build: cache: Cache root_hash.txt used by the shim-v2

Let's cache the root_hash.txt from the confidential image so we can use them later on to decide whether there was a rootfs change that would require shim-v2 to be rebuilt. Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-07-19 09:51:29 +00:00 · 2024-10-23 19:38:40 +02:00 · 2024-10-23 19:38:40 +02:00 · 9c84998de9
commit 9c84998de9
parent d2d9792720
1 changed files with 22 additions and 0 deletions
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@ -1145,6 +1145,21 @@ handle_build() {
 			fi
 			tar tvf "${modules_final_tarball_path}"
 			;;
+		shim-v2)
+			if [ "${MEASURED_ROOTFS}" = "yes" ]; then
+				local image_conf_tarball="${workdir}/kata-static-rootfs-image-confidential.tar.xz"
+				if [ ! -f "${image_conf_tarball}" ]; then
+					die "Building the shim-v2 with MEASURED_ROOTFS support requires a rootfs confidential image tarball"
+				fi
+
+				local root_hash_basedir="./opt/kata/share/kata-containers/"
+				if ! tar xvf ${image_conf_tarball} ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,; then
+					die "Building the shim-v2 with MEASURED_ROOTFS support requres a rootfs confidential image tarball built with MEASURED_ROOTFS support"
+				fi
+
+				mv root_hash.txt shim-v2-root_hash.txt
+			fi
+			;;
 	esac

 	pushd ${workdir}
@ -1210,6 +1225,13 @@ handle_build() {
 					"kata-static-${build_target}-modules.tar.xz"
 				)
 				;;
+			shim-v2)
+				if [ "${MEASURED_ROOTFS}" = "yes" ]; then
+					files_to_push+=(
+						"shim-v2-root_hash.txt"
+					)
+				fi
+				;;
 			*)
 				;;
 		esac