From 1b86be65f2205590943bbbe52b912abd818e9604 Mon Sep 17 00:00:00 2001
From: Alex Carter
Date: Fri, 11 Nov 2022 15:53:19 +0000
Subject: [PATCH] osbuilder: Switch to online_sev_kbc

Adds AA_KBC option in rootfs builder to specify online_sev_kbc into the initrd. Guid and secret type for sev updated in shim makefile to generate default config KBC URI will be specified via kernel_params Also changing the default option for sev in the local build scipts Making sure sev guest kernel module is copied into the initrd. Will also eventually be needed for SNP
Fixes: #5650
Signed-off-by: Alex Carter
---
 src/runtime/Makefile | 4 ++--
 tools/osbuilder/rootfs-builder/rootfs.sh | 5 +++++
 tools/packaging/guest-image/build_image.sh | 4 ++--
 .../kata-deploy/local-build/kata-deploy-binaries.sh | 2 +-
 4 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/runtime/Makefile b/src/runtime/Makefile
index 8b73e797ca..c04ef8a037 100644
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -256,8 +256,8 @@ DEFSERVICEOFFLOAD ?= false
 DEFGUESTPREATTESTATION ?= false
 DEFGUESTPREATTESTATIONPROXY ?= localhost:44444
 DEFGUESTPREATTESTATIONKEYSET ?= KEYSET-1
-DEFGUESTPREATTESTATIONSECRETGUID ?= e6f5a162-d67f-4750-a67c-5d065f2a9910
-DEFGUESTPREATTESTATIONSECRETTYPE ?= bundle
+DEFGUESTPREATTESTATIONSECRETGUID ?= 1ee27366-0c87-43a6-af48-28543eaf7cb0
+DEFGUESTPREATTESTATIONSECRETTYPE ?= connection
 DEFSEVCERTCHAIN ?= /opt/sev/cert_chain.cert
 DEFSEVGUESTPOLICY ?= 0
 
diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh
index 7d40c29d93..cb318fda56 100755
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@@ -685,6 +685,11 @@ EOF
 info "Adding agent config for ${AA_KBC}"
 AA_KBC_PARAMS="offline_sev_kbc::null" envsubst < "${script_dir}/agent-config.toml.in" | tee "${ROOTFS_DIR}/etc/agent-config.toml"
 fi
+ if [ "${AA_KBC}" == "online_sev_kbc" ]; then
+ info "Adding agent config for ${AA_KBC}"
+ #KBC URI will be specified in the config file via kernel params
+ AA_KBC_PARAMS="online_sev_kbc::123.123.123.123:44444" envsubst < "${script_dir}/agent-config.toml.in" | tee "${ROOTFS_DIR}/etc/agent-config.toml"
+ fi
 attestation_agent_url="$(get_package_version_from_kata_yaml externals.attestation-agent.url)"
 attestation_agent_version="$(get_package_version_from_kata_yaml externals.attestation-agent.version)"
 info "Install attestation-agent with KBC ${AA_KBC}"
diff --git a/tools/packaging/guest-image/build_image.sh b/tools/packaging/guest-image/build_image.sh
index 73cae72adf..ae4548e2eb 100755
--- a/tools/packaging/guest-image/build_image.sh
+++ b/tools/packaging/guest-image/build_image.sh
@@ -40,8 +40,8 @@ build_initrd() {
 export USE_DOCKER=1
 export AGENT_INIT="yes"
 # ROOTFS_BUILD_DEST is a Make variable
-
- if [ "${AA_KBC:-}" == "offline_sev_kbc" ]; then
+ # SNP will also use the SEV guest module
+ if [ "${AA_KBC:-}" == "offline_sev_kbc" | "${AA_KBC:-}" == "online_sev_kbc"]; then
 config_version=$(get_config_version)
 kernel_version="$(get_from_kata_deps "assets.kernel.sev.version")"
 kernel_version=${kernel_version#v}
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 21294aa109..608631912a 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -278,7 +278,7 @@ install_cc_image() {
 }
 
 install_cc_sev_image() {
- AA_KBC="offline_sev_kbc"
+ AA_KBC="online_sev_kbc"
 image_type="initrd"
 install_cc_image "${AA_KBC}" "${image_type}" "sev"
 }
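Review bot: The placeholder `123.123.123.123:44444` written into agent-config.toml by the new AA_KBC_PARAMS line is a routable public address, so if the kernel_params override that the comment relies on is ever missing, the agent in the initrd would try to reach a host this project does not control. Prefer an address reserved for documentation, e.g. `AA_KBC_PARAMS="online_sev_kbc::192.0.2.1:44444" envsubst < "${script_dir}/agent-config.toml.in" | tee "${ROOTFS_DIR}/etc/agent-config.toml"`, and make the comment say why: `# Placeholder only (RFC 5737 documentation range); the real KBC URI is supplied through kernel_params`. The added block otherwise duplicates the offline_sev_kbc block just above it apart from the params string, so the two could share one branch with the string selected by `case "${AA_KBC}"`. The enclosing function starts and ends outside the hunk.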
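Review bot: The rewritten condition in build_initrd does not express the OR the comment above it intends: inside `[ ... ]` the `|` is a shell pipe, so the line runs `[ "${AA_KBC:-}" == "offline_sev_kbc"` (which fails for lack of a closing `]`) piped into a command named after the value of AA_KBC, and the missing space before the final `]` would break the test even with the pipe fixed. The result is that the branch copying the SEV guest kernel module is skipped for both KBCs, silently undoing what the commit message says it ensures. Use two tests joined with `||`: `if [ "${AA_KBC:-}" == "offline_sev_kbc" ] || [ "${AA_KBC:-}" == "online_sev_kbc" ]; then`. build_initrd's body continues past the end of the hunk.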