install-helper: Add DCAP support for coco-as deployments

Not using ITA is also an option for Intel TDX machines, and when not using ITA we can rely on DCAP and the CoCo AS to deal with the attestation. For this case, the changes here is what's needed. Signed-off-by: Fabiano Fidêncio <[email protected]>
openshift · Jan 10, 2025 · a83e8ff · a83e8ff
1 parent ddec700
commit a83e8ff
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 18 deletions.
diff --git a/scripts/install-helpers/README.md b/scripts/install-helpers/README.md
@@ -59,7 +59,7 @@ You can edit the `resource-policy` configMap and set `default allow = true`.
 Create the TDX configmap
 
 ```sh
-oc apply -f tdx-cm.yaml
+oc apply -f tdx-coco-as-cm.yaml
 ```
 
 Update the KbsConfig CR

diff --git a/scripts/install-helpers/install.sh b/scripts/install-helpers/install.sh
@@ -5,7 +5,11 @@ OCP_PULL_SECRET_LOCATION="${OCP_PULL_SECRET_LOCATION:-$HOME/pull-secret.json}"
 MIRRORING=false
 ADD_IMAGE_PULL_SECRET=false
 GA_RELEASE=true
+TDX=${TDX:-false}
 ITA_KEY="${ITA_KEY:-}"
+if [ -n "$ITA_KEY" ]; then
+	TDX=true
+fi
 DEFAULT_IMAGE=quay.io/openshift_sandboxed_containers/kbs:v0.10.1
 if [ -n "$ITA_KEY" ]; then
     DEFAULT_IMAGE+="-ita"
@@ -129,13 +133,21 @@ function create_trustee_artefacts() {
     local kbs_cm="kbs-cm.yaml"
     local rvps_cm="rvps-cm.yaml"
     local resource_policy_cm="resource-policy-cm.yaml"
+    local tdx_coco_as_cm=""
     local config="kbsconfig.yaml"
-    if [ -n "$ITA_KEY" ]; then
-        kbs_cm="tdx-ita-$kbs_cm"
-        resource_policy_cm="tdx-ita-$resource_policy_cm"
-        config="tdx-ita-$config"
-
-        sed -i -e "s/tBfd5kKX2x9ahbodKV1.../${ITA_KEY}/g" $kbs_cm
+    if [ "$TDX" = "true" ]; then
+        if [ -n "$ITA_KEY" ]; then
+            kbs_cm="tdx-ita-$kbs_cm"
+            resource_policy_cm="tdx-ita-$resource_policy_cm"
+            config="tdx-ita-$config"
+
+            sed -i -e "s/tBfd5kKX2x9ahbodKV1.../${ITA_KEY}/g" $kbs_cm
+	else
+            tdx_coco_as_cm="tdx-coco-as-cm.yaml"
+
+            sed -i -e "s/\# tdxConfigSpec/tdxConfigSpec/g" $config
+            sed -i -e "s/\#   kbsTdxConfigMapName/    kbsTdxConfigMapName/g" $config
+        fi
     fi
 
     # Create secret
@@ -169,6 +181,11 @@ function create_trustee_artefacts() {
         echo "Secret kbsres1 already exists, skipping creation"
     fi
 
+    # Create TDX configmap
+    if [ -n "$tdx_coco_as_cm" ]; then
+        oc apply -f "$tdx_coco_as_cm" || return 1
+    fi
+
     # Create KBSConfig
     oc apply -f "$config" || return 1
 
@@ -272,6 +289,9 @@ function display_help() {
     echo "# Install the GA operator with ITA support"
     echo " ITA_KEY="tBfd5kKX2x9ahbodKV1..." ./install.sh"
     echo " "
+    echo "# Install the GA operator with DCAP support"
+    echo " TDX=true ./install.sh"
+    echo " "
     echo "# Install the GA operator with image mirroring"
     echo " ./install.sh -m"
     echo " "

diff --git a/scripts/install-helpers/tdx-cm.yaml b/scripts/install-helpers/tdx-cm.yaml
diff --git a/scripts/install-helpers/tdx-coco-as-cm.yaml b/scripts/install-helpers/tdx-coco-as-cm.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tdx-config
+  namespace: trustee-operator-system
+data:
+  sgx_default_qcnl.conf: |
+    {
+      "pccs_url": "https://pccs-service.intel-dcap:8042/sgx/certification/v4/",
+      "use_secure_cert": false,
+      "retry_times": 6,
+      "retry_delay": 10,
+      "pck_cache_expire_hours": 168,
+      "verify_collateral_cache_expire_hours": 168,
+      "local_cache_only": false
+    }