Merge pull request #6756 from arronwy/measured_rootfs

Port Measured rootfs feature from CCv0 branch to main

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -32,6 +32,7 @@ jobs:
           - qemu-snp-experimental
           - qemu-tdx-experimental
           - rootfs-image
+          - rootfs-image-tdx
           - rootfs-initrd
           - rootfs-initrd-sev
           - shim-v2

src/runtime/Makefile

@@ -133,6 +133,10 @@ FIRMWARETDVFVOLUMEPATH :=
 FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
 
+ROOTMEASURECONFIG ?= ""
+KERNELPARAMS += $(ROOTMEASURECONFIG)
+KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
+
 # Name of default configuration file the runtime will use.
 CONFIG_FILE = configuration.toml
 

tools/osbuilder/image-builder/Dockerfile

@@ -14,5 +14,6 @@ RUN ([ -n "$http_proxy" ] && \
         gdisk \
         parted \
         qemu-img \
+        veritysetup \
         xfsprogs && \
     dnf clean all

tools/osbuilder/image-builder/image_builder.sh

@@ -11,6 +11,7 @@ set -o errexit
 set -o pipefail
 
 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
+MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
 
 readonly script_name="${0##*/}"
 readonly script_dir=$(dirname "$(readlink -f "$0")")
@@ -185,6 +186,7 @@ build_with_container() {
 		   --env BLOCK_SIZE="${block_size}" \
 		   --env ROOT_FREE_SPACE="${root_free_space}" \
 		   --env NSDAX_BIN="${nsdax_bin}" \
+		   --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \
 		   --env SELINUX="${SELINUX}" \
 		   --env DEBUG="${DEBUG}" \
 		   -v /dev:/dev \
@@ -391,9 +393,21 @@ create_disk() {
 	# Kata runtime expect an image with just one partition
 	# The partition is the rootfs content
 	info "Creating partitions"
+
+	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+		info "Creating partitions with hash device"
+		# The hash data will take less than one percent disk space to store
+		hash_start=$(echo $img_size | awk '{print $1 * 0.99}' |cut -d $(locale decimal_point) -f 1)
+		partition_param="mkpart primary ${fs_type} ${part_start}M ${hash_start}M "
+		partition_param+="mkpart primary ${fs_type} ${hash_start}M ${rootfs_end}M "
+		partition_param+="set 1 boot on"
+	else
+		partition_param="mkpart primary ${fs_type} ${part_start}M ${rootfs_end}M"
+	fi
+
 	parted -s -a optimal "${image}" -- \
 		   mklabel msdos \
-		   mkpart primary "${fs_type}" "${part_start}"M "${rootfs_end}"M
+		   "${partition_param}"
 
 	OK "Partitions created"
 }
@@ -490,6 +504,12 @@ create_rootfs_image() {
 		fsck.ext4 -D -y "${device}p1"
 	fi
 
+	if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -b "${device}p2" ]; then
+		info "veritysetup format rootfs device: ${device}p1, hash device: ${device}p2"
+		local image_dir=$(dirname "${image}")
+		veritysetup format "${device}p1" "${device}p2" > "${image_dir}"/root_hash.txt 2>&1
+	fi
+
 	losetup -d "${device}"
 	rm -rf "${mount_dir}"
 }

tools/osbuilder/rootfs-builder/rootfs.sh

@@ -16,6 +16,7 @@ AGENT_VERSION=${AGENT_VERSION:-}
 RUST_VERSION="null"
 AGENT_BIN=${AGENT_BIN:-kata-agent}
 AGENT_INIT=${AGENT_INIT:-no}
+MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
 KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""}
 OSBUILDER_VERSION="unknown"
 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
@@ -434,6 +435,7 @@ build_rootfs_distro()
 			--env AGENT_INIT="${AGENT_INIT}" \
 			--env ARCH="${ARCH}" \
 			--env CI="${CI}" \
+			--env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \
 			--env KERNEL_MODULES_DIR="${KERNEL_MODULES_DIR}" \
 			--env LIBC="${LIBC}" \
 			--env EXTRA_PKGS="${EXTRA_PKGS}" \

tools/osbuilder/rootfs-builder/ubuntu/config.sh

@@ -7,6 +7,7 @@ OS_NAME=ubuntu
 OS_VERSION=${OS_VERSION:-focal}
 PACKAGES="chrony iptables dbus"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" init"
+[ "$MEASURED_ROOTFS" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp2"
 REPO_URL=http://ports.ubuntu.com
 

tools/packaging/guest-image/build_image.sh

@@ -22,6 +22,7 @@ readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)"
 export GOPATH=${GOPATH:-${HOME}/go}
 
 arch_target="$(uname -m)"
+final_image_name="kata-containers"
 final_initrd_name="kata-containers-initrd"
 image_initrd_extension=".img"
 
