From e28a8a4e47e671fd7a3b977e54ebb250536a1764 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 7 Apr 2026 12:27:55 +0200 Subject: [PATCH] build: add arm64 coco-dev build dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Build coco-guest-components, pause-image, and rootfs-image-confidential for arm64, which are required by qemu-coco-dev-runtime-rs. Enable MEASURED_ROOTFS on the arm64 shim-v2 build, add the aarch64 case to install_kernel() so the default kernel is built as a unified kernel (with confidential guest support, like x86_64), and adjust the kernel install naming so only CCA builds get the -confidential suffix. Also wire rootfs-image-confidential-tarball into the aarch64 local-build Makefile. Signed-off-by: Fabiano FidĂȘncio Made-with: Cursor --- .github/workflows/build-kata-static-tarball-arm64.yaml | 6 ++++++ tools/packaging/kata-deploy/local-build/Makefile | 1 + .../kata-deploy/local-build/kata-deploy-binaries.sh | 5 +++++ tools/packaging/kernel/build-kernel.sh | 7 +++++-- 4 files changed, 17 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index 9e69f0e7c2..669edb9d70 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -43,6 +43,7 @@ jobs: - agent - busybox - cloud-hypervisor + - coco-guest-components - firecracker - kernel - kernel-debug @@ -51,6 +52,7 @@ jobs: - kernel-cca-confidential - nydus - ovmf + - pause-image - qemu - virtiofsd env: @@ -151,6 +153,7 @@ jobs: matrix: asset: - rootfs-image + - rootfs-image-confidential - rootfs-image-nvidia-gpu - rootfs-initrd steps: @@ -216,7 +219,9 @@ jobs: matrix: asset: - busybox + - coco-guest-components - kernel-nvidia-gpu-modules + - pause-image steps: - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: 
@@ -288,6 +293,7 @@ jobs:
 ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 TARGET_BRANCH: ${{ inputs.target-branch }}
 RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+ MEASURED_ROOTFS: yes
 - name: store-artifact shim-v2
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index 05dbfb052a..49d6f9611b 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -60,6 +60,7 @@ BASE_TARBALLS = serial-targets \
 shim-v2-tarball \
 virtiofsd-tarball
 BASE_SERIAL_TARBALLS = rootfs-image-tarball \
+ rootfs-image-confidential-tarball \
 rootfs-cca-confidential-image-tarball \
 rootfs-cca-confidential-initrd-tarball \
 rootfs-initrd-tarball
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index 0eed9f4862..a9c16c3fce 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -705,6 +705,11 @@ install_kernel() {
 export MEASURED_ROOTFS="no"
 extra_cmd="-x"
 ;;
+ aarch64)
+ export CONFIDENTIAL_GUEST="yes"
+ export MEASURED_ROOTFS="yes"
+ extra_cmd="-x"
+ ;;
 x86_64)
 export CONFIDENTIAL_GUEST="yes"
 export MEASURED_ROOTFS="yes"
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index 612353e5d5..25ad1e0d52 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
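Review bot: The new `aarch64)` arm in install_kernel() appears to repeat the `x86_64)` arm that follows it (its first two lines, `export CONFIDENTIAL_GUEST="yes"` and `export MEASURED_ROOTFS="yes"`, are visible in the hunk; its extra_cmd line is past the hunk end), so the two will drift the next time one is edited. If they are indeed identical, folding them into a single `aarch64|x86_64)` arm keeps one definition of the unified-kernel settings. Note also that the arm forces MEASURED_ROOTFS="yes" for the default arm64 kernel regardless of what the caller exported, which is only sound if the arm64 rootfs image consumed with this kernel is built with the matching measured-rootfs data; a comment such as `# unified kernel: measured rootfs is mandatory and must match the rootfs-image-confidential build` would make that coupling explicit. install_kernel() starts and ends outside this hunk.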
@@ -578,8 +578,11 @@ install_kata() {
 if [[ ${gpu_vendor} != "" ]]; then
 suffix="-${gpu_vendor}-gpu${suffix}"
 elif [[ ${conf_guest} != "" ]]; then
- # CCA on aarch64 uses -confidential suffix; x86_64/s390x unified kernel does not
- if [[ "${arch_target}" == "aarch64" ]]; then
+ # CCA kernel on aarch64 needs a -confidential suffix to coexist
+ # with the unified kernel; the regular kernel with -x does not
+ # get the suffix (matching x86_64/s390x unified kernel behavior).
+ # CCA builds are identified by -H (linux_headers) being set.
+ if [[ "${arch_target}" == "aarch64" ]] && [[ -n "${linux_headers}" ]]; then
 suffix="-${conf_guest}${suffix}"
 fi
 fi
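Review bot: Using `-n "${linux_headers}"` to decide that an aarch64 confidential build is the CCA one ties the installed kernel's file name to an option whose name suggests it is a generic headers path, not a CCA marker. If any non-CCA aarch64 confidential build is ever invoked with -H it will be installed under the `-${conf_guest}` suffix, and a CCA build invoked without -H will be installed under the unified kernel's name and overwrite it; since the runtime selects the kernel by file name, either mix-up is silent and a guest could boot the wrong kernel with no build-time error. An explicit signal is safer, e.g. have the CCA caller set a dedicated variable and test `[[ -n "${cca_kernel:-}" ]]` here instead of `linux_headers`, or at least guard the heuristic with a comment where -H is parsed so nobody repurposes it. install_kata() starts and ends outside this hunk.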