osbuilder: Support attestation-agent[cc_kbc] TDX dependencies

attestation-agent depends on tdx-attest-rs when cc_kbc is enabled, which
depends on libtdx-attest.so. Include the dev package in build container,
and the runtime package in the built rootfs.

The build of tdx-attest-sys (which is a dep of tdx-attest-rs) uses
bindgen, which requires libclang so install that in the build container
as well.

We specify the tdx stack DCAP v1.15

Fixes: #6519

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>

tools/osbuilder/rootfs-builder/rootfs.sh

@@ -674,7 +674,7 @@ EOF
 		pushd attestation-agent
 		git fetch --depth=1 origin "${attestation_agent_version}"
 		git checkout FETCH_HEAD
-		[ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ] && LIBC="gnu"
+		( [ "${AA_KBC}" == "eaa_kbc" ] || [ "${AA_KBC}" == "cc_kbc_tdx" ] ) && [ "${ARCH}" == "x86_64" ] && LIBC="gnu"
 		make KBC=${AA_KBC} ttrpc=true && make install DESTDIR="${ROOTFS_DIR}/usr/local/bin/"
 		popd
 	fi

tools/osbuilder/rootfs-builder/ubuntu/config.sh

@@ -37,6 +37,23 @@ RUN echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubu
 	fi
 fi
 
+if [ "${AA_KBC}" == "cc_kbc_tdx" ] && [ "${ARCH}" == "x86_64" ]; then
+	source /etc/os-release
+
+	if [ "${OS_VERSION}" == "focal" ] || [ "${OS_VERSION}" == "20.04" ]; then
+		PACKAGES+=" apt gnupg"
+		AA_KBC_EXTRAS="
+	RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${OS_VERSION} main' \| tee /etc/apt/sources.list.d/intel-sgx.list; \
+		curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \| apt-key add -; \
+		apt-get update; \
+		apt-get install -y libtdx-attest=1.15\* libtdx-attest-dev=1.15\* clang
+	"
+	else
+		echo "libtdx-attest-dev is only provided for Ubuntu 20.04; not for ${OS_VERSION}"
+		exit 1
+	fi
+fi
+
 if [ "$(uname -m)" != "$ARCH" ]; then
 	case "$ARCH" in
 		ppc64le) cc_arch=powerpc64le;;

tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh

@@ -58,6 +58,21 @@ EOF
 		fi
 	fi
 
+	if [ "${AA_KBC}" == "cc_kbc_tdx" ] && [ "${ARCH}" == "x86_64" ]; then
+		source /etc/os-release
+		if [ "${VERSION_ID}" == "20.04" ]; then
+			curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key |  chroot "${rootfs_dir}" apt-key add -
+
+			echo 'deb [arch=amd64] http://security.ubuntu.com/ubuntu focal-security main universe' | tee ${rootfs_dir}/etc/apt/sources.list.d/universe.list
+			echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee ${rootfs_dir}/etc/apt/sources.list.d/intel-sgx.list
+			chroot "${rootfs_dir}" apt-get update && chroot "${rootfs_dir}" apt-get install -y libtdx-attest=1.15\* libtdx-attest-dev=1.15\*
+			echo 'port=4050' | chroot "${rootfs_dir}" tee /etc/tdx-attest.conf
+		else
+			echo "libtdx-attest is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}"
+			exit 1
+		fi
+	fi
+	
 	# Reduce image size and memory footprint by removing unnecessary files and directories.
 	rm -rf $rootfs_dir/usr/share/{bash-completion,bug,doc,info,lintian,locale,man,menu,misc,pixmaps,terminfo,zsh}
 

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -301,7 +301,7 @@ install_cc_se_image() {
 }
 
 install_cc_tdx_image() {
-	AA_KBC="eaa_kbc"
+	AA_KBC="cc_kbc_tdx"
 	image_type="image"
 	image_suffix="tdx"
 	root_hash_suffix="tdx"

tools/packaging/static-build/cache_components.sh

@@ -110,7 +110,7 @@ cache_rootfs_artifacts() {
 	if [ -n "${TEE}" ]; then
 		if [ "${TEE}" == "tdx" ]; then
 			rootfs_tarball_name="kata-static-cc-tdx-rootfs-image.tar.xz"
-			aa_kbc="eaa_kbc"
+			aa_kbc="cc_kbc_tdx"
 			image_type="image"
 			root_hash_vanilla=""
 			root_hash_tdx="${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt"