"
 	fi

+	if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -b "${device}p2" ]; then
+		info "veritysetup format rootfs device: ${device}p1, hash device: ${device}p2"
+		local image_dir=$(dirname "${image}")
+		veritysetup format "${device}p1" "${device}p2" > "${image_dir}"/root_hash.txt 2>&1
+	fi
+
 	losetup -d "${device}"
 	rm -rf "${mount_dir}"
 }