diff --git a/nodeinstaller/internal/constants/constants.go b/nodeinstaller/internal/constants/constants.go
index c8febefe28..1d782b00b5 100644
--- a/nodeinstaller/internal/constants/constants.go
+++ b/nodeinstaller/internal/constants/constants.go
@@ -70,7 +70,6 @@ func KataRuntimeConfig(baseDir string, platform platforms.Platform, qemuExtraKer
 	kernelParams := qemuExtraKernelParams
 	if debug {
 		config.Hypervisor["qemu"]["enable_debug"] = true
-		kernelParams += " agent.log=debug initcall_debug"
 	}
 	// Replace the kernel params entirely (and don't append) since that's
 	// also what we do when calculating the launch measurement.
@@ -91,7 +90,6 @@ func KataRuntimeConfig(baseDir string, platform platforms.Platform, qemuExtraKer
 	kernelParams := qemuExtraKernelParams
 	if debug {
 		config.Hypervisor["qemu"]["enable_debug"] = true
-		kernelParams += " agent.log=debug initcall_debug"
 	}
 	// Replace the kernel params entirely (and don't append) since that's
 	// also what we do when calculating the launch measurement.
diff --git a/packages/by-name/contrast/package.nix b/packages/by-name/contrast/package.nix
index ad3a6e08eb..d2af7d5a97 100644
--- a/packages/by-name/contrast/package.nix
+++ b/packages/by-name/contrast/package.nix
@@ -73,18 +73,18 @@ let
   };
   snpRefVals = {
-    snp = [
-      {
-        trustedMeasurement = lib.removeSuffix "\n" (
-          builtins.readFile "${kata.snp-launch-digest}/milan.hex"
-        );
-      }
-      {
-        trustedMeasurement = lib.removeSuffix "\n" (
-          builtins.readFile "${kata.snp-launch-digest}/genoa.hex"
-        );
-      }
-    ];
+    snp =
+      let
+        launch-digest =
+          if kata.contrast-node-installer-image.debugRuntime then
+            kata.snp-launch-digest.override { debug = true; }
+          else
+            kata.snp-launch-digest;
+      in
+      [
+        { trustedMeasurement = lib.removeSuffix "\n" (builtins.readFile "${launch-digest}/milan.hex"); }
+        { trustedMeasurement = lib.removeSuffix "\n" (builtins.readFile "${launch-digest}/genoa.hex"); }
+      ];
   };
   tdxRefVals = {
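Review bot: With the `kernelParams += " agent.log=debug initcall_debug"` line removed, the `if debug` branch only flips `enable_debug` and the guest cmdline is whatever `qemuExtraKernelParams` already carries, so responsibility for a cmdline that matches the debug variant measured in snp-launch-digest (`agent.log=debug agent.debug_console ...`) has silently moved to the caller, and nothing in the function says so. I'd record that where the old line was, e.g. `// Debug kernel params are deliberately not appended here: they must already be part of qemuExtraKernelParams so the cmdline matches the (debug) launch digest byte for byte.` The identical branch in the second hunk at old line 91 deserves the same comment. KataRuntimeConfig starts and ends outside both hunks, so I cannot see where qemuExtraKernelParams is assembled or whether it is keyed on the same debug flag.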
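Review bot: The `launch-digest` binding now silently picks the debug launch digest whenever `kata.contrast-node-installer-image.debugRuntime` is set, and the cmdline that digest is computed from enables `agent.debug_console` in the guest, so a contrast build evaluated with that flag would embed reference values that attest a debuggable CVM as trusted with nothing in the output marking it. I'd make that loud at the binding: `launch-digest = lib.warnIf kata.contrast-node-installer-image.debugRuntime "embedding DEBUG SNP reference values (guest debug console enabled)" (if ... then ... else ...);` together with a comment `# Must match the kernel cmdline the runtime actually boots with; a debug runtime has a different measurement.` Whether a release build can ever see debugRuntime = true depends on how contrast-node-installer-image is instantiated, which this diff does not show. The `tdxRefVals` block that starts on the last context line gets no equivalent selection; that is only correct if the TDX runtime has no debug variant, which I cannot tell from here.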
diff --git a/packages/by-name/kata/contrast-node-installer-image/package.nix b/packages/by-name/kata/contrast-node-installer-image/package.nix
index e44d3fabaa..ff83bef606 100644
--- a/packages/by-name/kata/contrast-node-installer-image/package.nix
+++ b/packages/by-name/kata/contrast-node-installer-image/package.nix
@@ -226,8 +226,11 @@ in ociImageLayout {
   manifests = [ manifest ];
-  passthru.runtimeHash = hashDirs {
-    dirs = layers; # Layers without node-installer, or we have a circular dependency!
-    name = "runtime-hash-kata";
+  passthru = {
+    inherit debugRuntime;
+    runtimeHash = hashDirs {
+      dirs = layers; # Layers without node-installer, or we have a circular dependency!
+      name = "runtime-hash-kata";
+    };
   };
 }
diff --git a/packages/by-name/kata/snp-launch-digest/package.nix b/packages/by-name/kata/snp-launch-digest/package.nix
index 1e8d3ec753..b23120a1d7 100644
--- a/packages/by-name/kata/snp-launch-digest/package.nix
+++ b/packages/by-name/kata/snp-launch-digest/package.nix
@@ -2,11 +2,13 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 {
+  lib,
   stdenvNoCC,
   kata,
   OVMF-SNP,
   python3Packages,
-  lib,
+
+  debug ? false,
 }:
 let
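Review bot: `inherit debugRuntime;` turns a build flag into an attestation input — contrast/package.nix reads `passthru.debugRuntime` to decide whether the embedded SNP reference values come from the debug kernel cmdline — but the hunk gives no hint that the attribute is load-bearing. I'd put above it: `# Read by contrast/package.nix to select the matching (debug) SNP launch digest; must agree with the runtime config written into the image layers.` `runtimeHash` still covers only `layers`; I assume those already differ when debugRuntime is set (the runtime config changes), in which case the hash cannot collide between a debug and a non-debug image, but that is worth confirming rather than relying on. Where `debugRuntime` itself is bound is outside this hunk.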
@@ -21,31 +23,34 @@ let dataSectorsPerBlock = (lib.strings.toInt dataBlockSize) / 512; dataSectors = (lib.strings.toInt dataBlocks) * dataSectorsPerBlock; dmVerityArgs = "dm-mod.create=\"dm-verity,,,ro,0 ${toString dataSectors} verity 1 /dev/vda1 /dev/vda2 ${dataBlockSize} ${hashBlockSize} ${dataBlocks} 0 sha256 ${rootHash} ${salt}\" root=/dev/dm-0"; + cmdlineBase = "tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 quiet systemd.show_status=false panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none"; + cmdlineBaseDebug = "tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 debug systemd.show_status=true systemd.log_level=debug panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none agent.log=debug agent.debug_console agent.debug_console_vport=1026"; + cmdline = "${if debug then cmdlineBaseDebug else cmdlineBase} ${dmVerityArgs}"; in stdenvNoCC.mkDerivation { - name = "snp-launch-digest"; + name = "snp-launch-digest${lib.optionalString debug "-debug"}"; inherit (image) version; dontUnpack = true; buildPhase = '' mkdir $out - ${python3Packages.sev-snp-measure}/bin/sev-snp-measure \ + ${lib.getExe python3Packages.sev-snp-measure} \ --mode snp \ --ovmf ${ovmf-snp} \ --vcpus 1 \ --vcpu-type EPYC-Milan \ --kernel ${kernel} \ - --append 'tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k 
cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 quiet systemd.show_status=false panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none ${dmVerityArgs}' \ + --append '${cmdline}' \ --output-format hex > $out/milan.hex - ${python3Packages.sev-snp-measure}/bin/sev-snp-measure \ + ${lib.getExe python3Packages.sev-snp-measure} \ --mode snp \ --ovmf ${ovmf-snp} \ --vcpus 1 \ --vcpu-type EPYC-Genoa \ --kernel ${kernel} \ - --append 'tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 quiet systemd.show_status=false panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none ${dmVerityArgs}' \ + --append '${cmdline}' \ --output-format hex > $out/genoa.hex '';