@@ -54,9 +55,12 @@ build_image() {
 		IMG_OS_VERSION="${img_os_version}" \
 		ROOTFS_BUILD_DEST="${builddir}/rootfs-image"
 	mv -f "kata-containers.img" "${install_dir}/${image_name}"
+	if [ -e "root_hash.txt" ]; then
+	    cp root_hash.txt "${install_dir}/"
+	fi
 	(
 		cd "${install_dir}"
-		ln -sf "${image_name}" kata-containers.img
+		ln -sf "${image_name}" "${final_image_name}${image_initrd_extension}"
 	)
 }
 
@@ -83,6 +87,7 @@ main() {
 	image_type=image
 	destdir="$PWD"
 	prefix="/opt/kata"
+	image_suffix=""
 	image_initrd_suffix=""
 	builddir="${PWD}"
 	while getopts "h-:" opt; do
@@ -110,6 +115,11 @@ main() {
 					initrd_os_version=$(get_from_kata_deps "assets.initrd.architecture.${arch_target}.sev.version")
 					initrd_name="kata-${initrd_distro}-${initrd_os_version}-${image_initrd_suffix}.${image_type}"
 					final_initrd_name="${final_initrd_name}-${image_initrd_suffix}"
+				elif [ "${image_initrd_suffix}" == "tdx" ]; then
+					img_distro=$(get_from_kata_deps "assets.image.architecture.${arch_target}.name")
+					img_os_version=$(get_from_kata_deps "assets.image.architecture.${arch_target}.version")
+					image_name="kata-${img_distro}-${img_os_version}-${image_initrd_suffix}.${image_type}"
+					final_image_name="${final_image_name}-${image_initrd_suffix}"
 				fi
 				;;
 			prefix=*)

tools/packaging/kata-deploy/local-build/Makefile

@@ -42,6 +42,7 @@ all: serial-targets \
 serial-targets:
 	${MAKE} -f $(MK_PATH) -j 1 V= \
 	rootfs-image-tarball \
+	rootfs-image-tdx-tarball \
 	rootfs-initrd-sev-tarball \
 	rootfs-initrd-tarball \
 	cloud-hypervisor-tarball
@@ -100,6 +101,9 @@ qemu-tdx-experimental-tarball:
 rootfs-image-tarball:
 	${MAKE} $@-build
 
+rootfs-image-tdx-tarball: kernel-tdx-experimental-tarball
+	${MAKE} $@-build
+
 rootfs-initrd-sev-tarball: kernel-sev-tarball
 	${MAKE} $@-build
 

tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh

@@ -64,6 +64,7 @@ docker run \
 	--env SHIM_V2_CONTAINER_BUILDER="${SHIM_V2_CONTAINER_BUILDER:-}" \
 	--env TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER:-}" \
 	--env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}" \
+	--env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \
 	--rm \
 	-w ${script_dir} \
 	build-kata-deploy "${kata_deploy_create}" $@

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -24,6 +24,7 @@ readonly versions_yaml="${repo_root_dir}/versions.yaml"
 
 readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh"
 readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh"
+readonly initramfs_builder="${static_build_dir}/initramfs/build.sh"
 readonly kernel_builder="${static_build_dir}/kernel/build.sh"
 readonly ovmf_builder="${static_build_dir}/ovmf/build.sh"
 readonly qemu_builder="${static_build_dir}/qemu/build-static-qemu.sh"
@@ -38,6 +39,7 @@ readonly jenkins_url="http://jenkins.katacontainers.io"
 readonly cached_artifacts_path="lastSuccessfulBuild/artifact/artifacts"
 
