From b58cfc765c3bfdedf7e4b7d3b29e9dfcee231d94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 2 Feb 2024 16:10:20 +0100
Subject: [PATCH] packaging: Ensure rootfs is rebuilt in case kernel changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We need to do this in order to ensure that the measure boot will be taking the latest kernel bits, as needed.

Signed-off-by: Fabiano FidĂȘncio
---
 .../local-build/kata-deploy-binaries.sh | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 7f10e9464..f47cce9dd 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -222,6 +222,15 @@ get_agent_tarball_path() {
 echo "${agent_local_build_dir}/${agent_tarball_name}"
 }
 
+get_latest_kernel_confidential_artefact_and_builder_image_version() {
+ local kernel_version=$(get_from_kata_deps "assets.kernel.confidential.version")
+ local kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
+ local latest_kernel_artefact="${kernel_version}-${kernel_kata_config_version}-$(get_last_modification $(dirname $kernel_builder))"
+ local latest_kernel_builder_image="$(get_kernel_image_name)"
+
+ echo "${latest_kernel_artefact}-${latest_kernel_builder_image}"
+}
+
 #Install guest image
 install_image() {
 local variant="${1:-}"
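Review bot: `local kernel_version=$(get_from_kata_deps ...)` and the three `local ...="$(...)"` lines below it mask the exit status of the command substitution, so a failed lookup leaves an empty component in the cache key instead of failing the build — `local` returns 0 even under `set -e`, whose use is not visible in this hunk. Separate declaration from assignment, e.g. `local kernel_version` then `kernel_version=$(get_from_kata_deps "assets.kernel.confidential.version") || return 1`, and likewise for the other three. On the `latest_kernel_artefact` line, `$(dirname $kernel_builder)` and the `cat ${repo_root_dir}/...` argument are unquoted; `kernel_builder` is defined outside this hunk, and if it is ever unset `dirname` silently yields `.`, keying the artefact on the wrong directory — write `"$(get_last_modification "$(dirname "${kernel_builder}")")"`. The new function is complete within the hunk; install_image starts here and continues past it.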
@@ -243,7 +252,14 @@ install_image() {
 "$(get_last_modification "${repo_root_dir}/src/agent")" \
 "$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")")
 
+
 latest_artefact="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${image_type}"
+ if [ "${variant}" == "tdx" ]; then
+ # For the TDX image we depend on the kernel built in order to ensure that
+ # measured boot is used
+ latest_artefacts+="-$(get_latest_kernel_confidential_artefact_and_builder_image_version)"
+ fi
+
 latest_builder_image=""
 
 install_cached_tarball_component \
@@ -296,6 +312,12 @@ install_initrd() {
 "$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")")
 
 latest_artefact="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${initrd_type}"
+ if [ "${variant}" == "tdx" ]; then
+ # For the TDX image we depend on the kernel built in order to ensure that
+ # measured boot is used
+ latest_artefacts+="-$(get_latest_kernel_confidential_artefact_and_builder_image_version)"
+ fi
+
 latest_builder_image=""
 
 [[ "${ARCH}" == "aarch64" && "${CROSS_BUILD}" == "true" ]] && echo "warning: Don't cross build initrd for aarch64 as it's too slow" && exit 0
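Review bot: The kernel version is appended to `latest_artefacts` (plural), while the cache key assembled a few lines above and presumably consumed by the `install_cached_tarball_component` call that follows is `latest_artefact`, so for the TDX variant the key never changes when the kernel does and a rootfs built against an older kernel can still be served from the cache — the measured-boot guarantee the commit message describes is not actually enforced. The same typo is in the install_initrd hunk below. Change both lines to `latest_artefact+="-$(get_latest_kernel_confidential_artefact_and_builder_image_version)"`. The extra `+` empty line added before `latest_artefact=` leaves two consecutive blank lines and looks unintended. install_image begins before this hunk and continues after it.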