config: Add root hash value and measure config to kernel params

After we have a guest kernel with builtin initramfs which provide the rootfs measurement capability and Kata rootfs image with hash device, we need set related root hash value and measure config to the kernel params in kata configuration file. Fixes: #6674 Signed-off-by: Wang, Arron <arron.wang@intel.com>
2025-06-27 07:48:55 +00:00 · 2022-09-15 10:17:55 +08:00 · 2022-09-15 10:17:55 +08:00 · f62b2670c0
commit f62b2670c0
parent 0080588075
4 changed files with 24 additions and 3 deletions
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@ -133,6 +133,10 @@ FIRMWARETDVFVOLUMEPATH :=
 FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd

+ROOTMEASURECONFIG ?= ""
+KERNELPARAMS += $(ROOTMEASURECONFIG)
+KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
+
 # Name of default configuration file the runtime will use.
 CONFIG_FILE = configuration.toml

--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@ -54,6 +54,9 @@ build_image() {
 		IMG_OS_VERSION="${img_os_version}" \
 		ROOTFS_BUILD_DEST="${builddir}/rootfs-image"
 	mv -f "kata-containers.img" "${install_dir}/${image_name}"
+	if [ -e "root_hash.txt" ]; then
+	    cp root_hash.txt "${install_dir}/"
+	fi
 	(
 		cd "${install_dir}"
 		ln -sf "${image_name}" kata-containers.img
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@ -485,7 +485,19 @@ install_shimv2() {

 	export GO_VERSION
 	export RUST_VERSION
+
+	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+	        extra_opts="DEFSERVICEOFFLOAD=true"
+		if [ -f "${repo_root_dir}/tools/osbuilder/root_hash.txt" ]; then
+			root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder//root_hash.txt")
+			root_measure_config="rootfs_verity.scheme=dm-verity rootfs_verity.hash=${root_hash}"
+			extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
+		fi
+
+		DESTDIR="${destdir}" PREFIX="${prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
+	else
 		DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
+	fi
 }

 install_ovmf() {
--- a/tools/packaging/static-build/shim-v2/build.sh
+++ b/tools/packaging/static-build/shim-v2/build.sh
@ -21,6 +21,8 @@ DESTDIR=${DESTDIR:-${PWD}}
 PREFIX=${PREFIX:-/opt/kata}
 container_image="${SHIM_V2_CONTAINER_BUILDER:-$(get_shim_v2_image_name)}"

+EXTRA_OPTS="${EXTRA_OPTS:-""}"
+
 sudo docker pull ${container_image} || \
       	(sudo docker build  \
 		--build-arg GO_VERSION="${GO_VERSION}" \
@ -47,12 +49,12 @@ sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 	-w "${repo_root_dir}/src/runtime" \
 	"${container_image}" \
-	bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch}"
+	bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX=${PREFIX} QEMUCMD=qemu-system-${arch} ${EXTRA_OPTS}"

 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 	-w "${repo_root_dir}/src/runtime" \
 	"${container_image}" \
-	bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX="${PREFIX}" DESTDIR="${DESTDIR}" install"
+	bash -c "git config --global --add safe.directory ${repo_root_dir} && make PREFIX="${PREFIX}" DESTDIR="${DESTDIR}" ${EXTRA_OPTS} install"

 for vmm in ${VMM_CONFIGS}; do
 	config_file="${DESTDIR}/${PREFIX}/share/defaults/kata-containers/configuration-${vmm}.toml"