packaging: coco-guest-components: add TEE_PLATFORM arg

[huoqifeng]

export TEE_PLATFORM="xx" did not take effect

[BbolroC]

FYI: I was able to reach the following build step and got the artifacts successfully built:

$ make coco-guest-components-tarball TEE_PLATFORM=se
... build log ...

build attestation-agent for se
cd attestation-agent && make ttrpc=true ARCH=s390x LIBC=gnu ATTESTER=se-attester
make[1]: Entering directory '/home/ubuntu/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/builddir/guest-components/attestation-agent'
DEBIANOS is: true
make[1]: sudo: Command not found
cd attestation-agent &&  cargo build --release --no-default-features --features "coco_as,kbs bin,ttrpc se-attester,openssl" --bin ttrpc-aa --target s390x-unknown-linux-gnu

... build log ...

guest components built for se succeeded!
s390x/powerpc64le only supports gnu
install -D -m0755 target/s390x-unknown-linux-gnu/release/confidential-data-hub /home/ubuntu/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/destdir/usr/local/bin/confidential-data-hub
install -D -m0755 target/s390x-unknown-linux-gnu/release/attestation-agent /home/ubuntu/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/destdir/usr/local/bin/attestation-agent
install -D -m0755 target/s390x-unknown-linux-gnu/release/api-server-rest /home/ubuntu/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/destdir/usr/local/bin/api-server-rest
/home/ubuntu/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/builddir
./
./usr/
./usr/local/
./usr/local/bin/
./usr/local/bin/api-server-rest
./usr/local/bin/confidential-data-hub
./usr/local/bin/attestation-agent
drwxr-xr-x ubuntu/ubuntu     0 2024-06-11 18:34 ./
drwxr-xr-x ubuntu/ubuntu     0 2024-06-11 18:34 ./usr/
drwxr-xr-x ubuntu/ubuntu     0 2024-06-11 18:34 ./usr/local/
drwxr-xr-x ubuntu/ubuntu     0 2024-06-11 18:56 ./usr/local/bin/
-rwxr-xr-x ubuntu/ubuntu 2491296 2024-06-11 18:56 ./usr/local/bin/api-server-rest
-rwxr-xr-x ubuntu/ubuntu 18105344 2024-06-11 18:56 ./usr/local/bin/confidential-data-hub
-rwxr-xr-x ubuntu/ubuntu 12820152 2024-06-11 18:56 ./usr/local/bin/attestation-agent
~/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build ~/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/destdir
~/go/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/coco-guest-components/destdir
make[1]: Leaving directory '/home/ubuntu/go/src/github.com/kata-containers/kata-containers'

with the following changes:

diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
index 56864457e..39fdbd695 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries-in-docker.sh
@@ -113,6 +113,7 @@ docker run \
        --env ARTEFACT_REGISTRY_PASSWORD="${ARTEFACT_REGISTRY_PASSWORD}" \
        --env TARGET_BRANCH="${TARGET_BRANCH}" \
        --env BUILDER_REGISTRY="${BUILDER_REGISTRY}" \
+       --env TEE_PLATFORM="${TEE_PLATFORM:-}" \
        --env PUSH_TO_REGISTRY="${PUSH_TO_REGISTRY}" \
        --env AGENT_CONTAINER_BUILDER="${AGENT_CONTAINER_BUILDER}" \
        --env COCO_GUEST_COMPONENTS_CONTAINER_BUILDER="${COCO_GUEST_COMPONENTS_CONTAINER_BUILDER}" \
diff --git a/tools/packaging/static-build/coco-guest-components/build.sh b/tools/packaging/static-build/coco-guest-components/build.sh
index c68ccbdfa..ab82679c0 100755
--- a/tools/packaging/static-build/coco-guest-components/build.sh
+++ b/tools/packaging/static-build/coco-guest-components/build.sh
@@ -39,7 +39,7 @@ docker pull ${container_image} || \
         push_to_registry "${container_image}")

