config: switch CoCo templates from monolithic image to base + addon

Update all six CoCo configuration templates (coco-dev, snp, tdx for
both Go and Rust runtimes) to use the standard base image instead of
the monolithic confidential image, and add an [[extra_images]] section
for the CoCo addon:

  image = "@IMAGEPATH@"          (was @IMAGECONFIDENTIALPATH@)

  [[hypervisor.qemu.extra_images]]
  name = "coco"
  path = "@COCOIMAGEPATH@"
  verity_params = "@COCOVERITYPARAMS@"

Add COCOIMAGENAME (kata-containers-coco-addon.img), COCOIMAGEPATH, and
COCOVERITYPARAMS to both runtime Makefiles so the placeholders are
substituted at install time.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
Fabiano Fidêncio
2026-05-10 19:04:30 +02:00
parent 3edbff730d
commit b30b2e0ab5
9 changed files with 49 additions and 6 deletions


@@ -105,6 +105,9 @@ PKGRUNDIR := $(LOCALSTATEDIR)/run/$(PROJECT_DIR)
KERNELDIR := $(PKGDATADIR)
IMAGEPATH := $(PKGDATADIR)/$(IMAGENAME)
IMAGECONFIDENTIALPATH := $(PKGDATADIR)/$(IMAGECONFIDENTIALNAME)
COCOIMAGENAME := $(PROJECT_TAG)-coco-addon.img
COCOIMAGEPATH := $(PKGDATADIR)/$(COCOIMAGENAME)
COCOVERITYPARAMS :=
INITRDPATH := $(PKGDATADIR)/$(INITRDNAME)
INITRDCONFIDENTIALPATH := $(PKGDATADIR)/$(INITRDCONFIDENTIALNAME)
@@ -606,6 +609,9 @@ USER_VARS += IMAGECONFIDENTIALNAME
USER_VARS += IMAGEPATH
USER_VARS += IMAGEPATH_NV
USER_VARS += IMAGECONFIDENTIALPATH
USER_VARS += COCOIMAGENAME
USER_VARS += COCOIMAGEPATH
USER_VARS += COCOVERITYPARAMS
USER_VARS += INITRDNAME
USER_VARS += INITRDCONFIDENTIALNAME
USER_VARS += INITRDPATH
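Review bot: `COCOVERITYPARAMS :=` is introduced empty with no comment, so a reader of this Makefile cannot tell whether the CoCo addon is meant to ship without dm-verity parameters or whether another step fills the value in; the build-script hunk later in this commit adds `coco-addon:COCOVERITYPARAMS` to `verity_variants`, which suggests the latter, but nothing here says so. Since the templates expand `verity_params = "@COCOVERITYPARAMS@"`, an unset variable yields `verity_params = ""` in the installed configuration, and whether the runtime rejects that or attaches the addon unverified is not visible in this commit. I would document the contract next to the assignment: `# dm-verity params for the CoCo addon image; empty by default, populated by the build script for measured rootfs variants (see verity_variants).` The same applies to the second Makefile hunk of this commit (the one at line 129 of the other runtime's Makefile).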


@@ -15,7 +15,7 @@
[hypervisor.qemu]
path = "@QEMUPATH@"
kernel = "@KERNELPATH_COCO@"
image = "@IMAGECONFIDENTIALPATH@"
image = "@IMAGEPATH@"
machine_type = "@MACHINETYPE@"
# rootfs filesystem type:
@@ -792,3 +792,8 @@ experimental = @DEFAULTEXPFEATURES@
# If enabled, user can run pprof tools with shim v2 process through kata-monitor.
# (default: false)
enable_pprof = false
[[hypervisor.qemu.extra_images]]
name = "coco"
path = "@COCOIMAGEPATH@"
verity_params = "@COCOVERITYPARAMS@"
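Review bot: The new `[[hypervisor.qemu.extra_images]]` table is appended without any explanatory comment, whereas every other option in this template carries a description and a `(default: ...)` line; a reader cannot tell what `name`, `path` and `verity_params` mean, or what happens when `verity_params` expands to an empty string (the Makefile in this commit defaults COCOVERITYPARAMS to empty). With `image` switched from `@IMAGECONFIDENTIALPATH@` to `@IMAGEPATH@`, the addon's verity parameters appear to become the only integrity binding for the CoCo-specific content, which makes that empty case worth stating explicitly. I would add above the table: `# Additional disk images attached to the guest. "verity_params" holds the dm-verity parameters used to verify the image and is filled in at build time for measured rootfs variants; leaving it empty is not a supported configuration for confidential guests (confirm against the runtime's handling of an empty value).` The same comment is missing from the other five templates changed in this commit.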


@@ -16,7 +16,7 @@
[hypervisor.qemu]
path = "@QEMUPATH@"
kernel = "@KERNELPATH_COCO@"
image = "@IMAGECONFIDENTIALPATH@"
image = "@IMAGEPATH@"
machine_type = "@MACHINETYPE@"
# Enable confidential guest support.
@@ -726,3 +726,8 @@ enable_pprof = false
# to the hypervisor.
# (default: /run/kata-containers/dans)
dan_conf = "@DEFDANCONF@"
[[hypervisor.qemu.extra_images]]
name = "coco"
path = "@COCOIMAGEPATH@"
verity_params = "@COCOVERITYPARAMS@"


@@ -15,7 +15,7 @@
[hypervisor.qemu]
path = "@QEMUPATH@"
kernel = "@KERNELPATH_COCO@"
image = "@IMAGECONFIDENTIALPATH@"
image = "@IMAGEPATH@"
# initrd = "@INITRDPATH@"
machine_type = "@MACHINETYPE@"
tdx_quote_generation_service_socket_port = @QEMUTDXQUOTEGENERATIONSERVICESOCKETPORT@
@@ -703,3 +703,7 @@ enable_pprof = false
# (default: /run/kata-containers/dans)
dan_conf = "@DEFDANCONF@"
[[hypervisor.qemu.extra_images]]
name = "coco"
path = "@COCOIMAGEPATH@"
verity_params = "@COCOVERITYPARAMS@"


@@ -129,6 +129,9 @@ KERNELDIR := $(PKGDATADIR)
IMAGEPATH := $(PKGDATADIR)/$(IMAGENAME)
IMAGECONFIDENTIALPATH := $(PKGDATADIR)/$(IMAGECONFIDENTIALNAME)
COCOIMAGENAME := $(PROJECT_TAG)-coco-addon.img
COCOIMAGEPATH := $(PKGDATADIR)/$(COCOIMAGENAME)
COCOVERITYPARAMS :=
INITRDPATH := $(PKGDATADIR)/$(INITRDNAME)
INITRDCONFIDENTIALPATH := $(PKGDATADIR)/$(INITRDCONFIDENTIALNAME)
@@ -663,6 +666,9 @@ USER_VARS += IMAGENAME
USER_VARS += IMAGECONFIDENTIALNAME
USER_VARS += IMAGEPATH
USER_VARS += IMAGECONFIDENTIALPATH
USER_VARS += COCOIMAGENAME
USER_VARS += COCOIMAGEPATH
USER_VARS += COCOVERITYPARAMS
USER_VARS += INITRDNAME
USER_VARS += INITRDCONFIDENTIALNAME
USER_VARS += INITRDPATH


@@ -15,7 +15,7 @@
[hypervisor.qemu]
path = "@QEMUPATH@"
kernel = "@KERNELCONFIDENTIALPATH@"
image = "@IMAGECONFIDENTIALPATH@"
image = "@IMAGEPATH@"
machine_type = "@MACHINETYPE@"
# rootfs filesystem type:
@@ -784,3 +784,8 @@ kubelet_root_dir = "@DEFKUBELETROOTDIR@"
# cold_plug_vfio != no_port AND pod_resource_api_sock != "" => kubelet
# based cold plug.
pod_resource_api_sock = "@DEFPODRESOURCEAPISOCK@"
[[hypervisor.qemu.extra_images]]
name = "coco"
path = "@COCOIMAGEPATH@"
verity_params = "@COCOVERITYPARAMS@"


@@ -15,7 +15,7 @@
[hypervisor.qemu]
path = "@QEMUPATH@"
kernel = "@KERNELCONFIDENTIALPATH@"
image = "@IMAGECONFIDENTIALPATH@"
image = "@IMAGEPATH@"
machine_type = "@MACHINETYPE@"
# rootfs filesystem type:
@@ -792,3 +792,8 @@ kubelet_root_dir = "@DEFKUBELETROOTDIR@"
# cold_plug_vfio != no_port AND pod_resource_api_sock != "" => kubelet
# based cold plug.
pod_resource_api_sock = "@DEFPODRESOURCEAPISOCK@"
[[hypervisor.qemu.extra_images]]
name = "coco"
path = "@COCOIMAGEPATH@"
verity_params = "@COCOVERITYPARAMS@"


@@ -14,7 +14,7 @@
[hypervisor.qemu]
path = "@QEMUPATH@"
kernel = "@KERNELCONFIDENTIALPATH@"
image = "@IMAGECONFIDENTIALPATH@"
image = "@IMAGEPATH@"
machine_type = "@MACHINETYPE@"
tdx_quote_generation_service_socket_port = @QEMUTDXQUOTEGENERATIONSERVICESOCKETPORT@
@@ -769,3 +769,8 @@ kubelet_root_dir = "@DEFKUBELETROOTDIR@"
# cold_plug_vfio != no_port AND pod_resource_api_sock != "" => kubelet
# based cold plug.
pod_resource_api_sock = "@DEFPODRESOURCEAPISOCK@"
[[hypervisor.qemu.extra_images]]
name = "coco"
path = "@COCOIMAGEPATH@"
verity_params = "@COCOVERITYPARAMS@"


@@ -43,6 +43,7 @@ esac
# Variants (targets) that build a measured rootfs as of now are:
# - rootfs-image-confidential
# - rootfs-image-coco-addon
# - rootfs-image-nvidia-gpu
# - rootfs-image-nvidia-gpu-confidential
#
@@ -50,6 +51,7 @@ esac
root_hash_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build"
verity_variants=(
"confidential:KERNELVERITYPARAMS"
"coco-addon:COCOVERITYPARAMS"
"nvidia-gpu:KERNELVERITYPARAMS_NV"
"nvidia-gpu-confidential:KERNELVERITYPARAMS_CONFIDENTIAL_NV"
)