Merge pull request kata-containers#6756 from arronwy/measured_rootfs

Port Measured rootfs feature from CCv0 branch to main
microsoft · Jun 9, 2023 · b50f62c · b50f62c
2 parents c7c4562 + f6afae9
commit b50f62c
Show file tree

Hide file tree

Showing 23 changed files with 346 additions and 9 deletions.
diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -32,6 +32,7 @@ jobs:
           - qemu-snp-experimental
           - qemu-tdx-experimental
           - rootfs-image
+          - rootfs-image-tdx
           - rootfs-initrd
           - rootfs-initrd-sev
           - shim-v2

diff --git a/src/runtime/Makefile b/src/runtime/Makefile
@@ -133,6 +133,10 @@ FIRMWARETDVFVOLUMEPATH :=
 FIRMWARESEVPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/OVMF.fd
 
+ROOTMEASURECONFIG ?= ""
+KERNELPARAMS += $(ROOTMEASURECONFIG)
+KERNELTDXPARAMS += $(ROOTMEASURECONFIG)
+
 # Name of default configuration file the runtime will use.
 CONFIG_FILE = configuration.toml
 

diff --git a/tools/osbuilder/image-builder/Dockerfile b/tools/osbuilder/image-builder/Dockerfile
@@ -14,5 +14,6 @@ RUN ([ -n "$http_proxy" ] && \
         gdisk \
         parted \
         qemu-img \
+        veritysetup \
         xfsprogs && \
     dnf clean all
diff --git a/tools/osbuilder/image-builder/image_builder.sh b/tools/osbuilder/image-builder/image_builder.sh
@@ -11,6 +11,7 @@ set -o errexit
 set -o pipefail
 
 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
+MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
 
 readonly script_name="${0##*/}"
 readonly script_dir=$(dirname "$(readlink -f "$0")")
@@ -185,6 +186,7 @@ build_with_container() {
 		   --env BLOCK_SIZE="${block_size}" \
 		   --env ROOT_FREE_SPACE="${root_free_space}" \
 		   --env NSDAX_BIN="${nsdax_bin}" \
+		   --env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \
 		   --env SELINUX="${SELINUX}" \
 		   --env DEBUG="${DEBUG}" \
 		   -v /dev:/dev \
@@ -391,9 +393,21 @@ create_disk() {
 	# Kata runtime expect an image with just one partition
 	# The partition is the rootfs content
 	info "Creating partitions"
+
+	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+		info "Creating partitions with hash device"
+		# The hash data will take less than one percent disk space to store
+		hash_start=$(echo $img_size | awk '{print $1 * 0.99}' |cut -d $(locale decimal_point) -f 1)
+		partition_param="mkpart primary ${fs_type} ${part_start}M ${hash_start}M "
+		partition_param+="mkpart primary ${fs_type} ${hash_start}M ${rootfs_end}M "
+		partition_param+="set 1 boot on"
+	else
+		partition_param="mkpart primary ${fs_type} ${part_start}M ${rootfs_end}M"
+	fi
+
 	parted -s -a optimal "${image}" -- \
 		   mklabel msdos \
-		   mkpart primary "${fs_type}" "${part_start}"M "${rootfs_end}"M
+		   "${partition_param}"
 
 	OK "Partitions created"
 }
@@ -490,6 +504,12 @@ create_rootfs_image() {
 		fsck.ext4 -D -y "${device}p1"
 	fi
 
+	if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -b "${device}p2" ]; then
+		info "veritysetup format rootfs device: ${device}p1, hash device: ${device}p2"
+		local image_dir=$(dirname "${image}")
+		veritysetup format "${device}p1" "${device}p2" > "${image_dir}"/root_hash.txt 2>&1
+	fi
+
 	losetup -d "${device}"
 	rm -rf "${mount_dir}"
 }

diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -16,6 +16,7 @@ AGENT_VERSION=${AGENT_VERSION:-}
 RUST_VERSION="null"
 AGENT_BIN=${AGENT_BIN:-kata-agent}
 AGENT_INIT=${AGENT_INIT:-no}
+MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
 KERNEL_MODULES_DIR=${KERNEL_MODULES_DIR:-""}
 OSBUILDER_VERSION="unknown"
 DOCKER_RUNTIME=${DOCKER_RUNTIME:-runc}
@@ -434,6 +435,7 @@ build_rootfs_distro()
 			--env AGENT_INIT="${AGENT_INIT}" \
 			--env ARCH="${ARCH}" \
 			--env CI="${CI}" \
+			--env MEASURED_ROOTFS="${MEASURED_ROOTFS}" \
 			--env KERNEL_MODULES_DIR="${KERNEL_MODULES_DIR}" \
 			--env LIBC="${LIBC}" \
 			--env EXTRA_PKGS="${EXTRA_PKGS}" \

diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
@@ -7,6 +7,7 @@ OS_NAME=ubuntu
 OS_VERSION=${OS_VERSION:-focal}
 PACKAGES="chrony iptables dbus"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" init"
+[ "$MEASURED_ROOTFS" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs"
 [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp2"
 REPO_URL=http://ports.ubuntu.com
 

diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
@@ -22,6 +22,7 @@ readonly osbuilder_dir="$(cd "${repo_root_dir}/tools/osbuilder" && pwd)"
 export GOPATH=${GOPATH:-${HOME}/go}
 
 arch_target="$(uname -m)"
+final_image_name="kata-containers"
 final_initrd_name="kata-containers-initrd"
 image_initrd_extension=".img"
 
@@ -54,9 +55,12 @@ build_image() {
 		IMG_OS_VERSION="${img_os_version}" \
 		ROOTFS_BUILD_DEST="${builddir}/rootfs-image"
 	mv -f "kata-containers.img" "${install_dir}/${image_name}"
+	if [ -e "root_hash.txt" ]; then
+	    cp root_hash.txt "${install_dir}/"
+	fi
 	(
 		cd "${install_dir}"
-		ln -sf "${image_name}" kata-containers.img
+		ln -sf "${image_name}" "${final_image_name}${image_initrd_extension}"
 	)
 }
 
@@ -83,6 +87,7 @@ main() {
 	image_type=image
 	destdir="$PWD"
 	prefix="/opt/kata"
+	image_suffix=""
 	image_initrd_suffix=""
 	builddir="${PWD}"
 	while getopts "h-:" opt; do
@@ -110,6 +115,11 @@ main() {
 					initrd_os_version=$(get_from_kata_deps "assets.initrd.architecture.${arch_target}.sev.version")
 					initrd_name="kata-${initrd_distro}-${initrd_os_version}-${image_initrd_suffix}.${image_type}"
 					final_initrd_name="${final_initrd_name}-${image_initrd_suffix}"
+				elif [ "${image_initrd_suffix}" == "tdx" ]; then
+					img_distro=$(get_from_kata_deps "assets.image.architecture.${arch_target}.name")
+					img_os_version=$(get_from_kata_deps "assets.image.architecture.${arch_target}.version")
+					image_name="kata-${img_distro}-${img_os_version}-${image_initrd_suffix}.${image_type}"
+					final_image_name="${final_image_name}-${image_initrd_suffix}"
 				fi
 				;;
 			prefix=*)

diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
@@ -42,6 +42,7 @@ all: serial-targets \
 serial-targets:
 	${MAKE} -f $(MK_PATH) -j 1 V= \
 	rootfs-image-tarball \
+	rootfs-image-tdx-tarball \
 	rootfs-initrd-sev-tarball \
 	rootfs-initrd-tarball \
 	cloud-hypervisor-tarball
@@ -100,6 +101,9 @@ qemu-tdx-experimental-tarball:
 rootfs-image-tarball:
 	${MAKE} $@-build
 
+rootfs-image-tdx-tarball: kernel-tdx-experimental-tarball
+	${MAKE} $@-build
+
 rootfs-initrd-sev-tarball: kernel-sev-tarball
 	${MAKE} $@-build
 

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@@ -64,6 +64,7 @@ docker run \
 	--env SHIM_V2_CONTAINER_BUILDER="${SHIM_V2_CONTAINER_BUILDER:-}" \
 	--env TDSHIM_CONTAINER_BUILDER="${TDSHIM_CONTAINER_BUILDER:-}" \
 	--env VIRTIOFSD_CONTAINER_BUILDER="${VIRTIOFSD_CONTAINER_BUILDER:-}" \
+	--env MEASURED_ROOTFS="${MEASURED_ROOTFS:-}" \
 	--rm \
 	-w ${script_dir} \
 	build-kata-deploy "${kata_deploy_create}" $@

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -24,6 +24,7 @@ readonly versions_yaml="${repo_root_dir}/versions.yaml"
 
 readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh"
 readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh"
+readonly initramfs_builder="${static_build_dir}/initramfs/build.sh"
 readonly kernel_builder="${static_build_dir}/kernel/build.sh"
 readonly ovmf_builder="${static_build_dir}/ovmf/build.sh"
 readonly qemu_builder="${static_build_dir}/qemu/build-static-qemu.sh"
@@ -38,6 +39,7 @@ readonly jenkins_url="http://jenkins.katacontainers.io"
 readonly cached_artifacts_path="lastSuccessfulBuild/artifact/artifacts"
 
 ARCH=$(uname -m)
+MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
 
 workdir="${WORKDIR:-$PWD}"
 
@@ -93,6 +95,7 @@ options:
 	qemu-snp-experimental
 	qemu-tdx-experimental
 	rootfs-image
+	rootfs-image-tdx
 	rootfs-initrd
 	rootfs-initrd-sev
 	shim-v2
@@ -133,8 +136,10 @@ install_cached_tarball_component() {
 
 #Install guest image
 install_image() {
-	local jenkins="${jenkins_url}/job/kata-containers-main-rootfs-image-$(uname -m)/${cached_artifacts_path}"
-	local component="rootfs-image"
+	local image_type="${1:-"image"}"
+	local initrd_suffix="${2:-""}"
+	local jenkins="${jenkins_url}/job/kata-containers-main-rootfs-${image_type}-$(uname -m)/${cached_artifacts_path}"
+	local component="rootfs-${image_type}"
 
 	local osbuilder_last_commit="$(get_last_modification "${repo_root_dir}/tools/osbuilder")"
 	local guest_image_last_commit="$(get_last_modification "${repo_root_dir}/tools/packaging/guest-image")"
@@ -154,7 +159,12 @@ install_image() {
 		&& return 0
 
 	info "Create image"
-	"${rootfs_builder}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}"
+	"${rootfs_builder}" --imagetype=image --prefix="${prefix}" --destdir="${destdir}" --image_initrd_suffix="${initrd_suffix}"
+}
+
+#Install guest image for tdx
+install_image_tdx() {
+	install_image "image-tdx" "tdx"
 }
 
 #Install guest initrd
@@ -241,6 +251,11 @@ install_kernel_helper() {
 
 	install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0
 
+	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+		info "build initramfs for cc kernel"
+		"${initramfs_builder}"
+	fi
+
 	info "build ${kernel_name}"
 	info "Kernel version ${kernel_version}"
 	DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" ${extra_cmd}
@@ -303,6 +318,8 @@ install_kernel_experimental() {
 install_kernel_tdx_experimental() {
 	local kernel_url="$(get_from_kata_deps assets.kernel-tdx-experimental.url)"
 
+	export MEASURED_ROOTFS=yes
+
 	install_kernel_helper \
 		"assets.kernel-tdx-experimental.version" \
 		"kernel-tdx-experimental" \
@@ -478,7 +495,19 @@ install_shimv2() {
 
 	export GO_VERSION
 	export RUST_VERSION
-	DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
+
+	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+	        extra_opts="DEFSERVICEOFFLOAD=true"
+		if [ -f "${repo_root_dir}/tools/osbuilder/root_hash.txt" ]; then
+			root_hash=$(sudo sed -e 's/Root hash:\s*//g;t;d' "${repo_root_dir}/tools/osbuilder//root_hash.txt")
+			root_measure_config="rootfs_verity.scheme=dm-verity rootfs_verity.hash=${root_hash}"
+			extra_opts+=" ROOTMEASURECONFIG=\"${root_measure_config}\""
+		fi
+
+		DESTDIR="${destdir}" PREFIX="${prefix}" EXTRA_OPTS="${extra_opts}" "${shimv2_builder}"
+	else
+		DESTDIR="${destdir}" PREFIX="${prefix}" "${shimv2_builder}"
+	fi
 }
 
 install_ovmf() {
@@ -581,6 +610,8 @@ handle_build() {
 
 	rootfs-image) install_image ;;
 
+	rootfs-image-tdx) install_image_tdx ;;
+
 	rootfs-initrd) install_initrd ;;
 
 	rootfs-initrd-sev) install_initrd_sev ;;

diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
@@ -31,6 +31,7 @@ readonly default_kernel_config_dir="${script_dir}/configs"
 # Default path to search for kernel config fragments
 readonly default_config_frags_dir="${script_dir}/configs/fragments"
 readonly default_config_whitelist="${script_dir}/configs/fragments/whitelist.conf"
+readonly default_initramfs="${script_dir}/initramfs.cpio.gz"
 # GPU vendor
 readonly GV_INTEL="intel"
 readonly GV_NVIDIA="nvidia"
@@ -64,6 +65,8 @@ kernel_url=""
 #Linux headers for GPU guest fs module building
 linux_headers=""
 
