diff --git a/tools/packaging/static-build/coco-guest-components/Dockerfile b/tools/packaging/static-build/coco-guest-components/Dockerfile
index cc80da32e7..57a3ce6c60 100644
--- a/tools/packaging/static-build/coco-guest-components/Dockerfile
+++ b/tools/packaging/static-build/coco-guest-components/Dockerfile
@@ -2,27 +2,40 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-FROM ubuntu:22.04
+FROM ubuntu:20.04
 ARG RUST_TOOLCHAIN
 
 ENV DEBIAN_FRONTEND=noninteractive
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN apt-get update && \
+	apt-get --no-install-recommends install -y \
+		ca-certificates \
+		curl \
+		gnupg && \
+		apt-get clean && rm -rf /var/lib/apt/lists/
+RUN if [ "$(uname -m)" == "x86_64" ]; then curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
+		echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
+		apt-get update && \
+		apt-get --no-install-recommends -y install libtdx-attest-dev && \
+		apt-get clean && rm -rf /var/lib/apt/lists/; fi
 RUN apt-get update && \
 	apt-get --no-install-recommends -y install \
 		binutils \
-		ca-certificates \
 		clang \
-		curl \
 		g++ \
 		gcc \
 		git \
-		gnupg \
 		libssl-dev \
+		libtss2-dev \
 		make \
 		musl-tools \
 		openssl \
 		perl \
+		pkg-config \
 		protobuf-compiler && \
 	apt-get clean && rm -rf /var/lib/apt/lists/ && \
     	curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}
+
+# aarch64 requires this name -- link for all
+RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"