diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index a7bfc7a022..7427ad2bb1 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -32,6 +32,7 @@ jobs: - agent-ctl - cloud-hypervisor - cloud-hypervisor-glibc + - coco-guest-components - firecracker - genpolicy - kata-ctl diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index 4d0386e052..a735b6aa28 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -28,6 +28,7 @@ jobs: matrix: asset: - agent + - coco-guest-components - kernel - qemu - rootfs-image diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 289cb06d23..a1d5fa5d8c 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -88,6 +88,9 @@ agent-opa-tarball: copy-scripts-for-the-agent-build agent-ctl-tarball: ${MAKE} $@-build +coco-guest-components-tarball: + ${MAKE} $@-build + cloud-hypervisor-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh index 7e7a6d65b7..165c107c6f 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh 
@@ -86,6 +86,7 @@ TARGET_BRANCH="${TARGET_BRANCH:-}" BUILDER_REGISTRY="${BUILDER_REGISTRY:-}" PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}" AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER:-}" +COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-}" INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER:-}" KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER:-}" OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER:-}" @@ -110,6 +111,7 @@ docker run \ --env BUILDER_REGISTRY="${BUILDER_REGISTRY}" \ --env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY}" \ --env AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER}" \ + --env COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER}" \ --env INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER}" \ --env KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER}" \ --env OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER}" \ diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index aa3f397a6d..589711d5c6 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -23,6 +23,7 @@ readonly version_file="${repo_root_dir}/VERSION" readonly versions_yaml="${repo_root_dir}/versions.yaml" readonly agent_builder="${static_build_dir}/agent/build.sh" +readonly coco_guest_components_builder="${static_build_dir}/coco-guest-components/build.sh" readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh" readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh" readonly kernel_builder="${static_build_dir}/kernel/build.sh" @@ -87,6 +88,7 @@ options: agent-opa agent-ctl boot-image-se + coco-guest-components cloud-hypervisor cloud-hypervisor-glibc firecracker 
@@ -710,6 +712,22 @@ install_agent_opa() { install_agent_helper "yes" } +install_coco_guest_components() { + latest_artefact="$(get_from_kata_deps "externals.coco-guest-components.version")-$(get_from_kata_deps "externals.coco-guest-components.toolchain")" + latest_builder_image="$(get_coco_guest_components_image_name)" + + install_cached_tarball_component \ + "${build_target}" \ + "${latest_artefact}" \ + "${latest_builder_image}" \ + "${final_tarball_name}" \ + "${final_tarball_path}" \ + && return 0 + + info "build static coco-guest-components" + "${coco_guest_components_builder}" +} + install_tools_helper() { tool=${1} @@ -821,9 +839,11 @@ handle_build() { agent-opa) install_agent_opa ;; agent-ctl) install_agent_ctl ;; - + boot-image-se) install_se_image ;; + coco-guest-components) install_coco_guest_components ;; + cloud-hypervisor) install_clh ;; cloud-hypervisor-glibc) install_clh_glibc ;; @@ -941,6 +961,7 @@ main() { agent-opa agent-ctl cloud-hypervisor + coco-guest-components firecracker genpolicy kata-ctl diff --git a/tools/packaging/release/release-notes.sh b/tools/packaging/release/release-notes.sh index 734028dc07..13b594cbb5 100755 --- a/tools/packaging/release/release-notes.sh +++ b/tools/packaging/release/release-notes.sh @@ -151,6 +151,7 @@ used to build the release artefacts. The users who want to rebuild the tarballs using exactly the same images can simply use the following environment variables: * \`AGENT_CONTAINER_BUILDER\` +* \`COCO_GUEST_COMPONENTS_CONTAINER_BUILDER\` * \`KERNEL_CONTAINER_BUILDER\` * \`OVMF_CONTAINER_BUILDER\` * \`QEMU_CONTAINER_BUILDER\` diff --git a/tools/packaging/scripts/lib.sh b/tools/packaging/scripts/lib.sh index 7311fb9a0b..5815b7e023 100644 --- a/tools/packaging/scripts/lib.sh +++ b/tools/packaging/scripts/lib.sh 
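Review bot: The `coco-guest-components` entry lands in a different slot in each list touched here: before `cloud-hypervisor` in the `options:` help text and in `handle_build`, but after `cloud-hypervisor` in `main`, and the Makefile and workflow hunks earlier in this commit differ again. These lists are otherwise kept in alphabetical order, and `cloud` sorts before `coco`, so the entry belongs after `cloud-hypervisor-glibc` where that option exists and after `cloud-hypervisor` otherwise. Keeping the same order everywhere makes it easy to check that every list was updated when the next component is added.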
@@ -216,3 +216,8 @@ get_agent_image_name() { echo "${BUILDER_REGISTRY}:agent-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})-$(uname -m)" } + +get_coco_guest_components_image_name() { + coco_guest_components_script_dir="${repo_root_dir}/tools/packaging/static-build/coco-guest-components" + echo "${BUILDER_REGISTRY}:coco-guest-components-$(get_from_kata_deps "externals.coco-guest-components.toolchain")-$(get_last_modification ${coco_guest_components_script_dir})-$(uname -m)" +} diff --git a/tools/packaging/static-build/coco-guest-components/Dockerfile b/tools/packaging/static-build/coco-guest-components/Dockerfile new file mode 100644 index 0000000000..cc80da32e7 --- /dev/null +++ b/tools/packaging/static-build/coco-guest-components/Dockerfile @@ -0,0 +1,28 @@ +# Copyright (c) 2024 Intel +# +# SPDX-License-Identifier: Apache-2.0 + +FROM ubuntu:22.04 +ARG RUST_TOOLCHAIN + +ENV DEBIAN_FRONTEND=noninteractive + +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +RUN apt-get update && \ + apt-get --no-install-recommends -y install \ + binutils \ + ca-certificates \ + clang \ + curl \ + g++ \ + gcc \ + git \ + gnupg \ + libssl-dev \ + make \ + musl-tools \ + openssl \ + perl \ + protobuf-compiler && \ + apt-get clean && rm -rf /var/lib/apt/lists/ && \ + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN} diff --git a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh new file mode 100755 index 0000000000..09afb2c2b0 --- /dev/null +++ b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh 
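Review bot: `coco_guest_components_script_dir` in `get_coco_guest_components_image_name` is assigned without `local`, so every caller that sources lib.sh and invokes this helper keeps the variable in its environment afterwards; `local coco_guest_components_script_dir="${repo_root_dir}/tools/packaging/static-build/coco-guest-components"` avoids that. The unquoted `${coco_guest_components_script_dir}` passed to `get_last_modification` works only because the path contains no whitespace; quoting it is cheap insurance. Whether the sibling helpers in this file follow the same pattern is not visible in the hunk.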
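Review bot: The toolchain is pinned through `RUST_TOOLCHAIN`, but the installer is not: the final `RUN` line executes whatever `https://sh.rustup.rs` serves at image-build time, so the only integrity guarantee on the code that bootstraps the builder is the TLS connection, and two builds of this image from the same tree can differ. Since `get_coco_guest_components_image_name` tags the image by toolchain and script-directory mtime and build.sh prefers `docker pull` over rebuilding, this path is exercised rarely, but it is still the one step in the pipeline with no pin or checksum. A tighter form is to download the `rustup-init` binary for the build architecture together with the checksum rustup publishes next to it, verify it, and run it with `-y --default-toolchain ${RUST_TOOLCHAIN}`; the same consideration applies to `FROM ubuntu:22.04`, which could carry a digest. Whether the other builder Dockerfiles in this tree already do this is not visible here.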
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+[ -n "$coco_guest_components_repo" ] || die "failed to get coco-guest-components repo"
+[ -n "$coco_guest_components_version" ] || die "failed to get coco-guest-components version"
+
+[ -d "guest-components" ] && rm -rf guest-components
+
+init_env() {
+ source "$HOME/.cargo/env"
+
+ export LIBC=gnu
+
+ ARCH=$(uname -m)
+ rust_arch=""
+ case ${ARCH} in
+ "aarch64")
+ rust_arch=${ARCH}
+ ;;
+ "ppc64le")
+ rust_arch="powerpc64le"
+ ;;
+ "x86_64")
+ rust_arch=${ARCH}
+ ;;
+ "s390x")
+ rust_arch=${ARCH}
+ ;;
+ esac
+ rustup target add ${rust_arch}-unknown-linux-${LIBC}
+}
+
+build_coco_guest_components_from_source() {
+ echo "build coco-guest-components from source"
+
+ init_env
+
+ git clone --depth 1 ${coco_guest_components_repo} guest-components
+ pushd guest-components
+
+ git fetch --depth=1 origin "${coco_guest_components_version}"
+ git checkout FETCH_HEAD
+
+ TEE_PLATFORM=${TEE_PLATFORM} make build
+ strip target/${rust_arch}-unknown-linux-${LIBC}/release/confidential-data-hub
+ strip target/${rust_arch}-unknown-linux-${LIBC}/release/attestation-agent
+ strip target/${rust_arch}-unknown-linux-${LIBC}/release/api-server-rest
+ TEE_PLATFORM=${TEE_PLATFORM} make install
+ popd
+}
+
+build_coco_guest_components_from_source $@
diff --git a/tools/packaging/static-build/coco-guest-components/build.sh b/tools/packaging/static-build/coco-guest-components/build.sh
new file mode 100755
index 0000000000..60ede9623b
--- /dev/null
+++ b/tools/packaging/static-build/coco-guest-components/build.sh
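Review bot: The `case ${ARCH} in` block in `init_env` has no default branch, so on any architecture other than the four listed `rust_arch` stays empty and the failure only shows up later as `rustup target add -unknown-linux-gnu`; adding `*) die "unsupported architecture: ${ARCH}" ;;` before `esac` fails early with a usable message (`die` is already used at the top of this script). The script exports `LIBC=gnu` and only ever adds the `*-unknown-linux-gnu` target, so despite the `build-static-` file name the stripped binaries are glibc-linked, and the `musl-tools` package the Dockerfile installs appears unused by this path — confirm which linkage is intended. `build_coco_guest_components_from_source $@` should be `"$@"`; it is harmless today only because the function ignores its arguments.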
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly coco_guest_components_builder="${script_dir}/build-static-coco-guest-components.sh"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+coco_guest_components_repo="${coco_guest_components_repo:-}"
+coco_guest_components_version="${coco_guest_components_version:-}"
+coco_guest_components_toolchain="${coco_guest_components_toolchain:-}"
+package_output_dir="${package_output_dir:-}"
+
+[ -n "${coco_guest_components_repo}" ] || coco_guest_components_repo=$(get_from_kata_deps "externals.coco-guest-components.url")
+[ -n "${coco_guest_components_version}" ] || coco_guest_components_version=$(get_from_kata_deps "externals.coco-guest-components.version")
+[ -n "${coco_guest_components_toolchain}" ] || coco_guest_components_toolchain=$(get_from_kata_deps "externals.coco-guest-components.toolchain")
+
+[ -n "${coco_guest_components_repo}" ] || die "Failed to get coco-guest-components repo"
+[ -n "${coco_guest_components_version}" ] || die "Failed to get coco-guest-components version or commit"
+[ -n "${coco_guest_components_toolchain}" ] || die "Failed to get the rust toolchain to build coco-guest-components"
+
+container_image="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-$(get_coco_guest_components_image_name)}"
+[ "${CROSS_BUILD}" == "true" ] && container_image="${container_image}-cross-build"
+
+sudo docker pull ${container_image} || \
+ (sudo docker $BUILDX build $PLATFORM \
+ --build-arg RUST_TOOLCHAIN="${coco_guest_components_toolchain}" \
+ -t "${container_image}" "${script_dir}" && \
+ # No-op unless PUSH_TO_REGISTRY is exported as "yes"
+ push_to_registry "${container_image}")
+
+sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
+ -w "${PWD}" \
+ --env TEE_PLATFORM=${TEE_PLATFORM:-all} \
+ --env coco_guest_components_repo="${coco_guest_components_repo}" \
+ --env coco_guest_components_version="${coco_guest_components_version}" \
+ "${container_image}" \
+ bash -c "${coco_guest_components_builder}"
diff --git a/versions.yaml b/versions.yaml
index d888613f2a..38f408386f 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -207,6 +207,12 @@ externals:
 url: "https://github.com/containernetworking/plugins"
 version: "v1.2.0"
+ coco-guest-components:
+ description: "Provides attested key unwrapping for image decryption"
+ url: "https://github.com/confidential-containers/guest-components/"
+ version: "42b7c9687ecd0907ef70da31cf290a60ee8432cd"
+ toolchain: "1.72.0"
+
 conmon:
 description: "An OCI container runtime monitor"
 url: "https://github.com/containers/conmon"
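Review bot: With `set -o nounset` in effect, `[ "${CROSS_BUILD}" == "true" ]` and the unquoted `$BUILDX`/`$PLATFORM` in the `docker build` line make the script abort with an unbound-variable error when it is run on its own rather than from `kata-deploy-binaries.sh`, unless lib.sh already defaults them (not visible in this commit). Writing `[ "${CROSS_BUILD:-}" == "true" ]`, `${BUILDX:-}` and `${PLATFORM:-}` keeps the behaviour for callers that export them and makes the standalone invocation work. `package_output_dir` is defaulted near the top of the file but never used here; either drop it or add a comment pointing to where the tarball is actually produced.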