node-installer: add kernel_params for setting up dm-verity

The calculation of the launch measurement has been adjusted accordingly.
edgelesssys · Aug 2, 2024 · 08d9004 · 08d9004
1 parent 1bc322d
commit 08d9004
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 7 deletions.
diff --git a/nodeinstaller/internal/config/config.go b/nodeinstaller/internal/config/config.go
@@ -14,6 +14,8 @@ import (
 type Config struct {
 	// Files is a list of files to download.
 	Files []File `json:"files"`
+	// QemuExtraKernelParams is an additional set of kernel parameters to pass kernels started with QEMU.
+	QemuExtraKernelParams string `json:"QemuExtraKernelParams"`
 	// DebugRuntime enables the debug mode of the runtime.
 	// This only works if the igvm file has shell access enabled
 	// and has no effect on production images.

diff --git a/nodeinstaller/internal/constants/constants.go b/nodeinstaller/internal/constants/constants.go
@@ -42,7 +42,7 @@ var (
 const CRIFQDN = "io.containerd.grpc.v1.cri"
 
 // KataRuntimeConfig returns the Kata runtime configuration.
-func KataRuntimeConfig(baseDir string, platform platforms.Platform, debug bool) (*config.KataRuntimeConfig, error) {
+func KataRuntimeConfig(baseDir string, platform platforms.Platform, qemuExtraKernelParams string, debug bool) (*config.KataRuntimeConfig, error) {
 	var config config.KataRuntimeConfig
 	switch platform {
 	case platforms.AKSCloudHypervisorSNP:
@@ -64,13 +64,17 @@ func KataRuntimeConfig(baseDir string, platform platforms.Platform, debug bool)
 		config.Hypervisor["qemu"]["image"] = filepath.Join(baseDir, "share", "kata-containers.img")
 		config.Hypervisor["qemu"]["kernel"] = filepath.Join(baseDir, "share", "kata-kernel")
 		config.Hypervisor["qemu"]["valid_hypervisor_paths"] = []string{filepath.Join(baseDir, "tdx", "bin", "qemu-system-x86_64")}
+		kernelParams := qemuExtraKernelParams
 		if debug {
 			config.Hypervisor["qemu"]["enable_debug"] = true
-			config.Hypervisor["qemu"]["kernel_params"] = " agent.log=debug initcall_debug"
 			config.Agent["kata"]["enable_debug"] = true
 			config.Agent["kata"]["debug_console_enabled"] = true
 			config.Runtime["enable_debug"] = true
+			kernelParams += " agent.log=debug initcall_debug"
 		}
+		// Replace the kernel params entirely (and don't append) since that's
+		// also what we do when calculating the launch measurement.
+		config.Hypervisor["qemu"]["kernel_params"] = kernelParams
 		return &config, nil
 	case platforms.K3sQEMUSNP:
 		if err := toml.Unmarshal([]byte(kataBareMetalQEMUSNPBaseConfig), &config); err != nil {
@@ -85,13 +89,17 @@ func KataRuntimeConfig(baseDir string, platform platforms.Platform, debug bool)
 		config.Hypervisor["qemu"]["shared_fs"] = "virtio-9p"
 		config.Hypervisor["qemu"]["valid_hypervisor_paths"] = []string{filepath.Join(baseDir, "snp", "bin", "qemu-system-x86_64")}
 		config.Hypervisor["qemu"]["rootfs_type"] = "erofs"
+		kernelParams := qemuExtraKernelParams
 		if debug {
 			config.Hypervisor["qemu"]["enable_debug"] = true
-			config.Hypervisor["qemu"]["kernel_params"] = " agent.log=debug initcall_debug"
 			config.Agent["kata"]["enable_debug"] = true
 			config.Agent["kata"]["debug_console_enabled"] = true
 			config.Runtime["enable_debug"] = true
+			kernelParams += " agent.log=debug initcall_debug"
 		}
+		// Replace the kernel params entirely (and don't append) since that's
+		// also what we do when calculating the launch measurement.
+		config.Hypervisor["qemu"]["kernel_params"] = kernelParams
 		return &config, nil
 	default:
 		return nil, fmt.Errorf("unsupported platform: %s", platform)

diff --git a/nodeinstaller/node-installer.go b/nodeinstaller/node-installer.go
@@ -141,7 +141,7 @@ func run(ctx context.Context, fetcher assetFetcher, platform platforms.Platform,
 		return fmt.Errorf("unsupported platform %q", platform)
 	}
 