+MEASURED_ROOTFS=${MEASURED_ROOTFS:-no}
+
 packaging_scripts_dir="${script_dir}/../scripts"
 source "${packaging_scripts_dir}/lib.sh"
 
@@ -269,6 +272,18 @@ get_kernel_frag_path() {
 		fi
 	fi
 
+	if [ "${MEASURED_ROOTFS}" == "yes" ]; then
+		info "Enabling config for confidential guest trust storage protection"
+		local cryptsetup_configs="$(ls ${common_path}/confidential_containers/cryptsetup.conf)"
+		all_configs="${all_configs} ${cryptsetup_configs}"
+
+		if [ -f "${default_initramfs}" ]; then
+			info "Enabling config for confidential guest measured boot"
+			local initramfs_configs="$(ls ${common_path}/confidential_containers/initramfs.conf)"
+			all_configs="${all_configs} ${initramfs_configs}"
+		fi
+	fi
+
 	if [[ "${conf_guest}" != "" ]];then
 		info "Enabling config for '${conf_guest}' confidential guest protection"
 		local conf_configs="$(ls ${arch_path}/${conf_guest}/*.conf)"
@@ -418,6 +433,11 @@ setup_kernel() {
 	[ -n "${hypervisor_target}" ] || hypervisor_target="kvm"
 	[ -n "${kernel_config_path}" ] || kernel_config_path=$(get_default_kernel_config "${kernel_version}" "${hypervisor_target}" "${arch_target}" "${kernel_path}")
 
+	if [ "${MEASURED_ROOTFS}" == "yes" ] && [ -f "${default_initramfs}" ]; then
+		info "Copying initramfs from: ${default_initramfs}"
+		cp "${default_initramfs}" ./
+	fi
+
 	info "Copying config file from: ${kernel_config_path}"
 	cp "${kernel_config_path}" ./.config
 	make oldconfig

diff --git a/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf b/tools/packaging/kernel/configs/fragments/common/confidential_containers/cryptsetup.conf
@@ -0,0 +1,21 @@
+CONFIG_MD=y
+CONFIG_BLK_DEV_DM_BUILTIN=y
+CONFIG_BLK_DEV_DM=y
+CONFIG_DM_CRYPT=y
+CONFIG_DM_VERITY=y
+CONFIG_DM_INTEGRITY=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_ESSIV=y
+CONFIG_CRYPTO_XTS=y
+CONFIG_CRYPTO_HMAC=y
diff --git a/tools/packaging/kernel/configs/fragments/common/confidential_containers/initramfs.conf b/tools/packaging/kernel/configs/fragments/common/confidential_containers/initramfs.conf
@@ -0,0 +1 @@
+CONFIG_INITRAMFS_SOURCE="initramfs.cpio.gz"
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf b/tools/packaging/kernel/configs/fragments/x86_64/crypto.conf
@@ -0,0 +1,3 @@
+# x86 cryptographic instructions to improve AES encryption and SHA256 hashing.
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-107
+108
diff --git a/tools/packaging/static-build/initramfs/Dockerfile b/tools/packaging/static-build/initramfs/Dockerfile
@@ -0,0 +1,38 @@
+# Copyright (c) 2022 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+from ubuntu:20.04
+
+ARG DEBIAN_FRONTEND=noninteractive
+ENV TZ=UTC
+RUN apt-get update &&\
+    apt-get --no-install-recommends install -y software-properties-common &&\
+    add-apt-repository ppa:git-core/ppa -y &&\
+    apt-get update && apt-get upgrade -y && \
+    apt-get --no-install-recommends install -y \
+	    apt-utils \
+	    asciidoctor \
+	    autoconf \
+	    autopoint \
+	    automake \
+	    busybox-static \
+	    ca-certificates \
+	    curl \
+	    gcc \
+	    gettext \
+	    git \
+	    libaio-dev \
+	    libblkid-dev \
+	    libselinux1-dev \
+	    libtool \
+	    libpopt-dev \
+	    libjson-c-dev \
+	    libssl-dev \
+	    make \
+	    ninja-build \
+	    pkg-config \
+	    uuid-dev \
+	    libseccomp-dev \
+	    libseccomp2 \
+	    zlib1g-dev &&\
+    apt-get clean && rm -rf /var/lib/apt/lists/