Merge pull request #8933 from fidencio/topic/package-coco-guest-components

packaging: Build coco-guest-components

.github/workflows/build-kata-static-tarball-amd64.yaml

@@ -32,6 +32,7 @@ jobs:
           - agent-ctl
           - cloud-hypervisor
           - cloud-hypervisor-glibc
+          - coco-guest-components
           - firecracker
           - genpolicy
           - kata-ctl

.github/workflows/build-kata-static-tarball-s390x.yaml

@@ -28,6 +28,7 @@ jobs:
       matrix:
         asset:
           - agent
+          - coco-guest-components
           - kernel
           - qemu
           - rootfs-image

tools/osbuilder/rootfs-builder/rootfs.sh

@@ -28,6 +28,9 @@ LIBC=${LIBC:-musl}
 SECCOMP=${SECCOMP:-"yes"}
 SELINUX=${SELINUX:-"no"}
 AGENT_POLICY=${AGENT_POLICY:-no}
+AGENT_SOURCE_BIN=${AGENT_SOURCE_BIN:-""}
+AGENT_TARBALL=${AGENT_TARBALL:-""}
+COCO_GUEST_COMPONENTS_TARBALL=${COCO_GUEST_COMPONENTS_TARBALL:-""}
 
 lib_file="${script_dir}/../scripts/lib.sh"
 source "$lib_file"
@@ -143,6 +146,11 @@ ARCH                Target architecture (according to \`uname -m\`).
                     and glibc agents.
                     Default value: $(uname -m)
 
+COCO_GUEST_COMPONENTS_TARBALL       Path to the kata-coco-guest-components.tar.xz tarball to be unpacked inside the
+                                    rootfs.
+                                    If set, the tarball will be unpacked onto the rootfs.
+                                    Default value: <not set>
+
 DISTRO_REPO         Use host repositories to install guest packages.
                     Default value: <not set>
 
@@ -684,7 +692,7 @@ EOF
 			rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}"
 		fi
 		popd
-	elif [ "${AGENT_SOURCE_BIN}" ]; then
+	elif [ -n "${AGENT_SOURCE_BIN}" ]; then
 		mkdir -p ${AGENT_DIR}
 		cp ${AGENT_SOURCE_BIN} ${AGENT_DEST}
 		OK "cp ${AGENT_SOURCE_BIN} ${AGENT_DEST}"
@@ -780,6 +788,10 @@ EOF
 	[ -x "${init}" ] || [ -L "${init}" ] || die "/sbin/init is not installed in ${ROOTFS_DIR}"
 	OK "init is installed"
 
+	if [ -n "${COCO_GUEST_COMPONENTS_TARBALL}" ] ; then
+		tar xvJpf ${COCO_GUEST_COMPONENTS_TARBALL} -C ${ROOTFS_DIR}
+	fi
+
 	# Create an empty /etc/resolv.conf, to allow agent to bind mount container resolv.conf to Kata VM
 	dns_file="${ROOTFS_DIR}/etc/resolv.conf"
 	if [ -L "$dns_file" ]; then

tools/packaging/guest-image/build_image.sh

@@ -44,7 +44,8 @@ build_initrd() {
 		USE_DOCKER=1 \
 		AGENT_TARBALL="${AGENT_TARBALL}" \
 		AGENT_INIT="yes" \
-		AGENT_POLICY="${AGENT_POLICY:-}"
+		AGENT_POLICY="${AGENT_POLICY:-}" \
+		COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}"
 	mv "kata-containers-initrd.img" "${install_dir}/${artifact_name}"
 	(
 		cd "${install_dir}"
@@ -63,7 +64,8 @@ build_image() {
 		IMG_OS_VERSION="${os_version}" \
 		ROOTFS_BUILD_DEST="${builddir}/rootfs-image" \
 		AGENT_TARBALL="${AGENT_TARBALL}" \
-		AGENT_POLICY="${AGENT_POLICY:-}"
+		AGENT_POLICY="${AGENT_POLICY:-}" \
+		COCO_GUEST_COMPONENTS_TARBALL="${COCO_GUEST_COMPONENTS_TARBALL:-}"
 	mv -f "kata-containers.img" "${install_dir}/${artifact_name}"
 	if [ -e "root_hash.txt" ]; then
 	    cp root_hash.txt "${install_dir}/"

tools/packaging/kata-deploy/local-build/Makefile

@@ -88,6 +88,9 @@ agent-opa-tarball: copy-scripts-for-the-agent-build
 agent-ctl-tarball:
 	${MAKE} $@-build
 
