agent: rootfs: add sealed-secret in Makefile

When set SEALED_SECRET to "yes", the kata-agent is built with sealed-secret capability, default value is "no". Fixes: #7544 Signed-off-by: Biao Lu <biao.lu@intel.com>
2025-08-21 17:34:31 +00:00 · 2023-08-10 14:08:31 +08:00 · 2023-08-10 14:08:31 +08:00 · acd0a75efd
commit acd0a75efd
parent 4e3a1ebcaf
3 changed files with 16 additions and 1 deletions
--- a/src/agent/Makefile
+++ b/src/agent/Makefile
@ -33,6 +33,13 @@ ifeq ($(SECCOMP),yes)
    override EXTRA_RUSTFEATURES += seccomp
 endif

+SEALED_SECRET ?= no
+
+# Enable sealed-secret feature of rust build
+ifeq ($(SEALED_SECRET),yes)
+    override EXTRA_RUSTFEATURES += sealed-secret
+endif
+
 include ../../utils.mk

 ifeq ($(ARCH), ppc64le)
--- a/tools/osbuilder/rootfs-builder/rootfs.sh
+++ b/tools/osbuilder/rootfs-builder/rootfs.sh
@ -28,6 +28,8 @@ LIBC=${LIBC:-musl}
 # The kata agent enables seccomp feature.
 # However, it is not enforced by default: you need to enable that in the main configuration file.
 SECCOMP=${SECCOMP:-"yes"}
+# The kata agent enables sealed-secret feature.
+SEALED_SECRET=${SEALED_SECRET:-"no"}
 SELINUX=${SELINUX:-"no"}

 lib_file="${script_dir}/../scripts/lib.sh"
@ -156,6 +158,10 @@ ROOTFS_DIR          Path to the directory that is populated with the rootfs.
 SECCOMP             When set to "no", the kata-agent is built without seccomp capability.
                    Default value: "yes"

+SEALED_SECRET       When set to "yes", the kata-agent is built with sealed-secret
+                    capability.
+                    Default value: "no"
+
 SELINUX             When set to "yes", build the rootfs with the required packages to
                    enable SELinux in the VM.
                    Make sure the guest kernel is compiled with SELinux enabled.
@ -469,6 +475,7 @@ build_rootfs_distro()
 			--env INSIDE_CONTAINER=1 \
 			--env AA_KBC="${AA_KBC}" \
 			--env SECCOMP="${SECCOMP}" \
+			--env SEALED_SECRET="${SEALED_SECRET}" \
 			--env SELINUX="${SELINUX}" \
 			--env DEBUG="${DEBUG}" \
 			--env HOME="/root" \
@ -630,7 +637,7 @@ EOF
 			git checkout "${AGENT_VERSION}" && OK "git checkout successful" || die "checkout agent ${AGENT_VERSION} failed!"
 		fi
 		make clean
-		make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP}
+		make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} SEALED_SECRET=${SEALED_SECRET}
 		make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT}
 		if [ "${SECCOMP}" == "yes" ]; then
 			rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}"
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@ -228,6 +228,7 @@ install_cc_image() {
 	export KATA_BUILD_CC=yes
 	export MEASURED_ROOTFS=yes
 	export DM_VERITY=yes
+	export SEALED_SECRET=yes
 	variant="${1:-}"

 	install_image "${variant}"