From c7d5f207f1ed2acf5a481dd0f1f11b1f8aa08922 Mon Sep 17 00:00:00 2001
From: Seunguk Shin
Date: Thu, 21 Nov 2024 09:43:16 +0000
Subject: [PATCH] kata-deploy: support build confidential rootfs and initrd for CCA
Also add cca-attester for coco-guest-component
Signed-off-by: Kevin Zhao
Co-authored-by: Seunguk Shin
---
 tools/packaging/kata-deploy/local-build/Makefile | 8 ++++++++
 .../kata-deploy/local-build/kata-deploy-binaries.sh | 4 ++++
 .../packaging/static-build/coco-guest-components/build.sh | 1 +
 versions.yaml | 6 ++++++
 4 files changed, 19 insertions(+)
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index d9f5183f69..b958b987a1 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -57,6 +57,8 @@ BASE_TARBALLS = serial-targets \
 shim-v2-tarball \
 virtiofsd-tarball
 BASE_SERIAL_TARBALLS = rootfs-image-tarball \
+ rootfs-cca-confidential-image-tarball \
+ rootfs-cca-confidential-initrd-tarball \
 rootfs-initrd-tarball
 endif
@@ -200,6 +202,12 @@ rootfs-image-nvidia-gpu-confidential-tarball: agent-tarball busybox-tarball paus
 rootfs-initrd-nvidia-gpu-confidential-tarball: agent-tarball busybox-tarball pause-image-tarball coco-guest-components-tarball kernel-nvidia-gpu-confidential-tarball
 ${MAKE} $@-build
+rootfs-cca-confidential-image-tarball: agent-tarball pause-image-tarball coco-guest-components-tarball kernel-cca-confidential-tarball
+ ${MAKE} $@-build
+
+rootfs-cca-confidential-initrd-tarball: agent-tarball pause-image-tarball coco-guest-components-tarball kernel-cca-confidential-tarball
+ ${MAKE} $@-build
+
 shim-v2-tarball:
 ${MAKE} $@-build
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index ab8e62597f..63911c24c4 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
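Review bot: In tools/packaging/kata-deploy/local-build/Makefile, both new rules in the second hunk (`rootfs-cca-confidential-image-tarball` and `rootfs-cca-confidential-initrd-tarball`) name `kernel-cca-confidential-tarball` as a prerequisite, but no hunk of this patch adds a rule for that target, and the `handle_build` hunk adds no kernel case for it either. If the rule is not already defined elsewhere in the Makefile, make stops with a missing-rule error. Because the first hunk also puts both targets into `BASE_SERIAL_TARBALLS`, that failure would reach the default serial build for whichever architecture branch this is; the enclosing conditional starts outside the hunk, so the branch cannot be confirmed from here. Please confirm the kernel target exists, and consider a comment above the two rules such as `# Arm CCA confidential guest rootfs; depends on the CCA guest kernel tarball` so the kernel/rootfs pairing is explicit.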
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -1335,6 +1335,10 @@ handle_build() {
 rootfs-initrd-nvidia-gpu-confidential) install_initrd_nvidia_gpu_confidential ;;
+ rootfs-cca-confidential-image) install_image_confidential ;;
+
+ rootfs-cca-confidential-initrd) install_initrd_confidential ;;
+
 runk) install_runk ;;
 shim-v2) install_shimv2 ;;
diff --git a/tools/packaging/static-build/coco-guest-components/build.sh b/tools/packaging/static-build/coco-guest-components/build.sh
index 850d310d4a..dbabf485ec 100755
--- a/tools/packaging/static-build/coco-guest-components/build.sh
+++ b/tools/packaging/static-build/coco-guest-components/build.sh
@@ -46,6 +46,7 @@ RESOURCE_PROVIDER="kbs,sev"
 case "$(uname -m)" in
 x86_64) ATTESTER="snp-attester,tdx-attester,nvidia-attester" ;;
 s390x) ATTESTER="se-attester" ;;
+ aarch64) ATTESTER="cca-attester" ;;
 *) ATTESTER="none" ;;
 esac
diff --git a/versions.yaml b/versions.yaml
index 8b68b06cc8..0aed0d57ae 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -123,6 +123,9 @@ assets:
 aarch64:
 name: "ubuntu"
 version: "noble" # 24.04 LTS
+ confidential:
+ name: "ubuntu"
+ version: "noble" # 24.04 LTS
 nvidia-gpu:
 name: "ubuntu"
 version: "noble" # 24.04 LTS
@@ -163,6 +166,9 @@ assets:
 aarch64:
 name: "alpine"
 version: "3.22"
+ confidential:
+ name: "ubuntu"
+ version: "noble" # 24.04 LTS
 nvidia-gpu:
 name: "ubuntu"
 version: "noble" # 24.04 LTS
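Review bot: The two new `handle_build` cases in kata-deploy-binaries.sh dispatch to the generic `install_image_confidential` and `install_initrd_confidential`, whereas the neighbouring NVIDIA case has a dedicated `install_initrd_nvidia_gpu_confidential`, so the CCA build name is not passed on to the installer. Both functions are defined outside this hunk. If they derive the kernel dependency, the measured-rootfs setting or cached artefact names from a fixed `confidential` variant, the CCA rootfs would be assembled against those rather than against the `kernel-cca-confidential-tarball` that the Makefile rules require. Please confirm this, and if the reuse is intended, say so on the cases, e.g. `# CCA reuses the generic confidential rootfs installers`.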