From 9c8b20b2bf7f5060551b27aa4842224bd5618385 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Thu, 24 Oct 2024 20:17:55 +0200
Subject: [PATCH] build: shim-v2: Rebuild if root_hashes do not match
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Let's make sure we take the root_hashes into consideration to decide whether the shim-v2 should or should not be used from the cached artefacts.

Signed-off-by: Fabiano FidĂȘncio
---
 .../local-build/kata-deploy-binaries.sh | 44 +++++++++++++++++++
 tools/packaging/static-build/shim-v2/build.sh | 3 +-
 2 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index f673f5edfe..95dfb22771 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -166,6 +166,12 @@ get_kernel_modules_dir() {
 	echo ${kernel_modules_dir}
 }
 
+cleanup_and_fail_shim_v2_specifics() {
+	rm -f "${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/shim-v2-root_hash.txt"
+
+	return $(cleanup_and_fail "${1:-}" "${2:-}")
+}
+
 cleanup_and_fail() {
 	local component_tarball_name="${1:-}"
 	local extra_tarballs="${2:-}"
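Review bot: `cleanup_and_fail_shim_v2_specifics` deletes `shim-v2-root_hash.txt` by an absolute path under `local-build/build`, while `install_cached_shim_v2_tarball_compare_root_hashes` in the same patch tests and diffs `shim-v2-root_hash.txt` relative to the current directory; if those two locations ever differ, the stale hash file survives the cleanup and can satisfy the next comparison. Resolve both through a single variable, e.g. `local build_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"`, rather than spelling the same path out in each of the three new functions. `return $(cleanup_and_fail "${1:-}" "${2:-}")` copies the file's existing idiom, which only yields 1 as long as `cleanup_and_fail` writes nothing to stdout; `cleanup_and_fail "${1:-}" "${2:-}"; return $?` expresses the intent without that dependency.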
@@ -184,6 +190,36 @@ cleanup_and_fail() {
 	return 1
 }
 
+install_cached_shim_v2_tarball_get_root_hash() {
+	if [ "${MEASURED_ROOTFS}" != "yes" ]; then
+		return 0
+	fi
+
+	local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
+	local image_conf_tarball="kata-static-rootfs-image-confidential.tar.xz"
+
+	local root_hash_basedir="./opt/kata/share/kata-containers/"
+
+	tar xvf "${tarball_dir}/${image_conf_tarball}" ${root_hash_basedir}root_hash.txt --transform s,${root_hash_basedir},,
+	mv root_hash.txt "${tarball_dir}/root_hash.txt"
+
+	return 0
+}
+
+install_cached_shim_v2_tarball_compare_root_hashes() {
+	if [ "${MEASURED_ROOTFS}" != "yes" ]; then
+		return 0
+	fi
+
+	local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
+
+	[ -f shim-v2-root_hash.txt ] || return 1
+
+	diff "${tarball_dir}/root_hash.txt" shim-v2-root_hash.txt || return 1
+
+	return 0
+}
+
 install_cached_tarball_component() {
 	if [ "${USE_CACHE}" != "yes" ]; then
 		return 1
@@ -198,6 +234,10 @@ install_cached_tarball_component() {
 	# "tarball1_name:tarball1_path tarball2_name:tarball2_path ... tarballN_name:tarballN_path"
 	local extra_tarballs="${6:-}"
 
+	if [ "${component}" = "shim-v2" ]; then
+		install_cached_shim_v2_tarball_get_root_hash
+	fi
+
 	oras pull ${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:latest-${TARGET_BRANCH}-$(uname -m) || return 1
 
 	cached_version="$(cat ${component}-version)"
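Review bot: `install_cached_shim_v2_tarball_get_root_hash` returns 0 regardless of what `tar` and `mv` do, so when the confidential rootfs tarball is missing or does not contain `root_hash.txt`, a `${tarball_dir}/root_hash.txt` left over from an earlier run is what the later diff compares against, and a cached shim-v2 built for a different rootfs can be accepted. Clear the stale copy and propagate failures: `rm -f "${tarball_dir}/root_hash.txt"` before the extraction, then `tar xf … || return 1` and `mv root_hash.txt "${tarball_dir}/root_hash.txt" || return 1`. In `install_cached_shim_v2_tarball_compare_root_hashes`, `[ -f shim-v2-root_hash.txt ]` and `diff` both accept empty files, so two empty hashes would compare equal; `[ -s shim-v2-root_hash.txt ] && [ -s "${tarball_dir}/root_hash.txt" ] || return 1` closes that. The `${root_hash_basedir}root_hash.txt` member name and the `--transform` expression are unquoted, which is harmless for this literal but worth quoting for ShellCheck.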
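Review bot: The status of `install_cached_shim_v2_tarball_get_root_hash` is discarded at this call site, and the helper as written never reports a failed extraction, so `install_cached_tarball_component` goes on to `oras pull` and the later comparison without knowing whether `${tarball_dir}/root_hash.txt` is fresh, stale or absent. If the helper is changed to return non-zero when `tar` or `mv` fails, write the call as `install_cached_shim_v2_tarball_get_root_hash || return 1` so the cache is bypassed instead of being compared against whatever file happens to be there. The body of `install_cached_tarball_component` continues outside this hunk.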
@@ -210,6 +250,10 @@ install_cached_tarball_component() {
 	[ "${cached_version}" != "${current_version}" ] && return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
 	sha256sum -c "${component}-sha256sum" || return $(cleanup_and_fail "${component_tarball_path}" "${extra_tarballs}")
 
+	if [ "${component}" = "shim-v2" ]; then
+		install_cached_shim_v2_tarball_compare_root_hashes || return $(cleanup_and_fail_shim_v2_specifics "${component_tarball_path}" "${extra_tarballs}")
+	fi
+
 	info "Using cached tarball of ${component}"
 	mv "${component_tarball_name}" "${component_tarball_path}"
 
diff --git a/tools/packaging/static-build/shim-v2/build.sh b/tools/packaging/static-build/shim-v2/build.sh
index 9a1160f7bf..3944b09284 100755
--- a/tools/packaging/static-build/shim-v2/build.sh
+++ b/tools/packaging/static-build/shim-v2/build.sh
@@ -28,7 +28,8 @@ EXTRA_OPTS="${EXTRA_OPTS:-""}"
 if [ "${MEASURED_ROOTFS}" == "yes" ]; then
 	info "Enable rootfs measurement config"
-	root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt"
+	root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/root_hash.txt"
+
 	[ -f "$root_hash_file" ] || \
 		die "Root hash file for measured rootfs not found at ${root_hash_file}"
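Review bot: A root-hash mismatch rejects the cached shim-v2 silently: `install_cached_shim_v2_tarball_compare_root_hashes` only emits whatever `diff` prints, and the caller drops straight into `cleanup_and_fail_shim_v2_specifics`, so a CI log does not say why the cache was bypassed. Add a line ahead of the cleanup, e.g. `info "Cached shim-v2 was built against a different rootfs root_hash, rebuilding"`, mirroring the `info "Using cached tarball of ${component}"` that the success path already has. Since the helper returns 0 whenever `MEASURED_ROOTFS` is not `yes`, the new `if` is a no-op for non-measured builds, which deserves a one-line comment such as `# only enforced for measured rootfs builds; the helper is a no-op otherwise`. `install_cached_tarball_component` continues past this hunk.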