Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

podvm-mkosi: Install libtdx-attest #2294

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

podvm-mkosi: Install libtdx-attest #2294

wants to merge 1 commit into from

Conversation

fidencio
Copy link
Member

Although not required by all the CSPs, libtdx-attest should be present in the images for the cases where TPMs are not used.

The rpm provided comes from Intel's way of providing this to RPM based distros, which is a tar'd repo file present in:
https://download.01.org/intel-sgx/latest/linux-latest/distro/centos-stream9/

@fidencio
podvm-mkosi: Install libtdx-attest
781c20e 
Although not required by all the CSPs, libtdx-attest should be present
in the images for the cases where TPMs are not used.

The rpm provided comes from Intel's way of providing this to RPM based
distros, which is a tar'd repo file present in:
https://download.01.org/intel-sgx/latest/linux-latest/distro/centos-stream9/

Signed-off-by: Fabiano Fidêncio <[email protected]>
@fidencio fidencio requested a review from a team as a code owner February 11, 2025 19:24
@fidencio fidencio requested a review from mkulke February 12, 2025 09:22
mkulke
mkulke reviewed Feb 12, 2025
View reviewed changes
Copy link
Collaborator

@mkulke mkulke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that's a great, least-intrusive way to include the package. Can we download the RPM in the Makefile instead of committing it into the repo?

@fidencio
Copy link
Member Author

I think that's a great, least-intrusive way to include the package. Can we download the RPM in the Makefile instead of committing it into the repo?

I'd say we could, but I'm not sure if I'd prefer doing that, though.
I don't fully trust Intel when it comes to Intel's abilities to packaging something, and / or not screwing up with already existent packages.

@stevenhorsman
Copy link
Member

As I thought it might - this breaks the s390x mkosi image build: https://github.com/confidential-containers/cloud-api-adaptor/actions/runs/13282665508/job/37084284158, so I guess we need some way to guard the architecture?

@mkulke
Copy link
Collaborator

mkulke commented Feb 12, 2025

I think that's a great, least-intrusive way to include the package. Can we download the RPM in the Makefile instead of committing it into the repo?

I'd say we could, but I'm not sure if I'd prefer doing that, though. I don't fully trust Intel when it comes to Intel's abilities to packaging something, and / or not screwing up with already existent packages.

We will also regularly have to bump fedora versions, and the package might stop working, so a binary blob in the repo might still cause build failures. Can we have a src.rpm and build that as part of the build process? If this is not possible and we have to include a binary blob from an unknown provenance, I would suggest to guard this behind an opt-in feature toggle in the Makefile.

@bpradipt
Copy link
Member

I think that's a great, least-intrusive way to include the package. Can we download the RPM in the Makefile instead of committing it into the repo?

I'd say we could, but I'm not sure if I'd prefer doing that, though. I don't fully trust Intel when it comes to Intel's abilities to packaging something, and / or not screwing up with already existent packages.

We will also regularly have to bump fedora versions, and the package might stop working, so a binary blob in the repo might still cause build failures. Can we have a src.rpm and build that as part of the build process? If this is not possible and we have to include a binary blob from an unknown provenance, I would suggest to guard this behind an opt-in feature toggle in the Makefile.

@fidencio can we install it from the fedora copr repo for the time being ?

@fidencio
Copy link
Member Author

@fidencio can we install it from the fedora copr repo for the time being ?

This will make things a little bit more complicated, but I can revisit this path.

@wainersm
Copy link
Member

Hi @fidencio !

What if publish the rpm either on quay.io or ghcr.io as an oras image? We could even have a workflow to pull from intel and push to the registry to ease updates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkulke mkulke mkulke left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
test_e2e_docker test_e2e_libvirt Run Libvirt e2e tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@fidencio @stevenhorsman @mkulke @bpradipt @wainersm