 ARCH=$(uname -m)
+MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
 
 workdir="${WORKDIR:-$PWD}"
 
@@ -93,6 +95,7 @@ options:
 	qemu-snp-experimental
 	qemu-tdx-experimental
 	rootfs-image
+	rootfs-image-tdx
 	rootfs-initrd
 	rootfs-initrd-sev
 	shim-v2
@@ -133,8 +136,10 @@ install_cached_tarball_component() {
 
 #Install guest image
 install_image() {
-	local jenkins="${jenkins_url}/job/kata-containers-main-rootfs-image-$(uname -m)/${cached_artifacts_path}"
-	local component="rootfs-image"
+	local image_type="${1:-"image"}"
+	local initrd_suffix="${2:-""}"
+	local jenkins="${jenkins_url}/job/kata-containers-main-rootfs-${image_type}-$(uname -m)/${cached_artifacts_path}"
+	local component="rootfs-${image_type}"
 
 	local osbuilder_last_commit="$(get_last_modification "${repo_root_dir}/tools/osbuilder")"
 	local guest_image_last_commit="$(get_last_modification "${repo_root_dir}/tools/packaging/guest-image")"
@@ -154,7 +159,12 @@ install_image() {
 		&& return 0
 
 	info "Create image"
-	"${rootfs_builder}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}"
+	"${rootfs_builder}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${initrd_suffix}"
+}
+
+#Install guest image for tdx
+install_image_tdx() {
+	install_image "image-tdx" "tdx"
 }
 
 #Install guest initrd
@@ -241,6 +251,11 @@ install_kernel_helper() {
 
 	install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0
 
+	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+		info "build initramfs for cc kernel"
+		"${initramfs_builder}"
+	fi
+
 	info "build ${kernel_name}"
 	info "Kernel version ${kernel_version}"
 	DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" ${extra_cmd}
@@ -303,6 +318,8 @@ install_kernel_experimental() {
 install_kernel_tdx_experimental() {
 	local kernel_url="$(get_from_kata_deps assets.kernel-tdx-experimental.url)"
 
+	export MEASURED_ROOTFS=yes
+
 	install_kernel_helper \
 		"assets.kernel-tdx-experimental.version" \
 		"kernel-tdx-experimental" \
@@ -478,7 +495,19 @@ install_shimv2() {
 
 	export GO_VERSION
 	export RUST_VERSION
-	DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
+
+	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+	        extra_opts="DEFSERVICEOFFLOAD=true"
+		if [ -f "${repo_root_dir}/tools/osbuilder/root_hash.txt" ]; then
+			root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder//root_hash.txt")
+			root_measure_config="rootfs_verity.scheme=dm-verity rootfs_verity.hash=${root_hash}"
+			extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
+		fi
+
+		DESTDIR="${destdir}" PREFIX="${prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
+	else
+		DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
+	fi
 }
 
 install_ovmf() {
@@ -581,6 +610,8 @@ handle_build() {
 
 	rootfs-image) install_image ;;
 
+	rootfs-image-tdx) install_image_tdx ;;
+
 	rootfs-initrd) install_initrd ;;
 
 	rootfs-initrd-sev) install_initrd_sev ;;

tools/packaging/kernel/build-kernel.sh

@@ -31,6 +31,7 @@ readonly default_kernel_config_dir="${script_dir}/configs"
 # Default path to search for kernel config fragments
 readonly default_config_frags_dir="${script_dir}/configs/fragments"
 readonly default_config_whitelist="${script_dir}/configs/fragments/whitelist.conf"
+readonly default_initramfs="${script_dir}/initramfs.cpio.gz"
 # GPU vendor
 readonly GV_INTEL="intel"
 readonly GV_NVIDIA="nvidia"
@@ -64,6 +65,8 @@ kernel_url=""
 #Linux headers for GPU guest fs module building
 linux_headers=""
 
+MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
+
 packaging_scripts_dir="${script_dir}/../scripts"
 source "${packaging_scripts_dir}/lib.sh"
 
