packaging: coco-guest-components: Allow building the project

The Confidential Containers guest-components will, in the very short future, be part of the Kata Containers rootfs that's used by the Confidential Containers usecase. This commit introduces the ability to, standalone, build the component locally and as part of our CI, and this can be done by calling: `make coco-guest-components-tarball` Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com> Signed-off-by: Linda Yu <linda.yu@intel.com> Co-authored-by: stevenhorsman <steven@uk.ibm.com> Co-authored-by: Jakob Naucke <jakob.naucke@ibm.com> Co-authored-by: Wang, Arron <arron.wang@intel.com> Co-authored-by: zhouliang121 <liang.a.zhou@linux.alibaba.com> Co-authored-by: Alex Carter <alex.carter@ibm.com> Co-authored-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com> Co-authored-by: Xynnn007 <xynnn@linux.alibaba.com>
2025-08-29 21:03:03 +00:00 · 2024-01-26 14:30:07 +01:00 · 2024-01-26 14:30:07 +01:00 · 644abde35c
commit 644abde35c
parent ee072e8a06
11 changed files with 177 additions and 1 deletions
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@ -32,6 +32,7 @@ jobs:
          - agent-ctl
          - cloud-hypervisor
          - cloud-hypervisor-glibc
+          - coco-guest-components
          - firecracker
          - genpolicy
          - kata-ctl
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@ -28,6 +28,7 @@ jobs:
      matrix:
        asset:
          - agent
+          - coco-guest-components
          - kernel
          - qemu
          - rootfs-image
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@ -88,6 +88,9 @@ agent-opa-tarball: copy-scripts-for-the-agent-build
 agent-ctl-tarball:
 	${MAKE} $@-build

+coco-guest-components-tarball:
+	${MAKE} $@-build
+
 cloud-hypervisor-tarball:
 	${MAKE} $@-build

--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@ -86,6 +86,7 @@ TARGET_BRANCH="${TARGET_BRANCH:-}"
 BUILDER_REGISTRY="${BUILDER_REGISTRY:-}"
 PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}"
 AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER:-}"
+COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-}"
 INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER:-}"
 KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER:-}"
 OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER:-}"
@ -110,6 +111,7 @@ docker run \
 	--env BUILDER_REGISTRY="${BUILDER_REGISTRY}" \
 	--env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY}" \
 	--env AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER}" \
+	--env COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER}" \
 	--env INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER}" \
 	--env KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER}" \
 	--env OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER}" \
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@ -23,6 +23,7 @@ readonly version_file="${repo_root_dir}/VERSION"
 readonly versions_yaml="${repo_root_dir}/versions.yaml"

 readonly agent_builder="${static_build_dir}/agent/build.sh"
+readonly coco_guest_components_builder="${static_build_dir}/coco-guest-components/build.sh"
 readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh"
 readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh"
 readonly kernel_builder="${static_build_dir}/kernel/build.sh"
@ -87,6 +88,7 @@ options:
 	agent-opa
 	agent-ctl
 	boot-image-se
+	coco-guest-components
 	cloud-hypervisor
 	cloud-hypervisor-glibc
 	firecracker
@ -710,6 +712,22 @@ install_agent_opa() {
 	install_agent_helper "yes"
 }

+install_coco_guest_components() {
+	latest_artefact="$(get_from_kata_deps "externals.coco-guest-components.version")-$(get_from_kata_deps "externals.coco-guest-components.toolchain")"
+	latest_builder_image="$(get_coco_guest_components_image_name)"
+
+	install_cached_tarball_component \
+		"${build_target}" \
+		"${latest_artefact}" \
+		"${latest_builder_image}" \
+		"${final_tarball_name}" \
+		"${final_tarball_path}" \
+		&& return 0
+
+	info "build static coco-guest-components"
+	"${coco_guest_components_builder}"
+}
+
 install_tools_helper() {
 	tool=${1}

@ -821,9 +839,11 @@ handle_build() {
 	agent-opa) install_agent_opa ;;

 	agent-ctl) install_agent_ctl ;;
-	
+
 	boot-image-se) install_se_image ;;

+	coco-guest-components) install_coco_guest_components ;;
+
 	cloud-hypervisor) install_clh ;;

 	cloud-hypervisor-glibc) install_clh_glibc ;;
@ -941,6 +961,7 @@ main() {
 		agent-opa
 		agent-ctl
 		cloud-hypervisor
+		coco-guest-components
 		firecracker
 		genpolicy
 		kata-ctl
--- a/tools/packaging/release/release-notes.sh
+++ b/tools/packaging/release/release-notes.sh
@ -151,6 +151,7 @@ used to build the release artefacts.
 The users who want to rebuild the tarballs using exactly the same images can simply use the following environment
 variables:
 * \`AGENT_CONTAINER_BUILDER\`
+* \`COCO_GUEST_COMPONENTS_CONTAINER_BUILDER\`
 * \`KERNEL_CONTAINER_BUILDER\`
 * \`OVMF_CONTAINER_BUILDER\`
 * \`QEMU_CONTAINER_BUILDER\`
--- a/tools/packaging/scripts/lib.sh
+++ b/tools/packaging/scripts/lib.sh
@ -216,3 +216,8 @@ get_agent_image_name() {

 	echo "${BUILDER_REGISTRY}:agent-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})-$(uname -m)"
 }
+
+get_coco_guest_components_image_name() {
+	coco_guest_components_script_dir="${repo_root_dir}/tools/packaging/static-build/coco-guest-components"
+	echo "${BUILDER_REGISTRY}:coco-guest-components-$(get_from_kata_deps "externals.coco-guest-components.toolchain")-$(get_last_modification ${coco_guest_components_script_dir})-$(uname -m)"
+}
--- a/tools/packaging/static-build/coco-guest-components/Dockerfile
+++ b/tools/packaging/static-build/coco-guest-components/Dockerfile
@ -0,0 +1,28 @@
+# Copyright (c) 2024 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+FROM ubuntu:22.04
+ARG RUST_TOOLCHAIN
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN apt-get update && \
+	apt-get --no-install-recommends -y install \
+		binutils \
+		ca-certificates \
+		clang \
+		curl \
+		g++ \
+		gcc \
+		git \
+		gnupg \
+		libssl-dev \
+		make \
+		musl-tools \
+		openssl \
+		perl \
+		protobuf-compiler && \
+	apt-get clean && rm -rf /var/lib/apt/lists/ && \
+    	curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}
--- a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
+++ b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+[ -n "$coco_guest_components_repo" ] || die "failed to get coco-guest-components repo"
+[ -n "$coco_guest_components_version" ] || die "failed to get coco-guest-components version"
+
+[ -d "guest-components" ] && rm -rf  guest-components
+
+init_env() {
+	source "$HOME/.cargo/env"
+
+	export LIBC=gnu
+
+	ARCH=$(uname -m)
+	rust_arch=""
+	case ${ARCH} in
+		"aarch64")
+			rust_arch=${ARCH}
+			;;
+		"ppc64le")
+			rust_arch="powerpc64le"
+			;;
+		"x86_64")
+			rust_arch=${ARCH}
+			;;
+		"s390x")
+			rust_arch=${ARCH}
+			;;
+	esac
+	rustup target add ${rust_arch}-unknown-linux-${LIBC}
+}
+
+build_coco_guest_components_from_source() {
+	echo "build coco-guest-components from source"
+
+	init_env
+
+	git clone --depth 1 ${coco_guest_components_repo} guest-components
+	pushd guest-components
+
+	git fetch --depth=1 origin "${coco_guest_components_version}"
+	git checkout FETCH_HEAD
+
+	TEE_PLATFORM=${TEE_PLATFORM} make build
+	strip target/${rust_arch}-unknown-linux-${LIBC}/release/confidential-data-hub
+	strip target/${rust_arch}-unknown-linux-${LIBC}/release/attestation-agent
+	strip target/${rust_arch}-unknown-linux-${LIBC}/release/api-server-rest
+	TEE_PLATFORM=${TEE_PLATFORM} make install
+	popd
+}
+
+build_coco_guest_components_from_source $@
--- a/tools/packaging/static-build/coco-guest-components/build.sh
+++ b/tools/packaging/static-build/coco-guest-components/build.sh
@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly coco_guest_components_builder="${script_dir}/build-static-coco-guest-components.sh"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+coco_guest_components_repo="${coco_guest_components_repo:-}"
+coco_guest_components_version="${coco_guest_components_version:-}"
+coco_guest_components_toolchain="${coco_guest_components_toolchain:-}"
+package_output_dir="${package_output_dir:-}"
+
+[ -n "${coco_guest_components_repo}" ] || coco_guest_components_repo=$(get_from_kata_deps "externals.coco-guest-components.url")
+[ -n "${coco_guest_components_version}" ] || coco_guest_components_version=$(get_from_kata_deps "externals.coco-guest-components.version")
+[ -n "${coco_guest_components_toolchain}" ] || coco_guest_components_toolchain=$(get_from_kata_deps "externals.coco-guest-components.toolchain")
+
+[ -n "${coco_guest_components_repo}" ] || die "Failed to get coco-guest-components repo"
+[ -n "${coco_guest_components_version}" ] || die "Failed to get coco-guest-components version or commit"
+[ -n "${coco_guest_components_toolchain}" ] || die "Failed to get the rust toolchain to build coco-guest-components"
+
+container_image="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-$(get_coco_guest_components_image_name)}"
+[ "${CROSS_BUILD}" == "true" ] && container_image="${container_image}-cross-build"
+
+sudo docker pull ${container_image} || \
+	(sudo docker $BUILDX build $PLATFORM \
+	    	--build-arg RUST_TOOLCHAIN="${coco_guest_components_toolchain}" \
+		-t "${container_image}" "${script_dir}" && \
+	 # No-op unless PUSH_TO_REGISTRY is exported as "yes"
+	 push_to_registry "${container_image}")
+
+sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
+	-w "${PWD}" \
+	--env TEE_PLATFORM=${TEE_PLATFORM:-all} \
+	--env coco_guest_components_repo="${coco_guest_components_repo}" \
+	--env coco_guest_components_version="${coco_guest_components_version}" \
+	"${container_image}" \
+	bash -c "${coco_guest_components_builder}"
--- a/versions.yaml
+++ b/versions.yaml
@ -207,6 +207,12 @@ externals:
    url: "https://github.com/containernetworking/plugins"
    version: "v1.2.0"

+  coco-guest-components:
+    description: "Provides attested key unwrapping for image decryption"
+    url: "https://github.com/confidential-containers/guest-components/"
+    version: "42b7c9687ecd0907ef70da31cf290a60ee8432cd"
+    toolchain: "1.72.0"
+
  conmon:
    description: "An OCI container runtime monitor"
    url: "https://github.com/containers/conmon"