github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-06-23 14:08:31 +00:00
Code Issues Projects Releases Wiki Activity

local-build: Extract build_secure_image() as a separate library

Browse Source 
Currently, all functions in `build_se_image.sh` are dedicated to
publishing a payload image. However, `build_secure_image()` is now
also used for repackaging a secure image when a kernel parameter
is reconfigured. This reconfiguration is necessary because the KBS
service address is determined after the initial secure image build.

This commit extracts `build_secure_image()` from `build_se_image.sh`
and creates a separate library, which can be loaded by bats-core.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
This commit is contained in:
Hyounggyu Choi 2024-06-26 12:49:29 +02:00
parent bf2f0ea2ca
commit 5d0f74cd70
2 changed files with 88 additions and 84 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
tools/packaging/guest-image/build_se_image.sh
View File

@ -9,27 +9,18 @@ set -o errexit
set -o nounset set -o nounset
set -o pipefail set -o pipefail
readonly script_name="$(basename "${BASH_SOURCE[0]}")" script_name="$(basename "${BASH_SOURCE[0]}")"
readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly packaging_root_dir="$(cd "${script_dir}/../" && pwd)" packaging_root_dir="$(cd "${script_dir}/../" && pwd)"
readonly kata_root_dir="$(cd "${packaging_root_dir}/../../" && pwd)" kata_root_dir="$(cd "${packaging_root_dir}/../../" && pwd)"
source "$kata_root_dir/tests/common.bash"
source "${packaging_root_dir}/scripts/lib.sh" source "${packaging_root_dir}/scripts/lib.sh"
source "${script_dir}/lib_se.sh"
ARCH=${ARCH:-$(uname -m)} ARCH=${ARCH:-$(uname -m)}
if [ $(uname -m) == "${ARCH}" ]; then if [ $(uname -m) == "${ARCH}" ]; then
[ "${ARCH}" == "s390x" ] || die "Building a Secure Execution image is currently only supported on s390x." [ "${ARCH}" == "s390x" ] || die "Building a Secure Execution image is currently only supported on s390x."
fi fi
finish() {
if [ -e "${parmfile}" ]; then
rm -f "${parmfile}"
fi
}
trap finish EXIT
usage() { usage() {
cat >&2 << EOF cat >&2 << EOF
Usage: Usage:
@ -51,76 +42,6 @@ EOF
exit "${1:-0}" exit "${1:-0}"
} }
# Build a IBM zSystem secure execution (SE) image
#
# Parameters:
# $1 - kernel_parameters
# $2 - a source directory where kernel and initrd are located
# $3 - a destination directory where a SE image is built
#
# Return:
# 0 if the image is successfully built
# 1 otherwise
build_secure_image() {
kernel_params="${1:-}"
install_src_dir="${2:-}"
install_dest_dir="${3:-}"
key_verify_option="--no-verify" # no verification for CI testing purposes
if [ -n "${SIGNING_KEY_CERT_PATH:-}" ] && [ -n "${INTERMEDIATE_CA_CERT_PATH:-}" ]; then
if [ -e "${SIGNING_KEY_CERT_PATH}" ] && [ -e "${INTERMEDIATE_CA_CERT_PATH}" ]; then
key_verify_option="--cert=${SIGNING_KEY_CERT_PATH} --cert=${INTERMEDIATE_CA_CERT_PATH}"
else
die "Specified certificate(s) not found"
fi
fi
if [ ! -f "${install_src_dir}/vmlinuz-confidential.container" ] ||
[ ! -f "${install_src_dir}/kata-containers-initrd-confidential.img" ]; then
cat << EOF >&2
Either kernel or initrd does not exist or is mistakenly named
A file name for kernel must be vmlinuz-confidential.container (raw binary)
A file name for initrd must be kata-containers-initrd-confidential.img
EOF
return 1
fi
cmdline="${kernel_params} panic=1 scsi_mod.scan=none swiotlb=262144"
parmfile="$(mktemp --suffix=-cmdline)"
echo "${cmdline}" > "${parmfile}"
chmod 600 "${parmfile}"
[ -n "${HKD_PATH:-}" ] || (echo >&2 "No host key document specified." && return 1)
cert_list=($(ls -1 $HKD_PATH))
declare hkd_options
eval "for cert in ${cert_list[*]}; do
hkd_options+=\"--host-key-document=\\\"\$HKD_PATH/\$cert\\\" \"
done"
command -v genprotimg > /dev/null 2>&1 || die "A package s390-tools is not installed."
extra_arguments=""
genprotimg_version=$(genprotimg --version | grep -Po '(?<=version )[^-]+')
if ! version_greater_than_equal "${genprotimg_version}" "2.17.0"; then
extra_arguments="--x-pcf '0xe0'"
fi
eval genprotimg \
"${extra_arguments}" \
"${hkd_options}" \
--output="${install_dest_dir}/kata-containers-se.img" \
--image="${install_src_dir}/vmlinuz-confidential.container" \
--ramdisk="${install_src_dir}/kata-containers-initrd-confidential.img" \
--parmfile="${parmfile}" \
"${key_verify_option}"
build_result=$?
if [ $build_result -eq 0 ]; then
return 0
else
return 1
fi
}
build_image() { build_image() {
image_source_dir="${builddir}/secure-image" image_source_dir="${builddir}/secure-image"
mkdir -p "${image_source_dir}" mkdir -p "${image_source_dir}"

