rootfs: deprecate initramfs dm-verity mode

Remove the initramfs folder, its build steps, and use the kernel
based dm-verity enforcement for the handlers which used the
initramfs mode. Also, remove the initramfs verity mode
capability from the shims and their configs.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>

Author: manuelh-dev

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -312,7 +312,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
-          MEASURED_ROOTFS_MODE: initramfs
+          MEASURED_ROOTFS: yes
 
       - name: store-artifact shim-v2
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

.github/workflows/build-kata-static-tarball-s390x.yaml

@@ -307,6 +307,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          MEASURED_ROOTFS: no
 
       - name: store-artifact shim-v2
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

src/libs/kata-types/src/config/hypervisor/mod.rs

@@ -78,16 +78,9 @@ const MAX_BRIDGE_SIZE: u32 = 5;
 const KERNEL_PARAM_DELIMITER: &str = " ";
 /// Block size (in bytes) used by dm-verity block size validation.
 pub const VERITY_BLOCK_SIZE_BYTES: u64 = 512;
-/// Kernel dm-verity mode handled by the initramfs.
-pub const VERITY_MODE_INITRAMFS: &str = "initramfs";
-/// Kernel dm-verity mode handled directly by the kernel.
-pub const VERITY_MODE_KERNELINIT: &str = "kernelinit";
-
 /// Parsed kernel dm-verity parameters.
 #[derive(Clone, Debug, Default, Deserialize, Serialize)]
 pub struct KernelVerityParams {
-    /// Verity mode ("kernelinit" or "initramfs").
-    pub mode: String,
     /// Root hash value.
     pub root_hash: String,
     /// Salt used to generate verity hash tree.
@@ -129,22 +122,6 @@ pub fn parse_kernel_verity_params(params: &str) -> Result<Option<KernelVerityPar
         values.insert(key.to_string(), value.to_string());
     }
 
-    let mode = values
-        .get("mode")
-        .ok_or_else(|| {
-            io::Error::new(
-                io::ErrorKind::InvalidData,
-                "Missing kernel_verity_params mode",
-            )
-        })?
-        .to_string();
-    if mode != VERITY_MODE_KERNELINIT && mode != VERITY_MODE_INITRAMFS {
-        return Err(io::Error::new(
-            io::ErrorKind::InvalidData,
-            format!("Invalid kernel_verity_params mode: {mode}"),
-        ));
-    }
-
     let root_hash = values
         .get("root_hash")
         .ok_or_else(|| {
@@ -172,61 +149,54 @@ pub fn parse_kernel_verity_params(params: &str) -> Result<Option<KernelVerityPar
         }
     };
 
-    let (data_blocks, data_block_size, hash_block_size) = if mode == VERITY_MODE_KERNELINIT {
-        let data_blocks = parse_uint_field("data_blocks")?;
-        let data_block_size = parse_uint_field("data_block_size")?;
-        let hash_block_size = parse_uint_field("hash_block_size")?;
-
-        if salt.is_empty() {
-            return Err(io::Error::new(
-                io::ErrorKind::InvalidData,
-                "Missing kernel_verity_params salt",
-            ));
-        }
-        if data_blocks == 0 {
-            return Err(io::Error::new(
-                io::ErrorKind::InvalidData,
-                "Invalid kernel_verity_params data_blocks: must be non-zero",
-            ));
-        }
-        if data_block_size == 0 {
-            return Err(io::Error::new(
-                io::ErrorKind::InvalidData,
-                "Invalid kernel_verity_params data_block_size: must be non-zero",
-            ));
-        }
-        if hash_block_size == 0 {
-            return Err(io::Error::new(
-                io::ErrorKind::InvalidData,
-                "Invalid kernel_verity_params hash_block_size: must be non-zero",
-            ));
-        }
-        if data_block_size % VERITY_BLOCK_SIZE_BYTES != 0 {
-            return Err(io::Error::new(
-                io::ErrorKind::InvalidData,
-                format!(
-                    "Invalid kernel_verity_params data_block_size: must be multiple of {}",
-                    VERITY_BLOCK_SIZE_BYTES
-                ),
-            ));
-        }
-        if hash_block_size % VERITY_BLOCK_SIZE_BYTES != 0 {
-            return Err(io::Error::new(
-                io::ErrorKind::InvalidData,
-                format!(
-                    "Invalid kernel_verity_params hash_block_size: must be multiple of {}",
-                    VERITY_BLOCK_SIZE_BYTES
-                ),
-            ));
-        }
+    let data_blocks = parse_uint_field("data_blocks")?;
+    let data_block_size = parse_uint_field("data_block_size")?;
+    let hash_block_size = parse_uint_field("hash_block_size")?;
 
