CWCOW: Include merged layer hash

internal/gcs-sidecar/handlers.go

@@ -641,11 +641,7 @@ func (b *Bridge) modifySettings(req *request) (err error) {
 					log.G(ctx).Debugf("block CIM layer digest %s, path: %s\n", layerHashes[i], physicalDevPath)
 				}
 
-				// skip the merged cim and verify individual layer hashes
 				hashesToVerify := layerHashes
-				if len(layerHashes) > 1 {
-					hashesToVerify = layerHashes[1:]
-				}
 
 				err := b.hostState.securityOptions.PolicyEnforcer.EnforceVerifiedCIMsPolicy(req.ctx, containerID, hashesToVerify)
 				if err != nil {

pkg/ociwclayer/cim/import.go

@@ -96,28 +96,29 @@ func WithParentLayers(parentLayers []*cimfs.BlockCIM) BlockCIMLayerImportOpt {
 	}
 }
 
-func writeIntegrityChecksumInfoFile(ctx context.Context, blockPath string) error {
+func GetIntegrityChecksum(ctx context.Context, blockPath string, pathName string) (string, error) {
 	log.G(ctx).Debugf("writing integrity checksum file for block CIM `%s`", blockPath)
 	// for convenience write a file that has the hex encoded root digest of the generated verified CIM.
 	// this same hex string can be used in the confidential policy.
+	// also return the integrity checksum as a string for integrity-vhd tooling
 	digest, err := cimfs.GetVerificationInfo(blockPath)
 	if err != nil {
-		return fmt.Errorf("failed to query verified info of the CIM layer: %w", err)
+		return "", fmt.Errorf("failed to query verified info of the CIM layer: %w", err)
 	}
 
-	digestFile, err := os.Create(filepath.Join(filepath.Dir(blockPath), "integrity_checksum"))
+	digestFile, err := os.Create(filepath.Join(filepath.Dir(blockPath), pathName))
 	if err != nil {
-		return fmt.Errorf("failed to create verification info file: %w", err)
+		return "", fmt.Errorf("failed to create verification info file: %w", err)
 	}
 	defer digestFile.Close()
 
 	digestStr := hex.EncodeToString(digest)
 	if wn, err := digestFile.WriteString(digestStr); err != nil {
-		return fmt.Errorf("failed to write verification info: %w", err)
+		return "", fmt.Errorf("failed to write verification info: %w", err)
 	} else if wn != len(digestStr) {
-		return fmt.Errorf("incomplete write of verification info: %w", err)
+		return "", fmt.Errorf("incomplete write of verification info: %w", err)
 	}
-	return nil
+	return digestStr, nil
 }
 
 func ImportBlockCIMLayerWithOpts(ctx context.Context, r io.Reader, layer *cimfs.BlockCIM, opts ...BlockCIMLayerImportOpt) (_ int64, err error) {
@@ -164,7 +165,7 @@ func ImportBlockCIMLayerWithOpts(ctx context.Context, r io.Reader, layer *cimfs.
 	}
 
 	if config.dataIntegrity {
-		if err = writeIntegrityChecksumInfoFile(ctx, layer.BlockPath); err != nil {
+		if _, err = GetIntegrityChecksum(ctx, layer.BlockPath, "integrity_checksum"); err != nil {
 			return 0, err
 		}
 	}
@@ -358,5 +359,10 @@ func MergeBlockCIMLayersWithOpts(ctx context.Context, sourceCIMs []*cimfs.BlockC
 			return fmt.Errorf("append VHD footer to block CIM: %w", err)
 		}
 	}
+	if config.dataIntegrity {
+		if _, err = GetIntegrityChecksum(ctx, mergedCIM.BlockPath, "merged_integrity_checksum"); err != nil {
+			return err
+		}
+	}
 	return nil
 }