build: shim-v2: Rebuild if root_hashes do not match

Let's make sure we take the root_hashes into consideration to decide whether the shim-v2 should or should not be used from the cached artefacts. Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-08-02 08:17:01 +00:00 · 2024-10-24 20:17:55 +02:00 · 2024-10-24 20:17:55 +02:00 · 9c8b20b2bf
commit 9c8b20b2bf
parent 9c84998de9
2 changed files with 46 additions and 1 deletions
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@ -166,6 +166,12 @@ get_kernel_modules_dir() {
 	echo ${kernel_modules_dir}
 }

+cleanup_and_fail_shim_v2_specifics() {
+	rm -f "${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/shim-v2-root_hash.txt"
+
+	return $(cleanup_and_fail "${1:-}" "${2:-}")
+}
+
 cleanup_and_fail() {
 	local component_tarball_name="${1:-}"
 	local extra_tarballs="${2:-}"
@ -184,6 +190,36 @@ cleanup_and_fail() {
 	return 1
 }

+install_cached_shim_v2_tarball_get_root_hash() {
+	if [ "${MEASURED_ROOTFS}" != "yes" ]; then
+		return 0
+	fi
+
+	local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
+	local image_conf_tarball="kata-static-rootfs-image-confidential.tar.xz"
+
+	local root_hash_basedir="./opt/kata/share/kata-containers/"
+
+	tar xvf "${tarball_dir}/${image_conf_tarball}" ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,
+	mv root_hash.txt "${tarball_dir}/root_hash.txt"
+
+	return 0
+}
+
+install_cached_shim_v2_tarball_compare_root_hashes() {
+	if [ "${MEASURED_ROOTFS}" != "yes" ]; then
+		return 0
+	fi
+
+	local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
+
+	[ -f shim-v2-root_hash.txt ] || return 1
+
+	diff "${tarball_dir}/root_hash.txt" shim-v2-root_hash.txt || return 1
+
+	return 0
+}
+
 install_cached_tarball_component() {
 	if [ "${USE_CACHE}" != "yes" ]; then
 		return 1
@ -198,6 +234,10 @@ install_cached_tarball_component() {
 	# "tarball1_name:tarball1_path tarball2_name:tarball2_path ... tarballN_name:tarballN_path"
 	local extra_tarballs="${6:-}"

+	if [ "${component}" = "shim-v2" ]; then
+		install_cached_shim_v2_tarball_get_root_hash
+	fi
+
 	oras pull ${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) || return 1

 	cached_version="$(cat ${component}-version)"
@ -210,6 +250,10 @@ install_cached_tarball_component() {
 	[ "${cached_version}" != "${current_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
 	sha256sum -c "${component}-sha256sum" || return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")

+	if [ "${component}" = "shim-v2" ]; then
+		install_cached_shim_v2_tarball_compare_root_hashes || return $(cleanup_and_fail_shim_v2_specifics "${component_tarball_path}" "${extra_tarballs}")
+	fi
+
 	info "Using cached tarball of ${component}"
 	mv "${component_tarball_name}" "${component_tarball_path}"

--- a/tools/packaging/static-build/shim-v2/build.sh
+++ b/tools/packaging/static-build/shim-v2/build.sh
@ -28,7 +28,8 @@ EXTRA_OPTS="${EXTRA_OPTS:-""}"
 if [ "${MEASURED_ROOTFS}" == "yes" ]; then
 	info "Enable rootfs measurement config"

-	root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt"
+	root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/root_hash.txt"
+
 	[ -f "$root_hash_file" ] || \
 		die "Root hash file for measured rootfs not found at ${root_hash_file}"