From 30990872f149e4f68d071624f0e5d68f0d5932d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 24 Oct 2022 13:12:44 +0200 Subject: [PATCH 1/3] ubuntu: Ensure RATS-TLS is only installed on 20.04 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We're currently using Ubuntu 20.04 as the base for the Ubuntu rootfs, meaning that right now there's no issue with the approach currently taken. However, if we do a bump of an Ubuntu version, we could face issues as the rats-tls package is only provided for Ubuntu 20.04. Signed-off-by: Fabiano FidĂȘncio --- tools/osbuilder/rootfs-builder/ubuntu/config.sh | 14 ++++++++++---- .../osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh | 12 +++++++++--- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh index 4311660a69..40692c9c00 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh 
@@ -21,13 +21,19 @@ case "$ARCH" in esac if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then - PACKAGES+=" apt gnupg" - AA_KBC_EXTRAS=" -RUN echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04 bionic main' \| tee /etc/apt/sources.list.d/inclavare-containers.list; \ - curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04/DEB-GPG-KEY.key \| apt-key add -; \ + source /etc/os-release + + if [ "${VERSION_ID}" == "20.04" ]; then + PACKAGES+=" apt gnupg" + AA_KBC_EXTRAS=" +RUN echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID} bionic main' \| tee /etc/apt/sources.list.d/inclavare-containers.list; \ + curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID}/DEB-GPG-KEY.key \| apt-key add -; \ apt-get update; \ apt-get install -y rats-tls " + else + echo "rats-tls is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}" + fi fi if [ "$(uname -m)" != "$ARCH" ]; then diff --git a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh index 90c13dd0a0..8c617cd4b5 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh 
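Review bot: The `else` branch added at the end of this hunk only prints `rats-tls is only provided for Ubuntu 20.04, …` to stdout and lets the build continue, so an image requested with `AA_KBC=eaa_kbc` on a non-20.04 base is silently produced without rats-tls and the message is easy to lose in build output; the same pattern is in the rootfs_lib.sh hunk of this patch and in both hunks of PATCH 3/3. Sending the message to stderr and aborting, `echo "rats-tls is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}" >&2; exit 1` (or the osbuilder's `die` helper, if config.sh has one in scope), turns the unsupported combination into an explicit build failure instead of a silent downgrade. Separately, the commands in the `AA_KBC_EXTRAS` RUN chain are joined with `;`, so a failed key import or `apt-get update` does not stop `apt-get install -y rats-tls`; joining them with `&&` makes the Dockerfile step fail at the first error. Finally, the repository signing key is fetched over plain `http://` and imported with `apt-key add -`, so the trust anchor itself arrives without integrity protection and then vouches for every repository; fetching it over https (or shipping the key in-tree) and referencing it with `signed-by=` in the sources entry limits that key to this repository — this applies equally to the rootfs_lib.sh hunk below.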
@@ -34,11 +34,17 @@ EOF rm -rf $rootfs_dir/usr/share/{bash-completion,bug,doc,info,lintian,locale,man,menu,misc,pixmaps,terminfo,zsh} if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then - curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04/DEB-GPG-KEY.key | chroot "$rootfs_dir" apt-key add - - cat << EOF | chroot "$rootfs_dir" -echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu20.04 bionic main' | tee /etc/apt/sources.list.d/inclavare-containers.list + source /etc/os-release + + if [ "${VERSION_ID}" == "20.04" ]; then + curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID}/DEB-GPG-KEY.key | chroot "$rootfs_dir" apt-key add - + cat << EOF | chroot "$rootfs_dir" +echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID} bionic main' | tee /etc/apt/sources.list.d/inclavare-containers.list apt-get update apt-get install -y rats-tls EOF + else + echo "rats-tls is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}" + fi fi } From 5885f005f106ea1769ec34c450a89d107b0ac427 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 31 Oct 2022 10:46:41 +0100 Subject: [PATCH 2/3] ubuntu: 20.04 is focal, not bionic MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's use the correct OS version name for Ubuntu 20.04. Signed-off-by: Fabiano FidĂȘncio --- tools/osbuilder/rootfs-builder/ubuntu/config.sh | 2 +- tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh index 40692c9c00..4375cdf63a 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh 
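Review bot: `source /etc/os-release` at the top of the added block reads the release file of the environment running the script, while the packages are installed through `chroot "$rootfs_dir"`, so the `20.04` check is made against the builder rather than the rootfs that receives rats-tls; the two coincide only as long as the build container is itself 20.04, which the commit message notes is the current situation. Reading the target's file in a subshell keeps the check tied to the rootfs and avoids importing NAME, ID, VERSION and the other os-release fields into the script's namespace: `rootfs_version_id=$(. "${rootfs_dir}/etc/os-release" && echo "${VERSION_ID}")` followed by `if [ "${rootfs_version_id}" == "20.04" ]; then`. The `curl -L … | chroot "$rootfs_dir" apt-key add -` line also lacks `-f`, so on an HTTP error curl pipes the server's error body into apt-key instead of failing; `curl -fsSL` makes the download error visible as a non-zero status. The enclosing function's opening line is outside the hunk.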
@@ -26,7 +26,7 @@ if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then if [ "${VERSION_ID}" == "20.04" ]; then PACKAGES+=" apt gnupg" AA_KBC_EXTRAS=" -RUN echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID} bionic main' \| tee /etc/apt/sources.list.d/inclavare-containers.list; \ +RUN echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID} ${OS_VERSION} main' \| tee /etc/apt/sources.list.d/inclavare-containers.list; \ curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID}/DEB-GPG-KEY.key \| apt-key add -; \ apt-get update; \ apt-get install -y rats-tls diff --git a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh index 8c617cd4b5..c32660431b 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh @@ -39,7 +39,7 @@ EOF if [ "${VERSION_ID}" == "20.04" ]; then curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID}/DEB-GPG-KEY.key | chroot "$rootfs_dir" apt-key add - cat << EOF | chroot "$rootfs_dir" -echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID} bionic main' | tee /etc/apt/sources.list.d/inclavare-containers.list +echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID} focal main' | tee /etc/apt/sources.list.d/inclavare-containers.list apt-get update apt-get install -y rats-tls EOF From a1571721ddc847d654d24c8ce6a13c5b4f70d203 Mon Sep 17 00:00:00 2001 
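Review bot: The two hunks of this patch fix the same string differently: config.sh substitutes `${OS_VERSION}` into the sources entry while the rootfs_lib.sh hunk hard-codes `focal`, so the Dockerfile path and the chroot path will drift apart at the next Ubuntu bump even though both are guarded by the same `VERSION_ID == "20.04"` test. If `OS_VERSION` is not set at the point config.sh is sourced (its definition is not visible here), the entry degrades to `ubuntu20.04  main`, which apt rejects; asserting it first, `: "${OS_VERSION:?OS_VERSION must be set}"`, would catch that. Since both files already `source /etc/os-release`, the codename it provides, `${VERSION_CODENAME}`, is available in both and would give one consistent source for the suite name.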
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 31 Oct 2022 09:27:05 +0100 Subject: [PATCH 3/3] osbuilder: Install rats-tls-tdx MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Inclavare released a rats-tls-tdx package, which we depend on for using verdictd. Let's install it when using EAA_KBC, as already done for the rats-tls package. One thin to note here is that rats-tls-tdx depends on libtdx-attest, which depends on libprotobuf-c1, thus we had to add the intel-sgx repo together with enabling the universe channel. Fixes: #5543 Signed-off-by: Fabiano FidĂȘncio --- tools/osbuilder/rootfs-builder/ubuntu/config.sh | 6 ++++-- tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh | 9 +++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh index 4375cdf63a..b8f52d4891 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh @@ -28,11 +28,13 @@ if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then AA_KBC_EXTRAS=" RUN echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID} ${OS_VERSION} main' \| tee /etc/apt/sources.list.d/inclavare-containers.list; \ curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID}/DEB-GPG-KEY.key \| apt-key add -; \ + echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${OS_VERSION} main' \| tee /etc/apt/sources.list.d/intel-sgx.list; \ + curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \| apt-key add -; \ apt-get update; \ - apt-get install -y rats-tls + apt-get install -y rats-tls-tdx " else - echo "rats-tls is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}" + echo "rats-tls-tdx is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}" fi fi 
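Review bot: The added intel-sgx lines fetch the key over https but still import it with `apt-key add -` into the global trusted keyring, which lets that key sign any repository the image pulls from, not just the sgx one; apt on 20.04 supports per-repository keyrings, so `curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \| gpg --dearmor -o /usr/share/keyrings/intel-sgx.gpg; \` together with `echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${OS_VERSION} main' \| tee /etc/apt/sources.list.d/intel-sgx.list; \` scopes the trust to this repository. The commit message says rats-tls-tdx needs the universe component for libprotobuf-c1 and the rootfs_lib.sh hunk enables it, but this RUN chain does not; that is presumably fine because the base image's sources already carry universe, and a one-line comment saying so would spare the next reader the comparison. The sgx entry here uses `${OS_VERSION}` while its rootfs_lib.sh counterpart hard-codes `focal`, the same divergence introduced in PATCH 2/3.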
diff --git a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh index c32660431b..d9a08b754a 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh @@ -38,13 +38,18 @@ EOF if [ "${VERSION_ID}" == "20.04" ]; then curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID}/DEB-GPG-KEY.key | chroot "$rootfs_dir" apt-key add - + curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | chroot "${rootfs_dir}" apt-key add - cat << EOF | chroot "$rootfs_dir" +apt-get update +apt-get install -y software-properties-common +add-apt-repository universe +echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID} focal main' | tee /etc/apt/sources.list.d/inclavare-containers.list apt-get update -apt-get install -y rats-tls +apt-get install -y rats-tls-tdx EOF else - echo "rats-tls is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}" + echo "rats-tls-tdx is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}" fi fi }
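Review bot: `apt-get install -y software-properties-common` followed by `add-apt-repository universe` pulls python3 and its dependency chain into the guest rootfs just to append one component, which is extra size and attack surface for an image whose later cleanup removes docs and locales. Adding the component to the existing sources entry does the same without the packages, e.g. `sed -i 's/ main$/ main universe/' /etc/apt/sources.list`, assuming debootstrap left the usual single-component line — to be confirmed against the generated rootfs. The commands in the heredoc run in the chroot's shell without a visible `set -e`, so a failed `add-apt-repository` or `apt-get update` still falls through to `apt-get install -y rats-tls-tdx`; making `set -e` the first heredoc line (unless the chroot shell is started with -e elsewhere) stops the sequence at the first error. The new sgx entry hard-codes `focal` next to the `${VERSION_ID}`-based openanolis entry, and the new curl line quotes `"${rootfs_dir}"` where the surrounding lines use `"$rootfs_dir"`; picking one form for both keeps the block uniform.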