github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-15 22:53:43 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #5876 from fidencio/topic/CC-rework-build-dependencies-so-measured-rootfs-can-be-used

Browse Source 
Rework how we build the payload so measured boot can be used with the Operator
This commit is contained in:
Fabiano Fidêncio 2022-12-12 16:03:45 +01:00 committed by GitHub
commit d3e0190786
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 177 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
.github/workflows/cc-payload-after-push-amd64.yaml vendored
View File

@ -16,7 +16,6 @@ jobs:
- cc-kernel - cc-kernel
- cc-qemu - cc-qemu
- cc-rootfs-image - cc-rootfs-image
- cc-shim-v2
- cc-virtiofsd - cc-virtiofsd
- cc-sev-kernel - cc-sev-kernel
- cc-sev-ovmf - cc-sev-ovmf
@ -56,9 +55,60 @@ jobs:
retention-days: 1 retention-days: 1
if-no-files-found: error if-no-files-found: error
create-kata-tarball: - name: store-artifact root_hash_tdx.txt
uses: actions/upload-artifact@v3
with:
name: root_hash_tdx.txt
path: tools/osbuilder/root_hash_tdx.txt
retention-days: 1
if-no-files-found: ignore
- name: store-artifact root_hash_vanilla.txt
uses: actions/upload-artifact@v3
with:
name: root_hash_vanilla.txt
path: tools/osbuilder/root_hash_vanilla.txt
retention-days: 1
if-no-files-found: ignore
build-asset-cc-shim-v2:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: build-asset needs: build-asset
steps:
- uses: actions/checkout@v3
- name: Get root_hash_tdx.txt
uses: actions/download-artifact@v3
with:
name: root_hash_tdx.txt
path: tools/osbuilder/
- name: Get root_hash_vanilla.txt
uses: actions/download-artifact@v3
with:
name: root_hash_vanilla.txt
path: tools/osbuilder/
- name: Build cc-shim-v2
run: |
make cc-shim-v2-tarball
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
sudo cp -r "${build_dir}" "kata-build"
env:
PUSH_TO_REGISTRY: yes
- name: store-artifact cc-shim-v2
uses: actions/upload-artifact@v3
with:
name: kata-artifacts
path: kata-build/kata-static-cc-shim-v2.tar.xz
retention-days: 1
if-no-files-found: error
create-kata-tarball:
runs-on: ubuntu-latest
needs: [build-asset, build-asset-cc-shim-v2]
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: get-artifacts - name: get-artifacts

44
.github/workflows/cc-payload-after-push-s390x.yaml vendored
View File

@ -15,7 +15,6 @@ jobs:
- cc-kernel - cc-kernel
- cc-qemu - cc-qemu
- cc-rootfs-image - cc-rootfs-image
- cc-shim-v2
- cc-virtiofsd - cc-virtiofsd
steps: steps:
- name: Login to Kata Containers quay.io - name: Login to Kata Containers quay.io
@ -52,9 +51,50 @@ jobs:
retention-days: 1 retention-days: 1
if-no-files-found: error if-no-files-found: error
create-kata-tarball: - name: store-artifact root_hash_vanilla.txt
uses: actions/upload-artifact@v3
with:
name: root_hash_vanilla.txt-s390x
path: tools/osbuilder/root_hash_vanilla.txt
retention-days: 1
if-no-files-found: ignore
build-asset-cc-shim-v2:
runs-on: s390x runs-on: s390x
needs: build-asset needs: build-asset
steps:
- name: Adjust a permission for repo
run: |
sudo chown -R $USER:$USER $GITHUB_WORKSPACE
- uses: actions/checkout@v3
- name: Get root_hash_vanilla.txt
uses: actions/download-artifact@v3
with:
name: root_hash_vanilla.txt-s390x
path: tools/osbuilder/
- name: Build cc-shim-v2
run: |
make cc-shim-v2-tarball
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
sudo cp -r "${build_dir}" "kata-build"
env:
PUSH_TO_REGISTRY: yes
- name: store-artifact cc-shim-v2
uses: actions/upload-artifact@v3
with:
name: kata-artifacts-s390x
path: kata-build/kata-static-cc-shim-v2.tar.xz
retention-days: 1
if-no-files-found: error
create-kata-tarball:
runs-on: s390x
needs: [build-asset, build-asset-cc-shim-v2]
steps: steps:
- name: Adjust a permission for repo - name: Adjust a permission for repo
run: | run: |

