packaging: add built-time support for NVAT

The attestation agent will soon rely on the NVAT rust bindings, which have some built-time dependencies. There is currently no nvattest-dev package, so we need to build from source to get the headers and .so file. Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
2026-05-08 15:50:34 +00:00 · 2026-03-31 21:15:32 +00:00
parent 8944058a5b
commit 78c61459f8
3 changed files with 38 additions and 2 deletions
--- a/tools/packaging/static-build/coco-guest-components/Dockerfile
+++ b/tools/packaging/static-build/coco-guest-components/Dockerfile
@@ -14,7 +14,7 @@ ENV PATH="/opt/cargo/bin/:${PATH}"

 SHELL ["/bin/bash", "-o", "pipefail", "-c"]

-RUN mkdir ${RUSTUP_HOME} ${CARGO_HOME} && chmod -R a+rwX ${RUSTUP_HOME} ${CARGO_HOME}
+RUN mkdir ${RUSTUP_HOME} ${CARGO_HOME}

 RUN apt-get update && \
 	apt-get --no-install-recommends install -y \
@@ -38,6 +38,18 @@ RUN apt-get update && \
 	apt-get clean && rm -rf /var/lib/apt/lists/ && \
 	curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}

+ARG NVAT_VERSION
+RUN if [ "$(uname -m)" = "x86_64" ] && [ -n "${NVAT_VERSION}" ]; then \
+	apt-get update && apt-get --no-install-recommends install -y \
+	build-essential libxml2-dev zlib1g-dev && \
+	tmpdir=$(mktemp -d) && pushd "$tmpdir" && \
+	git clone https://github.com/NVIDIA/attestation-sdk && \
+	pushd attestation-sdk && git fetch --depth=1 origin "${NVAT_VERSION}" && \
+	git checkout FETCH_HEAD && pushd nv-attestation-sdk-cpp && cmake . && make install && \
+	mkdir -p /usr/include && ln -sf /usr/local/include/nvat.h /usr/include/nvat.h && ldconfig && \
+	popd && popd && popd && rm -rf "$tmpdir" && \
+	apt-get clean && rm -rf /var/lib/apt/lists/; fi
+
 ENV LIBC="gnu"
 RUN ARCH=$(uname -m); \
 	rust_arch=""; \
@@ -50,3 +62,5 @@ RUN ARCH=$(uname -m); \
    	esac; \
    	echo "RUST_ARCH=${rust_arch}" > /etc/profile.d/rust.sh; \
 	rustup target add "${rust_arch}-unknown-linux-${LIBC}"
+
+RUN chmod -R a+rwX ${RUSTUP_HOME} ${CARGO_HOME}
--- a/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
+++ b/tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh
@@ -35,6 +35,22 @@ build_coco_guest_components_from_source() {
 	DESTDIR="${DESTDIR}/usr/local/bin" TEE_PLATFORM=${TEE_PLATFORM} make install

 	install -D -m0644 "confidential-data-hub/hub/src/image/ocicrypt_config.json" "${DESTDIR}/etc/ocicrypt_config.json"
+
+	if [ -n "${NV_ATTESTER:-}" ]; then
+		echo "build attestation-agent-nv with nvidia-attester support"
+
+		rm "target/${RUST_ARCH}-unknown-linux-${LIBC}/release/attestation-agent"
+
+		ATTESTER="${NV_ATTESTER}" NVAT_USE_SYSTEM_LIB=1 RUSTFLAGS="-L /usr/local/lib" \
+			DESTDIR="${DESTDIR}/usr/local/bin" TEE_PLATFORM=${TEE_PLATFORM} make build
+		strip "target/${RUST_ARCH}-unknown-linux-${LIBC}/release/attestation-agent"
+		install -D -m0755 "target/${RUST_ARCH}-unknown-linux-${LIBC}/release/attestation-agent" \
+			"${DESTDIR}/usr/local/bin/attestation-agent-nv"
+
+		mkdir -p "${DESTDIR}/usr/local/lib"
+		cp -a /usr/local/lib/libnvat.so* "${DESTDIR}/usr/local/lib/"
+	fi
+
 	popd
 }

--- a/tools/packaging/static-build/coco-guest-components/build.sh
+++ b/tools/packaging/static-build/coco-guest-components/build.sh
@@ -28,12 +28,16 @@ package_output_dir="${package_output_dir:-}"
 [ -n "${coco_guest_components_version}" ] || die "Failed to get coco-guest-components version or commit"
 [ -n "${coco_guest_components_toolchain}" ] || die "Failed to get the rust toolchain to build coco-guest-components"

+nvat_version="${nvat_version:-}"
+[ -n "${nvat_version}" ] || nvat_version=$(get_from_kata_deps ".externals.nvidia.nvat.version" 2>/dev/null || true)
+
 container_image="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-$(get_coco_guest_components_image_name)}"
 [ "${CROSS_BUILD}" == "true" ] && container_image="${container_image}-cross-build"

 docker pull ${container_image} || \
 	(docker $BUILDX build $PLATFORM \
 	    	--build-arg RUST_TOOLCHAIN="${coco_guest_components_toolchain}" \
+		--build-arg NVAT_VERSION="${nvat_version}" \
 		-t "${container_image}" "${script_dir}" && \
 	 # No-op unless PUSH_TO_REGISTRY is exported as "yes"
 	 push_to_registry "${container_image}")
@@ -44,7 +48,8 @@ RESOURCE_PROVIDER="kbs,sev"
 # snp-attester and tdx-attester crates require packages only available on x86
 # se-attester crate requires packages only available on s390x
 case "$(uname -m)" in
-	x86_64) ATTESTER="snp-attester,tdx-attester,nvidia-attester" ;;
+	x86_64) ATTESTER="snp-attester,tdx-attester"
+		NV_ATTESTER="snp-attester,tdx-attester,nvidia-attester" ;;
 	s390x) ATTESTER="se-attester" ;;
 	aarch64) ATTESTER="cca-attester" ;;
 	*) ATTESTER="none" ;;
@@ -56,6 +61,7 @@ docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
 	--env TEE_PLATFORM=${TEE_PLATFORM:+"all"} \
 	--env RESOURCE_PROVIDER=${RESOURCE_PROVIDER:-} \
 	--env ATTESTER=${ATTESTER:-} \
+	--env NV_ATTESTER=${NV_ATTESTER:-} \
 	--env coco_guest_components_repo="${coco_guest_components_repo}" \
 	--env coco_guest_components_version="${coco_guest_components_version}" \
 	--user "$(id -u)":"$(id -g)" \