Merge pull request #5876 from fidencio/topic/CC-rework-build-dependencies-so-measured-rootfs-can-be-used

Rework how we build the payload so measured boot can be used with the Operator

.github/workflows/cc-payload-after-push-amd64.yaml

@@ -16,7 +16,6 @@ jobs:
           - cc-kernel
           - cc-qemu
           - cc-rootfs-image
-          - cc-shim-v2
           - cc-virtiofsd
           - cc-sev-kernel
           - cc-sev-ovmf
@@ -56,9 +55,60 @@ jobs:
           retention-days: 1
           if-no-files-found: error
 
-  create-kata-tarball:
+      - name: store-artifact root_hash_tdx.txt 
+        uses: actions/upload-artifact@v3
+        with:
+          name: root_hash_tdx.txt
+          path: tools/osbuilder/root_hash_tdx.txt
+          retention-days: 1
+          if-no-files-found: ignore
+
+      - name: store-artifact root_hash_vanilla.txt 
+        uses: actions/upload-artifact@v3
+        with:
+          name: root_hash_vanilla.txt
+          path: tools/osbuilder/root_hash_vanilla.txt
+          retention-days: 1
+          if-no-files-found: ignore
+
+  build-asset-cc-shim-v2:
     runs-on: ubuntu-latest
     needs: build-asset
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Get root_hash_tdx.txt
+        uses: actions/download-artifact@v3
+        with:
+          name: root_hash_tdx.txt
+          path: tools/osbuilder/
+
+      - name: Get root_hash_vanilla.txt
+        uses: actions/download-artifact@v3
+        with:
+          name: root_hash_vanilla.txt
+          path: tools/osbuilder/
+
+      - name: Build cc-shim-v2
+        run: |
+          make cc-shim-v2-tarball
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          sudo cp -r "${build_dir}" "kata-build"
+        env:
+          PUSH_TO_REGISTRY: yes
+
+      - name: store-artifact cc-shim-v2
+        uses: actions/upload-artifact@v3
+        with:
+          name: kata-artifacts
+          path: kata-build/kata-static-cc-shim-v2.tar.xz
+          retention-days: 1
+          if-no-files-found: error
+
+  create-kata-tarball:
+    runs-on: ubuntu-latest
+    needs: [build-asset, build-asset-cc-shim-v2]
     steps:
       - uses: actions/checkout@v3
       - name: get-artifacts

.github/workflows/cc-payload-after-push-s390x.yaml

@@ -15,7 +15,6 @@ jobs:
           - cc-kernel
           - cc-qemu
           - cc-rootfs-image
-          - cc-shim-v2
           - cc-virtiofsd
     steps:
       - name: Login to Kata Containers quay.io
@@ -52,9 +51,50 @@ jobs:
           retention-days: 1
           if-no-files-found: error
 
-  create-kata-tarball:
+      - name: store-artifact root_hash_vanilla.txt 
+        uses: actions/upload-artifact@v3
+        with:
+          name: root_hash_vanilla.txt-s390x
+          path: tools/osbuilder/root_hash_vanilla.txt
+          retention-days: 1
+          if-no-files-found: ignore
+
+  build-asset-cc-shim-v2:
     runs-on: s390x
     needs: build-asset
+    steps:
+      - name: Adjust a permission for repo
+        run: |
+          sudo chown -R $USER:$USER $GITHUB_WORKSPACE
+
+      - uses: actions/checkout@v3
+
+      - name: Get root_hash_vanilla.txt
+        uses: actions/download-artifact@v3
+        with:
+          name: root_hash_vanilla.txt-s390x
+          path: tools/osbuilder/
+
+      - name: Build cc-shim-v2
+        run: |
+          make cc-shim-v2-tarball
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          sudo cp -r "${build_dir}" "kata-build"
+        env:
+          PUSH_TO_REGISTRY: yes
+
+      - name: store-artifact cc-shim-v2
+        uses: actions/upload-artifact@v3
+        with:
+          name: kata-artifacts-s390x
+          path: kata-build/kata-static-cc-shim-v2.tar.xz
+          retention-days: 1
+          if-no-files-found: error
+
+  create-kata-tarball:
+    runs-on: s390x
+    needs: [build-asset, build-asset-cc-shim-v2]
     steps:
       - name: Adjust a permission for repo
         run: |

.github/workflows/cc-payload.yaml

@@ -14,7 +14,6 @@ jobs:
           - cc-kernel
           - cc-qemu
           - cc-rootfs-image
-          - cc-shim-v2
           - cc-virtiofsd
           - cc-sev-kernel
           - cc-sev-ovmf
@@ -44,9 +43,58 @@ jobs:
           retention-days: 1
           if-no-files-found: error
 
-  create-kata-tarball:
+      - name: store-artifact root_hash_tdx.txt 
+        uses: actions/upload-artifact@v3
+        with:
+          name: root_hash_tdx.txt
+          path: tools/osbuilder/root_hash_tdx.txt
+          retention-days: 1
+          if-no-files-found: ignore
+
+      - name: store-artifact root_hash_vanilla.txt 
+        uses: actions/upload-artifact@v3
+        with:
+          name: root_hash_vanilla.txt
+          path: tools/osbuilder/root_hash_vanilla.txt
+          retention-days: 1
+          if-no-files-found: ignore
+
+  build-asset-cc-shim-v2:
     runs-on: ubuntu-latest
     needs: build-asset
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Get root_hash_tdx.txt
+        uses: actions/download-artifact@v3
+        with:
+          name: root_hash_tdx.txt
+          path: tools/osbuilder/
+
+      - name: Get root_hash_vanilla.txt
+        uses: actions/download-artifact@v3
+        with:
+          name: root_hash_vanilla.txt
+          path: tools/osbuilder/
+
+      - name: Build cc-shim-v2
+        run: |
+          make cc-shim-v2-tarball
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          sudo cp -r "${build_dir}" "kata-build"
+
+      - name: store-artifact cc-shim-v2
+        uses: actions/upload-artifact@v3
+        with:
+          name: kata-artifacts
+          path: kata-build/kata-static-cc-shim-v2.tar.xz
+          retention-days: 1
+          if-no-files-found: error
+
+  create-kata-tarball:
+    runs-on: ubuntu-latest
+    needs: [build-asset, build-asset-cc-shim-v2]
     steps:
       - uses: actions/checkout@v3
       - name: get-artifacts

src/runtime/Makefile

@@ -128,11 +128,14 @@ AGENTCONFIGFILEPATH := /etc/agent-config.toml
 AGENTCONFIGFILEKERNELPARAM := agent.config_file=$(AGENTCONFIGFILEPATH)
 
 ROOTMEASURECONFIG ?= ""
+ROOTMEASURECONFIGTDX ?= ""
 AGENT_AA_KBC_PARAMS ?= ""
 AGENT_AA_KBC_PARAMS_TDX ?= ""
 AGENT_AA_KBC_PARAMS_SEV ?= ""
-TDXKERNELPARAMS := tdx_disable_filter $(ROOTMEASURECONFIG) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_TDX)
-SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) $(ROOTMEASURECONFIG) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_SEV)
+TDXKERNELPARAMS := tdx_disable_filter agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_TDX)
+TDXKERNELPARAMS_QEMU += $(TDXKERNELPARAMS) $(ROOTMEASURECONFIGTDX)
+TDXKERNELPARAMS_CLH += $(TDXKERNELPARAMS) $(ROOTMEASURECONFIG)
+SEVKERNELPARAMS := $(AGENTCONFIGFILEKERNELPARAM) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS_SEV)
 KERNELPARAMS += $(ROOTMEASURECONFIG) agent.enable_signature_verification=false $(AGENT_AA_KBC_PARAMS)
 
 # Name of default configuration file the runtime will use.
@@ -518,6 +521,8 @@ USER_VARS += TDXCPUFEATURES
 USER_VARS += DEFMACHINETYPE_CLH
 USER_VARS += KERNELPARAMS
 USER_VARS += TDXKERNELPARAMS
+USER_VARS += TDXKERNELPARAMS_QEMU
+USER_VARS += TDXKERNELPARAMS_CLH
 USER_VARS += SEVKERNELPARAMS
 USER_VARS += LIBEXECDIR
 USER_VARS += LOCALSTATEDIR

src/runtime/config/configuration-clh-tdx.toml.in

@@ -70,7 +70,7 @@ valid_hypervisor_paths = @CLHVALIDHYPERVISORPATHS@
 # may stop the virtual machine from booting.
 # To see the list of default parameters, enable hypervisor debug, create a
 # container and look for 'default-kernel-parameters' log entries.
-kernel_params = "@TDXKERNELPARAMS@"
+kernel_params = "@TDXKERNELPARAMS_CLH@"
 
