kata-containers/tools
Fabiano Fidêncio 8516029270 kernel: Add script to build modules volume with dm-verity
Add build-modules-volume.sh to package signed kernel modules
into a standalone ext4 disk image that can be attached to a
kata guest VM as a secondary block device.

This allows loading out-of-tree modules without modifying the
dm-verity measured rootfs. The rootfs image and its root hash
remain unchanged.

The script optionally supports dm-verity on the modules volume
itself (-V flag), providing defense-in-depth alongside kernel
module signing.

Security risks documented in the script header:
- Without dm-verity, the volume relies solely on kernel module
  signing (CONFIG_MODULE_SIG_FORCE) for integrity.
- With dm-verity, the hash must be verified during attestation
  to provide actual security benefit.
- Host-side file permissions on the volume image must prevent
  unauthorized modification.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-27 07:16:06 +02:00
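As an added illustration of the flow the commit describes (not the build-modules-volume.sh script itself), the sketch below packs a modules directory into an ext4 image, formats a separate dm-verity hash tree with `veritysetup`, and extracts the root hash that an attestation policy would later compare against. Tool names are the standard e2fsprogs and cryptsetup CLIs; the image size, output paths and the sample `veritysetup format` output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the commit's script: build a dm-verity protected
# modules volume and pull out the root hash for attestation.

# Read `veritysetup format` output on stdin and print only the root hash.
verity_root_hash() {
    awk -F: '/^Root hash:/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# Compare the root hash computed at build time with the value an
# attestation policy expects. Returns 0 on match, 1 otherwise
# (an empty measured hash never matches).
check_root_hash() {
    measured=$1 expected=$2
    [ -n "$measured" ] && [ "$measured" = "$expected" ]
}

# Build the volume: data image, separate hash image, root hash file.
# The image is read-only under dm-verity, so no journal is needed.
# $1 = directory holding the signed .ko files, $2 = output basename.
build_modules_volume() {
    modules_dir=$1 out=$2
    mkfs.ext4 -q -F -d "$modules_dir" -O ^has_journal "$out.img" 64M
    veritysetup format "$out.img" "$out.hash" > "$out.verity.txt"
    verity_root_hash < "$out.verity.txt" > "$out.roothash"
    # $out.roothash is what gets pinned in the attestation policy;
    # the guest attaches $out.img and $out.hash as block devices.
}

# Constructed sample of `veritysetup format` output (not real output),
# used to exercise the parsing without needing root or the tools.
SAMPLE_VERITY_OUTPUT='VERITY header information for modules.img
UUID:            	0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0
Hash type:       	1
Data blocks:     	16384
Data block size: 	4096
Hash block size: 	4096
Hash algorithm:  	sha256
Salt:            	0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Root hash:      	89abcdef0123456789abcdef0123456789abcdef0123456789abcdef01234567'
```

Without the `-V`-style hash tree, the same image is only as trustworthy as `CONFIG_MODULE_SIG_FORCE` makes it: unsigned or tampered modules are refused at load time, but the volume contents themselves are not measured.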