From e1f075dc60794dbcf680e6e9bd424781126b7f5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Fri, 9 Dec 2022 15:28:02 +0100 Subject: [PATCH] actions: Consider root_hash_*.txt for the CC actions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ability to do a measured boot has been overlooked when releasing the payload consumed by the Confidential Containers project, and this happened as we depend, at the shim-v2 build time, of a `root_hash_*.txt` generated in the `tools/osbuilder/` directory, which is then used to add a specific parameter to the `kernel_params` in the Kata Containers configuration files. With everything said above, the best way we can ensure this is done is by saving those files during the rootfs build, download them during the shim-v2 build (which *must* happen only after the rootfs builds happen), and correctly use them there. Fixes: #5847 Signed-off-by: Fabiano FidĂȘncio --- .../cc-payload-after-push-amd64.yaml | 54 ++++++++++++++++++- .../cc-payload-after-push-s390x.yaml | 44 ++++++++++++++- .github/workflows/cc-payload.yaml | 52 +++++++++++++++++- 3 files changed, 144 insertions(+), 6 deletions(-) diff --git a/.github/workflows/cc-payload-after-push-amd64.yaml b/.github/workflows/cc-payload-after-push-amd64.yaml index d753dd4117..0838d66f70 100644 --- a/.github/workflows/cc-payload-after-push-amd64.yaml +++ b/.github/workflows/cc-payload-after-push-amd64.yaml @@ -16,7 +16,6 @@ jobs: - cc-kernel - cc-qemu - cc-rootfs-image - - cc-shim-v2 - cc-virtiofsd - cc-sev-kernel - cc-sev-ovmf 
@@ -56,9 +55,60 @@ jobs: retention-days: 1 if-no-files-found: error - create-kata-tarball: + - name: store-artifact root_hash_tdx.txt + uses: actions/upload-artifact@v3 + with: + name: root_hash_tdx.txt + path: tools/osbuilder/root_hash_tdx.txt + retention-days: 1 + if-no-files-found: ignore + + - name: store-artifact root_hash_vanilla.txt + uses: actions/upload-artifact@v3 + with: + name: root_hash_vanilla.txt + path: tools/osbuilder/root_hash_vanilla.txt + retention-days: 1 + if-no-files-found: ignore + + build-asset-cc-shim-v2: runs-on: ubuntu-latest needs: build-asset + steps: + - uses: actions/checkout@v3 + + - name: Get root_hash_tdx.txt + uses: actions/download-artifact@v3 + with: + name: root_hash_tdx.txt + path: tools/osbuilder/ + + - name: Get root_hash_vanilla.txt + uses: actions/download-artifact@v3 + with: + name: root_hash_vanilla.txt + path: tools/osbuilder/ + + - name: Build cc-shim-v2 + run: | + make cc-shim-v2-tarball + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + sudo cp -r "${build_dir}" "kata-build" + env: + PUSH_TO_REGISTRY: yes + + - name: store-artifact cc-shim-v2 + uses: actions/upload-artifact@v3 + with: + name: kata-artifacts + path: kata-build/kata-static-cc-shim-v2.tar.xz + retention-days: 1 + if-no-files-found: error + + create-kata-tarball: + runs-on: ubuntu-latest + needs: [build-asset, build-asset-cc-shim-v2] steps: - uses: actions/checkout@v3 - name: get-artifacts diff --git a/.github/workflows/cc-payload-after-push-s390x.yaml b/.github/workflows/cc-payload-after-push-s390x.yaml index aaf0aa6102..3e1799f619 100644 --- a/.github/workflows/cc-payload-after-push-s390x.yaml +++ b/.github/workflows/cc-payload-after-push-s390x.yaml @@ -15,7 +15,6 @@ jobs: - cc-kernel - cc-qemu - cc-rootfs-image - - cc-shim-v2 - cc-virtiofsd steps: - name: Login to Kata Containers quay.io 
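Review bot: The new root_hash uploads use `if-no-files-found: ignore`, but build-asset-cc-shim-v2 downloads them unconditionally, so a rootfs build that never generated `root_hash_tdx.txt` or `root_hash_vanilla.txt` surfaces only later as an artifact-not-found failure in the shim-v2 job (download-artifact@v3 errors on a missing name, as far as I know) rather than at the step that should have produced the measured-boot input — the very regression #5847 describes. These upload steps appear to run for every entry of the build-asset matrix (the matrix definition starts outside this hunk), so the fix is to guard them with an `if:` on the rootfs-image matrix entry and use `if-no-files-found: error` there; if the hashes are genuinely optional on some targets, mark the download steps `continue-on-error: true` instead so the intent is explicit either way. The same pattern is in the s390x hunk and the cc-payload.yaml hunk. Separately, `PUSH_TO_REGISTRY: yes` is a YAML 1.1 truthy word that generic parsers read as a boolean; `PUSH_TO_REGISTRY: "yes"` pins the string value (presumably copied from the existing build-asset job, but worth not carrying forward).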
@@ -52,9 +51,50 @@ jobs: retention-days: 1 if-no-files-found: error - create-kata-tarball: + - name: store-artifact root_hash_vanilla.txt + uses: actions/upload-artifact@v3 + with: + name: root_hash_vanilla.txt-s390x + path: tools/osbuilder/root_hash_vanilla.txt + retention-days: 1 + if-no-files-found: ignore + + build-asset-cc-shim-v2: runs-on: s390x needs: build-asset + steps: + - name: Adjust a permission for repo + run: | + sudo chown -R $USER:$USER $GITHUB_WORKSPACE + + - uses: actions/checkout@v3 + + - name: Get root_hash_vanilla.txt + uses: actions/download-artifact@v3 + with: + name: root_hash_vanilla.txt-s390x + path: tools/osbuilder/ + + - name: Build cc-shim-v2 + run: | + make cc-shim-v2-tarball + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + sudo cp -r "${build_dir}" "kata-build" + env: + PUSH_TO_REGISTRY: yes + + - name: store-artifact cc-shim-v2 + uses: actions/upload-artifact@v3 + with: + name: kata-artifacts-s390x + path: kata-build/kata-static-cc-shim-v2.tar.xz + retention-days: 1 + if-no-files-found: error + + create-kata-tarball: + runs-on: s390x + needs: [build-asset, build-asset-cc-shim-v2] steps: - name: Adjust a permission for repo run: | diff --git a/.github/workflows/cc-payload.yaml b/.github/workflows/cc-payload.yaml index ca9b38a549..a0b32f8b6d 100644 --- a/.github/workflows/cc-payload.yaml +++ b/.github/workflows/cc-payload.yaml @@ -14,7 +14,6 @@ jobs: - cc-kernel - cc-qemu - cc-rootfs-image - - cc-shim-v2 - cc-virtiofsd - cc-sev-kernel - cc-sev-ovmf 
@@ -44,9 +43,58 @@ jobs: retention-days: 1 if-no-files-found: error - create-kata-tarball: + - name: store-artifact root_hash_tdx.txt + uses: actions/upload-artifact@v3 + with: + name: root_hash_tdx.txt + path: tools/osbuilder/root_hash_tdx.txt + retention-days: 1 + if-no-files-found: ignore + + - name: store-artifact root_hash_vanilla.txt + uses: actions/upload-artifact@v3 + with: + name: root_hash_vanilla.txt + path: tools/osbuilder/root_hash_vanilla.txt + retention-days: 1 + if-no-files-found: ignore + + build-asset-cc-shim-v2: runs-on: ubuntu-latest needs: build-asset + steps: + - uses: actions/checkout@v3 + + - name: Get root_hash_tdx.txt + uses: actions/download-artifact@v3 + with: + name: root_hash_tdx.txt + path: tools/osbuilder/ + + - name: Get root_hash_vanilla.txt + uses: actions/download-artifact@v3 + with: + name: root_hash_vanilla.txt + path: tools/osbuilder/ + + - name: Build cc-shim-v2 + run: | + make cc-shim-v2-tarball + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + sudo cp -r "${build_dir}" "kata-build" + + - name: store-artifact cc-shim-v2 + uses: actions/upload-artifact@v3 + with: + name: kata-artifacts + path: kata-build/kata-static-cc-shim-v2.tar.xz + retention-days: 1 + if-no-files-found: error + + create-kata-tarball: + runs-on: ubuntu-latest + needs: [build-asset, build-asset-cc-shim-v2] steps: - uses: actions/checkout@v3 - name: get-artifacts