From 2cd0fe974713ae854b8e6e9e084b2e6dc2443d02 Mon Sep 17 00:00:00 2001
From: ANJANA-A-R-K
Date: Tue, 8 Apr 2025 14:18:49 +0530
Subject: [PATCH] podvm: Enable se image build for rhel with and without --no-verify

Made changes to build RHEL SE enabled podvm image with an extra Arg of SE_VERIFY=true

Signed-off-by: ANJANA-A-R-K
---
 config/peerpods/podvm/lib.sh | 16 ++++++++++++++++
 .../peerpods/podvm/libvirt-podvm-image-cm.yaml | 6 ++++++
 2 files changed, 22 insertions(+)

diff --git a/config/peerpods/podvm/lib.sh b/config/peerpods/podvm/lib.sh
index d8022cb13..901d10e6f 100644
--- a/config/peerpods/podvm/lib.sh
+++ b/config/peerpods/podvm/lib.sh
@@ -247,6 +247,22 @@ to edit policy.conf"
 error_exit "Error: HKD is not present."
 else
 echo "$HOST_KEY_CERTS" >>"${podvm_dir}/files/HKD.crt"
+ if [[ "$SE_VERIFY" == "true" ]]; then
+ curl -o "${podvm_dir}/files/ibm-z-host-key-signing-gen2.crt" "https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-signing-gen2.crt"
+ if [[ $? -ne 0 ]]; then
+ error_exit "Error: Failed to download ibm-z-host-key-signing-gen2.crt."
+ fi
+
+ curl -o "${podvm_dir}/files/DigiCertCA.crt" "https://www.ibm.com/support/resourcelink/api/content/public/DigiCertCA.crt"
+ if [[ $? -ne 0 ]]; then
+ error_exit "Error: Failed to download DigiCertCA.crt."
+ fi
+
+ curl -o "${podvm_dir}/files/ibm-z-host-key-gen2.crl" "https://www.ibm.com/support/resourcelink/api/content/public/ibm-z-host-key-gen2.crl"
+ if [[ $? -ne 0 ]]; then
+ error_exit "Error: Failed to download ibm-z-host-key-gen2.crl."
+ fi
+ fi
 fi
 fi
diff --git a/config/peerpods/podvm/libvirt-podvm-image-cm.yaml b/config/peerpods/podvm/libvirt-podvm-image-cm.yaml
index fe794a45a..35d71397d 100644
--- a/config/peerpods/podvm/libvirt-podvm-image-cm.yaml
+++ b/config/peerpods/podvm/libvirt-podvm-image-cm.yaml
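Review bot: The three `curl -o` calls in the SE_VERIFY branch run without `-f`/`--fail`, so an HTTP 404 or 5xx from the IBM resource link still exits 0 and the HTML error body is written into the .crt/.crl file; the `$? -ne 0` checks only catch transport failures, and the bad file is then baked into the image as trust material for host-key verification. Using `curl -fsSL --proto '=https'` makes HTTP errors fatal and pins the download to HTTPS, and the three identical download/check pairs collapse into one loop, which also removes the `$?` indirection. If lib.sh runs under `set -u` elsewhere, `"$SE_VERIFY"` should be `"${SE_VERIFY:-}"` so an unset variable does not abort the non-SE build — I cannot see the script's shell options from this hunk. The enclosing function and the surrounding HKD `if`/`fi` start outside the hunk.
```shell
# … unchanged: HKD.crt append …
if [[ "${SE_VERIFY:-}" == "true" ]]; then
    # -f: treat HTTP errors as failures so an error page is never saved as a cert/CRL;
    # --proto '=https': refuse any redirect or scheme other than HTTPS.
    se_verify_base="https://www.ibm.com/support/resourcelink/api/content/public"
    for se_file in ibm-z-host-key-signing-gen2.crt DigiCertCA.crt ibm-z-host-key-gen2.crl; do
        curl -fsSL --proto '=https' -o "${podvm_dir}/files/${se_file}" "${se_verify_base}/${se_file}" ||
            error_exit "Error: Failed to download ${se_file}."
    done
fi
```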
@@ -25,6 +25,12 @@ data:
 # To Enable SE for IBM Z
 SE_BOOT: "true"
+
+ # To enable SE verification on IBM Z
+ SE_VERIFY: "true"
 # For Pre-built PodVM images.
 PODVM_IMAGE_URI: "" # eg: oci::quay.io/openshift_sandboxed_containers/libvirt-podvm-image:latest::/image/podvm.qcow2
+
+ # Name of PodVM qcow2 to be built.
+ IMAGE_NAME: "podvm-image"
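Review bot: The new `SE_VERIFY: "true"` default is undocumented beyond "To enable SE verification": the comment should say what is verified and how to get the `--no-verify` build the subject line promises, e.g. `# Download the IBM Z host-key signing certificate chain and CRL and verify HKD.crt against them; set to "false" to build without verification (--no-verify)`. From the lib.sh hunk the download only runs inside the HKD branch, so presumably SE_VERIFY has no effect unless SE_BOOT is "true" — worth stating here, confirm against the SE_BOOT check in lib.sh. The added `IMAGE_NAME: "podvm-image"` key is not mentioned in the commit message and is unrelated to SE verification; either describe it in the message or split it into its own commit.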