From 2ca390757a86f7de98e93f342c229b2077d30847 Mon Sep 17 00:00:00 2001
From: Magnus Kulke
Date: Thu, 13 Jun 2024 13:07:42 +0200
Subject: [PATCH] guest-components: Bump guest-components dependency

There has been a change in build flags in the way attestation-agent is built. cc_kbc is now always enabled as part of the `coco-as` and `kbs` features. a new `ATTESTER` Makefile flag has been introduced to pick the attesters that should be included in the attestation-agent build. By default all attesters are being built, which won't build ootb, since it's missing dependencies (e.g. sgx libraries) For peerpods only a limited set of attesters actually make sense and usually you'd want to define it at build time for a given TEE architecture (e.g. azure vtpm or ibm se attester modules), so we default to `ATTESTER=sample` in most cases. The `AA_KBC` param is now only used for templating the `aa-kbc-params` value in the podvm's static kata-agent config.

Signed-off-by: Magnus Kulke
---
 .github/workflows/azure-podvm-image-build.yml | 2 +-
 .github/workflows/podvm_binaries.yaml | 2 +-
 src/cloud-api-adaptor/Makefile | 3 ++-
 src/cloud-api-adaptor/azure/build-image.md | 2 +-
 src/cloud-api-adaptor/docker/image/Makefile | 4 ++--
 src/cloud-api-adaptor/podvm-mkosi/Makefile | 8 ++++----
 src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries | 6 ++++--
 .../podvm/Dockerfile.podvm_binaries.fedora | 6 ++++--
 .../podvm/Dockerfile.podvm_binaries.rhel | 6 ++++--
 src/cloud-api-adaptor/podvm/Makefile.inc | 5 +++--
 src/cloud-api-adaptor/test/e2e/README.md | 4 ++--
 src/cloud-api-adaptor/versions.yaml | 2 +-
 12 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/azure-podvm-image-build.yml b/.github/workflows/azure-podvm-image-build.yml
index 51c706a4eb..48a7146764 100644
--- a/.github/workflows/azure-podvm-image-build.yml
+++ b/.github/workflows/azure-podvm-image-build.yml
@@ -108,7 +108,7 @@ jobs:
 - name: Build binaries
 run: make binaries \
-AA_KBC="cc_kbc_az_snp_vtpm,cc_kbc_az_tdx_vtpm" \
+ATTESTER="az_snp_vtpm_attester,az_tdx_vtpm_attester" \
 LIBC=gnu
 - uses: azure/login@v1
diff --git a/.github/workflows/podvm_binaries.yaml b/.github/workflows/podvm_binaries.yaml
index fad4a927fb..fe2000eea9 100644
--- a/.github/workflows/podvm_binaries.yaml
+++ b/.github/workflows/podvm_binaries.yaml
@@ -71,7 +71,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and push
-run: AA_KBC=cc_kbc make podvm-binaries
+run: make podvm-binaries
 env:
 PUSH: true
 REGISTRY: ${{ inputs.registry }}
diff --git a/src/cloud-api-adaptor/Makefile b/src/cloud-api-adaptor/Makefile
index d7ab442c99..73a5004b45 100644
--- a/src/cloud-api-adaptor/Makefile
+++ b/src/cloud-api-adaptor/Makefile
@@ -18,6 +18,7 @@ BINARIES := cloud-api-adaptor agent-protocol-forwarder process-user-data
 SOURCEDIRS := ./cmd ./pkg
 PACKAGES := $(shell go list $(addsuffix /...,$(SOURCEDIRS)))
 SOURCES := $(shell find $(SOURCEDIRS) -name '*.go' -print)
+ATTESTER ?= none
 # End-to-end tests overall run timeout.
 TEST_E2E_TIMEOUT ?= 60m
@@ -193,7 +194,7 @@ podvm-binaries:
 --build-arg BUILDER_IMG=$(PODVM_BUILDER_IMAGE) \
 --build-arg PODVM_DISTRO=$(PODVM_DISTRO) \
 --build-arg ARCH=$(ARCH) \
---build-arg AA_KBC=$(AA_KBC) \
+--build-arg ATTESTER=$(ATTESTER) \
 $(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
 $(DOCKER_OPTS) .
 rm -rf .git
diff --git a/src/cloud-api-adaptor/azure/build-image.md b/src/cloud-api-adaptor/azure/build-image.md
index 354019b756..ed1b975afd 100644
--- a/src/cloud-api-adaptor/azure/build-image.md
+++ b/src/cloud-api-adaptor/azure/build-image.md
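Review bot: The attester list added to the `run:` step spells the feature names with underscores, `ATTESTER="az_snp_vtpm_attester,az_tdx_vtpm_attester"`, while the same commit's `azure/build-image.md` exports `ATTESTER="az-snp-vtpm-attester,az-tdx-vtpm-attester"` with hyphens. Cargo matches feature names literally, so at most one of the two spellings can resolve in the attestation-agent build, and the other will fail (or silently build without the vTPM attesters, depending on how the guest-components Makefile consumes the list); whichever form that Makefile accepts should be used in both places. The `make binaries \` invocation this line belongs to starts inside the hunk but the enclosing job continues past its last visible line.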
@@ -110,7 +110,7 @@ export PKR_VAR_az_gallery_image_version="0.0.1"
 export PKR_VAR_offer=0001-com-ubuntu-confidential-vm-jammy
 export PKR_VAR_sku=22_04-lts-cvm
-export AA_KBC="cc_kbc_az_snp_vtpm"
+export ATTESTER="az-snp-vtpm-attester,az-tdx-vtpm-attester"
 export LIBC=gnu
 export CLOUD_PROVIDER=azure
 PODVM_DISTRO=ubuntu make image
diff --git a/src/cloud-api-adaptor/docker/image/Makefile b/src/cloud-api-adaptor/docker/image/Makefile
index 80a4ccae4b..fe8b0123f4 100644
--- a/src/cloud-api-adaptor/docker/image/Makefile
+++ b/src/cloud-api-adaptor/docker/image/Makefile
@@ -1,8 +1,8 @@
-AA_KBC ?= offline_fs_kbc
 ARCH ?= $(subst x86_64,amd64,$(shell uname -m))
 BUILDER = ubuntu-binaries-builder-$(ARCH)
 PODVM_IMG ?= quay.io/confidential-containers/podvm-docker-image
 AGENT_POLICY = no
+ATTESTER ?= none
 .DEFAULT_GOAL := all
 .PHONY: all
@@ -35,7 +35,7 @@ binaries:
 cp -rf ../../../../.git ../../../.git
 docker buildx build \
 --build-arg BUILDER_IMG=$(BUILDER) \
---build-arg AA_KBC=$(AA_KBC) \
+--build-arg ATTESTER=$(ATTESTER) \
 $(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
 -o type=local,dest="./resources/binaries-tree" \
 -f ../../podvm/Dockerfile.podvm_binaries ../../../
diff --git a/src/cloud-api-adaptor/podvm-mkosi/Makefile b/src/cloud-api-adaptor/podvm-mkosi/Makefile
index 4fddc5eb4d..b5fc3f0d33 100644
--- a/src/cloud-api-adaptor/podvm-mkosi/Makefile
+++ b/src/cloud-api-adaptor/podvm-mkosi/Makefile
@@ -1,8 +1,8 @@
 include ../Makefile.defaults
-AA_KBC ?= cc_kbc
-ARCH ?= $(subst x86_64,amd64,$(shell uname -m))
-BUILDER = fedora-binaries-builder-$(ARCH)
+ATTESTER ?= none
+ARCH ?= $(subst x86_64,amd64,$(shell uname -m))
+BUILDER = fedora-binaries-builder-$(ARCH)
 REGISTRY ?= quay.io/confidential-containers
 PODVM_DISTRO ?= fedora
@@ -43,7 +43,7 @@ binaries:
 cp -rf ../../../.git ../../.git
 docker buildx build \
 --build-arg BUILDER_IMG=$(BUILDER) \
---build-arg AA_KBC=$(AA_KBC) \
+--build-arg ATTESTER=$(ATTESTER) \
 $(if $(DEFAULT_AGENT_POLICY_FILE),--build-arg DEFAULT_AGENT_POLICY_FILE=$(DEFAULT_AGENT_POLICY_FILE),) \
 -o type=local,dest="./resources/binaries-tree" \
 -f ../podvm/Dockerfile.podvm_binaries.fedora ../../
diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries
index 0432bfa96e..158cfad6c8 100644
--- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries
+++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries
@@ -12,7 +12,9 @@ ARG CLOUD_PROVIDER
 ARG PODVM_DISTRO=ubuntu
 ARG GUEST_COMPONENTS_VERSION
 ARG GUEST_COMPONENTS_REPO
-ARG AA_KBC="cc_kbc"
+# By default AA will be built with the `all-attesters` feature,
+# which doesn't compile ootb on ubuntu.
+ARG ATTESTER=none
 # If not provided, uses system architecture
 ARG ARCH
 #This is the name of the policy file under
@@ -23,7 +25,7 @@ ENV CLOUD_PROVIDER ${CLOUD_PROVIDER}
 ENV PODVM_DISTRO ${PODVM_DISTRO}
 ENV GUEST_COMPONENTS_VERSION ${GUEST_COMPONENTS_VERSION}
 ENV GUEST_COMPONENTS_REPO ${GUEST_COMPONENTS_REPO}
-ENV AA_KBC ${AA_KBC}
+ENV ATTESTER ${ATTESTER}
 ENV ARCH ${ARCH}
 ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}
diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora
index 15ffe85cb6..09c02f0398 100644
--- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora
+++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.fedora
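Review bot: The comment added above `ARG ATTESTER=none` describes upstream attestation-agent's default rather than the value this Dockerfile actually sets, so a reader skimming it may conclude this image builds `all-attesters`; the same wording is repeated in `Dockerfile.podvm_binaries.fedora` and `Dockerfile.podvm_binaries.rhel`, differing only in the distro name. Suggest one shared phrasing such as `# Upstream AA defaults to the all-attesters feature, which doesn't build ootb on <distro>; we default to none and expect the caller to pass the attester(s) for the target TEE via --build-arg ATTESTER=...`. Keeping the three comments identical apart from the distro also makes them easier to find and update together.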
@@ -12,7 +12,9 @@ ARG CLOUD_PROVIDER
 ARG PODVM_DISTRO=rhel
 ARG GUEST_COMPONENTS_VERSION
 ARG GUEST_COMPONENTS_REPO
-ARG AA_KBC="cc_kbc"
+# By default AA will be built with the `all-attesters` feature,
+# which doesn't compile on fedora.
+ARG ATTESTER=none
 # If not provided, uses system architecture
 ARG ARCH
 #This is the name of the policy file under
@@ -23,7 +25,7 @@ ENV CLOUD_PROVIDER ${CLOUD_PROVIDER}
 ENV PODVM_DISTRO ${PODVM_DISTRO}
 ENV GUEST_COMPONENTS_VERSION ${GUEST_COMPONENTS_VERSION}
 ENV GUEST_COMPONENTS_REPO ${GUEST_COMPONENTS_REPO}
-ENV AA_KBC ${AA_KBC}
+ENV ATTESTER ${ATTESTER}
 ENV ARCH ${ARCH}
 ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}
diff --git a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel
index 2ead5ea5fe..3c8285cfcf 100644
--- a/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel
+++ b/src/cloud-api-adaptor/podvm/Dockerfile.podvm_binaries.rhel
@@ -9,7 +9,9 @@ ARG BUILDER_IMG
 FROM ${BUILDER_IMG} AS podvm_builder
 ARG PODVM_DISTRO=rhel
-ARG AA_KBC="cc_kbc"
+# By default AA will be built with the `all-attesters` feature,
+# which doesn't compile ootb on RHEL.
+ARG ATTESTER=none
 # If not provided, uses system architecture
 ARG ARCH
 #This is the name of the policy file under
@@ -17,7 +19,7 @@ ARG ARCH
 ARG DEFAULT_AGENT_POLICY_FILE=allow-all.rego
 ENV PODVM_DISTRO ${PODVM_DISTRO}
-ENV AA_KBC ${AA_KBC}
+ENV ATTESTER ${ATTESTER}
 ENV ARCH ${ARCH}
 ENV DEFAULT_AGENT_POLICY_FILE ${DEFAULT_AGENT_POLICY_FILE}
diff --git a/src/cloud-api-adaptor/podvm/Makefile.inc b/src/cloud-api-adaptor/podvm/Makefile.inc
index 5773fa8b9c..12ec831b63 100644
--- a/src/cloud-api-adaptor/podvm/Makefile.inc
+++ b/src/cloud-api-adaptor/podvm/Makefile.inc
@@ -23,12 +23,13 @@ ARCH := $(or $(ARCH),$(HOST_ARCH))
 # Normalise x86_64 / amd64 for input ARCH
 ARCH := $(subst amd64,x86_64,$(ARCH))
 DEB_ARCH := $(subst x86_64,amd64,$(ARCH))
-AA_KBC ?= cc_kbc
+AA_KBC ?= offline_fs_kbc
 KBC_URI ?= null
 LIBC ?= $(if $(filter $(ARCH),s390x ppc64le),gnu,musl)
 RUST_ARCH ?= $(subst ppc64le,powerpc64le,$(ARCH))
 RUST_TARGET := $(RUST_ARCH)-unknown-linux-$(LIBC)
+ATTESTER ?= none
 CDH_RESOURCE_PROVIDER ?= kbs
 SEALED_SECRET ?= yes
@@ -169,7 +170,7 @@ $(GUEST_COMPONENTS_SRC):
 $(call git_clone_repo_ref,$(GUEST_COMPONENTS_REPO),$(GUEST_COMPONENTS_SRC),$(GUEST_COMPONENTS_VERSION))
 $(ATTESTATION_AGENT): $(FORCE_TARGET) | $(GUEST_COMPONENTS_SRC)
-cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) KBC="$(AA_KBC)" ttrpc=true LIBC="$(LIBC)"
+cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) ATTESTER=$(ATTESTER) ttrpc=true LIBC="$(LIBC)"
 mkdir -p "$(@D)"
 install --compare "$(GUEST_COMPONENTS_SRC)/target/$(RUST_TARGET)/release/attestation-agent" "$@"
diff --git a/src/cloud-api-adaptor/test/e2e/README.md b/src/cloud-api-adaptor/test/e2e/README.md
index d5d4c45fef..4cdf07b274 100644
--- a/src/cloud-api-adaptor/test/e2e/README.md
+++ b/src/cloud-api-adaptor/test/e2e/README.md
@@ -64,10 +64,10 @@ popd
 popd
 ```
-We need build and use the PodVM image with `AA_KBC=cc_kbc` enabled, for example:
+We need build and use the PodVM image:
 ```
 pushd ${cloud-api-adaptor}
-AA_KBC=cc_kbc make podvm-builder podvm-binaries podvm-image
+make podvm-builder podvm-binaries podvm-image
 popd
 ```
 Then extract the PodVM image and use it following [extracting-the-qcow2-image](../../podvm/README.md#extracting-the-qcow2-image)
diff --git a/src/cloud-api-adaptor/versions.yaml b/src/cloud-api-adaptor/versions.yaml
index 14f62e1cc2..7692b8bd2d 100644
--- a/src/cloud-api-adaptor/versions.yaml
+++ b/src/cloud-api-adaptor/versions.yaml
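Review bot: The default for `AA_KBC` is flipped from `cc_kbc` to `offline_fs_kbc` on the changed line, and the commit message says this value is still templated into the podvm's kata-agent config as `aa-kbc-params`; the e2e README in this same commit also drops its explicit `AA_KBC=cc_kbc`, so a podvm built with defaults will now be configured for the offline file-based KBC rather than a KBS-backed one. If the e2e setup expects the guest to obtain secrets through KBS after attestation, either the README and harness should keep passing `AA_KBC=cc_kbc`, or this hunk should leave `cc_kbc` as the default. Separately, `ATTESTER ?= none` is introduced here and in `Makefile`, `docker/image/Makefile` and `podvm-mkosi/Makefile`, while the commit message states the default is `ATTESTER=sample`; one of the two should be corrected, and whether the attestation-agent Makefile accepts `none` as "build no attester" is not visible in this diff and worth confirming before merge.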
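Review bot: `ATTESTER=$(ATTESTER)` is handed to the recursive `$(MAKE)` unquoted, while the neighbouring `LIBC="$(LIBC)"` and the removed `KBC="$(AA_KBC)"` are quoted; the value is a user-supplied, comma-separated list that reaches this recipe from the command line or environment, so quoting it the same way keeps a value containing whitespace from being split into separate make arguments: `cd "$(GUEST_COMPONENTS_SRC)/attestation-agent" && CC= ARCH=$(ARCH) $(MAKE) ATTESTER="$(ATTESTER)" ttrpc=true LIBC="$(LIBC)"`. The rest of the `$(ATTESTATION_AGENT)` rule (`mkdir -p`, `install --compare`) is unchanged and fully visible in the hunk.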
@@ -28,7 +28,7 @@ tools:
 git:
 guest-components:
 url: https://github.com/confidential-containers/guest-components
-reference: 277617af60c32661819c1132ffbf3db8dc6e1b9f
+reference: 9bcc7c1addcbad1e249a6d870d9df68f2824254b
 kata-containers:
 url: https://github.com/kata-containers/kata-containers
 reference: 59ff40f05484da2a462fa44f18fe95e7c8484546