diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index f7e992e930..eceb4f0316 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -674,7 +674,7 @@ EOF
 pushd attestation-agent
 git fetch --depth=1 origin "${attestation_agent_version}"
 git checkout FETCH_HEAD
- [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ] && LIBC="gnu"
+ ( [ "${AA_KBC}" == "eaa_kbc" ] || [ "${AA_KBC}" == "cc_kbc_tdx" ] ) && [ "${ARCH}" == "x86_64" ] && LIBC="gnu"
 make KBC=${AA_KBC} ttrpc=true && make install DESTDIR="${ROOTFS_DIR}/usr/local/bin/"
 popd
 fi
diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
index e66bb137be..5356dfdca0 100644
--- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh
+++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh
@@ -37,6 +37,23 @@ RUN echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubu
 fi
 fi
+if [ "${AA_KBC}" == "cc_kbc_tdx" ] && [ "${ARCH}" == "x86_64" ]; then
+ source /etc/os-release
+
+ if [ "${OS_VERSION}" == "focal" ] || [ "${OS_VERSION}" == "20.04" ]; then
+ PACKAGES+=" apt gnupg"
+ AA_KBC_EXTRAS="
+ RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${OS_VERSION} main' \| tee /etc/apt/sources.list.d/intel-sgx.list; \
+ curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \| apt-key add -; \
+ apt-get update; \
+ apt-get install -y libtdx-attest=1.15\* libtdx-attest-dev=1.15\* clang
+ "
+ else
+ echo "libtdx-attest-dev is only provided for Ubuntu 20.04; not for ${OS_VERSION}"
+ exit 1
+ fi
+fi
+
 if [ "$(uname -m)" != "$ARCH" ]; then
 case "$ARCH" in
 ppc64le) cc_arch=powerpc64le;;
diff --git a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh
index bae240fa71..cb13c6ba3a 100644
--- a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh
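Review bot: The new condition in rootfs.sh groups the two `AA_KBC` tests with `( … )`, which forks a subshell only to combine two exit statuses. A brace group does the same in the current shell: `{ [ "${AA_KBC}" == "eaa_kbc" ] || [ "${AA_KBC}" == "cc_kbc_tdx" ]; } && [ "${ARCH}" == "x86_64" ] && LIBC="gnu"`. The enclosing block starts and ends outside the hunk.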
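Review bot: In the ubuntu/config.sh hunk the Intel SGX signing key goes from `curl -L` straight into `apt-key add -`, so whatever the server returns becomes a key trusted for every configured repository and nothing compares it with a known fingerprint; the ubuntu/rootfs_lib.sh hunk repeats the pattern. Because these are the TDX attestation libraries, I would fetch with `curl -fsSL`, check the key against a fingerprint pinned in the repo (`<EXPECTED_KEY_FINGERPRINT>`), store it as a dedicated keyring and scope it with `deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] …` rather than `apt-key`. The RUN steps are also chained with `;`, so a failed key import or `apt-get update` does not stop the step on its own. Separately, the branch sources `/etc/os-release` but then tests `${OS_VERSION}`, which is not one of the standard os-release fields, so the `source` looks unused here and may overwrite variables such as `NAME` or `VERSION`; worth confirming.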
+++ b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh
@@ -58,6 +58,21 @@ EOF
 fi
 fi
+ if [ "${AA_KBC}" == "cc_kbc_tdx" ] && [ "${ARCH}" == "x86_64" ]; then
+ source /etc/os-release
+ if [ "${VERSION_ID}" == "20.04" ]; then
+ curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | chroot "${rootfs_dir}" apt-key add -
+
+ echo 'deb [arch=amd64] http://security.ubuntu.com/ubuntu focal-security main universe' | tee ${rootfs_dir}/etc/apt/sources.list.d/universe.list
+ echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee ${rootfs_dir}/etc/apt/sources.list.d/intel-sgx.list
+ chroot "${rootfs_dir}" apt-get update && chroot "${rootfs_dir}" apt-get install -y libtdx-attest=1.15\* libtdx-attest-dev=1.15\*
+ echo 'port=4050' | chroot "${rootfs_dir}" tee /etc/tdx-attest.conf
+ else
+ echo "libtdx-attest is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}"
+ exit 1
+ fi
+ fi
+
 # Reduce image size and memory footprint by removing unnecessary files and directories.
 rm -rf $rootfs_dir/usr/share/{bash-completion,bug,doc,info,lintian,locale,man,menu,misc,pixmaps,terminfo,zsh}
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 18ac9aed93..92a0152450 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -301,7 +301,7 @@ install_cc_se_image() {
 }
 install_cc_tdx_image() {
- AA_KBC="eaa_kbc"
+ AA_KBC="cc_kbc_tdx"
 image_type="image"
 image_suffix="tdx"
 root_hash_suffix="tdx"
diff --git a/tools/packaging/static-build/cache_components.sh b/tools/packaging/static-build/cache_components.sh
index ef223b1c2a..5d7f292556 100755
--- a/tools/packaging/static-build/cache_components.sh
+++ b/tools/packaging/static-build/cache_components.sh
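Review bot: In the ubuntu/rootfs_lib.sh hunk the Intel repository entry, the extra `universe.list` entry and the imported apt key are written into `${rootfs_dir}` and never removed, so they ship in the guest image. After the install I would drop them, e.g. `rm -f "${rootfs_dir}"/etc/apt/sources.list.d/{intel-sgx,universe}.list`, and install only `libtdx-attest` there unless the `-dev` package is really needed at runtime. The version gate reads `VERSION_ID` from the build environment's `/etc/os-release` while the sources lines hard-code `focal`, so it checks the builder rather than the rootfs being populated; presumably the two match, but sourcing `"${rootfs_dir}/etc/os-release"` would make that explicit. In `chroot … apt-get update && chroot … apt-get install`, a failing `update` is not caught by `set -e` (if the script relies on it), and `curl -L … | chroot … apt-key add -` hides a curl failure without `pipefail`. The enclosing function starts and ends outside the hunk.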
@@ -110,7 +110,7 @@ cache_rootfs_artifacts() {
 if [ -n "${TEE}" ]; then
 if [ "${TEE}" == "tdx" ]; then
 rootfs_tarball_name="kata-static-cc-tdx-rootfs-image.tar.xz"
- aa_kbc="eaa_kbc"
+ aa_kbc="cc_kbc_tdx"
 image_type="image"
 root_hash_vanilla=""
 root_hash_tdx="${repo_root_dir}/tools/osbuilder/root_hash_tdx.txt"