osbuilder: Switch to online_sev_kbc

Adds AA_KBC option in rootfs builder to specify online_sev_kbc into the initrd. Guid and secret type for sev updated in shim makefile to generate default config KBC URI will be specified via kernel_params Also changing the default option for sev in the local build scipts Making sure sev guest kernel module is copied into the initrd. Will also eventually be needed for SNP Fixes: #5650 Signed-off-by: Alex Carter <Alex.Carter@ibm.com>
2025-08-31 08:28:34 +00:00 · 2022-11-11 15:53:19 +00:00
parent 715fd0c933
commit 1b86be65f2
4 changed files with 10 additions and 5 deletions
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -256,8 +256,8 @@ DEFSERVICEOFFLOAD ?= false
 DEFGUESTPREATTESTATION ?= false
 DEFGUESTPREATTESTATIONPROXY ?= localhost:44444
 DEFGUESTPREATTESTATIONKEYSET ?= KEYSET-1
-DEFGUESTPREATTESTATIONSECRETGUID ?= e6f5a162-d67f-4750-a67c-5d065f2a9910
-DEFGUESTPREATTESTATIONSECRETTYPE ?= bundle
+DEFGUESTPREATTESTATIONSECRETGUID ?= 1ee27366-0c87-43a6-af48-28543eaf7cb0
+DEFGUESTPREATTESTATIONSECRETTYPE ?= connection
 DEFSEVCERTCHAIN ?= /opt/sev/cert_chain.cert
 DEFSEVGUESTPOLICY ?= 0

--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -685,6 +685,11 @@ EOF
 			info "Adding agent config for ${AA_KBC}"
 			AA_KBC_PARAMS="offline_sev_kbc::null" envsubst < "${script_dir}/agent-config.toml.in" | tee "${ROOTFS_DIR}/etc/agent-config.toml"
 		fi
+		if [ "${AA_KBC}" == "online_sev_kbc" ]; then
+			info "Adding agent config for ${AA_KBC}"
+			#KBC URI will be specified in the config file via kernel params
+			AA_KBC_PARAMS="online_sev_kbc::123.123.123.123:44444" envsubst < "${script_dir}/agent-config.toml.in" | tee "${ROOTFS_DIR}/etc/agent-config.toml"
+		fi
 		attestation_agent_url="$(get_package_version_from_kata_yaml externals.attestation-agent.url)"
 		attestation_agent_version="$(get_package_version_from_kata_yaml externals.attestation-agent.version)"
 		info "Install attestation-agent with KBC ${AA_KBC}"
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@@ -40,8 +40,8 @@ build_initrd() {
 	export USE_DOCKER=1
 	export AGENT_INIT="yes"
 	# ROOTFS_BUILD_DEST is a Make variable
-
-	if [ "${AA_KBC:-}" == "offline_sev_kbc" ]; then
+	# SNP will also use the SEV guest module
+	if [ "${AA_KBC:-}" == "offline_sev_kbc" | "${AA_KBC:-}" == "online_sev_kbc"]; then
 		config_version=$(get_config_version)
 		kernel_version="$(get_from_kata_deps "assets.kernel.sev.version")"
 		kernel_version=${kernel_version#v}
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -278,7 +278,7 @@ install_cc_image() {
 }

 install_cc_sev_image() {
-	AA_KBC="offline_sev_kbc"
+	AA_KBC="online_sev_kbc"
 	image_type="initrd"
 	install_cc_image "${AA_KBC}" "${image_type}" "sev"
 }