kata-containers / kata-containers

Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
Apache License 2.0

packaging: coco-guest-components: add TEE_PLATFORM arg #9817

Open huoqifeng opened 2 weeks ago

huoqifeng commented 2 weeks ago

export TEE_PLATFORM="xx" did not take effect

BbolroC commented 2 weeks ago

FYI: I was able to reach the following build step and got the artifacts successfully built:

$ make coco-guest-components-tarball TEE_PLATFORM=se
... build log ...

build attestation-agent for se
cd attestation-agent && make ttrpc=true ARCH=s390x LIBC=gnu ATTESTER=se-attester
make[1]: Entering directory '/home/ubuntu/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/builddir/guest-components/attestation-agent'
DEBIANOS is: true
make[1]: sudo: Command not found
cd attestation-agent &&  cargo build --release --no-default-features --features "coco_as,kbs bin,ttrpc se-attester,openssl" --bin ttrpc-aa --target s390x-unknown-linux-gnu

... build log ...

guest components built for se succeeded!
s390x/powerpc64le only supports gnu
install -D -m0755 target/s390x-unknown-linux-gnu/release/confidential-data-hub /home/ubuntu/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/destdir/usr/local/bin/confidential-data-hub
install -D -m0755 target/s390x-unknown-linux-gnu/release/attestation-agent /home/ubuntu/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/destdir/usr/local/bin/attestation-agent
install -D -m0755 target/s390x-unknown-linux-gnu/release/api-server-rest /home/ubuntu/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/destdir/usr/local/bin/api-server-rest
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/builddir
./
./usr/
./usr/local/
./usr/local/bin/
./usr/local/bin/api-server-rest
./usr/local/bin/confidential-data-hub
./usr/local/bin/attestation-agent
drwxr-xr-x ubuntu/ubuntu     0 2024-06-11 18:34 ./
drwxr-xr-x ubuntu/ubuntu     0 2024-06-11 18:34 ./usr/
drwxr-xr-x ubuntu/ubuntu     0 2024-06-11 18:34 ./usr/local/
drwxr-xr-x ubuntu/ubuntu     0 2024-06-11 18:56 ./usr/local/bin/
-rwxr-xr-x ubuntu/ubuntu 2491296 2024-06-11 18:56 ./usr/local/bin/api-server-rest
-rwxr-xr-x ubuntu/ubuntu 18105344 2024-06-11 18:56 ./usr/local/bin/confidential-data-hub
-rwxr-xr-x ubuntu/ubuntu 12820152 2024-06-11 18:56 ./usr/local/bin/attestation-agent
~/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build ~/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/destdir
~/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/destdir
make[1]: Leaving directory '/home/ubuntu/go/src/github.com/kata-containers/kata-containers'

with the following changes:

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
index 56864457e..39fdbd695 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@@ -113,6 +113,7 @@ docker run \
        --env ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD}" \
        --env TARGET_BRANCH="${TARGET_BRANCH}" \
        --env BUILDER_REGISTRY="${BUILDER_REGISTRY}" \
+       --env TEE_PLATFORM="${TEE_PLATFORM:-}" \
        --env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY}" \
        --env AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER}" \
        --env COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER}" \
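Review bot: the added `--env TEE_PLATFORM="${TEE_PLATFORM:-}"` line forwards the caller's value unchanged and exports an empty string when it is unset, which matches how the neighbouring `--env` lines behave, but nothing in this hunk tells the caller which values are accepted or checks the one supplied. Document the expected values (the build in this thread uses `se`) alongside the other builder options this script exposes; a mistyped value such as the `xx` from the opening comment will now be forwarded into the container verbatim, and whether it is rejected depends on the guest-components Makefile, not on this script.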
diff --git a/tools/packaging/static-build/coco-guest-components/build.sh b/tools/packaging/static-build/coco-guest-components/build.sh
index c68ccbdfa..ab82679c0 100755
--- a/tools/packaging/static-build/coco-guest-components/build.sh
+++ b/tools/packaging/static-build/coco-guest-components/build.sh
@@ -39,7 +39,7 @@ docker pull ${container_image} || \
         push_to_registry "${container_image}")

 # Temp settings until we have a matching TEE_PLATFORM
-TEE_PLATFORM=""
+TEE_PLATFORM="${TEE_PLATFORM:-}"
 RESOURCE_PROVIDER="kbs,sev"
 ATTESTER="none"
 # snp-attester and tdx-attester crates require packages only available on x86
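Review bot: the comment `# Temp settings until we have a matching TEE_PLATFORM` is stale after this change: TEE_PLATFORM is no longer a temporary hard-coded value but is read from the environment, while `RESOURCE_PROVIDER="kbs,sev"` and `ATTESTER="none"` below it remain fixed. Rewrite the comment to say that TEE_PLATFORM comes from the caller and that the other two are still hard-coded, and spell out how the two interact: the log earlier in this comment shows the guest-components build invoking `make ... ATTESTER=se-attester` even though this script exports `ATTESTER="none"`, so a reader cannot tell from the script which setting wins.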
@@ -48,7 +48,7 @@ ATTESTER="none"
 docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
        -w "${PWD}" \
        --env DESTDIR="${DESTDIR}" \
-       --env TEE_PLATFORM=${TEE_PLATFORM:+"all"} \
+       --env TEE_PLATFORM=${TEE_PLATFORM:-} \
        --env RESOURCE_PROVIDER=${RESOURCE_PROVIDER:-} \
        --env ATTESTER=${ATTESTER:-} \
        --env coco_guest_components_repo="${coco_guest_components_repo}" \
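Review bot: the replaced line changes semantics, not just the source of the value: `${TEE_PLATFORM:+"all"}` mapped any non-empty setting to the literal `all`, whereas `${TEE_PLATFORM:-}` forwards the caller's value verbatim, so `all` is now selected only when the caller sets it explicitly; say so in the commit message. Also, `--env TEE_PLATFORM=${TEE_PLATFORM:-}` is unquoted while `--env DESTDIR="${DESTDIR}"` two lines above is quoted, so a value containing whitespace would be word-split into separate docker arguments; prefer `--env TEE_PLATFORM="${TEE_PLATFORM:-}"`, the form already used in the first file of this diff.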
diff --git a/versions.yaml b/versions.yaml
index 4cf2a4d85..a5f6703d1 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -221,7 +221,7 @@ externals:
   coco-guest-components:
     description: "Provides attested key unwrapping for image decryption"
     url: "https://github.com/confidential-containers/guest-components/"
-    version: "adca2f94091d73c0b0c96a7789322a801c15811b"
+    version: "c543f208211aedd5fbecc5ddddf4c3200d0bbc00"
     toolchain: "1.76.0"

   coco-trustee:
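Review bot: the bump of `coco-guest-components` from `adca2f94091d73c0b0c96a7789322a801c15811b` to `c543f208211aedd5fbecc5ddddf4c3200d0bbc00` is a functional change bundled with the environment plumbing, and the PR title (`add TEE_PLATFORM arg`) does not mention it; either split it into its own commit or state in the commit message why this guest-components revision is needed (for example, whether the `se` build depends on it). Pinning by full commit hash rather than a tag is the right choice for a component that performs attested key unwrapping; `toolchain: "1.76.0"` is left unchanged, so confirm the new revision still builds with that toolchain on every supported architecture, since the log in this comment only covers s390x.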

huoqifeng commented 2 weeks ago

@BbolroC yes, the sh file is the minimal change required.

huoqifeng commented 1 week ago

@BbolroC @fidencio @wainersm may you help have a look at it?

huoqifeng commented 1 week ago

@fidencio may you help have a look at it?

fidencio commented 1 week ago

cc @stevenhorsman