From eb0eb423a3fda2a8cdcbc0a82e79e27323cc4017 Mon Sep 17 00:00:00 2001
From: Mahati Chamarthy
Date: Wed, 4 Mar 2026 17:09:26 +0000
Subject: [PATCH 1/2] CWCOW: Include merged layer hash

Signed-off-by: Mahati Chamarthy
---
 internal/gcs-sidecar/handlers.go | 4 ----
 pkg/ociwclayer/cim/import.go | 23 ++++++++++++++++++++---
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/internal/gcs-sidecar/handlers.go b/internal/gcs-sidecar/handlers.go
index 2eee764569..946f6c664a 100644
--- a/internal/gcs-sidecar/handlers.go
+++ b/internal/gcs-sidecar/handlers.go
@@ -641,11 +641,7 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 			log.G(ctx).Debugf("block CIM layer digest %s, path: %s\n", layerHashes[i], physicalDevPath)
 		}
 
-		// skip the merged cim and verify individual layer hashes
 		hashesToVerify := layerHashes
-		if len(layerHashes) > 1 {
-			hashesToVerify = layerHashes[1:]
-		}
 
 		err := b.hostState.securityOptions.PolicyEnforcer.EnforceVerifiedCIMsPolicy(req.ctx, containerID, hashesToVerify)
 		if err != nil {
diff --git a/pkg/ociwclayer/cim/import.go b/pkg/ociwclayer/cim/import.go
index e217aa694b..cf96d6e419 100644
--- a/pkg/ociwclayer/cim/import.go
+++ b/pkg/ociwclayer/cim/import.go
@@ -96,7 +96,7 @@ func WithParentLayers(parentLayers []*cimfs.BlockCIM) BlockCIMLayerImportOpt {
 	}
 }
 
-func writeIntegrityChecksumInfoFile(ctx context.Context, blockPath string) error {
+func writeIntegrityChecksumInfoFile(ctx context.Context, blockPath string, pathName string) error {
 	log.G(ctx).Debugf("writing integrity checksum file for block CIM `%s`", blockPath)
 	// for convenience write a file that has the hex encoded root digest of the generated verified CIM.
 	// this same hex string can be used in the confidential policy.
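Review bot: With the `[1:]` slice gone, `hashesToVerify := layerHashes` is a bare alias and nothing in modifySettings records any more that the merged CIM digest is deliberately part of the set handed to EnforceVerifiedCIMsPolicy. Any policy written against the old behaviour, listing only per-layer digests, will now be rejected at this call; that is the stricter direction (the merged CIM is presumably the one that ends up mounted, so leaving it unverified was a gap), but it is a policy-compatibility break that the commit message and the policy tooling should state. I would pass `layerHashes` directly and keep a why-comment in its place: `// verify every digest, including the merged CIM (index 0 when present); policies must list it`. modifySettings starts and ends outside the hunk.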
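Review bot: The new `pathName` parameter is joined under `filepath.Dir(blockPath)` by the following hunk, so it is a bare file name rather than a path, and neither the name nor a doc comment says so. I would spell it `blockPath, fileName string` and add `// writeIntegrityChecksumInfoFile writes the hex-encoded root digest of the verified block CIM at blockPath to fileName, a bare file name resolved in the block's directory.` The body of the function continues in the next hunk.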
@@ -105,7 +105,7 @@ func writeIntegrityChecksumInfoFile(ctx context.Context, blockPath string) error
 		return fmt.Errorf("failed to query verified info of the CIM layer: %w", err)
 	}
 
-	digestFile, err := os.Create(filepath.Join(filepath.Dir(blockPath), "integrity_checksum"))
+	digestFile, err := os.Create(filepath.Join(filepath.Dir(blockPath), pathName))
 	if err != nil {
 		return fmt.Errorf("failed to create verification info file: %w", err)
 	}
@@ -120,6 +120,18 @@ func writeIntegrityChecksumInfoFile(ctx context.Context, blockPath string) error
 	return nil
 }
 
+func GetIntegrityChecksum(ctx context.Context, blockPath string) (string, error) {
+	log.G(ctx).Debugf("Getting integrity checksum for block CIM `%s`", blockPath)
+	digest, err := cimfs.GetVerificationInfo(blockPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to query verified info of the CIM layer: %w", err)
+	}
+
+	digestStr := hex.EncodeToString(digest)
+
+	return digestStr, nil
+}
+
 func ImportBlockCIMLayerWithOpts(ctx context.Context, r io.Reader, layer *cimfs.BlockCIM, opts ...BlockCIMLayerImportOpt) (_ int64, err error) {
 	log.G(ctx).WithField("layer", layer).Debug("Importing block CIM layer from tar")
 
@@ -164,7 +176,7 @@ func ImportBlockCIMLayerWithOpts(ctx context.Context, r io.Reader, layer *cimfs.
 	}
 
 	if config.dataIntegrity {
-		if err = writeIntegrityChecksumInfoFile(ctx, layer.BlockPath); err != nil {
+		if err = writeIntegrityChecksumInfoFile(ctx, layer.BlockPath, "integrity_checksum"); err != nil {
 			return 0, err
 		}
 	}
@@ -358,5 +370,10 @@ func MergeBlockCIMLayersWithOpts(ctx context.Context, sourceCIMs []*cimfs.BlockC
 			return fmt.Errorf("append VHD footer to block CIM: %w", err)
 		}
 	}
+	if config.dataIntegrity {
+		if err = writeIntegrityChecksumInfoFile(ctx, mergedCIM.BlockPath, "merged_integrity_checksum"); err != nil {
+			return err
+		}
+	}
 	return nil
 }

From a463e324571acad9b963cec2a4749b7ebf45ac19 Mon Sep 17 00:00:00 2001
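Review bot: GetIntegrityChecksum is exported without a doc comment; `// GetIntegrityChecksum returns the hex-encoded root digest that cimfs reports for the verified block CIM at blockPath.` states exactly what the body does. The `digestStr` temporary adds nothing and can be folded into the return, `return hex.EncodeToString(digest), nil`.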
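Review bot: The merged digest file is written only after the VHD footer has been appended to mergedCIM, and nothing in the hunk says whether cimfs.GetVerificationInfo is affected by that footer; since the value in merged_integrity_checksum is what a policy will carry and the sidecar will compare at mount time, the intended ordering should be pinned in a comment so a later refactor does not move it, e.g. `// NOTE: digest is taken after the VHD footer is appended - confirm this matches what the policy enforcer hashes`. The per-layer file is named integrity_checksum while this one is merged_integrity_checksum, so tooling that collects digests needs to know both names; worth a mention in the doc comment of whichever function the series settles on. MergeBlockCIMLayersWithOpts begins outside the hunk, and `err`, `config` and `mergedCIM` are declared there.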
From: Mahati Chamarthy
Date: Thu, 5 Mar 2026 14:32:55 +0000
Subject: [PATCH 2/2] CWCOW: Reuse API

Signed-off-by: Mahati Chamarthy
---
 pkg/ociwclayer/cim/import.go | 27 ++++++++------------------
 1 file changed, 8 insertions(+), 19 deletions(-)

diff --git a/pkg/ociwclayer/cim/import.go b/pkg/ociwclayer/cim/import.go
index cf96d6e419..d2b7306bdc 100644
--- a/pkg/ociwclayer/cim/import.go
+++ b/pkg/ociwclayer/cim/import.go
@@ -96,39 +96,28 @@ func WithParentLayers(parentLayers []*cimfs.BlockCIM) BlockCIMLayerImportOpt {
 	}
 }
 
-func writeIntegrityChecksumInfoFile(ctx context.Context, blockPath string, pathName string) error {
+func GetIntegrityChecksum(ctx context.Context, blockPath string, pathName string) (string, error) {
 	log.G(ctx).Debugf("writing integrity checksum file for block CIM `%s`", blockPath)
 	// for convenience write a file that has the hex encoded root digest of the generated verified CIM.
 	// this same hex string can be used in the confidential policy.
+	// also return the integrity checksum as a string for integrity-vhd tooling
 	digest, err := cimfs.GetVerificationInfo(blockPath)
 	if err != nil {
-		return fmt.Errorf("failed to query verified info of the CIM layer: %w", err)
+		return "", fmt.Errorf("failed to query verified info of the CIM layer: %w", err)
 	}
 
 	digestFile, err := os.Create(filepath.Join(filepath.Dir(blockPath), pathName))
 	if err != nil {
-		return fmt.Errorf("failed to create verification info file: %w", err)
+		return "", fmt.Errorf("failed to create verification info file: %w", err)
 	}
 	defer digestFile.Close()
 
 	digestStr := hex.EncodeToString(digest)
 	if wn, err := digestFile.WriteString(digestStr); err != nil {
-		return fmt.Errorf("failed to write verification info: %w", err)
+		return "", fmt.Errorf("failed to write verification info: %w", err)
 	} else if wn != len(digestStr) {
-		return fmt.Errorf("incomplete write of verification info: %w", err)
+		return "", fmt.Errorf("incomplete write of verification info: %w", err)
 	}
 
-	return nil
-}
-
-func GetIntegrityChecksum(ctx context.Context, blockPath string) (string, error) {
-	log.G(ctx).Debugf("Getting integrity checksum for block CIM `%s`", blockPath)
-	digest, err := cimfs.GetVerificationInfo(blockPath)
-	if err != nil {
-		return "", fmt.Errorf("failed to query verified info of the CIM layer: %w", err)
-	}
-
-	digestStr := hex.EncodeToString(digest)
-
 	return digestStr, nil
 }
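Review bot: The new `return "", fmt.Errorf("incomplete write of verification info: %w", err)` wraps an `err` that is nil in that branch (the `else if` is only reached when WriteString returned no error), so the message renders as `%!w(<nil>)`; report the counts instead, `return "", fmt.Errorf("incomplete write of verification info: wrote %d of %d bytes", wn, len(digestStr))`. The function is now exported under a `Get` name while its main effect is creating a file under `filepath.Dir(blockPath)`, and its debug line still says "writing"; an exported function needs a doc comment that states both, e.g. `// GetIntegrityChecksum writes the hex-encoded root digest of the verified block CIM at blockPath to pathName, a bare file name in the block's directory, and returns that digest.` Because this file is what the confidential policy is built from, a failed `Close` that is swallowed by the defer can leave a truncated digest on disk with no error; replace the deferred close with `if err := digestFile.Close(); err != nil { return "", fmt.Errorf("closing verification info file: %w", err) }` before the final return. The two call sites in the later hunks discard the digest with `_, err = GetIntegrityChecksum(...)`, which reads as a dropped result rather than a file write, so a short `// writes <name> next to the block CIM` comment at each would help.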
@@ -176,7 +165,7 @@ func ImportBlockCIMLayerWithOpts(ctx context.Context, r io.Reader, layer *cimfs.
 	}
 
 	if config.dataIntegrity {
-		if err = writeIntegrityChecksumInfoFile(ctx, layer.BlockPath, "integrity_checksum"); err != nil {
+		if _, err = GetIntegrityChecksum(ctx, layer.BlockPath, "integrity_checksum"); err != nil {
 			return 0, err
 		}
 	}
@@ -371,7 +360,7 @@ func MergeBlockCIMLayersWithOpts(ctx context.Context, sourceCIMs []*cimfs.BlockC
 		}
 	}
 	if config.dataIntegrity {
-		if err = writeIntegrityChecksumInfoFile(ctx, mergedCIM.BlockPath, "merged_integrity_checksum"); err != nil {
+		if _, err = GetIntegrityChecksum(ctx, mergedCIM.BlockPath, "merged_integrity_checksum"); err != nil {
 			return err
 		}
 	}