build: add CoCo addon image build and remove CoCo deps from confidential image

Add install_image_coco_addon() to kata-deploy-binaries.sh which:
- Unpacks the CoCo guest components and pause image tarballs into a
  temporary rootfs directory (under the repo root so Docker-in-Docker
  volume mounts resolve correctly)
- Calls image_builder.sh with USE_DOCKER=1, FS_TYPE=erofs,
  MEASURED_ROOTFS=yes, SKIP_DAX_HEADER=yes, and SKIP_ROOTFS_CHECK=yes
  to produce kata-containers-coco-addon.img + root_hash_coco-addon.txt

Add the rootfs-image-coco-addon-tarball Makefile target with
dependencies on pause-image-tarball and coco-guest-components-tarball.

Remove pause-image-tarball and coco-guest-components-tarball from the
standard confidential image dependencies -- those components now live
exclusively in the CoCo addon image.  NVIDIA confidential images
retain them until the NVIDIA addon split lands.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
Fabiano Fidêncio
2026-05-10 19:05:04 +02:00
parent b30b2e0ab5
commit 664c47abe5
3 changed files with 89 additions and 14 deletions


@@ -11,11 +11,11 @@ OS_NAME=ubuntu
# This should be Ubuntu's code name, e.g. "focal" (Focal Fossa) for 20.04
OS_VERSION=${OS_VERSION:-""}
[[ -z "${OS_VERSION}" ]] && echo "OS_VERSION is required, but was not set" && exit 1
PACKAGES="chrony iptables dbus"
PACKAGES="chrony iptables dbus cryptsetup-bin"
# shellcheck disable=SC2154
[[ "${AGENT_INIT}" = no ]] && PACKAGES+=" init"
# CDH secure storage feature requires these tools in the guest
[[ "${CONFIDENTIAL_GUEST:-no}" = "yes" ]] && PACKAGES+=" cryptsetup-bin e2fsprogs"
[[ "${CONFIDENTIAL_GUEST:-no}" = "yes" ]] && PACKAGES+=" e2fsprogs"
# shellcheck disable=SC2154
[[ "${SECCOMP}" = yes ]] && PACKAGES+=" libseccomp2"
[[ "$(uname -m)" = "s390x" ]] && PACKAGES+=" libcurl4 libnghttp2-14"
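Review bot: The `cryptsetup-bin` moved onto the unconditional `PACKAGES="chrony iptables dbus cryptsetup-bin"` line is now installed in every image, confidential or not, but neither the commit message nor the comment above the `CONFIDENTIAL_GUEST` line explains the new requirement, and that comment (`# CDH secure storage feature requires these tools in the guest`) now describes only `e2fsprogs`. If the motivation is that `veritysetup` (shipped in cryptsetup-bin) is needed in the guest to open the dm-verity CoCo addon image, say so next to the package list, e.g. `# cryptsetup-bin provides veritysetup, used to open the dm-verity CoCo addon image`, and narrow the CDH comment to `# CDH secure storage feature requires e2fsprogs in the guest`. Without that, the next reader cannot tell whether a non-confidential image is meant to carry cryptsetup at all.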


@@ -36,6 +36,7 @@ BASE_TARBALLS = serial-targets \
virtiofsd-tarball
BASE_SERIAL_TARBALLS = rootfs-image-tarball \
rootfs-image-confidential-tarball \
rootfs-image-coco-addon-tarball \
rootfs-image-mariner-tarball \
rootfs-initrd-confidential-tarball \
rootfs-initrd-tarball \
@@ -49,6 +50,7 @@ BASE_TARBALLS = serial-targets \
shim-v2-tarball \
virtiofsd-tarball
BASE_SERIAL_TARBALLS = rootfs-image-tarball \
rootfs-image-coco-addon-tarball \
rootfs-initrd-tarball
else ifeq ($(ARCH), aarch64)
BASE_TARBALLS = serial-targets \
@@ -61,6 +63,7 @@ BASE_TARBALLS = serial-targets \
virtiofsd-tarball
BASE_SERIAL_TARBALLS = rootfs-image-tarball \
rootfs-image-confidential-tarball \
rootfs-image-coco-addon-tarball \
rootfs-cca-confidential-image-tarball \
rootfs-cca-confidential-initrd-tarball \
rootfs-initrd-tarball
@@ -187,10 +190,14 @@ DEPS := agent-tarball
rootfs-image-tarball: $(DEPS)
${MAKE} $@-build
DEPS := agent-tarball pause-image-tarball coco-guest-components-tarball kernel-tarball
DEPS := agent-tarball kernel-tarball
rootfs-image-confidential-tarball: $(DEPS)
${MAKE} $@-build
DEPS := pause-image-tarball coco-guest-components-tarball
rootfs-image-coco-addon-tarball: $(DEPS)
${MAKE} $@-build
DEPS := agent-tarball
rootfs-image-mariner-tarball: $(DEPS)
${MAKE} $@-build
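Review bot: The second `BASE_SERIAL_TARBALLS` block (the `@@ -49,6 +50,7 @@` hunk) gains `rootfs-image-coco-addon-tarball` although that list carries no `rootfs-image-confidential-tarball`, so the addon image would be built for an architecture that ships no confidential image to attach it to; the `ifeq` guarding that block starts outside the hunk, so I cannot tell which architecture it is — confirm this is intended rather than a copy of the x86_64 edit. In the last hunk the new `DEPS := pause-image-tarball coco-guest-components-tarball` line for the addon target is consistent with dropping those two from the confidential image, but the `${MAKE} $@-build` recipe relies on a `rootfs-image-coco-addon-tarball-build` rule that is not part of this diff. A one-line comment above the target, e.g. `# CoCo guest components + pause image only; the agent/kernel live in the base confidential image`, would make the intentionally thin dependency list explicit.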


@@ -136,6 +136,7 @@ options:
stratovirt
rootfs-image
rootfs-image-confidential
rootfs-image-coco-addon
rootfs-image-mariner
rootfs-initrd
rootfs-initrd-confidential
@@ -182,7 +183,7 @@ get_kernel_modules_dir() {
}
cleanup_and_fail_shim_v2_specifics() {
for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
local root_hash_file="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/shim-v2-root_hash_${variant}.txt"
[[ -f "${root_hash_file}" ]] && rm -f "${root_hash_file}"
done
@@ -212,7 +213,7 @@ install_cached_shim_v2_tarball_get_root_hash() {
local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
local root_hash_basedir="./opt/kata/share/kata-containers/"
for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
local image_conf_tarball="kata-static-rootfs-image-${variant}.tar.zst"
local tarball_path="${tarball_dir}/${image_conf_tarball}"
local root_hash_path="${root_hash_basedir}root_hash_${variant}.txt"
@@ -232,7 +233,7 @@ install_cached_shim_v2_tarball_compare_root_hashes() {
local found_any=""
local tarball_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
# Skip if one or the other does not exist.
[[ ! -f "${tarball_dir}/root_hash_${variant}.txt" ]] && continue
@@ -433,12 +434,11 @@ install_image() {
latest_artefact+="-$(get_latest_nvidia_ctk_version)"
latest_artefact+="-$(get_latest_nvidia_nvrc_version)"
latest_artefact+="-$(get_latest_nvidia_nvat_version)"
latest_artefact+="-$(get_latest_coco_guest_components_artefact_and_builder_image_version)"
latest_artefact+="-$(get_latest_pause_image_artefact_and_builder_image_version)"
else
latest_artefact+="-$(get_latest_kernel_artefact_and_builder_image_version)"
fi
latest_artefact+="-$(get_latest_coco_guest_components_artefact_and_builder_image_version)"
latest_artefact+="-$(get_latest_pause_image_artefact_and_builder_image_version)"
fi
if [[ "${variant}" == "nvidia-gpu" ]]; then
@@ -462,7 +462,11 @@ install_image() {
info "Create image"
if [[ -n "${variant}" ]]; then
if [[ "${variant}" == *confidential ]]; then
# NVIDIA confidential images still bake CoCo components into the
# rootfs (until the NVIDIA addon split lands). Standard
# confidential images no longer need them -- CoCo components are
# built as a separate addon image (rootfs-image-coco-addon).
if [[ "${variant}" == "nvidia-gpu-confidential" ]]; then
COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
export COCO_GUEST_COMPONENTS_TARBALL
PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
@@ -499,6 +503,10 @@ install_image() {
}
#Install guest image for confidential guests
#
# CoCo guest components are no longer baked into this image.
# They are built separately as a CoCo addon image
# (rootfs-image-coco-addon) and attached as an extra block device.
install_image_confidential() {
export CONFIDENTIAL_GUEST="yes"
if [[ "${ARCH}" == "s390x" ]]; then
@@ -509,6 +517,64 @@ install_image_confidential() {
install_image "confidential"
}
#Install CoCo addon image (erofs+verity, contains CoCo guest components + pause)
install_image_coco_addon() {
local component="rootfs-image-coco-addon"
local coco_last_commit
coco_last_commit="$(get_latest_coco_guest_components_artefact_and_builder_image_version)"
local pause_last_commit
pause_last_commit="$(get_latest_pause_image_artefact_and_builder_image_version)"
latest_artefact="$(get_kata_version)-coco-addon-${coco_last_commit}-${pause_last_commit}"
latest_builder_image=""
install_cached_tarball_component \
"${component}" \
"${latest_artefact}" \
"${latest_builder_image}" \
"${final_tarball_name}" \
"${final_tarball_path}" \
&& return 0
info "Create CoCo addon image"
# Use a temp dir under the repo root so the path is valid both inside
# the outer build-kata-deploy container and in the nested image-builder
# container (Docker-in-Docker mounts use host paths).
local addon_rootfs
addon_rootfs="$(mktemp -d "${repo_root_dir}/.coco-addon-rootfs.XXXX")"
COCO_GUEST_COMPONENTS_TARBALL="$(get_coco_guest_components_tarball_path)"
PAUSE_IMAGE_TARBALL="$(get_pause_image_tarball_path)"
info "Unpacking CoCo guest components into addon rootfs"
tar --zstd -xvf "${COCO_GUEST_COMPONENTS_TARBALL}" -C "${addon_rootfs}"
info "Unpacking pause image into addon rootfs"
tar --zstd -xvf "${PAUSE_IMAGE_TARBALL}" -C "${addon_rootfs}"
local install_dir="${destdir}/${prefix}/share/kata-containers/"
mkdir -p "${install_dir}"
local image_builder="${repo_root_dir}/tools/osbuilder/image-builder/image_builder.sh"
export USE_DOCKER="1"
export BUILD_VARIANT="coco-addon"
export FS_TYPE="erofs"
export MEASURED_ROOTFS="yes"
export SKIP_DAX_HEADER="yes"
export SKIP_ROOTFS_CHECK="yes"
"${image_builder}" -o "${install_dir}/kata-containers-coco-addon.img" "${addon_rootfs}"
if [[ -e "${install_dir}/root_hash_coco-addon.txt" ]]; then
info "Root hash file: ${install_dir}/root_hash_coco-addon.txt"
fi
rm -rf "${addon_rootfs}"
}
#Install cbl-mariner guest image
install_image_mariner() {
export IMAGE_SIZE_ALIGNMENT_MB=2
@@ -1071,7 +1137,7 @@ install_shimv2() {
export MEASURED_ROOTFS
export RUNTIME_CHOICE
for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
local image_conf_tarball
image_conf_tarball="$(find "${workdir}" -maxdepth 1 -name "kata-static-rootfs-image-${variant}.tar.zst" 2>/dev/null | head -n 1)"
# Only one variant may be built at a time so we need to
@@ -1459,6 +1525,8 @@ handle_build() {
rootfs-image-confidential) install_image_confidential ;;
rootfs-image-coco-addon) install_image_coco_addon ;;
rootfs-image-mariner) install_image_mariner ;;
rootfs-initrd) install_initrd ;;
@@ -1526,7 +1594,7 @@ handle_build() {
;;
shim-v2)
if [[ "${MEASURED_ROOTFS}" == "yes" ]]; then
for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
[[ -f "${workdir}/root_hash_${variant}.txt" ]] && mv "${workdir}/root_hash_${variant}.txt" "${workdir}/shim-v2-root_hash_${variant}.txt"
done
fi
@@ -1588,10 +1656,10 @@ handle_build() {
shim-v2)
if [[ "${MEASURED_ROOTFS}" == "yes" ]]; then
local found_any=""
for variant in confidential nvidia-gpu nvidia-gpu-confidential; do
for variant in confidential coco-addon nvidia-gpu nvidia-gpu-confidential; do
# The variants could be built independently we need to check if
# they exist and then push them to the registry
[[ -f "${workdir}/shim-v2-root_hash_${variant}.txt" ]] && files_to_push+=("shim-v2-root_hash_${variant}.txt")
[[ -f "${workdir}/shim-v2-root_hash_${variant}.txt" ]] && files_to_push+=("shim-v2-root_hash_${variant}.txt")
found_any="yes"
done
[[ -z "${found_any}" ]] && die "No files to push for shim-v2 with MEASURED_ROOTFS support"
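Review bot: In install_image_coco_addon (the `@@ -509,6 +517,64 @@` hunk) a missing `root_hash_coco-addon.txt` is only logged when present and never treated as an error, yet the image is built with `MEASURED_ROOTFS="yes"` and the `coco-addon` variant is added to every shim-v2 root-hash loop in this commit, so an addon image without a verity root hash would slip through until the shim-v2 stage. The temporary `addon_rootfs` directory is also removed only on the success path; if `tar` or `image_builder.sh` fails, the `.coco-addon-rootfs.XXXX` directory is left in the repo root (and, if the script runs under `set -e`, nothing gets a chance to clean it). I would fail hard in both cases and release the directory on every path, as below. The `export`s of USE_DOCKER/BUILD_VARIANT/FS_TYPE/MEASURED_ROOTFS/SKIP_* also persist in the calling shell after the function returns, which presumably matters only if one invocation builds several components — worth a comment either way. The `found_any="yes"` in the last hunk is set regardless of whether the file exists, so the `die` below it is unreachable, but that is pre-existing context rather than new code.
```shell
  # … unchanged: cache lookup, tarball unpacking, builder exports …
  if ! "${image_builder}" -o "${install_dir}/kata-containers-coco-addon.img" "${addon_rootfs}"; then
    rm -rf -- "${addon_rootfs}"
    die "CoCo addon image build failed"
  fi
  rm -rf -- "${addon_rootfs}"
  # MEASURED_ROOTFS=yes must yield a root hash; shim-v2 is built against it later.
  [[ -f "${install_dir}/root_hash_coco-addon.txt" ]] || die "root_hash_coco-addon.txt was not produced"
  info "Root hash file: ${install_dir}/root_hash_coco-addon.txt"
```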