rootfs: Add libtdx-attest into the confidential rootfs

This is required as the tdx-attest-rs crate, which is used as part of
the guest components, has a runtime dependency on libattest-tdx.

Fixes: #9021 -- part II

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>

tools/osbuilder/rootfs-builder/rootfs.sh

@@ -31,6 +31,7 @@ AGENT_POLICY=${AGENT_POLICY:-no}
 AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN:-""}
 AGENT_TARBALL=${AGENT_TARBALL:-""}
 COCO_GUEST_COMPONENTS_TARBALL=${COCO_GUEST_COMPONENTS_TARBALL:-""}
+CONFIDENTIAL_GUEST="${CONFIDENTIAL_GUEST:-no}"
 
 lib_file="${script_dir}/../scripts/lib.sh"
 source "$lib_file"
@@ -450,6 +451,7 @@ build_rootfs_distro()
 		fi
 
 		if [ -n "${COCO_GUEST_COMPONENTS_TARBALL}" ] ; then
+			CONFIDENTIAL_GUEST="yes"
 			engine_run_args+=" --env COCO_GUEST_COMPONENTS_TARBALL=${COCO_GUEST_COMPONENTS_TARBALL}"
 			engine_run_args+=" -v $(dirname ${COCO_GUEST_COMPONENTS_TARBALL}):$(dirname ${COCO_GUEST_COMPONENTS_TARBALL})"
 		fi
@@ -500,6 +502,7 @@ build_rootfs_distro()
 			--env TARGET_ARCH="${TARGET_ARCH}" \
 			--env HOME="/root" \
 			--env AGENT_POLICY="${AGENT_POLICY}" \
+			--env CONFIDENTIAL_GUEST="${CONFIDENTIAL_GUEST}" \
 			-v "${repo_dir}":"/kata-containers" \
 			-v "${ROOTFS_DIR}":"/rootfs" \
 			-v "${script_dir}/../scripts":"/scripts" \

tools/osbuilder/rootfs-builder/ubuntu/Dockerfile.in

@@ -23,6 +23,7 @@ RUN apt-get update && \
          [ "$gcc_arch" = x86_64 ] && gcc_arch=x86-64 && libc_arch=amd64; \
          echo "gcc-$gcc_arch-linux-gnu libc6-dev-$libc_arch-cross")) \
     git \
+    gnupg2 \
     make \
     makedev \
     multistrap \

tools/osbuilder/rootfs-builder/ubuntu/config.sh

@@ -2,9 +2,10 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
+source /etc/os-release
 OS_NAME=ubuntu
 # This should be Ubuntu's code name, e.g. "focal" (Focal Fossa) for 20.04
-OS_VERSION=${OS_VERSION:-focal}
+OS_VERSION=${OS_VERSION:-${UBUNTU_CODENAME}}
 PACKAGES="chrony iptables dbus"
 [ "$AGENT_INIT" = no ] && PACKAGES+=" init"
 [ "$MEASURED_ROOTFS" = yes ] && PACKAGES+=" cryptsetup-bin e2fsprogs"

tools/osbuilder/rootfs-builder/ubuntu/rootfs_lib.sh

@@ -22,9 +22,24 @@ bootstrap=Ubuntu
 [Ubuntu]
 source=$REPO_URL
 keyring=ubuntu-keyring
-suite=focal
+suite=$UBUNTU_CODENAME
 packages=$PACKAGES $EXTRA_PKGS
 EOF
+
+	if [ "${CONFIDENTIAL_GUEST}" == "yes" ] && [ "${DEB_ARCH}" == "amd64" ]; then
+		mkdir -p $rootfs_dir/etc/apt/trusted.gpg.d/
+		curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key |
+			gpg --dearmour -o $rootfs_dir/etc/apt/trusted.gpg.d/intel-sgx-deb.gpg
+		sed -i -e "s/bootstrap=Ubuntu/bootstrap=Ubuntu intel-sgx/" $multistrap_conf
+		cat >> $multistrap_conf << EOF
+
+[intel-sgx]
+source=https://download.01.org/intel-sgx/sgx_repo/ubuntu
+suite=$UBUNTU_CODENAME
+packages=libtdx-attest=1.20\*
+EOF
+	fi
+
 	if ! multistrap -a "$DEB_ARCH" -d "$rootfs_dir" -f "$multistrap_conf"; then
 		build_dbus $rootfs_dir
 	fi