@@ -269,6 +272,18 @@ get_kernel_frag_path() {
 		fi
 	fi
 
+	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+		info "Enabling config for confidential guest trust storage protection"
+		local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)"
+		all_configs="${all_configs} ${cryptsetup_configs}"
+
+		if [ -f "${default_initramfs}" ]; then
+			info "Enabling config for confidential guest measured boot"
+			local initramfs_configs="$(ls ${common_path}/confidential_containers/initramfs.conf)"
+			all_configs="${all_configs} ${initramfs_configs}"
+		fi
+	fi
+
 	if [[ "${conf_guest}" != "" ]];then
 		info "Enabling config for '${conf_guest}' confidential guest protection"
 		local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)"
@@ -418,6 +433,11 @@ setup_kernel() {
 	[ -n "${hypervisor_target}" ] || hypervisor_target="kvm"
 	[ -n "${kernel_config_path}" ] || kernel_config_path=$(get_default_kernel_config "${kernel_version}" "${hypervisor_target}" "${arch_target}" "${kernel_path}")
 
+	if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -f "${default_initramfs}" ]; then
+		info "Copying initramfs from: ${default_initramfs}"
+		cp "${default_initramfs}" ./
+	fi
+
 	info "Copying config file from: ${kernel_config_path}"
 	cp "${kernel_config_path}" ./.config
 	make oldconfig

tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf

@@ -0,0 +1,21 @@
+CONFIG_MD=y
+CONFIG_BLK_DEV_DM_BUILTIN=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_CRYPT=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_INTEGRITY=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_ESSIV=y
+CONFIG_CRYPTO_XTS=y
+CONFIG_CRYPTO_HMAC=y

tools/packaging/kernel/configs/fragments/common/confidential_containers/initramfs.conf

@@ -0,0 +1 @@
+CONFIG_INITRAMFS_SOURCE="initramfs.cpio.gz"

tools/packaging/kernel/configs/fragments/x86_64/crypto.conf

@@ -0,0 +1,3 @@
+# x86 cryptographic instructions to improve AES encryption and SHA256 hashing.
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_AES_NI_INTEL=y

tools/packaging/kernel/kata_config_version

@@ -1 +1 @@
-107
+108

tools/packaging/static-build/initramfs/Dockerfile

@@ -0,0 +1,38 @@
+# Copyright (c) 2022 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+from ubuntu:20.04
+
+ARG DEBIAN_FRONTEND=noninteractive
+ENV TZ=UTC
+RUN apt-get update &&\
+    apt-get --no-install-recommends install -y software-properties-common &&\
+    add-apt-repository ppa:git-core/ppa -y &&\
+    apt-get update && apt-get upgrade -y && \
+    apt-get --no-install-recommends install -y \
+	    apt-utils \
+	    asciidoctor \
+	    autoconf \
+	    autopoint \
+	    automake \
+	    busybox-static \
+	    ca-certificates \
+	    curl \
+	    gcc \
+	    gettext \
+	    git \
+	    libaio-dev \
+	    libblkid-dev \
+	    libselinux1-dev \
+	    libtool \
+	    libpopt-dev \
+	    libjson-c-dev \
+	    libssl-dev \
+	    make \
+	    ninja-build \
+	    pkg-config \
+	    uuid-dev \
+	    libseccomp-dev \
+	    libseccomp2 \
+	    zlib1g-dev &&\
+    apt-get clean && rm -rf /var/lib/apt/lists/

