packaging: Ensure rootfs is rebuilt in case kernel changes

We need to do this in order to ensure that the measure boot will be taking the latest kernel bits, as needed. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2025-09-16 14:28:35 +00:00 · 2024-02-02 16:10:20 +01:00
parent 4394dacb88
commit b58cfc765c
1 changed files with 22 additions and 0 deletions
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -222,6 +222,15 @@ get_agent_tarball_path() {
 	echo "${agent_local_build_dir}/${agent_tarball_name}"
 }

+get_latest_kernel_confidential_artefact_and_builder_image_version() {
+		local kernel_version=$(get_from_kata_deps "assets.kernel.confidential.version")
+		local kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
+		local latest_kernel_artefact="${kernel_version}-${kernel_kata_config_version}-$(get_last_modification $(dirname $kernel_builder))"
+		local latest_kernel_builder_image="$(get_kernel_image_name)"
+
+		echo "${latest_kernel_artefact}-${latest_kernel_builder_image}"
+}
+
 #Install guest image
 install_image() {
 	local variant="${1:-}"
@@ -243,7 +252,14 @@ install_image() {
 		"$(get_last_modification "${repo_root_dir}/src/agent")" \
 		"$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")")

+
 	latest_artefact="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${image_type}"
+	if [ "${variant}" == "tdx" ]; then
+		# For the TDX image we depend on the kernel built in order to ensure that
+		# measured boot is used
+		latest_artefacts+="-$(get_latest_kernel_confidential_artefact_and_builder_image_version)"
+	fi
+
 	latest_builder_image=""

 	install_cached_tarball_component \
@@ -296,6 +312,12 @@ install_initrd() {
 		"$(get_last_modification "${repo_root_dir}/tools/packaging/static-build/agent")")

 	latest_artefact="${osbuilder_last_commit}-${guest_image_last_commit}-${agent_last_commit}-${libs_last_commit}-${gperf_version}-${libseccomp_version}-${rust_version}-${initrd_type}"
+	if [ "${variant}" == "tdx" ]; then
+		# For the TDX image we depend on the kernel built in order to ensure that
+		# measured boot is used
+		latest_artefacts+="-$(get_latest_kernel_confidential_artefact_and_builder_image_version)"
+	fi
+
 	latest_builder_image=""

 	[[ "${ARCH}" == "aarch64" && "${CROSS_BUILD}" == "true" ]] && echo "warning: Don't cross build initrd for aarch64 as it's too slow" && exit 0