52
.github/workflows/cc-payload.yaml vendored
View File

@ -14,7 +14,6 @@ jobs:
- cc-kernel - cc-kernel
- cc-qemu - cc-qemu
- cc-rootfs-image - cc-rootfs-image
- cc-shim-v2
- cc-virtiofsd - cc-virtiofsd
- cc-sev-kernel - cc-sev-kernel
- cc-sev-ovmf - cc-sev-ovmf
@ -44,9 +43,58 @@ jobs:
retention-days: 1 retention-days: 1
if-no-files-found: error if-no-files-found: error
create-kata-tarball: - name: store-artifact root_hash_tdx.txt
uses: actions/upload-artifact@v3
with:
name: root_hash_tdx.txt
path: tools/osbuilder/root_hash_tdx.txt
retention-days: 1
if-no-files-found: ignore
- name: store-artifact root_hash_vanilla.txt
uses: actions/upload-artifact@v3
with:
name: root_hash_vanilla.txt
path: tools/osbuilder/root_hash_vanilla.txt
retention-days: 1
if-no-files-found: ignore
build-asset-cc-shim-v2:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: build-asset needs: build-asset
steps:
- uses: actions/checkout@v3
- name: Get root_hash_tdx.txt
uses: actions/download-artifact@v3
with:
name: root_hash_tdx.txt
path: tools/osbuilder/
- name: Get root_hash_vanilla.txt
uses: actions/download-artifact@v3
with:
name: root_hash_vanilla.txt
path: tools/osbuilder/
- name: Build cc-shim-v2
run: |
make cc-shim-v2-tarball
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
sudo cp -r "${build_dir}" "kata-build"
- name: store-artifact cc-shim-v2
uses: actions/upload-artifact@v3
with:
name: kata-artifacts
path: kata-build/kata-static-cc-shim-v2.tar.xz
retention-days: 1
if-no-files-found: error
create-kata-tarball:
runs-on: ubuntu-latest
needs: [build-asset, build-asset-cc-shim-v2]
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: get-artifacts - name: get-artifacts

9
src/runtime/Makefile
View File

@ -128,11 +128,14 @@ AGENTCONFIGFILEPATH := /etc/agent-config.toml
AGENTCONFIGFILEKERNELPARAM := agent.config_file=$(AGENTCONFIGFILEPATH) AGENTCONFIGFILEKERNELPARAM := agent.config_file=$(AGENTCONFIGFILEPATH)
ROOTMEASURECONFIG ?= "" ROOTMEASURECONFIG ?= ""
ROOTMEASURECONFIGTDX ?= ""
AGENT_AA_KBC_PARAMS ?= "" AGENT_AA_KBC_PARAMS ?= ""
AGENT_AA_KBC_PARAMS_TDX ?= "" AGENT_AA_KBC_PARAMS_TDX ?= ""
AGENT_AA_KBC_PARAMS_SEV ?= "" AGENT_AA_KBC_PARAMS_SEV ?= ""
TDXKERNELPARAMS := tdx_disable_filter $(ROOTMEASURECONFIG) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_TDX) TDXKERNELPARAMS := tdx_disable_filter agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_TDX)
SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) $(ROOTMEASURECONFIG) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_SEV) TDXKERNELPARAMS_QEMU += $(TDXKERNELPARAMS) $(ROOTMEASURECONFIGTDX)
TDXKERNELPARAMS_CLH += $(TDXKERNELPARAMS) $(ROOTMEASURECONFIG)
SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_SEV)
KERNELPARAMS += $(ROOTMEASURECONFIG) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS) KERNELPARAMS += $(ROOTMEASURECONFIG) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS)
# Name of default configuration file the runtime will use. # Name of default configuration file the runtime will use.
@ -518,6 +521,8 @@ USER_VARS += TDXCPUFEATURES
USER_VARS += DEFMACHINETYPE_CLH USER_VARS += DEFMACHINETYPE_CLH
USER_VARS += KERNELPARAMS USER_VARS += KERNELPARAMS
USER_VARS += TDXKERNELPARAMS USER_VARS += TDXKERNELPARAMS
USER_VARS += TDXKERNELPARAMS_QEMU
USER_VARS += TDXKERNELPARAMS_CLH
USER_VARS += SEVKERNELPARAMS USER_VARS += SEVKERNELPARAMS
USER_VARS += LIBEXECDIR USER_VARS += LIBEXECDIR
USER_VARS += LOCALSTATEDIR USER_VARS += LOCALSTATEDIR

2
src/runtime/config/configuration-clh-tdx.toml.in
View File

@ -70,7 +70,7 @@ valid_hypervisor_paths = @CLHVALIDHYPERVISORPATHS@
# may stop the virtual machine from booting. # may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a # To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries. # container and look for 'default-kernel-parameters' log entries.
kernel_params = "@TDXKERNELPARAMS@" kernel_params = "@TDXKERNELPARAMS_CLH@"
# Default number of vCPUs per SB/VM: # Default number of vCPUs per SB/VM:
# unspecified or 0 --> will be set to @DEFVCPUS@ # unspecified or 0 --> will be set to @DEFVCPUS@