+coco-guest-components-tarball:
+	${MAKE} $@-build
+
 cloud-hypervisor-tarball:
 	${MAKE} $@-build
 

tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh

@@ -86,6 +86,7 @@ TARGET_BRANCH="${TARGET_BRANCH:-}"
 BUILDER_REGISTRY="${BUILDER_REGISTRY:-}"
 PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY:-"no"}"
 AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER:-}"
+COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-}"
 INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER:-}"
 KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER:-}"
 OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER:-}"
@@ -110,6 +111,7 @@ docker run \
 	--env BUILDER_REGISTRY="${BUILDER_REGISTRY}" \
 	--env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY}" \
 	--env AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER}" \
+	--env COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER}" \
 	--env INITRAMFS_CONTAINER_BUILDER="${INITRAMFS_CONTAINER_BUILDER}" \
 	--env KERNEL_CONTAINER_BUILDER="${KERNEL_CONTAINER_BUILDER}" \
 	--env OVMF_CONTAINER_BUILDER="${OVMF_CONTAINER_BUILDER}" \

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -23,6 +23,7 @@ readonly version_file="${repo_root_dir}/VERSION"
 readonly versions_yaml="${repo_root_dir}/versions.yaml"
 
 readonly agent_builder="${static_build_dir}/agent/build.sh"
+readonly coco_guest_components_builder="${static_build_dir}/coco-guest-components/build.sh"
 readonly clh_builder="${static_build_dir}/cloud-hypervisor/build-static-clh.sh"
 readonly firecracker_builder="${static_build_dir}/firecracker/build-static-firecracker.sh"
 readonly kernel_builder="${static_build_dir}/kernel/build.sh"
@@ -87,6 +88,7 @@ options:
 	agent-opa
 	agent-ctl
 	boot-image-se
+	coco-guest-components
 	cloud-hypervisor
 	cloud-hypervisor-glibc
 	firecracker
@@ -710,6 +712,22 @@ install_agent_opa() {
 	install_agent_helper "yes"
 }
 
+install_coco_guest_components() {
+	latest_artefact="$(get_from_kata_deps "externals.coco-guest-components.version")-$(get_from_kata_deps "externals.coco-guest-components.toolchain")"
+	latest_builder_image="$(get_coco_guest_components_image_name)"
+
+	install_cached_tarball_component \
+		"${build_target}" \
+		"${latest_artefact}" \
+		"${latest_builder_image}" \
+		"${final_tarball_name}" \
+		"${final_tarball_path}" \
+		&& return 0
+
+	info "build static coco-guest-components"
+	"${coco_guest_components_builder}"
+}
+
 install_tools_helper() {
 	tool=${1}
 
@@ -821,9 +839,11 @@ handle_build() {
 	agent-opa) install_agent_opa ;;
 
 	agent-ctl) install_agent_ctl ;;
-	
+
 	boot-image-se) install_se_image ;;
 
+	coco-guest-components) install_coco_guest_components ;;
+
 	cloud-hypervisor) install_clh ;;
 
 	cloud-hypervisor-glibc) install_clh_glibc ;;
@@ -941,6 +961,7 @@ main() {
 		agent-opa
 		agent-ctl
 		cloud-hypervisor
+		coco-guest-components
 		firecracker
 		genpolicy
 		kata-ctl

tools/packaging/release/release-notes.sh

@@ -151,6 +151,7 @@ used to build the release artefacts.
 The users who want to rebuild the tarballs using exactly the same images can simply use the following environment
 variables:
 * \`AGENT_CONTAINER_BUILDER\`
+* \`COCO_GUEST_COMPONENTS_CONTAINER_BUILDER\`
 * \`KERNEL_CONTAINER_BUILDER\`
 * \`OVMF_CONTAINER_BUILDER\`
 * \`QEMU_CONTAINER_BUILDER\`

tools/packaging/scripts/lib.sh

@@ -216,3 +216,8 @@ get_agent_image_name() {
 
 	echo "${BUILDER_REGISTRY}:agent-$(get_last_modification ${libs_dir})-$(get_last_modification ${agent_dir})-$(uname -m)"
 }
+
+get_coco_guest_components_image_name() {
+	coco_guest_components_script_dir="${repo_root_dir}/tools/packaging/static-build/coco-guest-components"
+	echo "${BUILDER_REGISTRY}:coco-guest-components-$(get_from_kata_deps "externals.coco-guest-components.toolchain")-$(get_last_modification ${coco_guest_components_script_dir})-$(uname -m)"
+}

tools/packaging/static-build/coco-guest-components/Dockerfile

@@ -0,0 +1,28 @@
+# Copyright (c) 2024 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+FROM ubuntu:22.04
+ARG RUST_TOOLCHAIN
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+RUN apt-get update && \
+	apt-get --no-install-recommends -y install \
+		binutils \
+		ca-certificates \
+		clang \
+		curl \
+		g++ \
+		gcc \
+		git \
+		gnupg \
+		libssl-dev \
+		make \
+		musl-tools \
+		openssl \
+		perl \
+		protobuf-compiler && \
+	apt-get clean && rm -rf /var/lib/apt/lists/ && \
+    	curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${RUST_TOOLCHAIN}

tools/packaging/static-build/coco-guest-components/build-static-coco-guest-components.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+[ -n "$coco_guest_components_repo" ] || die "failed to get coco-guest-components repo"
+[ -n "$coco_guest_components_version" ] || die "failed to get coco-guest-components version"
+
+[ -d "guest-components" ] && rm -rf  guest-components
+
+init_env() {
+	source "$HOME/.cargo/env"
+
+	export LIBC=gnu
+
+	ARCH=$(uname -m)
+	rust_arch=""
+	case ${ARCH} in
+		"aarch64")
+			rust_arch=${ARCH}
+			;;
+		"ppc64le")
+			rust_arch="powerpc64le"
+			;;
+		"x86_64")
+			rust_arch=${ARCH}
+			;;
+		"s390x")
+			rust_arch=${ARCH}
+			;;
+	esac
+	rustup target add ${rust_arch}-unknown-linux-${LIBC}
+}
+
+build_coco_guest_components_from_source() {
+	echo "build coco-guest-components from source"
+
+	init_env
+
+	git clone --depth 1 ${coco_guest_components_repo} guest-components
+	pushd guest-components
+
+	git fetch --depth=1 origin "${coco_guest_components_version}"
+	git checkout FETCH_HEAD
+
+	TEE_PLATFORM=${TEE_PLATFORM} make build
+	strip target/${rust_arch}-unknown-linux-${LIBC}/release/confidential-data-hub
+	strip target/${rust_arch}-unknown-linux-${LIBC}/release/attestation-agent
+	strip target/${rust_arch}-unknown-linux-${LIBC}/release/api-server-rest
+	TEE_PLATFORM=${TEE_PLATFORM} make install
+	popd
+}
+
+build_coco_guest_components_from_source $@

tools/packaging/static-build/coco-guest-components/build.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+#
+# Copyright (c) 2024 Intel
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly coco_guest_components_builder="${script_dir}/build-static-coco-guest-components.sh"
+
+source "${script_dir}/../../scripts/lib.sh"
+
+coco_guest_components_repo="${coco_guest_components_repo:-}"
+coco_guest_components_version="${coco_guest_components_version:-}"
+coco_guest_components_toolchain="${coco_guest_components_toolchain:-}"
+package_output_dir="${package_output_dir:-}"
+
+[ -n "${coco_guest_components_repo}" ] || coco_guest_components_repo=$(get_from_kata_deps "externals.coco-guest-components.url")
+[ -n "${coco_guest_components_version}" ] || coco_guest_components_version=$(get_from_kata_deps "externals.coco-guest-components.version")
+[ -n "${coco_guest_components_toolchain}" ] || coco_guest_components_toolchain=$(get_from_kata_deps "externals.coco-guest-components.toolchain")
+
+[ -n "${coco_guest_components_repo}" ] || die "Failed to get coco-guest-components repo"
+[ -n "${coco_guest_components_version}" ] || die "Failed to get coco-guest-components version or commit"
+[ -n "${coco_guest_components_toolchain}" ] || die "Failed to get the rust toolchain to build coco-guest-components"
+
+container_image="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER:-$(get_coco_guest_components_image_name)}"
+[ "${CROSS_BUILD}" == "true" ] && container_image="${container_image}-cross-build"
+
+sudo docker pull ${container_image} || \
+	(sudo docker $BUILDX build $PLATFORM \
+	    	--build-arg RUST_TOOLCHAIN="${coco_guest_components_toolchain}" \
+		-t "${container_image}" "${script_dir}" && \
+	 # No-op unless PUSH_TO_REGISTRY is exported as "yes"
+	 push_to_registry "${container_image}")
+
+sudo docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
+	-w "${PWD}" \
+	--env TEE_PLATFORM=${TEE_PLATFORM:-all} \
+	--env coco_guest_components_repo="${coco_guest_components_repo}" \
+	--env coco_guest_components_version="${coco_guest_components_version}" \
+	"${container_image}" \
+	bash -c "${coco_guest_components_builder}"

versions.yaml

@@ -207,6 +207,12 @@ externals:
     url: "https://github.com/containernetworking/plugins"
     version: "v1.2.0"
 
+  coco-guest-components:
+    description: "Provides attested key unwrapping for image decryption"
+    url: "https://github.com/confidential-containers/guest-components/"
+    version: "42b7c9687ecd0907ef70da31cf290a60ee8432cd"
+    toolchain: "1.72.0"
+
   conmon:
     description: "An OCI container runtime monitor"
     url: "https://github.com/containers/conmon"