-        (data_blocks, data_block_size, hash_block_size)
-    } else {
-        (0, 0, 0)
-    };
+    if salt.is_empty() {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            "Missing kernel_verity_params salt",
+        ));
+    }
+    if data_blocks == 0 {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            "Invalid kernel_verity_params data_blocks: must be non-zero",
+        ));
+    }
+    if data_block_size == 0 {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            "Invalid kernel_verity_params data_block_size: must be non-zero",
+        ));
+    }
+    if hash_block_size == 0 {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            "Invalid kernel_verity_params hash_block_size: must be non-zero",
+        ));
+    }
+    if data_block_size % VERITY_BLOCK_SIZE_BYTES != 0 {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            format!(
+                "Invalid kernel_verity_params data_block_size: must be multiple of {}",
+                VERITY_BLOCK_SIZE_BYTES
+            ),
+        ));
+    }
+    if hash_block_size % VERITY_BLOCK_SIZE_BYTES != 0 {
+        return Err(io::Error::new(
+            io::ErrorKind::InvalidData,
+            format!(
+                "Invalid kernel_verity_params hash_block_size: must be multiple of {}",
+                VERITY_BLOCK_SIZE_BYTES
+            ),
+        ));
+    }
 
     Ok(Some(KernelVerityParams {
-        mode,
         root_hash,
         salt,
         data_blocks,

src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in

@@ -75,7 +75,7 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
 kernel_params = "@KERNELTDXPARAMS@"
 
 # Optional dm-verity parameters (comma-separated key=value list):
-# mode=kernelinit|initramfs,root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
+# root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
 # These are used by the runtime to assemble dm-verity kernel params.
 kernel_verity_params = "@KERNELVERITYPARAMS@"
 

src/runtime-rs/crates/hypervisor/src/kernel_param.rs

@@ -11,9 +11,7 @@ use crate::{
     VM_ROOTFS_ROOT_BLK, VM_ROOTFS_ROOT_PMEM,
 };
 use kata_types::config::LOG_VPORT_OPTION;
-use kata_types::config::hypervisor::{
-    parse_kernel_verity_params, VERITY_BLOCK_SIZE_BYTES, VERITY_MODE_INITRAMFS,
-};
+use kata_types::config::hypervisor::{parse_kernel_verity_params, VERITY_BLOCK_SIZE_BYTES};
 use kata_types::fs::{
     VM_ROOTFS_FILESYSTEM_EROFS, VM_ROOTFS_FILESYSTEM_EXT4, VM_ROOTFS_FILESYSTEM_XFS,
 };
@@ -60,7 +58,6 @@ fn split_kernel_params(params_string: &str) -> Vec<String> {
 }
 
 struct KernelVerityConfig {
-    mode: String,
     root_hash: String,
     salt: String,
     data_blocks: u64,
@@ -73,7 +70,6 @@ fn new_kernel_verity_params(params_string: &str) -> Result<Option<KernelVerityCo
         .map_err(|err| anyhow!(err.to_string()))?;
 
     Ok(cfg.map(|params| KernelVerityConfig {
-        mode: params.mode,
         root_hash: params.root_hash,
         salt: params.salt,
         data_blocks: params.data_blocks,
@@ -203,14 +199,6 @@ impl KernelParams {
             None => return Ok(params),
         };
 
-        if cfg.mode == VERITY_MODE_INITRAMFS {
-            params.append(&mut KernelParams::from_string(&format!(
-                "rootfs_verity.scheme=dm-verity rootfs_verity.hash={}",
-                cfg.root_hash
-            )));
-            return Ok(params);
-        }
-
         let (root_device, hash_device) = match rootfs_driver {
             VM_ROOTFS_DRIVER_PMEM => ("/dev/pmem0p1", "/dev/pmem0p2"),
             VM_ROOTFS_DRIVER_BLK | VM_ROOTFS_DRIVER_BLK_CCW | VM_ROOTFS_DRIVER_MMIO => {
@@ -495,18 +483,7 @@ mod tests {
     #[test]
     fn test_kernel_verity_params() -> Result<()> {
         let params = KernelParams::new_rootfs_kernel_params(
-            "mode=initramfs,root_hash=abc",
-            VM_ROOTFS_DRIVER_PMEM,
-            VM_ROOTFS_FILESYSTEM_EXT4,
-        )?;
-        assert!(params
-            .to_string()?
-            .contains("rootfs_verity.scheme=dm-verity"));
-        assert!(params.to_string()?.contains("rootfs_verity.hash=abc"));
-        assert!(params.to_string()?.contains("root="));
-
-        let params = KernelParams::new_rootfs_kernel_params(
-            "mode=kernelinit,root_hash=abc,salt=def,data_blocks=1,data_block_size=4096,hash_block_size=4096",
+            "root_hash=abc,salt=def,data_blocks=1,data_block_size=4096,hash_block_size=4096",
             VM_ROOTFS_DRIVER_BLK,
             VM_ROOTFS_FILESYSTEM_EXT4,
         )?;
@@ -516,14 +493,41 @@ mod tests {
         assert!(params_string.contains("rootfstype=ext4"));
 
