node-installer: fix debug runtime measurement on bare metal snp

Signed-off-by: Paul Meyer <[email protected]>

nodeinstaller/internal/constants/constants.go

@@ -70,7 +70,6 @@ func KataRuntimeConfig(baseDir string, platform platforms.Platform, qemuExtraKer
 		kernelParams := qemuExtraKernelParams
 		if debug {
 			config.Hypervisor["qemu"]["enable_debug"] = true
-			kernelParams += " agent.log=debug initcall_debug"
 		}
 		// Replace the kernel params entirely (and don't append) since that's
 		// also what we do when calculating the launch measurement.
@@ -91,7 +90,6 @@ func KataRuntimeConfig(baseDir string, platform platforms.Platform, qemuExtraKer
 		kernelParams := qemuExtraKernelParams
 		if debug {
 			config.Hypervisor["qemu"]["enable_debug"] = true
-			kernelParams += " agent.log=debug initcall_debug"
 		}
 		// Replace the kernel params entirely (and don't append) since that's
 		// also what we do when calculating the launch measurement.

packages/by-name/contrast/package.nix

@@ -73,18 +73,18 @@ let
       };
 
       snpRefVals = {
-        snp = [
-          {
-            trustedMeasurement = lib.removeSuffix "\n" (
-              builtins.readFile "${kata.snp-launch-digest}/milan.hex"
-            );
-          }
-          {
-            trustedMeasurement = lib.removeSuffix "\n" (
-              builtins.readFile "${kata.snp-launch-digest}/genoa.hex"
-            );
-          }
-        ];
+        snp =
+          let
+            launch-digest =
+              if kata.contrast-node-installer-image.debugRuntime then
+                kata.snp-launch-digest.override { debug = true; }
+              else
+                kata.snp-launch-digest;
+          in
+          [
+            { trustedMeasurement = lib.removeSuffix "\n" (builtins.readFile "${launch-digest}/milan.hex"); }
+            { trustedMeasurement = lib.removeSuffix "\n" (builtins.readFile "${launch-digest}/genoa.hex"); }
+          ];
       };
 
       tdxRefVals = {

packages/by-name/kata/contrast-node-installer-image/package.nix

@@ -226,8 +226,11 @@ in
 
 ociImageLayout {
   manifests = [ manifest ];
-  passthru.runtimeHash = hashDirs {
-    dirs = layers; # Layers without node-installer, or we have a circular dependency!
-    name = "runtime-hash-kata";
+  passthru = {
+    inherit debugRuntime;
+    runtimeHash = hashDirs {
+      dirs = layers; # Layers without node-installer, or we have a circular dependency!
+      name = "runtime-hash-kata";
+    };
   };
 }

packages/by-name/kata/snp-launch-digest/package.nix

@@ -2,11 +2,13 @@
 # SPDX-License-Identifier: AGPL-3.0-only
 
 {
+  lib,
   stdenvNoCC,
   kata,
   OVMF-SNP,
   python3Packages,
-  lib,
+
+  debug ? false,
 }:
 
 let
@@ -21,31 +23,34 @@ let
   dataSectorsPerBlock = (lib.strings.toInt dataBlockSize) / 512;
   dataSectors = (lib.strings.toInt dataBlocks) * dataSectorsPerBlock;
   dmVerityArgs = "dm-mod.create=\"dm-verity,,,ro,0 ${toString dataSectors} verity 1 /dev/vda1 /dev/vda2 ${dataBlockSize} ${hashBlockSize} ${dataBlocks} 0 sha256 ${rootHash} ${salt}\" root=/dev/dm-0";
+  cmdlineBase = "tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 quiet systemd.show_status=false panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none";
+  cmdlineBaseDebug = "tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 debug systemd.show_status=true systemd.log_level=debug panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none agent.log=debug agent.debug_console agent.debug_console_vport=1026";
+  cmdline = "${if debug then cmdlineBaseDebug else cmdlineBase} ${dmVerityArgs}";
 in
 
 stdenvNoCC.mkDerivation {
-  name = "snp-launch-digest";
+  name = "snp-launch-digest${lib.optionalString debug "-debug"}";
   inherit (image) version;
 
   dontUnpack = true;
 
   buildPhase = ''
     mkdir $out
-    ${python3Packages.sev-snp-measure}/bin/sev-snp-measure \
+    ${lib.getExe python3Packages.sev-snp-measure} \
       --mode snp \
       --ovmf ${ovmf-snp} \
       --vcpus 1 \
       --vcpu-type EPYC-Milan \
       --kernel ${kernel} \
-      --append 'tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 quiet systemd.show_status=false panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none ${dmVerityArgs}' \
+      --append '${cmdline}' \
       --output-format hex > $out/milan.hex
-    ${python3Packages.sev-snp-measure}/bin/sev-snp-measure \
+    ${lib.getExe python3Packages.sev-snp-measure} \
       --mode snp \
       --ovmf ${ovmf-snp} \
       --vcpus 1 \
       --vcpu-type EPYC-Genoa \
       --kernel ${kernel} \
-      --append 'tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/vda1 rootflags=ro rootfstype=erofs console=hvc0 console=hvc1 quiet systemd.show_status=false panic=1 nr_cpus=1 selinux=0 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none ${dmVerityArgs}' \
+      --append '${cmdline}' \
       --output-format hex > $out/genoa.hex
   '';