Merge pull request #7231 from wainersm/measured_rootfs-improvements
Build for measured rootfs improvements
@@ -25,7 +25,6 @@ readonly versions_yaml="${repo_root_dir}/versions.yaml"
|
||||
readonly agent_builder="${static_build_dir}/agent/build.sh"
|
||||
readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh"
|
||||
readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh"
|
||||
readonly initramfs_builder="${static_build_dir}/initramfs/build.sh"
|
||||
readonly kernel_builder="${static_build_dir}/kernel/build.sh"
|
||||
readonly ovmf_builder="${static_build_dir}/ovmf/build.sh"
|
||||
readonly qemu_builder="${static_build_dir}/qemu/build-static-qemu.sh"
|
||||
@@ -300,7 +299,7 @@ install_cached_kernel_tarball_component() {
|
||||
install_kernel_helper() {
|
||||
local kernel_version_yaml_path="${1}"
|
||||
local kernel_name="${2}"
|
||||
local extra_cmd=${3}
|
||||
local extra_cmd="${3:-}"
|
||||
|
||||
export kernel_version="$(get_from_kata_deps ${kernel_version_yaml_path})"
|
||||
export kernel_kata_config_version="$(cat ${repo_root_dir}/tools/packaging/kernel/kata_config_version)"
|
||||
@@ -314,11 +313,6 @@ install_kernel_helper() {
|
||||
|
||||
install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0
|
||||
|
||||
if [ "${MEASURED_ROOTFS}" == "yes" ]; then
|
||||
info "build initramfs for cc kernel"
|
||||
"${initramfs_builder}"
|
||||
fi
|
||||
|
||||
info "build ${kernel_name}"
|
||||
info "Kernel version ${kernel_version}"
|
||||
DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" ${extra_cmd}
|
||||
@@ -605,18 +599,7 @@ install_shimv2() {
|
||||
export GO_VERSION
|
||||
export RUST_VERSION
|
||||
|
||||
if [ "${MEASURED_ROOTFS}" == "yes" ]; then
|
||||
extra_opts="DEFSERVICEOFFLOAD=true"
|
||||
if [ -f "${repo_root_dir}/tools/osbuilder/root_hash.txt" ]; then
|
||||
root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder//root_hash.txt")
|
||||
root_measure_config="rootfs_verity.scheme=dm-verity rootfs_verity.hash=${root_hash}"
|
||||
extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
|
||||
fi
|
||||
|
||||
DESTDIR="${destdir}" PREFIX="${prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
|
||||
else
|
||||
DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
|
||||
fi
|
||||
DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
|
||||
}
|
||||
|
||||
install_ovmf() {
|
||||
|
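Review bot: Both builder invocations that now own the measured-rootfs logic — `DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" ${extra_cmd}` in install_kernel_helper and the single remaining `DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"` in install_shimv2 — depend on MEASURED_ROOTFS being present in the child's environment, and these hunks only show the variable being tested, never exported. If it is not exported elsewhere in this script (not visible here), both builders see it unset and quietly produce a non-measured kernel and runtime, with no error at build time. Passing it at the call site makes the dependency explicit, e.g. `MEASURED_ROOTFS="${MEASURED_ROOTFS:-no}" DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"` and the same prefix on the kernel builder line. The `"${3:-}"` fix is good, but the same hunk still passes `${kernel_version_yaml_path}` and `${repo_root_dir}` unquoted into the two command substitutions just below it; install_kernel_helper's body continues outside the hunk.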
@@ -64,11 +64,11 @@ PREFIX="${PREFIX:-/usr}"
|
||||
kernel_url=""
|
||||
#Linux headers for GPU guest fs module building
|
||||
linux_headers=""
|
||||
# Enable measurement of the guest rootfs at boot.
|
||||
measured_rootfs="false"
|
||||
|
||||
CROSS_BUILD_ARG=""
|
||||
|
||||
MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
|
||||
|
||||
packaging_scripts_dir="${script_dir}/../scripts"
|
||||
source "${packaging_scripts_dir}/lib.sh"
|
||||
|
||||
@@ -103,6 +103,7 @@ Options:
|
||||
-g <vendor> : GPU vendor, intel or nvidia.
|
||||
-h : Display this help.
|
||||
-H <deb|rpm> : Linux headers for guest fs module building.
|
||||
-m : Enable measured rootfs.
|
||||
-k <path> : Path to kernel to build.
|
||||
-p <path> : Path to a directory with patches to apply to kernel.
|
||||
-s : Skip .config checks
|
||||
@@ -127,6 +128,12 @@ arch_to_kernel() {
|
||||
esac
|
||||
}
|
||||
|
||||
# When building for measured rootfs the initramfs image should be previously built.
|
||||
check_initramfs_or_die() {
|
||||
[ -f "${default_initramfs}" ] || \
|
||||
die "Initramfs for measured rootfs not found at ${default_initramfs}"
|
||||
}
|
||||
|
||||
get_tee_kernel() {
|
||||
local version="${1}"
|
||||
local kernel_path="${2}"
|
||||
@@ -270,16 +277,15 @@ get_kernel_frag_path() {
|
||||
all_configs="${all_configs} ${gpu_configs}"
|
||||
fi
|
||||
|
||||
if [ "${MEASURED_ROOTFS}" == "yes" ]; then
|
||||
if [ "${measured_rootfs}" == "true" ]; then
|
||||
info "Enabling config for confidential guest trust storage protection"
|
||||
local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)"
|
||||
all_configs="${all_configs} ${cryptsetup_configs}"
|
||||
|
||||
if [ -f "${default_initramfs}" ]; then
|
||||
info "Enabling config for confidential guest measured boot"
|
||||
local initramfs_configs="$(ls ${common_path}/confidential_containers/initramfs.conf)"
|
||||
all_configs="${all_configs} ${initramfs_configs}"
|
||||
fi
|
||||
check_initramfs_or_die
|
||||
info "Enabling config for confidential guest measured boot"
|
||||
local initramfs_configs="$(ls ${common_path}/confidential_containers/initramfs.conf)"
|
||||
all_configs="${all_configs} ${initramfs_configs}"
|
||||
fi
|
||||
|
||||
if [[ "${conf_guest}" != "" ]];then
|
||||
@@ -431,7 +437,8 @@ setup_kernel() {
|
||||
[ -n "${hypervisor_target}" ] || hypervisor_target="kvm"
|
||||
[ -n "${kernel_config_path}" ] || kernel_config_path=$(get_default_kernel_config "${kernel_version}" "${hypervisor_target}" "${arch_target}" "${kernel_path}")
|
||||
|
||||
if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -f "${default_initramfs}" ]; then
|
||||
if [ "${measured_rootfs}" == "true" ]; then
|
||||
check_initramfs_or_die
|
||||
info "Copying initramfs from: ${default_initramfs}"
|
||||
cp "${default_initramfs}" ./
|
||||
fi
|
||||
@@ -538,7 +545,7 @@ install_kata() {
|
||||
}
|
||||
|
||||
main() {
|
||||
while getopts "a:b:c:deEfg:hH:k:p:t:u:v:x:" opt; do
|
||||
while getopts "a:b:c:deEfg:hH:k:mp:t:u:v:x:" opt; do
|
||||
case "$opt" in
|
||||
a)
|
||||
arch_target="${OPTARG}"
|
||||
@@ -572,6 +579,9 @@ main() {
|
||||
H)
|
||||
linux_headers="${OPTARG}"
|
||||
;;
|
||||
m)
|
||||
measured_rootfs="true"
|
||||
;;
|
||||
k)
|
||||
kernel_path="$(realpath ${OPTARG})"
|
||||
;;
|
||||
|
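Review bot: The new `-m` option is listed before `-k` in the usage text and in the `case` arms but appended after `k:` in the getopts string `a:b:c:deEfg:hH:k:mp:t:u:v:x:`; keeping all three in the same order makes the option table easier to audit when the next flag is added. The help line also omits the precondition the code now enforces: both get_kernel_frag_path and setup_kernel call `check_initramfs_or_die`, so `-m` aborts unless the initramfs image already exists at `${default_initramfs}`. Suggest `-m : Enable measured rootfs (requires the initramfs image to be built beforehand).` so a user hitting the die message knows what to do. The get_kernel_frag_path and setup_kernel bodies both extend beyond their hunks.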
@@ -30,8 +30,24 @@ rootfs_hash=$(get_option rootfs_verity.hash)
|
||||
root_device=$(get_option root)
|
||||
hash_device=${root_device%?}2
|
||||
|
||||
if [ -e ${root_device} ] && [ -e ${hash_device} ] && [ "${rootfs_verifier}" = "dm-verity" ]
|
||||
# The root device should exist to be either verified then mounted or
|
||||
# just mounted when verification is disabled.
|
||||
if [ ! -e "${root_device}" ]
|
||||
then
|
||||
echo "No root device ${root_device} found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${rootfs_verifier}" = "dm-verity" ]
|
||||
then
|
||||
echo "Verify the root device with ${rootfs_verifier}"
|
||||
|
||||
if [ ! -e "${hash_device}" ]
|
||||
then
|
||||
echo "No hash device ${hash_device} found. Cannot verify the root device"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}"
|
||||
mount /dev/mapper/root /mnt
|
||||
else
|
||||
|
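Review bot: The verification step itself is unchecked: `veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}"` and the following `mount /dev/mapper/root /mnt` carry no status check, whereas the new device-existence tests above them `exit 1`; unless the script runs under `set -e` (not visible in this hunk) a failed verity open — empty or mismatching `rootfs_verity.hash`, wrong hash device — falls through to whatever follows the if/else instead of stopping the boot. Fail closed the same way as the existence checks: `veritysetup open "${root_device}" root "${hash_device}" "${rootfs_hash}" || { echo "Verification of ${root_device} failed"; exit 1; }` and `mount /dev/mapper/root /mnt || { echo "Cannot mount verified root device"; exit 1; }`. The context line `hash_device=${root_device%?}2` also assumes the root device name ends in a single-digit partition number, which is worth stating in the comment above it since the new hash-device check reports it as simply "not found". The if/else block continues past the end of the hunk.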
@@ -13,6 +13,7 @@ script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
source "${script_dir}/../../scripts/lib.sh"
|
||||
|
||||
readonly kernel_builder="${repo_root_dir}/tools/packaging/kernel/build-kernel.sh"
|
||||
readonly initramfs_builder="${repo_root_dir}/tools/packaging/static-build/initramfs/build.sh"
|
||||
|
||||
BUILDX=
|
||||
PLATFORM=
|
||||
@@ -20,6 +21,16 @@ PLATFORM=
|
||||
DESTDIR=${DESTDIR:-${PWD}}
|
||||
PREFIX=${PREFIX:-/opt/kata}
|
||||
container_image="${KERNEL_CONTAINER_BUILDER:-$(get_kernel_image_name)}"
|
||||
MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
|
||||
kernel_builder_args="-a ${ARCH} $*"
|
||||
|
||||
if [ "${MEASURED_ROOTFS}" == "yes" ]; then
|
||||
info "build initramfs for cc kernel"
|
||||
"${initramfs_builder}"
|
||||
# Turn on the flag to build the kernel with support to
|
||||
# measured rootfs.
|
||||
kernel_builder_args+=" -m"
|
||||
fi
|
||||
|
||||
if [ "${CROSS_BUILD}" == "true" ]; then
|
||||
container_image="${container_image}-${ARCH}-cross-build"
|
||||
@@ -39,23 +50,22 @@ sudo docker pull ${container_image} || \
|
||||
|
||||
sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
|
||||
-w "${PWD}" \
|
||||
--env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \
|
||||
"${container_image}" \
|
||||
bash -c "${kernel_builder} -a ${ARCH} $* setup"
|
||||
bash -c "${kernel_builder} ${kernel_builder_args} setup"
|
||||
|
||||
sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
|
||||
-w "${PWD}" \
|
||||
"${container_image}" \
|
||||
bash -c "${kernel_builder} -a ${ARCH} $* build"
|
||||
bash -c "${kernel_builder} ${kernel_builder_args} build"
|
||||
|
||||
sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
|
||||
-w "${PWD}" \
|
||||
--env DESTDIR="${DESTDIR}" --env PREFIX="${PREFIX}" \
|
||||
"${container_image}" \
|
||||
bash -c "${kernel_builder} -a ${ARCH} $* install"
|
||||
bash -c "${kernel_builder} ${kernel_builder_args} install"
|
||||
|
||||
sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
|
||||
-w "${PWD}" \
|
||||
--env DESTDIR="${DESTDIR}" --env PREFIX="${PREFIX}" \
|
||||
"${container_image}" \
|
||||
bash -c "${kernel_builder} -a ${ARCH} $* build-headers"
|
||||
bash -c "${kernel_builder} ${kernel_builder_args} build-headers"
|
||||
|
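Review bot: `kernel_builder_args="-a ${ARCH} $*"` keeps building the builder command line by string concatenation and then hands it to `bash -c "${kernel_builder} ${kernel_builder_args} setup"` (and the sibling `build`, `install` and `build-headers` lines), so any caller argument containing whitespace or shell metacharacters is re-split and re-interpreted by the inner shell; the change extends this pattern with `kernel_builder_args+=" -m"` rather than fixing it. An array preserves argument boundaries: `kernel_builder_args=(-a "${ARCH}" "$@")`, `kernel_builder_args+=(-m)`, and in each docker line `bash -c "${kernel_builder} $(printf '%q ' "${kernel_builder_args[@]}") setup"`. Separately, `"${initramfs_builder}"` now runs on the host before the container is pulled, and its failure only stops the script under `set -e`, which is not visible here; an explicit `"${initramfs_builder}" || die "initramfs build failed"` (die comes from the lib.sh sourced at the top) would match the `|| \` style used on the docker pull below.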
@@ -25,6 +25,19 @@ container_image="${SHIM_V2_CONTAINER_BUILDER:-$(get_shim_v2_image_name)}"
|
||||
EXTRA_OPTS="${EXTRA_OPTS:-""}"
|
||||
|
||||
[ "${CROSS_BUILD}" == "true" ] && container_image_bk="${container_image}" && container_image="${container_image}-cross-build"
|
||||
if [ "${MEASURED_ROOTFS}" == "yes" ]; then
|
||||
EXTRA_OPTS+=" DEFSERVICEOFFLOAD=true"
|
||||
info "Enable rootfs measurement config"
|
||||
|
||||
root_hash_file="${repo_root_dir}/tools/osbuilder/root_hash.txt"
|
||||
[ -f "$root_hash_file" ] || \
|
||||
die "Root hash file for measured rootfs not found at ${root_hash_file}"
|
||||
|
||||
root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${root_hash_file}")
|
||||
root_measure_config="rootfs_verity.scheme=dm-verity rootfs_verity.hash=${root_hash}"
|
||||
EXTRA_OPTS+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
|
||||
fi
|
||||
|
||||
sudo docker pull ${container_image} || \
|
||||
(sudo docker ${BUILDX} build ${PLATFORM} \
|
||||
--build-arg GO_VERSION="${GO_VERSION}" \
|
||||
@@ -49,7 +62,8 @@ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
|
||||
--env CC="${CC}" \
|
||||
-w "${repo_root_dir}/src/runtime-rs" \
|
||||
"${container_image}" \
|
||||
bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch}"
|
||||
bash -c "git config --global --add safe.directory ${repo_root_dir} && \
|
||||
make clean-generated-files && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch}"
|
||||
|
||||
sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
|
||||
--env CROSS_BUILD=${CROSS_BUILD} \
|
||||
@@ -64,7 +78,8 @@ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
|
||||
sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
|
||||
-w "${repo_root_dir}/src/runtime" \
|
||||
"${container_image}" \
|
||||
bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch} ${EXTRA_OPTS}"
|
||||
bash -c "git config --global --add safe.directory ${repo_root_dir} && \
|
||||
make clean-generated-files && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch} ${EXTRA_OPTS}"
|
||||
|
||||
sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
|
||||
-w "${repo_root_dir}/src/runtime" \
|
||||
|
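Review bot: `root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${root_hash_file}")` is never validated before being baked into `ROOTMEASURECONFIG`, which the later `bash -c "... make ... ${EXTRA_OPTS}"` re-parses with the inner shell; if the file exists but has no `Root hash:` line the build succeeds with `rootfs_verity.hash=` empty and the problem only surfaces when a guest boots, and any unexpected file content would be shell-interpreted inside the container. A shape check right after the assignment closes both: `[[ "${root_hash}" =~ ^[0-9a-fA-F]+$ ]] || die "Unexpected root hash in ${root_hash_file}: '${root_hash}'"`. Also, `[ "${MEASURED_ROOTFS}" == "yes" ]` has no default here, unlike the kernel builder's `MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}` in this same PR; if the script sets `-u` (not visible in the hunk) an unset variable aborts the build, so `"${MEASURED_ROOTFS:-no}"` is the safer spelling. The `\s` in the sed expression is a GNU extension, which matters only if this script is expected to run with a non-GNU sed.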