agent: cdh: Update CDH and API

With the new CDH version, the secure_mount API changes. Further, the new CDH version no longer uses the luks-encrypt-storage script but utilizes libcryptsetup as well as mkfs.ext4 and dd. Hence, adapt some of the CDH and Kata components build steps Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-03-17 18:22:14 +00:00 · 2026-02-05 11:58:46 -08:00
parent ef5db0a01f
commit 169f92ff09
7 changed files with 24 additions and 11 deletions
--- a/src/agent/src/rpc.rs
+++ b/src/agent/src/rpc.rs
@@ -2317,8 +2317,13 @@ async fn cdh_handler_trusted_storage(oci: &mut Spec) -> Result<()> {
        for specdev in devices.iter() {
            if specdev.path().as_path().to_str() == Some(TRUSTED_IMAGE_STORAGE_DEVICE) {
                let dev_major_minor = format!("{}:{}", specdev.major(), specdev.minor());
-                cdh_secure_mount("BlockDevice", &dev_major_minor, "LUKS", KATA_IMAGE_WORK_DIR)
-                    .await?;
+                cdh_secure_mount(
+                    "block-device",
+                    &dev_major_minor,
+                    "luks2",
+                    KATA_IMAGE_WORK_DIR,
+                )
+                .await?;
                break;
            }
        }
@@ -2349,10 +2354,21 @@ pub(crate) async fn cdh_secure_mount(

    let options = std::collections::HashMap::from([
        ("deviceId".to_string(), device_id.to_string()),
-        ("encryptType".to_string(), encrypt_type.to_string()),
+        ("sourceType".to_string(), "empty".to_string()),
+        ("targetType".to_string(), "fileSystem".to_string()),
+        ("filesystemType".to_string(), "ext4".to_string()),
+        ("mkfsOpts".to_string(), "-E lazy_journal_init".to_string()),
+        ("encryptionType".to_string(), encrypt_type.to_string()),
        ("dataIntegrity".to_string(), integrity),
    ]);

+    std::fs::create_dir_all(mount_point).inspect_err(|e| {
+        error!(
+            sl(),
+            "Failed to create mount point directory {}: {:?}", mount_point, e
+        );
+    })?;
+
    confidential_data_hub::secure_mount(device_type, &options, vec![], mount_point).await?;

    Ok(())
--- a/src/agent/src/storage/block_handler.rs
+++ b/src/agent/src/storage/block_handler.rs
@@ -59,7 +59,8 @@ async fn handle_block_storage(
        .contains(&"encryption_key=ephemeral".to_string());

    if has_ephemeral_encryption {
-        crate::rpc::cdh_secure_mount("BlockDevice", dev_num, "LUKS", &storage.mount_point).await?;
+        crate::rpc::cdh_secure_mount("block-device", dev_num, "luks2", &storage.mount_point)
+            .await?;
        set_ownership(logger, storage)?;
        new_device(storage.mount_point.clone())
    } else {
--- a/src/libs/protocols/protos/confidential_data_hub.proto
+++ b/src/libs/protocols/protos/confidential_data_hub.proto
@@ -24,9 +24,7 @@ message SecureMountRequest {
    string mount_point = 4;
 }

-message SecureMountResponse {
-    string mount_path = 1;
-}
+message SecureMountResponse {}

 message ImagePullRequest {
    // - `image_url`: The reference of the image to pull
--- a/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/nvidia/nvidia_rootfs.sh
@@ -329,8 +329,6 @@ coco_guest_components() {
 	mkdir -p "${pause_dir}/rootfs"
 	cp -a "${stage_one}/${pause_dir}"/config.json  "${pause_dir}/."
 	cp -a "${stage_one}/${pause_dir}"/rootfs/pause "${pause_dir}/rootfs/."
-
-	info "TODO: nvidia: luks-encrypt-storage is a bash script, we do not have a shell!"
 }

 setup_nvidia_gpu_rootfs_stage_two() {
--- a/tools/packaging/static-build/coco-guest-components/Dockerfile
+++ b/tools/packaging/static-build/coco-guest-components/Dockerfile
@@ -25,6 +25,7 @@ RUN apt-get update && \
 	g++ \
 	gcc \
 	git \
+	libcryptsetup-dev \
 	libssl-dev \
 	libtss2-dev \
 	make \
--- a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
+++ b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
@@ -34,7 +34,6 @@ build_coco_guest_components_from_source() {
 	strip "target/${RUST_ARCH}-unknown-linux-${LIBC}/release/api-server-rest"
 	DESTDIR="${DESTDIR}/usr/local/bin" TEE_PLATFORM=${TEE_PLATFORM} make install

-	install -D -m0755 "confidential-data-hub/hub/src/storage/scripts/luks-encrypt-storage" "${DESTDIR}/usr/local/bin/luks-encrypt-storage"
 	install -D -m0644 "confidential-data-hub/hub/src/image/ocicrypt_config.json" "${DESTDIR}/etc/ocicrypt_config.json"
 	popd
 }
--- a/versions.yaml
+++ b/versions.yaml
@@ -288,7 +288,7 @@ externals:
  coco-guest-components:
    description: "Provides attested key unwrapping for image decryption"
    url: "https://github.com/confidential-containers/guest-components/"
-    version: "9aae2eae6a03ab97d6561bbe74f8b99843836bba"
+    version: "ab95914ac84c32a43102463cc0ae330710af47be"
    toolchain: "1.90.0"

  coco-trustee: