From af919686abaaac9844fe90d945401b29380c061e Mon Sep 17 00:00:00 2001 From: Kevin Zhao Date: Tue, 19 Aug 2025 23:46:49 +0800 Subject: [PATCH] Kata-deploy: Add CCA firmware build support runtime: pass firmware to CCA Realm Signed-off-by: Kevin Zhao --- src/runtime/pkg/govmm/qemu/qemu.go | 1 + .../packaging/kata-deploy/local-build/Makefile | 3 +++ .../local-build/kata-deploy-binaries.sh | 18 ++++++++++++++---- .../packaging/static-build/ovmf/build-ovmf.sh | 12 +++++++----- tools/packaging/static-build/ovmf/build.sh | 8 +++++++- versions.yaml | 6 ++++++ 6 files changed, 38 insertions(+), 10 deletions(-) diff --git a/src/runtime/pkg/govmm/qemu/qemu.go b/src/runtime/pkg/govmm/qemu/qemu.go index 87cedf56ea..fa82e9966d 100644 --- a/src/runtime/pkg/govmm/qemu/qemu.go +++ b/src/runtime/pkg/govmm/qemu/qemu.go @@ -458,6 +458,7 @@ func (object Object) QemuParams(config *Config) []string { personalizationValue := base64.StdEncoding.EncodeToString(personalizationValueSlice) objectParams = append(objectParams, fmt.Sprintf("personalization-value=%s", personalizationValue)) } + config.Bios = object.File } if len(deviceParams) > 0 { diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index a9252e6c95..ad29db2d9f 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile @@ -156,6 +156,9 @@ nydus-tarball: ovmf-sev-tarball: ${MAKE} $@-build +ovmf-cca-tarball: + ${MAKE} $@-build + ovmf-tarball: ${MAKE} $@-build diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index 10139221ac..58d6d56a2a 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -123,6 +123,7 @@ options: pause-image ovmf ovmf-sev + ovmf-cca qemu qemu-cca-experimental qemu-snp-experimental 
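Review bot: The added `config.Bios = object.File` makes QemuParams, which otherwise only renders an argument list, overwrite a field on the caller's Config, and it does so unconditionally. If `object.File` is empty this clears any firmware path that was already configured. Whether the assignment takes effect at all depends on the BIOS argument being rendered after the objects are processed, which is not visible here. The firmware placed into a Realm normally contributes to its initial measurement, so I would set it explicitly where the Config is built, or at least guard it with `if object.File != "" { config.Bios = object.File }` and a comment saying why the object's file doubles as the BIOS image. The enclosing branch and the rest of QemuParams lie outside the hunk.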
@@ -162,7 +163,7 @@ get_kernel_modules_dir() { local version=${kernel_version#v} local numeric_final_version=${version} - if [ -z "${kernel_ref}" ]; then + if [[ -z "${kernel_ref}" ]]; then # Every first release of a kernel is x.y, while the resulting folder would be x.y.0 local rc=$(echo ${version} | grep -oE "\-rc[0-9]+$") if [ -n "${rc}" ]; then @@ -1001,9 +1002,11 @@ install_shimv2() { install_ovmf() { ovmf_type="${1:-x86_64}" tarball_name="${2:-edk2-x86_64.tar.gz}" - if [ "${ARCH}" == "aarch64" ]; then - ovmf_type="arm64" - tarball_name="edk2-arm64.tar.gz" + if [[ "${ARCH}" == "aarch64" ]]; then + if [[ "${ovmf_type}" != "cca" ]]; then + ovmf_type="arm64" + tarball_name="edk2-arm64.tar.gz" + fi fi local component_name="ovmf" @@ -1029,6 +1032,11 @@ install_ovmf_sev() { install_ovmf "sev" "edk2-sev.tar.gz" } +# Install OVMF CCA +install_ovmf_cca() { + install_ovmf "cca" "edk2-cca.tar.gz" +} + install_busybox() { latest_artefact="$(get_from_kata_deps ".externals.busybox.version")" latest_builder_image="$(get_busybox_image_name)" @@ -1319,6 +1327,8 @@ handle_build() { ovmf-sev) install_ovmf_sev ;; + ovmf-cca) install_ovmf_cca ;; + pause-image) install_pause_image ;; qemu) install_qemu ;; diff --git a/tools/packaging/static-build/ovmf/build-ovmf.sh b/tools/packaging/static-build/ovmf/build-ovmf.sh index 23f6e05585..4fb6ac15a1 100755 --- a/tools/packaging/static-build/ovmf/build-ovmf.sh +++ b/tools/packaging/static-build/ovmf/build-ovmf.sh 
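Review bot: In the install_ovmf hunk the `cca` type is only special-cased when `ARCH` is `aarch64`, so on any other host `install_ovmf_cca` still passes `cca` through. Going by the build-ovmf.sh changes in this patch, the build is then forced to `AARCH64` with the default toolchain. An explicit architecture check at the top of `install_ovmf_cca`, failing with a clear message on other hosts, would avoid a confusing build failure later. The nested test can also be flattened to `if [[ "${ARCH}" == "aarch64" && "${ovmf_type}" != "cca" ]]; then`. The rest of install_ovmf is outside the hunk.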
@@ -22,14 +22,16 @@ package_output_dir="${package_output_dir:-}" DESTDIR=${DESTDIR:-${PWD}} PREFIX="${PREFIX:-/opt/kata}" architecture="${architecture:-X64}" -if [ "${ovmf_build}" == "arm64" ]; then +if [[ "${ovmf_build}" == "arm64" ]] || [[ "${ovmf_build}" == "cca" ]]; then architecture="AARCH64" fi toolchain="${toolchain:-GCC5}" build_target="${build_target:-RELEASE}" [ -n "$ovmf_repo" ] || die "failed to get ovmf repo" -[ -n "$ovmf_version" ] || die "failed to get ovmf version or commit" +if [[ -z "${ovmf_version}" ]] && [[ -z "${ovmf_branch}" ]]; then + die "failed to get ovmf version or branch" +fi [ -n "$ovmf_package" ] || die "failed to get ovmf package or commit" [ -n "$package_output_dir" ] || die "failed to get ovmf package or commit" @@ -73,7 +75,7 @@ if [ "${ovmf_build}" == "tdx" ]; then stat "${build_path_fv}/OVMF.fd" stat "${build_path_fv}/OVMF_CODE.fd" stat "${build_path_fv}/OVMF_VARS.fd" -elif [ "${ovmf_build}" == "arm64" ]; then +elif [ "${ovmf_build}" == "arm64" ] || [ "${ovmf_build}" == "cca" ]; then stat "${build_path_fv}/QEMU_EFI.fd" stat "${build_path_fv}/QEMU_VARS.fd" else @@ -84,7 +86,7 @@ fi popd info "Install fd to destdir" -if [ "${ovmf_build}" == "arm64" ]; then +if [ "${ovmf_build}" == "arm64" ] || [ "${ovmf_build}" == "cca" ]; then install_dir="${DESTDIR}/${PREFIX}/share/aavmf" else install_dir="${DESTDIR}/${PREFIX}/share/ovmf" 
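Review bot: The relaxed check at the top of build-ovmf.sh now accepts an empty `ovmf_version` as long as `ovmf_branch` is set, but nothing in the visible hunks reads `ovmf_branch` afterwards. build.sh in this same patch still dies when `ovmf_version` is empty, so the branch-only path looks unreachable from the normal entry point. If a later clone or checkout (outside the hunk) uses `ovmf_version`, a direct caller with only a branch set would hand it an empty ref. Either keep the original `[ -n "$ovmf_version" ] || die "failed to get ovmf version or commit"`, or add the branch handling where the repository is fetched and confirm that `ovmf_branch` is forwarded into the build environment.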
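Review bot: The `cca` build is installed into the same `share/aavmf` directory as the plain `arm64` build (the `install_dir` hunk here), and the following hunk copies it to the same `AAVMF_CODE.fd` and `AAVMF_VARS.fd` names. If both tarballs are unpacked under one prefix, whichever is installed last silently replaces the other, so a Realm could boot the stock firmware or an ordinary guest could boot the CCA fork build. That matters wherever the firmware is covered by attestation reference values. A separate location for the cca build would keep them apart, for example `install_dir="${DESTDIR}/${PREFIX}/share/aavmf-cca"` (name illustrative), with the runtime's firmware path pointing there.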
@@ -97,7 +99,7 @@ elif [ "${ovmf_build}" == "tdx" ]; then install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF.fd "${install_dir}" install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_CODE.fd ${install_dir} install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_VARS.fd ${install_dir} -elif [ "${ovmf_build}" == "arm64" ]; then +elif [ "${ovmf_build}" == "arm64" ] || [ "${ovmf_build}" == "cca" ]; then install $build_root/$ovmf_dir/"${build_path_fv}"/QEMU_EFI.fd "${install_dir}/AAVMF_CODE.fd" install $build_root/$ovmf_dir/"${build_path_fv}"/QEMU_VARS.fd "${install_dir}/AAVMF_VARS.fd" # QEMU expects 64MiB CODE and VARS files on ARM/AARCH64 architectures diff --git a/tools/packaging/static-build/ovmf/build.sh b/tools/packaging/static-build/ovmf/build.sh index c6e8d009af..7fa3ffbe53 100755 --- a/tools/packaging/static-build/ovmf/build.sh +++ b/tools/packaging/static-build/ovmf/build.sh @@ -21,6 +21,7 @@ kata_version="${kata_version:-}" ovmf_repo="${ovmf_repo:-}" ovmf_version="${ovmf_version:-}" ovmf_package="${ovmf_package:-}" +ovmf_branch="${ovmf_branch:-}" package_output_dir="${package_output_dir:-}" if [ -z "$ovmf_repo" ]; then 
@@ -45,9 +46,14 @@ elif [ "${ovmf_build}" == "arm64" ]; then [ -n "$ovmf_version" ] || ovmf_version=$(get_from_kata_deps ".externals.ovmf.arm64.version") [ -n "$ovmf_package" ] || ovmf_package=$(get_from_kata_deps ".externals.ovmf.arm64.package") [ -n "$package_output_dir" ] || package_output_dir=$(get_from_kata_deps ".externals.ovmf.arm64.package_output_dir") +elif [[ "${ovmf_build}" == "cca" ]]; then + ovmf_repo=$(get_from_kata_deps ".externals.ovmf.cca.url") + [[ -n "${ovmf_version}" ]] || ovmf_version=$(get_from_kata_deps ".externals.ovmf.cca.version") + [[ -n "${ovmf_package}" ]] || ovmf_package=$(get_from_kata_deps ".externals.ovmf.cca.package") + [[ -n "${package_output_dir}" ]] || package_output_dir=$(get_from_kata_deps ".externals.ovmf.cca.package_output_dir") fi -[ -n "$ovmf_version" ] || die "failed to get ovmf version or commit" +[ -n "$ovmf_version" ] || die "failed to get ovmf package or commit" [ -n "$ovmf_package" ] || die "failed to get ovmf package or commit" [ -n "$package_output_dir" ] || die "failed to get ovmf package or commit" diff --git a/versions.yaml b/versions.yaml index 7ee004a826..c649dd492f 100644 --- a/versions.yaml +++ b/versions.yaml @@ -391,6 +391,12 @@ externals: version: "edk2-stable202508" package: "ArmVirtPkg/ArmVirtQemu.dsc" package_output_dir: "ArmVirtQemu-AARCH64" + cca: + description: "UEFI for arm64 CCA virtual machines." + version: "cca/2025-02-06" + url: "https://git.codelinaro.org/linaro/dcap/edk2" + package: "ArmVirtPkg/ArmVirtQemu.dsc" + package_output_dir: "ArmVirtQemu-AARCH64" protoc: description: "Protobuf compiler"
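Review bot: The last changed line of this hunk turns the `ovmf_version` check's message into `failed to get ovmf package or commit`, the same text as the two checks below it, so a missing version is now reported as a missing package. I would keep the original `[ -n "$ovmf_version" ] || die "failed to get ovmf version or commit"`. In the new `cca` branch, `ovmf_repo` is assigned unconditionally, unlike the `[[ -n ... ]] ||` pattern on the three lines after it, so a caller-supplied repository is discarded. If that is intended because the fork is required, a comment such as `# CCA firmware is built from a fork; this deliberately replaces any ovmf_repo set above` would make it explicit.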
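Review bot: The new `cca` entry pins `version: "cca/2025-02-06"`, which reads like a branch name on a fork rather than a tag or commit, whereas the neighbouring entry uses a release tag (`edk2-stable202508`). If it is a branch, the firmware built from it can change without any change to this file. Builds would then not be reproducible, and for a Realm whose firmware is measured, the expected measurements could drift. Pinning to a full commit hash, `version: "<commit-sha>"` (placeholder), and keeping the branch name in the description or a comment, would fix the build input.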