From a1571721ddc847d654d24c8ce6a13c5b4f70d203 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 31 Oct 2022 09:27:05 +0100 Subject: [PATCH] osbuilder: Install rats-tls-tdx MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Inclavare released a rats-tls-tdx package, which we depend on for using verdictd. Let's install it when using EAA_KBC, as already done for the rats-tls package. One thing to note here is that rats-tls-tdx depends on libtdx-attest, which depends on libprotobuf-c1, thus we had to add the intel-sgx repo together with enabling the universe channel. Fixes: #5543 Signed-off-by: Fabiano FidĂȘncio --- tools/osbuilder/rootfs-builder/ubuntu/config.sh | 6 ++++-- tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh | 9 +++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/tools/osbuilder/rootfs-builder/ubuntu/config.sh b/tools/osbuilder/rootfs-builder/ubuntu/config.sh index 4375cdf63a..b8f52d4891 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/config.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/config.sh 
@@ -28,11 +28,13 @@ if [ "${AA_KBC}" == "eaa_kbc" ] && [ "${ARCH}" == "x86_64" ]; then AA_KBC_EXTRAS=" RUN echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID} ${OS_VERSION} main' \| tee /etc/apt/sources.list.d/inclavare-containers.list; \ curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID}/DEB-GPG-KEY.key \| apt-key add -; \ + echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${OS_VERSION} main' \| tee /etc/apt/sources.list.d/intel-sgx.list; \ + curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \| apt-key add -; \ apt-get update; \ - apt-get install -y rats-tls + apt-get install -y rats-tls-tdx " else - echo "rats-tls is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}" + echo "rats-tls-tdx is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}" fi fi diff --git a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh index c32660431b..d9a08b754a 100644 --- a/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh +++ b/tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh 
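Review bot: The added `curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key \| apt-key add -` puts the Intel SGX key into apt's global trusted keyring, so it is accepted for every configured source, including the inclavare mirror that this block still reaches over plain HTTP; the rootfs_lib.sh hunk adds the same pattern. Scoping the key to its own repository would be tighter: save it with `curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key -o /usr/share/keyrings/intel-sgx.asc` and write the source as `deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.asc] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${OS_VERSION} main`. The `-f` matters on its own as well, because without it an HTTP error body is piped on as if it were a key and the `;`-chained steps carry on to `apt-get install`. The enclosing `if` starts outside the hunk.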
@@ -38,13 +38,18 @@ EOF if [ "${VERSION_ID}" == "20.04" ]; then curl -L http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID}/DEB-GPG-KEY.key | chroot "$rootfs_dir" apt-key add - + curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | chroot "${rootfs_dir}" apt-key add - cat << EOF | chroot "$rootfs_dir" +apt-get update +apt-get install -y software-properties-common +add-apt-repository universe +echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list echo 'deb [arch=amd64] http://mirrors.openanolis.cn/inclavare-containers/ubuntu${VERSION_ID} focal main' | tee /etc/apt/sources.list.d/inclavare-containers.list apt-get update -apt-get install -y rats-tls +apt-get install -y rats-tls-tdx EOF else - echo "rats-tls is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}" + echo "rats-tls-tdx is only provided for Ubuntu 20.04, there's yet no packages for Ubuntu ${VERSION_ID}" fi fi }
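Review bot: `apt-get install -y software-properties-common` runs inside the chroot, so the package and everything it pulls in stay in the guest rootfs only to run `add-apt-repository universe` once, unless something outside this hunk removes them again. For an image that is presumably meant to stay minimal, I would either enable universe by writing the sources entry directly or clean up after the install with `apt-get purge -y --auto-remove software-properties-common` as the last line of the heredoc. The function body starts outside the hunk.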