kata-deploy: support build confidential rootfs and initrd for CCA

Also add cca-attester for coco-guest-component Signed-off-by: Kevin Zhao <kevin.zhao@linaro.org> Co-authored-by: Seunguk Shin <seunguk.shin@arm.com>
2025-10-22 04:18:53 +00:00 · 2024-11-21 09:43:16 +00:00
parent 40dac78412
commit c7d5f207f1
4 changed files with 19 additions and 0 deletions
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -57,6 +57,8 @@ BASE_TARBALLS = serial-targets \
 	shim-v2-tarball \
 	virtiofsd-tarball
 BASE_SERIAL_TARBALLS = rootfs-image-tarball \
+	rootfs-cca-confidential-image-tarball \
+	rootfs-cca-confidential-initrd-tarball \
 	rootfs-initrd-tarball
 endif

@@ -200,6 +202,12 @@ rootfs-image-nvidia-gpu-confidential-tarball: agent-tarball busybox-tarball paus
 rootfs-initrd-nvidia-gpu-confidential-tarball: agent-tarball busybox-tarball pause-image-tarball coco-guest-components-tarball kernel-nvidia-gpu-confidential-tarball
 	${MAKE} $@-build

+rootfs-cca-confidential-image-tarball: agent-tarball pause-image-tarball coco-guest-components-tarball kernel-cca-confidential-tarball
+	${MAKE} $@-build
+
+rootfs-cca-confidential-initrd-tarball: agent-tarball pause-image-tarball coco-guest-components-tarball kernel-cca-confidential-tarball
+	${MAKE} $@-build
+
 shim-v2-tarball:
 	${MAKE} $@-build

--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -1335,6 +1335,10 @@ handle_build() {

 	rootfs-initrd-nvidia-gpu-confidential) install_initrd_nvidia_gpu_confidential ;;

+	rootfs-cca-confidential-image) install_image_confidential ;;
+
+	rootfs-cca-confidential-initrd) install_initrd_confidential ;;
+
 	runk) install_runk ;;

 	shim-v2) install_shimv2 ;;
--- a/tools/packaging/static-build/coco-guest-components/build.sh
+++ b/tools/packaging/static-build/coco-guest-components/build.sh
@@ -46,6 +46,7 @@ RESOURCE_PROVIDER="kbs,sev"
 case "$(uname -m)" in
 	x86_64) ATTESTER="snp-attester,tdx-attester,nvidia-attester" ;;
 	s390x) ATTESTER="se-attester" ;;
+	aarch64) ATTESTER="cca-attester" ;;
 	*) ATTESTER="none" ;;
 esac

--- a/versions.yaml
+++ b/versions.yaml
@@ -123,6 +123,9 @@ assets:
      aarch64:
        name: "ubuntu"
        version: "noble"  # 24.04 LTS
+        confidential:
+          name: "ubuntu"
+          version: "noble" # 24.04 LTS
        nvidia-gpu:
          name: "ubuntu"
          version: "noble"  # 24.04 LTS
@@ -163,6 +166,9 @@ assets:
      aarch64:
        name: "alpine"
        version: "3.22"
+        confidential:
+          name: "ubuntu"
+          version: "noble"  # 24.04 LTS
        nvidia-gpu:
          name: "ubuntu"
          version: "noble"  # 24.04 LTS