83
tools/packaging/guest-image/lib_se.sh Executable file
View File

@ -0,0 +1,83 @@
#!/usr/bin/env bash
# Copyright (c) 2024 IBM Corp.
#
# SPDX-License-Identifier: Apache-2.0
set -o nounset
readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly packaging_root_dir="$(cd "${script_dir}/../" && pwd)"
readonly kata_root_dir="$(cd "${packaging_root_dir}/../../" && pwd)"
source "$kata_root_dir/tests/common.bash"
# Build a IBM zSystem secure execution (SE) image
#
# Parameters:
# $1 - kernel_parameters
# $2 - a source directory where kernel and initrd are located
# $3 - a destination directory where a SE image is built
#
# Return:
# 0 if the image is successfully built
# 1 otherwise
build_secure_image() {
kernel_params="${1:-}"
install_src_dir="${2:-}"
install_dest_dir="${3:-}"
key_verify_option="--no-verify" # no verification for CI testing purposes
if [ -n "${SIGNING_KEY_CERT_PATH:-}" ] && [ -n "${INTERMEDIATE_CA_CERT_PATH:-}" ]; then
if [ -e "${SIGNING_KEY_CERT_PATH}" ] && [ -e "${INTERMEDIATE_CA_CERT_PATH}" ]; then
key_verify_option="--cert=${SIGNING_KEY_CERT_PATH} --cert=${INTERMEDIATE_CA_CERT_PATH}"
else
die "Specified certificate(s) not found"
fi
fi
if [ ! -f "${install_src_dir}/vmlinuz-confidential.container" ] ||
[ ! -f "${install_src_dir}/kata-containers-initrd-confidential.img" ]; then
cat << EOF >&2
Either kernel or initrd does not exist or is mistakenly named
A file name for kernel must be vmlinuz-confidential.container (raw binary)
A file name for initrd must be kata-containers-initrd-confidential.img
EOF
return 1
fi
cmdline="${kernel_params} panic=1 scsi_mod.scan=none swiotlb=262144 agent.debug_console agent.debug_console_vport=1026"
parmfile="$(mktemp --suffix=-cmdline)"
echo "${cmdline}" > "${parmfile}"
chmod 600 "${parmfile}"
[ -n "${HKD_PATH:-}" ] || (echo >&2 "No host key document specified." && return 1)
cert_list=($(ls -1 $HKD_PATH/HKD-*.crt | xargs -n 1 basename))
declare hkd_options
eval "for cert in ${cert_list[*]}; do
hkd_options+=\"--host-key-document=\\\"\$HKD_PATH/\$cert\\\" \"
done"
command -v genprotimg > /dev/null 2>&1 || die "A package s390-tools is not installed."
extra_arguments=""
genprotimg_version=$(genprotimg --version | grep -Po '(?<=version )[^-]+')
if ! version_greater_than_equal "${genprotimg_version}" "2.17.0"; then
extra_arguments="--x-pcf '0xe0'"
fi
eval genprotimg \
"${extra_arguments}" \
"${hkd_options}" \
--output="${install_dest_dir}/kata-containers-se.img" \
--image="${install_src_dir}/vmlinuz-confidential.container" \
--ramdisk="${install_src_dir}/kata-containers-initrd-confidential.img" \
--parmfile="${parmfile}" \
"${key_verify_option}"
build_result=$?
rm -f "${parmfile}"
if [ $build_result -eq 0 ]; then
return 0
else
return 1
fi
}