microsoft · Camelron · Jun 12, 2024 · Jun 13, 2024
@@ -13,8 +13,15 @@ igvmgen_py_file="${igvm_extract_folder}/src/igvm/igvmgen.py"
 
 igvm_vars="-kernel ${bzimage_bin} -boot_mode x64 -vtl 0 -svme 1 -encrypted_page 1 -pvalidate_opt 1 -acpi ${clh_acpi_tables_dir}"
 
+# root_hash=85b2e9101c51173834f911eaa22e24a41427c806f794585f2fa7a4d26f9470d5
+# salt=9476eed0d13d80032e38905c849ea00417d64f62b5819d9bc1379e7f2bba6dbb
+
+
 igvm_kernel_params_common="dm-mod.create=\"dm-verity,,,ro,0 ${data_sectors} verity 1 /dev/vda1 /dev/vda2 ${data_block_size} ${hash_block_size} ${data_blocks} 0 sha256 ${root_hash} ${salt}\" \
 	root=/dev/dm-0 rootflags=data=ordered,errors=remount-ro ro rootfstype=ext4 panic=1 no_timer_check noreplace-smp systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service \
 	systemd.mask=systemd-networkd.socket agent.enable_signature_verification=false"
+echo "FOOBY!!!"
+echo "igvm_kernel_params_common: $igvm_kernel_params_common"
+
 igvm_kernel_prod_params="${igvm_kernel_params_common} quiet"
 igvm_kernel_debug_params="${igvm_kernel_params_common} console=hvc0 systemd.log_target=console agent.log=debug agent.debug_console agent.debug_console_vport=1026"
@@ -498,7 +498,10 @@ create_rootfs_image() {
 
 	info "Setup systemd"
 	setup_systemd "${mount_dir}"
-
+	echo "FOOBY: mount_dir: ${mount_dir}"
+	find "${mount_dir}" -type f | xargs touch -d "Sun, 29 Feb 2004 16:21:42 -0800"
+	find "${mount_dir}" -type d | xargs touch -d "Sun, 29 Feb 2004 16:21:42 -0800"
+	sudo chroot /
 	info "Unmounting root partition"
 	umount "${mount_dir}"
 	OK "Root partition unmounted"
@@ -528,7 +531,11 @@ create_rootfs_image() {
 
 		info "${setup_cmd}"
 		local image_dir=$(dirname "${image}")
-		eval "${setup_cmd}" > "${image_dir}"/root_hash.txt 2>&1
+		echo "FOOBY!!!"
+		set -x
+		echo "setup_cmd: $setup_cmd"
+		eval "${setup_cmd} -v --uuid "bddba635-5269-45dc-8a64-e5abc5b7b1df" -s \"deadbeef\"" > "${image_dir}"/root_hash.txt 2>&1
+		set +x
 	fi
 
 	losetup -d "${device}"

@@ -27,7 +27,7 @@ if [ "${CONF_PODS}" == "yes" ]; then
 	# AGENT_POLICY_FILE=allow-all.rego would build a UVM with permissive security policy.
 	# The current variable assignment builds a UVM with prohibitive security policy which is the default on
 	# Confidential Containers on AKS
-	rootfs_make_flags+=" AGENT_POLICY=yes CONF_GUEST=yes AGENT_POLICY_FILE=allow-set-policy.rego"
+	rootfs_make_flags+=" AGENT_POLICY=yes CONF_GUEST=yes AGENT_POLICY_FILE=allow-all.rego"
 fi
 
 if [ "${CONF_PODS}" == "yes" ]; then

@@ -2,6 +2,14 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
+temp_upgrade_cacerts()
+{
+        rpm -Uhv ca-certificates-tools-2.0.0-17.cm2.noarch.rpm --replacepkgs
+	rm ca-certificates-tools-2.0.0-17.cm2.noarch.rpm
+	rm /etc/pki/ca-trust/extracted/java/cacerts
+	update-ca-trust
+}
+
 build_rootfs()
 {
 	# Mandatory
@@ -18,9 +26,15 @@ build_rootfs()
 	PKG_MANAGER="tdnf"
 
 	DNF="${PKG_MANAGER} -y --installroot=${ROOTFS_DIR} --noplugins --releasever=${OS_VERSION}"
-
+	set -x
 	info "install packages for rootfs"
-	$DNF install ${EXTRA_PKGS} ${PACKAGES}
-
+	$DNF install ${EXTRA_PKGS} ${PACKAGES} rpm wget
+	wget https://cameronbairdstorage.blob.core.windows.net/public/ca-certificates-tools-2.0.0-17.cm2.noarch.rpm
+	cp ca-certificates-tools-2.0.0-17.cm2.noarch.rpm "${ROOTFS_DIR}"
+	export -f temp_upgrade_cacerts
+	chroot "${ROOTFS_DIR}" /bin/bash -c "temp_upgrade_cacerts"
+	echo "chroot done"
+	set +x
 	rm -rf ${ROOTFS_DIR}/usr/share/{bash-completion,cracklib,doc,info,locale,man,misc,pixmaps,terminfo,zoneinfo,zsh}
 }
+
@@ -45,6 +45,11 @@ ARCH=${ARCH:-$(uname -m)}
 TARGET_OS=${TARGET_OS:-linux}
 [ "${CROSS_BUILD}" == "true" ] && BUILDX=buildx && PLATFORM="--platform=${TARGET_OS}/${TARGET_ARCH}"
 
+
+echo "FOOBY rootfs!!!"
+echo "CONF_PODS tag: $CONF_PODS"
+
+
 handle_error() {
 	local exit_code="${?}"
 	local line_number="${1:-}"
@@ -685,6 +690,14 @@ EOF
 	create_summary_file "${ROOTFS_DIR}"
 }
 
+cleanup_rootfs()
+{
+	echo "FOOBY cleanup_rootfs!!!"
+	rm "${ROOTFS_DIR}/lib/sysimage/tdnf/history.db"
+	rm "${ROOTFS_DIR}/var/lib/osbuilder/osbuilder.yaml"
+	rm -r "${ROOTFS_DIR}/lib/debug/.build-id"
+}
+
 parse_arguments()
 {
 	[ "$#" -eq 0 ] && usage && return 0
@@ -742,6 +755,10 @@ main()
 
 	init="${ROOTFS_DIR}/sbin/init"
 	setup_rootfs
+	set -x
+	if [ ! -z "$CONF_PODS" ]; then
+		cleanup_rootfs
+	fi
 }
 
 main $*