         let err = KernelParams::new_rootfs_kernel_params(
-            "mode=kernelinit,root_hash=abc,data_blocks=1,data_block_size=4096,hash_block_size=4096",
+            "root_hash=abc,data_blocks=1,data_block_size=4096,hash_block_size=4096",
             VM_ROOTFS_DRIVER_BLK,
             VM_ROOTFS_FILESYSTEM_EXT4,
         )
         .err()
         .expect("expected missing salt error");
         assert!(format!("{err}").contains("Missing kernel_verity_params salt"));
 
+        let err = KernelParams::new_rootfs_kernel_params(
+            "root_hash=abc,salt=def,data_block_size=4096,hash_block_size=4096",
+            VM_ROOTFS_DRIVER_BLK,
+            VM_ROOTFS_FILESYSTEM_EXT4,
+        )
+        .err()
+        .expect("expected missing data_blocks error");
+        assert!(format!("{err}").contains("Missing kernel_verity_params data_blocks"));
+
+        let err = KernelParams::new_rootfs_kernel_params(
+            "root_hash=abc,salt=def,data_blocks=foo,data_block_size=4096,hash_block_size=4096",
+            VM_ROOTFS_DRIVER_BLK,
+            VM_ROOTFS_FILESYSTEM_EXT4,
+        )
+        .err()
+        .expect("expected invalid data_blocks error");
+        assert!(format!("{err}").contains("Invalid kernel_verity_params data_blocks"));
+
+        let err = KernelParams::new_rootfs_kernel_params(
+            "root_hash=abc,salt=def,data_blocks=1,data_block_size=4096,hash_block_size=4096,badfield",
+            VM_ROOTFS_DRIVER_BLK,
+            VM_ROOTFS_FILESYSTEM_EXT4,
+        )
+        .err()
+        .expect("expected invalid entry error");
+        assert!(format!("{err}").contains("Invalid kernel_verity_params entry"));
+
         Ok(())
     }
 }

src/runtime/config/configuration-qemu-coco-dev.toml.in

@@ -53,7 +53,7 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
 kernel_params = "@KERNELQEMUCOCODEVPARAMS@"
 
 # Optional dm-verity parameters (comma-separated key=value list):
-# mode=kernelinit|initramfs,root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
+# root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
 # These are used by the runtime to assemble dm-verity kernel params.
 kernel_verity_params = "@KERNELVERITYPARAMS@"
 

src/runtime/config/configuration-qemu-nvidia-gpu-snp.toml.in

@@ -93,7 +93,7 @@ snp_guest_policy = 196608
 kernel_params = "@KERNELPARAMS_NV@"
 
 # Optional dm-verity parameters (comma-separated key=value list):
-# mode=kernelinit|initramfs,root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
+# root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
 # These are used by the runtime to assemble dm-verity kernel params.
 kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"
 

src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in

@@ -70,7 +70,7 @@ valid_hypervisor_paths = @QEMUTDXEXPERIMENTALVALIDHYPERVISORPATHS@
 kernel_params = "@KERNELPARAMS_NV@"
 
 # Optional dm-verity parameters (comma-separated key=value list):
-# mode=kernelinit|initramfs,root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
+# root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
 # These are used by the runtime to assemble dm-verity kernel params.
 kernel_verity_params = "@KERNELVERITYPARAMS_CONFIDENTIAL_NV@"
 

src/runtime/config/configuration-qemu-nvidia-gpu.toml.in

@@ -52,7 +52,7 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
 kernel_params = "@KERNELPARAMS_NV@"
 
 # Optional dm-verity parameters (comma-separated key=value list):
-# mode=kernelinit|initramfs,root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
+# root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
 # These are used by the runtime to assemble dm-verity kernel params.
 kernel_verity_params = "@KERNELVERITYPARAMS_NV@"
 

src/runtime/config/configuration-qemu-tdx.toml.in

@@ -69,7 +69,7 @@ valid_hypervisor_paths = @QEMUVALIDHYPERVISORPATHS@
 kernel_params = "@KERNELTDXPARAMS@"
 
 # Optional dm-verity parameters (comma-separated key=value list):
-# mode=kernelinit|initramfs,root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
+# root_hash=...,salt=...,data_blocks=...,data_block_size=...,hash_block_size=...
 # These are used by the runtime to assemble dm-verity kernel params.
 kernel_verity_params = "@KERNELVERITYPARAMS@"