From a9b222f91e689f9132e75e9fc465eab8e97e32d9 Mon Sep 17 00:00:00 2001
From: Manuel Huber
Date: Thu, 5 Feb 2026 16:48:44 -0800
Subject: [PATCH] gpu: Update chiseled rootfs with new CDH deps

With CDH requiring libcryptsetup, mkfs.ext4, dd, and their dependencies, we will need to update the chiseled NVIDIA rootfs accordingly.

Signed-off-by: Manuel Huber
---
 .../rootfs-builder/nvidia/nvidia_chroot.sh | 7 ++++
 .../rootfs-builder/nvidia/nvidia_rootfs.sh | 40 +++++++++++++++++++
 2 files changed, 47 insertions(+)

diff --git a/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh b/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
index 6f782373d0..bafcfa5f06 100644
--- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
+++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_chroot.sh
@@ -67,6 +67,13 @@ install_userspace_components() {
 libnvidia-cfg1 libnvidia-gl libnvidia-extra \
 libnvidia-decode libnvidia-fbc1 libnvidia-encode \
 libnvidia-nscq libnvidia-compute nvidia-settings
+
+ # Needed for confidential-data-hub runtime dependencies
+ eval "${APT_INSTALL}" cryptsetup-bin dmsetup \
+ libargon2-1 e2fsprogs
+
+ apt-mark hold cryptsetup-bin dmsetup libargon2-1 \
+ e2fsprogs
 }
 
 setup_apt_repositories() {
diff --git a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
index b0529155aa..691406d589 100644
--- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
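Review bot: The new `apt-mark hold` in install_userspace_components (nvidia_chroot.sh) carries no comment saying why these four packages must be held, and the package list is silently coupled to the soname globs that copy_cdh_runtime_deps in nvidia_rootfs.sh copies out of stage one. If the hold exists to keep a later cleanup or autoremove step in the chroot from dropping them (that step is not visible in this hunk), say so next to the command, e.g. `# Hold: stage two copies these files out of stage one; keep chroot cleanup from removing them (see copy_cdh_runtime_deps in nvidia_rootfs.sh)`. The function starts above the hunk, so how the other packages are protected is not visible here.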
@@ -308,6 +308,44 @@ compress_rootfs() {
 chmod +x "${libdir}"/ld-linux-*
 }
 
+copy_cdh_runtime_deps() {
+ local libdir="lib/${machine_arch}-linux-gnu"
+
+ # Shared libraries required by /usr/local/bin/confidential-data-hub.
+ # Note: libcryptsetup loads some optional helpers (e.g. libpopt/libssh) only
+ # when specific features are used. The current CDH path (LUKS2 + mkfs.ext4)
+ # does not require those optional libs.
+ cp -a "${stage_one}/${libdir}"/libcryptsetup.so.12* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libuuid.so.1* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libdevmapper.so.1.02.1* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libselinux.so.1* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libpcre2-8.so.0* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libudev.so.1* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libcap.so.2* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libcrypto.so.3* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libz.so.1* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libzstd.so.1* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libjson-c.so.5* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libblkid.so.1* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libargon2.so.1* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libgcc_s.so.1* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libm.so.6* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libc.so.6* "${libdir}/."
+
+ # e2fsprogs (mkfs.ext4) runtime libs
+ cp -a "${stage_one}/${libdir}"/libext2fs.so.2* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libe2p.so.2* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libss.so.2* "${libdir}/."
+ cp -a "${stage_one}/${libdir}"/libcom_err.so.2* "${libdir}/."
+
+ # mkfs.ext4 and dd are used by CDH secure_mount
+ mkdir -p sbin etc usr/bin bin
+ cp -a "${stage_one}/sbin/mke2fs" sbin/.
+ cp -a "${stage_one}/sbin/mkfs.ext4" sbin/.
+ cp -a "${stage_one}/etc/mke2fs.conf" etc/.
+ cp -a "${stage_one}/usr/bin/dd" bin/.
+}
+
 coco_guest_components() {
 if [[ "${type}" != "confidential" ]]; then
 return
@@ -329,6 +367,8 @@ coco_guest_components() {
 mkdir -p "${pause_dir}/rootfs"
 cp -a "${stage_one}/${pause_dir}"/config.json "${pause_dir}/."
 cp -a "${stage_one}/${pause_dir}"/rootfs/pause "${pause_dir}/rootfs/."
+
+ copy_cdh_runtime_deps
 }
 
 setup_nvidia_gpu_rootfs_stage_two() {
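Review bot: copy_cdh_runtime_deps hard-codes twenty versioned soname globs and never checks that each one matched, so a library whose soname changes in stage one is only caught if the failing `cp` aborts the build, which depends on shell options set outside this hunk. For the confidential image the failure mode matters: a rootfs missing one of these libraries would presumably leave confidential-data-hub unable to load in the guest, so the build should stop with a message naming the missing library. Driving the copies from one array with an explicit match test does that and removes the repeated `cp` lines. Separately, `mkdir -p` creates `usr/bin`, yet nothing in the function writes there, since `dd` is copied into `bin/`; drop it or add a comment explaining it.

```bash
copy_cdh_runtime_deps() {
	local libdir="lib/${machine_arch}-linux-gnu"
	# … unchanged: comment on optional libcryptsetup helpers …
	local -a cdh_libs=(
		libcryptsetup.so.12 libuuid.so.1 libdevmapper.so.1.02.1
		libselinux.so.1 libpcre2-8.so.0 libudev.so.1 libcap.so.2
		libcrypto.so.3 libz.so.1 libzstd.so.1 libjson-c.so.5
		libblkid.so.1 libargon2.so.1 libgcc_s.so.1 libm.so.6 libc.so.6
		# e2fsprogs (mkfs.ext4) runtime libs
		libext2fs.so.2 libe2p.so.2 libss.so.2 libcom_err.so.2
	)
	local lib
	for lib in "${cdh_libs[@]}"; do
		# Fail the build here rather than ship a guest image that lacks the library.
		if ! compgen -G "${stage_one}/${libdir}/${lib}*" > /dev/null; then
			echo "copy_cdh_runtime_deps: ${lib} not found in ${stage_one}/${libdir}" >&2
			return 1
		fi
		cp -a "${stage_one}/${libdir}/${lib}"* "${libdir}/."
	done
	# … unchanged: mkdir and the mke2fs, mkfs.ext4, mke2fs.conf, dd copies …
}
```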