 # Temp settings until we have a matching TEE_PLATFORM
-TEE_PLATFORM=""
+TEE_PLATFORM="${TEE_PLATFORM:-}"
 RESOURCE_PROVIDER="kbs,sev"
 ATTESTER="none"
 # snp-attester and tdx-attester crates require packages only available on x86
@@ -48,7 +48,7 @@ ATTESTER="none"
 docker run --rm -i -v "${repo_root_dir}:${repo_root_dir}" \
        -w "${PWD}" \
        --env DESTDIR="${DESTDIR}" \
-       --env TEE_PLATFORM=${TEE_PLATFORM:+"all"} \
+       --env TEE_PLATFORM=${TEE_PLATFORM:-} \
        --env RESOURCE_PROVIDER=${RESOURCE_PROVIDER:-} \
        --env ATTESTER=${ATTESTER:-} \
        --env coco_guest_components_repo="${coco_guest_components_repo}" \
diff --git a/versions.yaml b/versions.yaml
index 4cf2a4d85..a5f6703d1 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -221,7 +221,7 @@ externals:
   coco-guest-components:
     description: "Provides attested key unwrapping for image decryption"
     url: "https://github.com/confidential-containers/guest-components/"
-    version: "adca2f94091d73c0b0c96a7789322a801c15811b"
+    version: "c543f208211aedd5fbecc5ddddf4c3200d0bbc00"
     toolchain: "1.76.0"

   coco-trustee:

[huoqifeng]

@BbolroC yes, the sh file is the minimal change required.

[huoqifeng]

@BbolroC @fidencio @wainersm may you help have a look at it?

[huoqifeng]

@fidencio may you help have a look at it?

[fidencio]

cc @stevenhorsman

[stevenhorsman]

Hi @huoqifeng - when I originally wrote this I had to explicitly override the TEE_PLATFORM to blank (and instead specify the KBC_PROVIDER and ATTESTER fields) as all forced the tss to be build into for the vTPM attesters and that wasn't required, or working. I was told there were plans to create a separate TEE_PLATFORM that didn't bring on there dependencies, but I don't think that has been done (or is under ALL).

Have things changes in guest-components where we expect this to work now?

[huoqifeng]

@stevenhorsman I want bring the option TEE_PLATFORM=se when build guest components.

[stevenhorsman]

Ok, could you achieve this with setting ${TEE_PLATFORM:+all} (so if it isn't set it won't be overridden. Similarly I assume you want RESOURCE_PROVIDER="${RESOURCE_PROVIDER:+kbs,sev}", so that if you set TEE_PLATFORM=se then this isn't run?

The alternative without using TEE_PLATFORM is to set RESOURCE_PROVIDER=se for secure execution?

[BbolroC]

@stevenhorsman I was wondering if the following is what you wanted to achieve:

$ echo $SHELL
/bin/bash
$ TEE_PLATFORM=se
$ TEE_PLATFORM=${TEE_PLATFORM:+all}
$ echo $TEE_PLATFORM
all
$ unset TEE_PLATFORM
$ TEE_PLATFORM=${TEE_PLATFORM:+all}
$ echo $TEE_PLATFORM

So, ${TEE_PLATFORM:+all} wouldn't be able to achieve what @huoqifeng wants to do, I guess. If TEE_PLATFORM is set to all, we cannot build a binary due to a compilation error on s390x.

[stevenhorsman]

Hmm, it looks like that operator doesn't work in the way I was expecting. Back to the drawing board I guess...

[stevenhorsman]

Maybe we just set TEE_PLATFORM=${TEE_PLATFORM:-} and don't worry about the defaulting to all if unset (which clearly doesn't work anyway!)?

[BbolroC]

Oh, I can see se-attester is not included in all-attesters: https://github.com/confidential-containers/guest-components/blob/dd2984d6c8bbb30205bbbff67cbb4c95c516224f/attestation-agent/attestation-agent/Cargo.toml#L61 So I am fine with either TEE_PLATFORM=${TEE_PLATFORM:-} or TEE_PLATFORM=${TEE_PLATFORM:-all}. 😉

@huoqifeng I think https://github.com/confidential-containers/guest-components/blob/dd2984d6c8bbb30205bbbff67cbb4c95c516224f/README.md?plain=1#L38 should be updated to reflect the current Cargo.toml for AA.

[huoqifeng]

Yes, let me open a PR to do this -- there is a problem to build some other attesters on s390x although it should ne OK to build IBM SE attester on x86. I think build all attester on x86 is our case.

[huoqifeng]

confidential-containers/guest-components#590 created