Merge pull request #11569 from Xynnn007/bump-coco

deps(chore): update guest-components and trustee

src/agent/src/initdata.rs

@@ -27,6 +27,9 @@ const AA_CONFIG_KEY: &str = "aa.toml";
 const CDH_CONFIG_KEY: &str = "cdh.toml";
 const POLICY_KEY: &str = "policy.rego";
 
+/// The path of initdata toml
+pub const INITDATA_TOML_PATH: &str = concatcp!(INITDATA_PATH, "/initdata.toml");
+
 /// The path of AA's config file
 pub const AA_CONFIG_PATH: &str = concatcp!(INITDATA_PATH, "/aa.toml");
 
@@ -95,7 +98,7 @@ pub async fn read_initdata(device_path: &str) -> Result<Vec<u8>> {
 }
 
 pub struct InitdataReturnValue {
-    pub digest: Vec<u8>,
+    pub _digest: Vec<u8>,
     pub _policy: Option<String>,
 }
 
@@ -122,7 +125,11 @@ pub async fn initialize_initdata(logger: &Logger) -> Result<Option<InitdataRetur
     info!(logger, "Initdata version: {}", initdata.version());
     initdata.validate()?;
 
-    let digest = match initdata.algorithm() {
+    tokio::fs::write(INITDATA_TOML_PATH, &initdata_content)
+        .await
+        .context("write initdata toml failed")?;
+
+    let _digest = match initdata.algorithm() {
         "sha256" => Sha256::digest(&initdata_content).to_vec(),
         "sha384" => Sha384::digest(&initdata_content).to_vec(),
         "sha512" => Sha512::digest(&initdata_content).to_vec(),
@@ -143,10 +150,10 @@ pub async fn initialize_initdata(logger: &Logger) -> Result<Option<InitdataRetur
         info!(logger, "write CDH config from initdata");
     }
 
-    debug!(logger, "Initdata digest: {}", STANDARD.encode(&digest));
+    debug!(logger, "Initdata digest: {}", STANDARD.encode(&_digest));
 
     let res = InitdataReturnValue {
-        digest,
+        _digest,
         _policy: initdata.get_coco_data(POLICY_KEY).cloned(),
     };
 

src/agent/src/main.rs

@@ -19,7 +19,6 @@ extern crate scopeguard;
 extern crate slog;
 
 use anyhow::{anyhow, bail, Context, Result};
-use base64::Engine;
 use cfg_if::cfg_if;
 use clap::Parser;
 use const_format::concatcp;
@@ -485,12 +484,9 @@ async fn launch_guest_component_procs(
 
     debug!(logger, "spawning attestation-agent process {}", AA_PATH);
     let mut aa_args = vec!["--attestation_sock", AA_ATTESTATION_URI];
-    let initdata_parameter;
-    if let Some(initdata_return_value) = initdata_return_value {
-        initdata_parameter =
-            base64::engine::general_purpose::STANDARD.encode(&initdata_return_value.digest);
-        aa_args.push("--initdata");
-        aa_args.push(&initdata_parameter);
+    if initdata_return_value.is_some() {
+        aa_args.push("--initdata-toml");
+        aa_args.push(initdata::INITDATA_TOML_PATH);
     }
 
     launch_process(

versions.yaml

@@ -233,18 +233,18 @@ externals:
   coco-guest-components:
     description: "Provides attested key unwrapping for image decryption"
     url: "https://github.com/confidential-containers/guest-components/"
-    version: "4cd62c3f8a6475a556eceb5f4538e523e9491400"
+    version: "591d0bb45cd7a2c66f3778428940c40f7eec3b7d"
     toolchain: "1.85.1"
 
   coco-trustee:
     description: "Provides attestation and secret delivery components"
     url: "https://github.com/confidential-containers/trustee"
-    version: "8462025ed2d2a94281344e63405bbe7500bd4484"
+    version: "beb4ce9346bc7f9a7ff0f686eb868472767ad8fb"
     # image / ita_image and image_tag / ita_image_tag must be in sync
     image: "ghcr.io/confidential-containers/staged-images/kbs"
-    image_tag: "8462025ed2d2a94281344e63405bbe7500bd4484"
+    image_tag: "beb4ce9346bc7f9a7ff0f686eb868472767ad8fb"
     ita_image: "ghcr.io/confidential-containers/staged-images/kbs-ita-as"
-    ita_image_tag: "8462025ed2d2a94281344e63405bbe7500bd4484-x86_64"
+    ita_image_tag: "beb4ce9346bc7f9a7ff0f686eb868472767ad8fb-x86_64"
     toolchain: "1.85.1"
 
   crio: