packaging: guest-components, set new environment variables

- Set KBC_PROVIDER and ATTESTER rather than TEE_PLATFORM to avoid tss build issues for vTPM attester(s) - There are future plans to make a matching TEE_PLATFORM, so this can be simplified once that is available Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-26 07:22:20 +00:00 · 2024-03-18 17:49:16 +00:00 · 2024-03-18 17:49:16 +00:00 · 29a5652e31
commit 29a5652e31
parent a284a20a14
2 changed files with 33 additions and 25 deletions
--- a/tools/packaging/static-build/coco-guest-components/Dockerfile
+++ b/tools/packaging/static-build/coco-guest-components/Dockerfile
@ -1,4 +1,5 @@
 # Copyright (c) 2024 Intel
+# Copyright (c) 2024 IBM Corporation
 #
 # SPDX-License-Identifier: Apache-2.0

@ -7,35 +8,33 @@ ARG RUST_TOOLCHAIN

 ENV DEBIAN_FRONTEND=noninteractive

+# Note - the TDX lib is only available on x86, so there is an arch check in the package install
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN apt-get update && \
 	apt-get --no-install-recommends install -y \
-		ca-certificates \
-		curl \
-		gnupg && \
-		apt-get clean && rm -rf /var/lib/apt/lists/
-RUN if [ "$(uname -m)" == "x86_64" ]; then curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
-		echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
-		apt-get update && \
-		apt-get --no-install-recommends -y install libtdx-attest-dev && \
-		apt-get clean && rm -rf /var/lib/apt/lists/; fi
-RUN apt-get update && \
+	ca-certificates \
+	curl \
+	gnupg && \
+	if [ "$(uname -m)" == "x86_64" ]; then curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
+	echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
+	apt-get update && \
+	apt-get --no-install-recommends -y install libtdx-attest-dev; fi && \
 	apt-get --no-install-recommends -y install \
-		binutils \
-		clang \
-		g++ \
-		gcc \
-		git \
-		libssl-dev \
-		libtss2-dev \
-		make \
-		musl-tools \
-		openssl \
-		perl \
-		pkg-config \
-		protobuf-compiler && \
+	binutils \
+	clang \
+	g++ \
+	gcc \
+	git \
+	libssl-dev \
+	libtss2-dev \
+	make \
+	musl-tools \
+	openssl \
+	perl \
+	pkg-config \
+	protobuf-compiler && \
 	apt-get clean && rm -rf /var/lib/apt/lists/ && \
-    	curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}
+	curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}

 # aarch64 requires this name -- link for all
 RUN ln -s /usr/bin/musl-gcc "/usr/bin/$(uname -m)-linux-musl-gcc"
--- a/tools/packaging/static-build/coco-guest-components/build.sh
+++ b/tools/packaging/static-build/coco-guest-components/build.sh
@ -38,10 +38,19 @@ sudo docker pull ${container_image} || \
 	 # No-op unless PUSH_TO_REGISTRY is exported as "yes"
 	 push_to_registry "${container_image}")

+# Temp settings until we have a matching TEE_PLATFORM
+TEE_PLATFORM=""
+RESOURCE_PROVIDER="kbs,sev"
+ATTESTER="none"
+# snp-attester and tdx-attester crates require packages only available on x86
+[ "$(uname -m)" == "x86_64" ] && ATTESTER="snp-attester,tdx-attester"
+
 sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 	-w "${PWD}" \
 	--env DESTDIR="${DESTDIR}" \
-	--env TEE_PLATFORM=${TEE_PLATFORM:-all} \
+	--env TEE_PLATFORM=${TEE_PLATFORM:+"all"} \
+	--env RESOURCE_PROVIDER=${RESOURCE_PROVIDER:-} \
+	--env ATTESTER=${ATTESTER:-} \
 	--env coco_guest_components_repo="${coco_guest_components_repo}" \
 	--env coco_guest_components_version="${coco_guest_components_version}" \
 	"${container_image}" \