-	if err := containerdRuntimeConfig(runtimeBase, kataConfigPath, platform, config.DebugRuntime); err != nil {
+	if err := containerdRuntimeConfig(runtimeBase, kataConfigPath, platform, config.QemuExtraKernelParams, config.DebugRuntime); err != nil {
 		return fmt.Errorf("generating kata runtime configuration: %w", err)
 	}
 
@@ -201,8 +201,8 @@ func envWithDefault(key, dflt string) string {
 	return value
 }
 
-func containerdRuntimeConfig(basePath, configPath string, platform platforms.Platform, debugRuntime bool) error {
-	kataRuntimeConfig, err := constants.KataRuntimeConfig(basePath, platform, debugRuntime)
+func containerdRuntimeConfig(basePath, configPath string, platform platforms.Platform, qemuExtraKernelParams string, debugRuntime bool) error {
+	kataRuntimeConfig, err := constants.KataRuntimeConfig(basePath, platform, qemuExtraKernelParams, debugRuntime)
 	if err != nil {
 		return fmt.Errorf("generating kata runtime config: %w", err)
 	}

diff --git a/packages/by-name/kata/contrast-node-installer-image/package.nix b/packages/by-name/kata/contrast-node-installer-image/package.nix
@@ -92,6 +92,7 @@ let
               path = "/tdx/share/qemu/efi-virtio.rom";
             }
           ];
+          qemuExtraKernelParams = kata.runtime-class-files.dmVerityArgs;
           inherit (kata.runtime-class-files) debugRuntime;
         };
         destination = "/config/contrast-node-install.json";

diff --git a/packages/by-name/kata/runtime-class-files/package.nix b/packages/by-name/kata/runtime-class-files/package.nix
@@ -10,6 +10,7 @@
   qemu-static,
   fetchzip,
   python3Packages,
+  lib,
 }:
 
 let
@@ -44,6 +45,15 @@ let
   containerd-shim-contrast-cc-v2 = "${kata.kata-runtime}/bin/containerd-shim-kata-v2";
 
   kata-runtime = "${kata.kata-runtime}/bin/kata-runtime";
+
+  dataBlockSize = builtins.readFile "${image.verity}/data_block_size";
+  hashBlockSize = builtins.readFile "${image.verity}/hash_block_size";
+  dataBlocks = builtins.readFile "${image.verity}/data_blocks";
+  rootHash = builtins.readFile "${image.verity}/roothash";
+  salt = builtins.readFile "${image.verity}/salt";
+  dataSectorsPerBlock = (lib.strings.toInt dataBlockSize) / 512;
+  dataSectors = (lib.strings.toInt dataBlocks) * dataSectorsPerBlock;
+  dmVerityArgs = "dm-mod.create=\"dm-verity,,,ro,0 ${toString dataSectors} verity 1 /dev/vda1 /dev/vda2 ${dataBlockSize} ${hashBlockSize} ${dataBlocks} 0 sha256 ${rootHash} ${salt}\" root=/dev/dm-0";
 in
 
 stdenvNoCC.mkDerivation {
@@ -63,7 +73,7 @@ stdenvNoCC.mkDerivation {
       --vcpus 1 \
       --vcpu-type EPYC-Genoa \
       --kernel ${kernel} \
-      --append "tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 quiet systemd.show_status=false panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none" \
+      --append 'tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 quiet systemd.show_status=false panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none ${dmVerityArgs}' \
       --output-format hex > $out/launch-digest-snp.hex
     sha256sum ${image} ${kernel} ${qemu-snp.bin} ${containerd-shim-contrast-cc-v2} ${ovmf-snp} | sha256sum | cut -d " " -f 1 > $out/runtime-hash-snp.hex
   '';
@@ -79,6 +89,7 @@ stdenvNoCC.mkDerivation {
       ovmf-snp
       kata-runtime
       debugRuntime
+      dmVerityArgs
       ;
   };
 }