From 5cb02a80670e6f19da4da937f5f26f8f54051ff0 Mon Sep 17 00:00:00 2001
From: "Wang, Arron"
Date: Tue, 23 Aug 2022 17:21:07 +0800
Subject: [PATCH] image-build: generate root hash as an separate partition for rootfs
Generate rootfs hash data during creating the kata rootfs, current kata image only have one partition, we add another partition as hash device to save hash data of rootfs data blocks.
Fixes: #6674
Signed-off-by: Wang, Arron
---
 tools/osbuilder/image-builder/Dockerfile | 1 +
 .../osbuilder/image-builder/image_builder.sh | 22 ++++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/tools/osbuilder/image-builder/Dockerfile b/tools/osbuilder/image-builder/Dockerfile
index 87f1e570f0..fcfa5ac208 100644
--- a/tools/osbuilder/image-builder/Dockerfile
+++ b/tools/osbuilder/image-builder/Dockerfile
@@ -14,5 +14,6 @@ RUN ([ -n "$http_proxy" ] && \
 gdisk \
 parted \
 qemu-img \
+ veritysetup \
 xfsprogs && \
 dnf clean all
diff --git a/tools/osbuilder/image-builder/image_builder.sh b/tools/osbuilder/image-builder/image_builder.sh
index 2ae656b94c..3e7f0babc0 100755
--- a/tools/osbuilder/image-builder/image_builder.sh
+++ b/tools/osbuilder/image-builder/image_builder.sh
@@ -11,6 +11,7 @@ set -o errexit
 set -o pipefail
 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
+MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
 readonly script_name="${0##*/}"
 readonly script_dir=$(dirname "$(readlink -f "$0")")
@@ -185,6 +186,7 @@ build_with_container() {
 --env BLOCK_SIZE="${block_size}" \
 --env ROOT_FREE_SPACE="${root_free_space}" \
 --env NSDAX_BIN="${nsdax_bin}" \
+ --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \
 --env SELINUX="${SELINUX}" \
 --env DEBUG="${DEBUG}" \
 -v /dev:/dev \
@@ -391,9 +393,21 @@ create_disk() { # Kata runtime expect an image with just one partition # The partition is the rootfs content info "Creating partitions" + + if [ "${MEASURED_ROOTFS}" == "yes" ]; then + info "Creating partitions with hash device" + # The hash data will take less than one percent disk space to store + hash_start=$(echo $img_size | awk '{print $1 * 0.99}' |cut -d $(locale decimal_point) -f 1) + partition_param="mkpart primary ${fs_type} ${part_start}M ${hash_start}M " + partition_param+="mkpart primary ${fs_type} ${hash_start}M ${rootfs_end}M " + partition_param+="set 1 boot on" + else + partition_param="mkpart primary ${fs_type} ${part_start}M ${rootfs_end}M" + fi + + parted -s -a optimal "${image}" -- \ mklabel msdos \ - mkpart primary "${fs_type}" "${part_start}"M "${rootfs_end}"M + "${partition_param}" OK "Partitions created" }
@@ -490,6 +504,12 @@ create_rootfs_image() {
 fsck.ext4 -D -y "${device}p1"
 fi
+ if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -b "${device}p2" ]; then
+ info "veritysetup format rootfs device: ${device}p1, hash device: ${device}p2"
+ local image_dir=$(dirname "${image}")
+ veritysetup format "${device}p1" "${device}p2" > "${image_dir}"/root_hash.txt 2>&1
+ fi
+
 losetup -d "${device}"
 rm -rf "${mount_dir}"
 }
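Review bot: `hash_start` in the MEASURED_ROOTFS branch is derived through an `echo | awk | cut` pipeline with unquoted `$img_size` and `$(locale decimal_point)`, and neither it nor `partition_param` is declared `local`, so both become script globals. If `img_size` is always an integer number of megabytes, `local hash_start=$(( img_size * 99 / 100 ))` yields the same truncated value without the locale dependency. The comment states that the hash data needs less than one percent of the disk, but nothing in the hunk checks it; a guard such as `[ "${hash_start}" -gt "${part_start}" ]` and a sentence on where the one-percent figure comes from would surface an undersized hash partition here rather than later in `veritysetup format`. create_disk begins above this hunk, so the origin of `rootfs_end` is not visible.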
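Review bot: The verity step in create_rootfs_image fails open: with MEASURED_ROOTFS=yes but no block device at `${device}p2`, the `&&` test skips `veritysetup format`, so the build succeeds with an unmeasured image and any root_hash.txt from an earlier build stays beside it. A missing hash partition should be a build error when measurement was requested. The `2>&1` also puts veritysetup's diagnostics into the file that consumers read the root hash from, and `local image_dir=$(…)` masks a failing `dirname`. The sketch assumes the `die` helper used by other osbuilder scripts is in scope here; create_rootfs_image begins above this hunk.

```shell
	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
		# Measurement was requested: a missing hash partition must stop the build.
		[ -b "${device}p2" ] || die "MEASURED_ROOTFS=yes but hash device ${device}p2 not found"
		# … unchanged: info "veritysetup format rootfs device …" …
		local image_dir
		image_dir=$(dirname "${image}")
		# stderr stays on the console so root_hash.txt holds only veritysetup's report
		veritysetup format "${device}p1" "${device}p2" > "${image_dir}/root_hash.txt"
	fi
```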