From 4da31bf2f99704a99ac9455eb0ffc83b8d08a6df Mon Sep 17 00:00:00 2001
From: Xynnn007 <xynnn@linux.alibaba.com>
Date: Tue, 15 Jul 2025 16:32:31 +0800
Subject: [PATCH] agent: deliver initdata toml to attestation agent

Now AA supports to receive initdata toml plaintext and deliver it in the
attestation. This patch creates a file under
'/run/confidential-containers/initdata'
to store the initdata toml and give it to AA process.

When we have a separate component to handle initdata, we will move the
logic to that component.

Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
---
 src/agent/src/initdata.rs | 15 +++++++++++----
 src/agent/src/main.rs     | 10 +++-------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/src/agent/src/initdata.rs b/src/agent/src/initdata.rs
index f7d4b7774e..cd4efa6be2 100644
--- a/src/agent/src/initdata.rs
+++ b/src/agent/src/initdata.rs
@@ -27,6 +27,9 @@ const AA_CONFIG_KEY: &str = "aa.toml";
 const CDH_CONFIG_KEY: &str = "cdh.toml";
 const POLICY_KEY: &str = "policy.rego";
 
+/// The path of initdata toml
+pub const INITDATA_TOML_PATH: &str = concatcp!(INITDATA_PATH, "/initdata.toml");
+
 /// The path of AA's config file
 pub const AA_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/aa.toml");
 
@@ -95,7 +98,7 @@ pub async fn read_initdata(device_path: &str) -> Result<Vec<u8>> {
 }
 
 pub struct InitdataReturnValue {
-    pub digest: Vec<u8>,
+    pub _digest: Vec<u8>,
     pub _policy: Option<String>,
 }
 
@@ -122,7 +125,11 @@ pub async fn initialize_initdata(logger: &Logger) -> Result<Option<InitdataRetur
     info!(logger, "Initdata version: {}", initdata.version());
     initdata.validate()?;
 
-    let digest = match initdata.algorithm() {
+    tokio::fs::write(INITDATA_TOML_PATH, &initdata_content)
+        .await
+        .context("write initdata toml failed")?;
+
+    let _digest = match initdata.algorithm() {
         "sha256" => Sha256::digest(&initdata_content).to_vec(),
         "sha384" => Sha384::digest(&initdata_content).to_vec(),
         "sha512" => Sha512::digest(&initdata_content).to_vec(),
@@ -143,10 +150,10 @@ pub async fn initialize_initdata(logger: &Logger) -> Result<Option<InitdataRetur
         info!(logger, "write CDH config from initdata");
     }
 
-    debug!(logger, "Initdata digest: {}", STANDARD.encode(&digest));
+    debug!(logger, "Initdata digest: {}", STANDARD.encode(&_digest));
 
     let res = InitdataReturnValue {
-        digest,
+        _digest,
         _policy: initdata.get_coco_data(POLICY_KEY).cloned(),
     };
 
diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs
index 82d9798d3b..288c9a0d79 100644
--- a/src/agent/src/main.rs
+++ b/src/agent/src/main.rs
@@ -19,7 +19,6 @@ extern crate scopeguard;
 extern crate slog;
 
 use anyhow::{anyhow, bail, Context, Result};
-use base64::Engine;
 use cfg_if::cfg_if;
 use clap::Parser;
 use const_format::concatcp;
@@ -485,12 +484,9 @@ async fn launch_guest_component_procs(
 
     debug!(logger, "spawning attestation-agent process {}", AA_PATH);
     let mut aa_args = vec!["--attestation_sock", AA_ATTESTATION_URI];
-    let initdata_parameter;
-    if let Some(initdata_return_value) = initdata_return_value {
-        initdata_parameter =
-            base64::engine::general_purpose::STANDARD.encode(&initdata_return_value.digest);
-        aa_args.push("--initdata");
-        aa_args.push(&initdata_parameter);
+    if initdata_return_value.is_some() {
+        aa_args.push("--initdata-toml");
+        aa_args.push(initdata::INITDATA_TOML_PATH);
     }
 
     launch_process(