tools/packaging/static-build/initramfs/build-initramfs.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+#
+# Copyright (c) 2022 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+source "${script_dir}/../../scripts/lib.sh"
+install_dir="${1:-.}"
+
+cryptsetup_repo="${cryptsetup_repo:-}"
+cryptsetup_version="${cryptsetup_version:-}"
+lvm2_repo="${lvm2_repo:-}"
+lvm2_version="${lvm2_version:-}"
+
+[ -n "${cryptsetup_repo}" ] || die "Failed to get cryptsetup repo"
+[ -n "${cryptsetup_version}" ] || die "Failed to get cryptsetup version"
+[ -n "${lvm2_repo}" ] || die "Failed to get lvm2 repo"
+[ -n "${lvm2_version}" ] || die "Failed to get lvm2 version"
+
+build_root=$(mktemp -d)
+pushd ${build_root}
+
+info "Build ${lvm2_repo} version: ${lvm2_version}"
+git clone --depth 1 --branch "${lvm2_version}" "${lvm2_repo}" lvm2
+pushd lvm2
+./configure --enable-static_link --disable-selinux
+make && make install
+cp ./libdm/libdevmapper.pc /usr/lib/pkgconfig/devmapper.pc
+popd #lvm2
+
+info "Build ${cryptsetup_repo} version: ${cryptsetup_version}"
+git clone --depth 1 --branch "${cryptsetup_version}" "${cryptsetup_repo}" cryptsetup
+pushd cryptsetup
+./autogen.sh
+./configure  --enable-static --enable-static-cryptsetup --disable-udev --disable-external-tokens --disable-ssh-token
+make && make install
+strip /usr/sbin/veritysetup.static
+popd #cryptsetup
+
+info "Build gen_init_cpio tool"
+git clone --depth 1 --filter=blob:none --sparse https://github.com/torvalds/linux.git
+pushd linux
+git sparse-checkout add usr && cd usr && make gen_init_cpio
+install gen_init_cpio /usr/sbin/
+popd #linux
+
+popd #${build_root}
+
+install "${script_dir}/init.sh" /usr/sbin/
+gen_init_cpio "${script_dir}/initramfs.list" | gzip -9 -n > "${install_dir}"/initramfs.cpio.gz

tools/packaging/static-build/initramfs/build.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2022 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+repo_root_dir="$(cd "${script_dir}/../../../.." && pwd)"
+readonly initramfs_builder="${script_dir}/build-initramfs.sh"
+readonly default_install_dir="$(cd "${script_dir}/../../kernel" && pwd)"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+container_image="kata-initramfs-builder"
+kata_version="${kata_version:-}"
+cryptsetup_repo="${cryptsetup_repo:-}"
+cryptsetup_version="${cryptsetup_version:-}"
+lvm2_repo="${lvm2_repo:-}"
+lvm2_version="${lvm2_version:-}"
+package_output_dir="${package_output_dir:-}"
+
+[ -n "${cryptsetup_repo}" ] || cryptsetup_repo=$(get_from_kata_deps "externals.cryptsetup.url" "${kata_version}")
+[ -n "${cryptsetup_version}" ] || cryptsetup_version=$(get_from_kata_deps "externals.cryptsetup.version" "${kata_version}")
+[ -n "${lvm2_repo}" ] || lvm2_repo=$(get_from_kata_deps "externals.lvm2.url" "${kata_version}")
+[ -n "${lvm2_version}" ] || lvm2_version=$(get_from_kata_deps "externals.lvm2.version" "${kata_version}")
+
+[ -n "${cryptsetup_repo}" ] || die "Failed to get cryptsetup repo"
+[ -n "${cryptsetup_version}" ] || die "Failed to get cryptsetup version"
+[ -n "${lvm2_repo}" ] || die "Failed to get lvm2 repo"
+[ -n "${lvm2_version}" ] || die "Failed to get lvm2 version"
+
+sudo docker build \
+	-t "${container_image}" "${script_dir}"
+
+sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
+	-w "${PWD}" \
+	--env cryptsetup_repo="${cryptsetup_repo}" \
+	--env cryptsetup_version="${cryptsetup_version}" \
+	--env lvm2_repo="${lvm2_repo}" \
+	--env lvm2_version="${lvm2_version}" \
+	"${container_image}" \
+	bash -c "${initramfs_builder} ${default_install_dir}"

tools/packaging/static-build/initramfs/init.sh

@@ -0,0 +1,44 @@
+#!/bin/sh
+#
+# Copyright (c) 2022 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+[ -d /dev ] || mkdir -m 0755 /dev
+[ -d /root ] || mkdir -m 0700 /root
+[ -d /sys ] || mkdir /sys
+[ -d /proc ] || mkdir /proc
+[ -d /mnt ] || mkdir /mnt
+[ -d /tmp ] || mkdir /tmp
+
+mount -t sysfs -o nodev,noexec,nosuid sysfs /sys
+mount -t proc -o nodev,noexec,nosuid proc /proc
+
+echo "/sbin/mdev" > /proc/sys/kernel/hotplug
+mdev -s
+
+get_option() {
+    local value
+    value=" $(cat /proc/cmdline) "
+    value="${value##* ${1}=}"
+    value="${value%% *}"
+    [ "${value}" != "" ] && echo "${value}"
+}
+
+rootfs_verifier=$(get_option rootfs_verity.scheme)
+rootfs_hash=$(get_option rootfs_verity.hash)
+root_device=$(get_option root)
+hash_device=${root_device%?}2
+
+if [ -e ${root_device} ] && [ -e ${hash_device} ] && [ "${rootfs_verifier}" = "dm-verity" ]
+then
+    veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}"
+    mount /dev/mapper/root /mnt
+else
+    echo "No LUKS device found"
+    mount "${root_device}" /mnt
+fi
+
+umount /proc
+umount /sys
+exec switch_root /mnt /sbin/init

tools/packaging/static-build/initramfs/initramfs.list

@@ -0,0 +1,21 @@
+# Copyright (c) 2022 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# initramfs to setup verified boot for rootfs
+dir /dev 0755 0 0
+dir /root 0700 0 0
+dir /sbin 0755 0 0
+dir /bin 0755 0 0
+dir /run 0755 0 0
+dir /mnt 0755 0 0
+file /init /usr/sbin/init.sh 0755 0 0
+file /sbin/busybox /usr/bin/busybox 0755 0 0
+file /sbin/veritysetup /usr/sbin/veritysetup.static 0755 0 0
+slink /bin/sh /sbin/busybox 0755 0 0
+slink /sbin/mount /sbin/busybox 0755 0 0
+slink /bin/mkdir /sbin/busybox 0755 0 0
+slink /sbin/mdev /sbin/busybox 0755 0 0
+slink /sbin/switch_root /sbin/busybox 0755 0 0
+slink /sbin/umount /sbin/busybox 0755 0 0
+slink /sbin/cat /sbin/busybox 0755 0 0

tools/packaging/static-build/kernel/build.sh

@@ -25,6 +25,7 @@ sudo docker pull ${container_image} || \
 
 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 	-w "${PWD}" \
+	--env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \
 	"${container_image}" \
 	bash -c "${kernel_builder} $* setup"
 

tools/packaging/static-build/shim-v2/build.sh

@@ -21,6 +21,8 @@ DESTDIR=${DESTDIR:-${PWD}}
 PREFIX=${PREFIX:-/opt/kata}
 container_image="${SHIM_V2_CONTAINER_BUILDER:-$(get_shim_v2_image_name)}"
 
+EXTRA_OPTS="${EXTRA_OPTS:-""}"
+
 sudo docker pull ${container_image} || \
        	(sudo docker build  \
 		--build-arg GO_VERSION="${GO_VERSION}" \
@@ -47,12 +49,12 @@ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 	-w "${repo_root_dir}/src/runtime" \
 	"${container_image}" \
-	bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch}"
+	bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch} ${EXTRA_OPTS}"
 
 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 	-w "${repo_root_dir}/src/runtime" \
 	"${container_image}" \
-	bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX="${PREFIX}" DESTDIR="${DESTDIR}" install"
+	bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX="${PREFIX}" DESTDIR="${DESTDIR}" ${EXTRA_OPTS} install"
 
 for vmm in ${VMM_CONFIGS}; do
 	config_file="${DESTDIR}/${PREFIX}/share/defaults/kata-containers/configuration-${vmm}.toml"

versions.yaml

@@ -228,11 +228,21 @@ externals:
     url: "https://github.com/kubernetes-sigs/cri-tools"
     version: "1.23.0"
 
+  cryptsetup:
+    description: "A utility used to setup disk encryption, integrity protection"
+    url: "https://gitlab.com/cryptsetup/cryptsetup"
+    version: "v2.5.0"
+
   gperf:
     description: "GNU gperf is a perfect hash function generator"
     url: "http://ftp.gnu.org/pub/gnu/gperf/"
     version: "3.1"
 
+  lvm2:
+    description: "LVM2 and device-mapper tools and libraries"
+    url: "https://github.com/lvmteam/lvm2"
+    version: "v2_03_16"
+
   kubernetes:
     description: "Kubernetes project container manager"
     url: "https://github.com/kubernetes/kubernetes"