


Fabiano Fidêncio
d4a042a155 Merge pull request #12813 from fitzthum/bump-gc-ma-sigs
Bump guest components to pickup additional signature support
2026-04-10 23:57:19 +02:00
Fabiano Fidêncio
78fa4c88e2 Merge pull request #12814 from fidencio/topic/nvidia-always-do-vcpu-pinning
runtime: Set `enable_vcpus_pinning = true` for NVIDIA configs
2026-04-10 23:47:44 +02:00
Fabiano Fidêncio
7244389ad4 runtime: Set enable_vcpus_pinning = true for NVIDIA configs
So we can have a better performance by default.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-10 16:41:34 +02:00
Tobin Feldman-Fitzthum
ff26a6b876 versions: update image-rs to pickup signature fixes
The new version of image-rs supports more types of signed images. First,
we added support for a few more key types. Second, we added support
for multi-arch images where the manifest digest is signed but the
individual arch manifest is not. These images are relatively common, so
let's pickup the fix asap.

Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
2026-04-10 06:54:58 -07:00
Tobin Feldman-Fitzthum
2588a0e5a5 agent-ctl: bump image-rs version
I don't think agent-ctl will benefit from the new image-rs features, but
let's update it to be complete.

Signed-off-by: Tobin Feldman-Fitzthum <tfeldmanfitz@nvidia.com>
2026-04-10 06:52:53 -07:00
18 changed files with 1479 additions and 970 deletions


@@ -26,8 +26,8 @@ jobs:
target-branch: ${{ github.ref_name }}
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID2: ${{ secrets.AZ_APPID2 }}
AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}


@@ -21,9 +21,9 @@ jobs:
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID2: ${{ secrets.AZ_APPID2 }}
AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
ITA_KEY: ${{ secrets.ITA_KEY }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}


@@ -25,9 +25,9 @@ jobs:
extensive-matrix-autogenerated-policy: "yes"
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID2: ${{ secrets.AZ_APPID2 }}
AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
ITA_KEY: ${{ secrets.ITA_KEY }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}


@@ -44,9 +44,9 @@ jobs:
skip-test: ${{ needs.skipper.outputs.skip_test }}
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID2: ${{ secrets.AZ_APPID2 }}
AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
ITA_KEY: ${{ secrets.ITA_KEY }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}


@@ -19,11 +19,11 @@ on:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
AZ_APPID2:
AZ_APPID:
required: true
AZ_TENANT_ID2:
AZ_TENANT_ID:
required: true
AZ_SUBSCRIPTION_ID2:
AZ_SUBSCRIPTION_ID:
required: true
QUAY_DEPLOYER_PASSWORD:
required: true
@@ -120,9 +120,9 @@ jobs:
tarball-suffix: -${{ inputs.tag }}
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID2: ${{ secrets.AZ_APPID2 }}
AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
permissions:
contents: read
id-token: write


@@ -27,11 +27,11 @@ on:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
AZ_APPID2:
AZ_APPID:
required: true
AZ_TENANT_ID2:
AZ_TENANT_ID:
required: true
AZ_SUBSCRIPTION_ID2:
AZ_SUBSCRIPTION_ID:
required: true
CI_HKD_PATH:
required: true
@@ -242,9 +242,9 @@ jobs:
pr-number: ${{ inputs.pr-number }}
target-branch: ${{ inputs.target-branch }}
secrets:
AZ_APPID2: ${{ secrets.AZ_APPID2 }}
AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
run-k8s-tests-on-free-runner:
if: ${{ inputs.skip-test != 'yes' }}
@@ -309,9 +309,9 @@ jobs:
extensive-matrix-autogenerated-policy: ${{ inputs.extensive-matrix-autogenerated-policy }}
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID2: ${{ secrets.AZ_APPID2 }}
AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
ITA_KEY: ${{ secrets.ITA_KEY }}
run-k8s-tests-on-zvsi:


@@ -23,9 +23,9 @@ jobs:
- name: Log into Azure
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID2 }}
tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Install Python dependencies
run: |
@@ -35,6 +35,6 @@ jobs:
- name: Cleanup resources
env:
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
CLEANUP_AFTER_HOURS: 24 # Clean up resources created more than this many hours ago.
run: python3 tests/cleanup_resources.py


@@ -26,11 +26,11 @@ on:
default: ""
secrets:
AZ_APPID2:
AZ_APPID:
required: true
AZ_TENANT_ID2:
AZ_TENANT_ID:
required: true
AZ_SUBSCRIPTION_ID2:
AZ_SUBSCRIPTION_ID:
required: true
@@ -102,9 +102,9 @@ jobs:
- name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID2 }}
tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
@@ -142,9 +142,9 @@ jobs:
if: always()
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID2 }}
tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Delete AKS cluster
if: always()


@@ -26,11 +26,11 @@ on:
type: string
secrets:
AZ_APPID2:
AZ_APPID:
required: true
AZ_TENANT_ID2:
AZ_TENANT_ID:
required: true
AZ_SUBSCRIPTION_ID2:
AZ_SUBSCRIPTION_ID:
required: true
AUTHENTICATED_IMAGE_PASSWORD:
required: true
@@ -98,9 +98,9 @@ jobs:
- name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID2 }}
tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
@@ -150,9 +150,9 @@ jobs:
if: always()
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID2 }}
tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Delete AKS cluster
if: always()


@@ -31,11 +31,11 @@ on:
secrets:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
AZ_APPID2:
AZ_APPID:
required: true
AZ_TENANT_ID2:
AZ_TENANT_ID:
required: true
AZ_SUBSCRIPTION_ID2:
AZ_SUBSCRIPTION_ID:
required: true
ITA_KEY:
required: true


@@ -22,11 +22,11 @@ on:
type: string
default: ""
secrets:
AZ_APPID2:
AZ_APPID:
required: true
AZ_TENANT_ID2:
AZ_TENANT_ID:
required: true
AZ_SUBSCRIPTION_ID2:
AZ_SUBSCRIPTION_ID:
required: true
permissions: {}
@@ -77,9 +77,9 @@ jobs:
- name: Log into the Azure account
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID2 }}
tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Create AKS cluster
uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
@@ -112,9 +112,9 @@ jobs:
if: always()
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
with:
client-id: ${{ secrets.AZ_APPID2 }}
tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
client-id: ${{ secrets.AZ_APPID }}
tenant-id: ${{ secrets.AZ_TENANT_ID }}
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
- name: Delete AKS cluster
if: always()


@@ -506,6 +506,8 @@ ifneq (,$(QEMUCMD))
# Best practice for production is to set this to true
DEFSANDBOXCGROUPONLY_NV = true
DEFENABLEVCPUPINNING_NV = true
ifneq (,$(QEMUFW))
FIRMWAREPATH := $(PREFIXDEPS)/share/$(EDK2_NAME)/$(QEMUFW)
endif
@@ -679,6 +681,7 @@ USER_VARS += KERNELVERITYPARAMS_NV
USER_VARS += KERNELVERITYPARAMS_CONFIDENTIAL_NV
USER_VARS += DEFAULTTIMEOUT_NV
USER_VARS += DEFSANDBOXCGROUPONLY_NV
USER_VARS += DEFENABLEVCPUPINNING_NV
USER_VARS += DEFROOTFSTYPE
USER_VARS += MACHINETYPE
USER_VARS += KERNELDIR
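Review bot: `DEFENABLEVCPUPINNING_NV = true` is placed directly under `# Best practice for production is to set this to true`, a comment that belongs to `DEFSANDBOXCGROUPONLY_NV`, so a reader will take it as covering the new variable as well; give the new default its own line, e.g. `# Pin each vCPU thread to a fixed CPU by default on the NVIDIA configurations (performance); see enable_vcpus_pinning in the config templates`. The first hunk sits inside `ifneq (,$(QEMUCMD))`, whose start and end lie outside the hunk, while the templates that consume `@DEFENABLEVCPUPINNING_NV@` are substituted separately; if any of those templates is rendered on a path where this variable is not set, the placeholder would presumably expand to an empty value and leave `enable_vcpus_pinning = ` in the generated config, so it is worth confirming that every such template is only produced under this branch. The `USER_VARS += DEFENABLEVCPUPINNING_NV` line in the second hunk is consistent with the neighbouring `_NV` entries.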


@@ -645,7 +645,7 @@ disable_guest_seccomp = @DEFDISABLEGUESTSECCOMP@
# vCPUs pinning settings
# if enabled, each vCPU thread will be scheduled to a fixed CPU
# qualified condition: num(vCPU threads) == num(CPUs in sandbox's CPUSet)
enable_vcpus_pinning = false
enable_vcpus_pinning = @DEFENABLEVCPUPINNING_NV@
# Apply a custom SELinux security policy to the container process inside the VM.
# This is used when you want to apply a type other than the default `container_t`,
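Review bot: `enable_vcpus_pinning = @DEFENABLEVCPUPINNING_NV@` replaces a literal default with a build-time value, but the comment block above still only describes the option's semantics and now says nothing about what the shipped default is or why; the same applies to the two following template hunks (the sections ending at the `container_t` comment lines after the `-622,7` and `-624,7` headers). Add a line such as `# Enabled by default on the NVIDIA configurations (DEFENABLEVCPUPINNING_NV in the Makefile) for performance` — these appear to be the NVIDIA templates judging by the `_NV` suffix, though the file names are not visible here. With the default now `true`, the existing `# qualified condition: num(vCPU threads) == num(CPUs in sandbox's CPUSet)` line should also state what the runtime does when that condition is not met (fall back to unpinned, or refuse), since the behaviour is not visible in this hunk and operators will otherwise read `true` as a guarantee of pinning.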


@@ -622,7 +622,7 @@ disable_guest_seccomp = @DEFDISABLEGUESTSECCOMP@
# vCPUs pinning settings
# if enabled, each vCPU thread will be scheduled to a fixed CPU
# qualified condition: num(vCPU threads) == num(CPUs in sandbox's CPUSet)
enable_vcpus_pinning = false
enable_vcpus_pinning = @DEFENABLEVCPUPINNING_NV@
# Apply a custom SELinux security policy to the container process inside the VM.
# This is used when you want to apply a type other than the default `container_t`,


@@ -624,7 +624,7 @@ disable_guest_seccomp = @DEFDISABLEGUESTSECCOMP@
# vCPUs pinning settings
# if enabled, each vCPU thread will be scheduled to a fixed CPU
# qualified condition: num(vCPU threads) == num(CPUs in sandbox's CPUSet)
enable_vcpus_pinning = false
enable_vcpus_pinning = @DEFENABLEVCPUPINNING_NV@
# Apply a custom SELinux security policy to the container process inside the VM.
# This is used when you want to apply a type other than the default `container_t`,



@@ -41,7 +41,7 @@ serde = { version = "1.0.131", features = ["derive"] }
serde_json = "1.0.73"
# Image pull/unpack
image-rs = { git = "https://github.com/confidential-containers/guest-components", tag = "v0.18.0", features = [
image-rs = { git = "https://github.com/confidential-containers/guest-components", rev = "de3f6ff62aa736619b80d99dfca5bc3d2c9a799d", features = [
"oci-client-rustls",
"signature-cosign-rustls",
] }
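Review bot: The `image-rs` dependency now points at a bare `rev` with no indication of which release it relates to, whereas the replaced line carried `tag = "v0.18.0"`; anyone auditing the supply chain has to resolve the SHA by hand. Pinning a git dependency by full commit is the stronger choice (a tag can be moved, a commit hash cannot), so keep the `rev`, but add a comment above the line such as `# guest-components commit carrying the additional signature support (post-v0.18.0, presumably); keep in sync with coco-guest-components in versions.yaml and return to a release tag once one contains it`. The SHA matches the `coco-guest-components` version in the versions.yaml hunk on this page, and the diff suppressed as too large is presumably Cargo.lock — confirm it records the same commit rather than a stale checkout. The `agent-ctl` Cargo.toml named in the commit list is not visible here and should get the same comment.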


@@ -292,7 +292,7 @@ externals:
coco-guest-components:
description: "Provides attested key unwrapping for image decryption"
url: "https://github.com/confidential-containers/guest-components/"
version: "30b552e7841b10e656fa28cf643ed25b9d45e33f"
version: "de3f6ff62aa736619b80d99dfca5bc3d2c9a799d"
toolchain: "1.90.0"
coco-trustee:
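Review bot: `version:` moves to `de3f6ff62aa736619b80d99dfca5bc3d2c9a799d` while `toolchain: "1.90.0"` is left as it was; nothing in the hunk shows that the new guest-components commit still builds with that toolchain, so the pinned repository's own toolchain requirement should be checked before this merges (it may well be unchanged, but the hunk cannot show it). Quoting the full SHA and the toolchain as strings is the right form, since a SHA or version that happens to be all digits would otherwise be read as a number. The `description:` explains what the component is but not why the pin moved; a comment above `version:` such as `# de3f6ff…: additional signature support (more key types, multi-arch images whose manifest digest is signed)` would record the reason in the file rather than only in the commit message. The `coco-trustee:` entry that follows continues past the hunk.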