 # Default number of vCPUs per SB/VM:
 # unspecified or 0                --> will be set to @DEFVCPUS@

src/runtime/config/configuration-qemu-tdx.toml.in

@@ -59,7 +59,7 @@ valid_hypervisor_paths = @QEMUTDXVALIDHYPERVISORPATHS@
 # may stop the virtual machine from booting.
 # To see the list of default parameters, enable hypervisor debug, create a
 # container and look for 'default-kernel-parameters' log entries.
-kernel_params = "@TDXKERNELPARAMS@"
+kernel_params = "@TDXKERNELPARAMS_QEMU@"
 
 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty

tools/packaging/guest-image/build_image.sh

@@ -74,7 +74,8 @@ build_image() {
 		ROOTFS_BUILD_DEST="${builddir}/rootfs-image"
 	mv -f "kata-containers.img" "${install_dir}/${image_name}"
 	if [ -e "root_hash.txt" ]; then
-	    cp root_hash.txt "${install_dir}/"
+		[ -z "${root_hash_suffix}" ] && root_hash_suffix=vanilla
+		mv "${repo_root_dir}/tools/osbuilder/root_hash.txt" "${repo_root_dir}/tools/osbuilder/root_hash_${root_hash_suffix}.txt"
 	fi
 	(
 		cd "${install_dir}"
@@ -106,6 +107,7 @@ main() {
 	destdir="$PWD"
 	prefix="/opt/kata"
 	image_initrd_suffix=""
+	root_hash_suffix=""
 	builddir="${PWD}"
 	while getopts "h-:" opt; do
 		case "$opt" in
@@ -139,6 +141,9 @@ main() {
 					final_initrd_name="${final_initrd_name}-${image_initrd_suffix}"
 				fi
 				;;
+			root_hash_suffix=*)
+				root_hash_suffix=${OPTARG#*=}
+				;;
 			prefix=*)
 				prefix=${OPTARG#*=}
 				;;

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -160,10 +160,16 @@ install_cc_image() {
 	export AA_KBC="${1:-offline_fs_kbc}"
 	image_type="${2:-image}"
 	image_initrd_suffix="${3:-""}"
+	root_hash_suffix="${4:-""}"
 	export KATA_BUILD_CC=yes
 
 	info "Create CC image configured with AA_KBC=${AA_KBC}"
-	"${rootfs_builder}" --imagetype="${image_type}" --prefix="${cc_prefix}" --destdir="${destdir}" --image_initrd_suffix="${image_initrd_suffix}"
+	"${rootfs_builder}" \
+		--imagetype="${image_type}" \
+		--prefix="${cc_prefix}" \
+		--destdir="${destdir}" \
+		--image_initrd_suffix="${image_initrd_suffix}" \
+		--root_hash_suffix="${root_hash_suffix}"
 }
 
 install_cc_sev_image() {
@@ -176,7 +182,8 @@ install_cc_tdx_image() {
 	AA_KBC="eaa_kbc"
 	image_type="image"
 	image_suffix="tdx"
-	install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}"
+	root_hash_suffix="tdx"
+	install_cc_image "${AA_KBC}" "${image_type}" "${image_suffix}" "${root_hash_suffix}"
 }
 
 #Install CC kernel asset
@@ -224,12 +231,19 @@ install_cc_shimv2() {
 	export REMOVE_VMM_CONFIGS="acrn fc"
 
         extra_opts="DEFSERVICEOFFLOAD=true"
-	if [ -f "${repo_root_dir}/tools/osbuilder/root_hash.txt" ]; then
-		root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder//root_hash.txt")
+	if [ -f "${repo_root_dir}/tools/osbuilder/root_hash_vanilla.txt" ]; then
+		root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder/root_hash_vanilla.txt")
 		root_measure_config="cc_rootfs_verity.scheme=dm-verity cc_rootfs_verity.hash=${root_hash}"
 		extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
 	fi
 
+	if [ -f "${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt" ]; then
+		root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt")
+		root_measure_config="cc_rootfs_verity.scheme=dm-verity cc_rootfs_verity.hash=${root_hash}"
+		extra_opts+=" ROOTMEASURECONFIGTDX=\"${root_measure_config}\""
+	fi
+
+	info "extra_opts: ${extra_opts}"
 	DESTDIR="${destdir}" PREFIX="${cc_prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
 }