2
src/runtime/config/configuration-qemu-tdx.toml.in
View File

@ -59,7 +59,7 @@ valid_hypervisor_paths = @QEMUTDXVALIDHYPERVISORPATHS@
# may stop the virtual machine from booting. # may stop the virtual machine from booting.
# To see the list of default parameters, enable hypervisor debug, create a # To see the list of default parameters, enable hypervisor debug, create a
# container and look for 'default-kernel-parameters' log entries. # container and look for 'default-kernel-parameters' log entries.
kernel_params = "@TDXKERNELPARAMS@" kernel_params = "@TDXKERNELPARAMS_QEMU@"
# Path to the firmware. # Path to the firmware.
# If you want that qemu uses the default firmware leave this option empty # If you want that qemu uses the default firmware leave this option empty

7
tools/packaging/guest-image/build_image.sh
View File

@ -74,7 +74,8 @@ build_image() {
ROOTFS_BUILD_DEST="${builddir}/rootfs-image" ROOTFS_BUILD_DEST="${builddir}/rootfs-image"
mv -f "kata-containers.img" "${install_dir}/${image_name}" mv -f "kata-containers.img" "${install_dir}/${image_name}"
if [ -e "root_hash.txt" ]; then if [ -e "root_hash.txt" ]; then
cp root_hash.txt "${install_dir}/" [ -z "${root_hash_suffix}" ] && root_hash_suffix=vanilla
mv "${repo_root_dir}/tools/osbuilder/root_hash.txt" "${repo_root_dir}/tools/osbuilder/root_hash_${root_hash_suffix}.txt"
fi fi
( (
cd "${install_dir}" cd "${install_dir}"
@ -106,6 +107,7 @@ main() {
destdir="$PWD" destdir="$PWD"
prefix="/opt/kata" prefix="/opt/kata"
image_initrd_suffix="" image_initrd_suffix=""
root_hash_suffix=""
builddir="${PWD}" builddir="${PWD}"
while getopts "h-:" opt; do while getopts "h-:" opt; do
case "$opt" in case "$opt" in
@ -139,6 +141,9 @@ main() {
final_initrd_name="${final_initrd_name}-${image_initrd_suffix}" final_initrd_name="${final_initrd_name}-${image_initrd_suffix}"
fi fi
;; ;;
root_hash_suffix=*)
root_hash_suffix=${OPTARG#*=}
;;
prefix=*) prefix=*)
prefix=${OPTARG#*=} prefix=${OPTARG#*=}
;; ;;

22
tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
View File

@ -160,10 +160,16 @@ install_cc_image() {
export AA_KBC="${1:-offline_fs_kbc}" export AA_KBC="${1:-offline_fs_kbc}"
image_type="${2:-image}" image_type="${2:-image}"
image_initrd_suffix="${3:-""}" image_initrd_suffix="${3:-""}"
root_hash_suffix="${4:-""}"
export KATA_BUILD_CC=yes export KATA_BUILD_CC=yes
info "Create CC image configured with AA_KBC=${AA_KBC}" info "Create CC image configured with AA_KBC=${AA_KBC}"
"${rootfs_builder}" --imagetype="${image_type}" --prefix="${cc_prefix}" --destdir="${destdir}" --image_initrd_suffix="${image_initrd_suffix}" "${rootfs_builder}" \
--imagetype="${image_type}" \
--prefix="${cc_prefix}" \
--destdir="${destdir}" \
--image_initrd_suffix="${image_initrd_suffix}" \
--root_hash_suffix="${root_hash_suffix}"
} }
install_cc_sev_image() { install_cc_sev_image() {
@ -176,7 +182,8 @@ install_cc_tdx_image() {
AA_KBC="eaa_kbc" AA_KBC="eaa_kbc"
image_type="image" image_type="image"
image_suffix="tdx" image_suffix="tdx"
install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}" root_hash_suffix="tdx"
install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}" "${root_hash_suffix}"
} }
#Install CC kernel asset #Install CC kernel asset
@ -224,12 +231,19 @@ install_cc_shimv2() {
export REMOVE_VMM_CONFIGS="acrn fc" export REMOVE_VMM_CONFIGS="acrn fc"
extra_opts="DEFSERVICEOFFLOAD=true" extra_opts="DEFSERVICEOFFLOAD=true"
if [ -f "${repo_root_dir}/tools/osbuilder/root_hash.txt" ]; then if [ -f "${repo_root_dir}/tools/osbuilder/root_hash_vanilla.txt" ]; then
root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder//root_hash.txt") root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder/root_hash_vanilla.txt")
root_measure_config="cc_rootfs_verity.scheme=dm-verity cc_rootfs_verity.hash=${root_hash}" root_measure_config="cc_rootfs_verity.scheme=dm-verity cc_rootfs_verity.hash=${root_hash}"
extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\"" extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
fi fi
if [ -f "${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt" ]; then
root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt")
root_measure_config="cc_rootfs_verity.scheme=dm-verity cc_rootfs_verity.hash=${root_hash}"
extra_opts+=" ROOTMEASURECONFIGTDX=\"${root_measure_config}\""
fi
info "extra_opts: ${extra_opts}"
DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}" DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
} }