Merge pull request #5651 from Alex-Carter01/online-sev-kbc

osbuilder: Switch to online_sev_kbc
2025-08-14 06:06:12 +00:00 · 2023-01-04 14:41:59 +01:00 · 2023-01-04 14:41:59 +01:00 · 3db9100a5c
commit 3db9100a5c
parent de999429ce 1b86be65f2
4 changed files with 10 additions and 5 deletions
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@ -256,8 +256,8 @@ DEFSERVICEOFFLOAD ?= false
 DEFGUESTPREATTESTATION ?= false
 DEFGUESTPREATTESTATIONPROXY ?= localhost:44444
 DEFGUESTPREATTESTATIONKEYSET ?= KEYSET-1
-DEFGUESTPREATTESTATIONSECRETGUID ?= e6f5a162-d67f-4750-a67c-5d065f2a9910
-DEFGUESTPREATTESTATIONSECRETTYPE ?= bundle
+DEFGUESTPREATTESTATIONSECRETGUID ?= 1ee27366-0c87-43a6-af48-28543eaf7cb0
+DEFGUESTPREATTESTATIONSECRETTYPE ?= connection
 DEFSEVCERTCHAIN ?= /opt/sev/cert_chain.cert
 DEFSEVGUESTPOLICY ?= 0

--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@ -685,6 +685,11 @@ EOF
 			info "Adding agent config for ${AA_KBC}"
 			AA_KBC_PARAMS="offline_sev_kbc::null" envsubst < "${script_dir}/agent-config.toml.in" | tee "${ROOTFS_DIR}/etc/agent-config.toml"
 		fi
+		if [ "${AA_KBC}" == "online_sev_kbc" ]; then
+			info "Adding agent config for ${AA_KBC}"
+			#KBC URI will be specified in the config file via kernel params
+			AA_KBC_PARAMS="online_sev_kbc::123.123.123.123:44444" envsubst < "${script_dir}/agent-config.toml.in" | tee "${ROOTFS_DIR}/etc/agent-config.toml"
+		fi
 		attestation_agent_url="$(get_package_version_from_kata_yaml externals.attestation-agent.url)"
 		attestation_agent_version="$(get_package_version_from_kata_yaml externals.attestation-agent.version)"
 		info "Install attestation-agent with KBC ${AA_KBC}"
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@ -40,8 +40,8 @@ build_initrd() {
 	export USE_DOCKER=1
 	export AGENT_INIT="yes"
 	# ROOTFS_BUILD_DEST is a Make variable
-
-	if [ "${AA_KBC:-}" == "offline_sev_kbc" ]; then
+	# SNP will also use the SEV guest module
+	if [ "${AA_KBC:-}" == "offline_sev_kbc" | "${AA_KBC:-}" == "online_sev_kbc"]; then
 		config_version=$(get_config_version)
 		kernel_version="$(get_from_kata_deps "assets.kernel.sev.version")"
 		kernel_version=${kernel_version#v}
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@ -278,7 +278,7 @@ install_cc_image() {
 }

 install_cc_sev_image() {
-	AA_KBC="offline_sev_kbc"
+	AA_KBC="online_sev_kbc"
 	image_type="initrd"
 	install_cc_image "${AA_KBC}" "${image_type}" "sev"
 }