From a83e8ffa524824b3db8ac1916b9a444120de007f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Fri, 10 Jan 2025 11:23:16 +0100
Subject: [PATCH] install-helper: Add DCAP support for coco-as deployments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Not using ITA is also an option for Intel TDX machines, and when not using ITA we can rely on DCAP and the CoCo AS to deal with the attestation.

For this case, the changes here is what's needed.

Signed-off-by: Fabiano FidĂȘncio
---
 scripts/install-helpers/README.md | 2 +-
 scripts/install-helpers/install.sh | 32 +++++++++++++++++----
 scripts/install-helpers/tdx-cm.yaml | 11 -------
 scripts/install-helpers/tdx-coco-as-cm.yaml | 16 +++++++++++
 4 files changed, 43 insertions(+), 18 deletions(-)
 delete mode 100644 scripts/install-helpers/tdx-cm.yaml
 create mode 100644 scripts/install-helpers/tdx-coco-as-cm.yaml

diff --git a/scripts/install-helpers/README.md b/scripts/install-helpers/README.md
index d003168..eaaa3b4 100644
--- a/scripts/install-helpers/README.md
+++ b/scripts/install-helpers/README.md
@@ -59,7 +59,7 @@ You can edit the `resource-policy` configMap and set `default allow = true`.
 Create the TDX configmap
 ```sh
-oc apply -f tdx-cm.yaml
+oc apply -f tdx-coco-as-cm.yaml
 ```
 Update the KbsConfig CR
diff --git a/scripts/install-helpers/install.sh b/scripts/install-helpers/install.sh
index eede365..d7b6b7e 100755
--- a/scripts/install-helpers/install.sh
+++ b/scripts/install-helpers/install.sh
@@ -5,7 +5,11 @@ OCP_PULL_SECRET_LOCATION="${OCP_PULL_SECRET_LOCATION:-$HOME/pull-secret.json}"
 MIRRORING=false
 ADD_IMAGE_PULL_SECRET=false
 GA_RELEASE=true
+TDX=${TDX:-false}
 ITA_KEY="${ITA_KEY:-}"
+if [ -n "$ITA_KEY" ]; then
+ TDX=true
+fi
 DEFAULT_IMAGE=quay.io/openshift_sandboxed_containers/kbs:v0.10.1
 if [ -n "$ITA_KEY" ]; then
 DEFAULT_IMAGE+="-ita"
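Review bot: `TDX=${TDX:-false}` accepts any string, while the rest of the script (the create_trustee_artefacts hunk below) keys off an exact `[ "$TDX" = "true" ]` comparison, so an operator who sets `TDX=1` or `TDX=True` silently gets the non-TDX install with no message. Validating the value right after the ITA_KEY override, e.g. `case "$TDX" in true|false) ;; *) echo "TDX must be 'true' or 'false', got '$TDX'" >&2; exit 1 ;; esac`, would surface that at startup instead of at the end of a misconfigured deployment. A short comment on the new line, `# TDX=true selects DCAP attestation via CoCo AS; ITA_KEY implies TDX=true and selects the ITA variant instead`, would also tie the two knobs together for the reader. The DEFAULT_IMAGE handling continues past the end of this hunk.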
@@ -129,13 +133,21 @@ function create_trustee_artefacts() {
 local kbs_cm="kbs-cm.yaml"
 local rvps_cm="rvps-cm.yaml"
 local resource_policy_cm="resource-policy-cm.yaml"
+ local tdx_coco_as_cm=""
 local config="kbsconfig.yaml"
- if [ -n "$ITA_KEY" ]; then
- kbs_cm="tdx-ita-$kbs_cm"
- resource_policy_cm="tdx-ita-$resource_policy_cm"
- config="tdx-ita-$config"
-
- sed -i -e "s/tBfd5kKX2x9ahbodKV1.../${ITA_KEY}/g" $kbs_cm
+ if [ "$TDX" = "true" ]; then
+ if [ -n "$ITA_KEY" ]; then
+ kbs_cm="tdx-ita-$kbs_cm"
+ resource_policy_cm="tdx-ita-$resource_policy_cm"
+ config="tdx-ita-$config"
+
+ sed -i -e "s/tBfd5kKX2x9ahbodKV1.../${ITA_KEY}/g" $kbs_cm
+ else
+ tdx_coco_as_cm="tdx-coco-as-cm.yaml"
+
+ sed -i -e "s/\# tdxConfigSpec/tdxConfigSpec/g" $config
+ sed -i -e "s/\# kbsTdxConfigMapName/ kbsTdxConfigMapName/g" $config
+ fi
 fi
 # Create secret
@@ -169,6 +181,11 @@ function create_trustee_artefacts() {
 echo "Secret kbsres1 already exists, skipping creation"
 fi
+ # Create TDX configmap
+ if [ -n "$tdx_coco_as_cm" ]; then
+ oc apply -f "$tdx_coco_as_cm" || return 1
+ fi
+
 # Create KBSConfig
 oc apply -f "$config" || return 1
@@ -272,6 +289,9 @@ function display_help() {
 echo "# Install the GA operator with ITA support"
 echo " ITA_KEY="tBfd5kKX2x9ahbodKV1..." ./install.sh"
 echo " "
+ echo "# Install the GA operator with DCAP support"
+ echo " TDX=true ./install.sh"
+ echo " "
 echo "# Install the GA operator with image mirroring"
 echo " ./install.sh -m"
 echo " "
diff --git a/scripts/install-helpers/tdx-cm.yaml b/scripts/install-helpers/tdx-cm.yaml
deleted file mode 100644
index f5919aa..0000000
--- a/scripts/install-helpers/tdx-cm.yaml
+++ /dev/null
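Review bot: The two new `sed -i` calls in the `else` branch rewrite `$config` in place without checking that anything was actually uncommented, so a kbsconfig.yaml template whose `# tdxConfigSpec` / `# kbsTdxConfigMapName` placeholders have drifted or been renamed is applied silently as a non-TDX KbsConfig while the TDX configmap is still created. A post-condition that is also safe on re-runs (where the placeholders are already uncommented) would catch that: `grep -q '^[[:space:]]*tdxConfigSpec' "$config" || { echo "kbsconfig.yaml has no tdxConfigSpec section" >&2; return 1; }`, assuming the key ends up at the start of its line as the substitution implies. The operand should also be quoted, `"$config"`, as it already is on the `oc apply -f "$config"` line in the next hunk. Note that, like the pre-existing ITA `sed`, these edits mutate the tracked file in the checkout rather than a copy; the function body continues outside this hunk.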
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: tdx-config
- namespace: trustee-operator-system
-data:
- sgx_default_qcnl.conf: | \
- {
- "collateral_service": "https://api.trustedservices.intel.com/sgx/certification/v4/",
- "pccs_url": "https://api.trustedservices.intel.com/sgx/certification/v4/"
- }
\ No newline at end of file
diff --git a/scripts/install-helpers/tdx-coco-as-cm.yaml b/scripts/install-helpers/tdx-coco-as-cm.yaml
new file mode 100644
index 0000000..961c94e
--- /dev/null
+++ b/scripts/install-helpers/tdx-coco-as-cm.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: tdx-config
+ namespace: trustee-operator-system
+data:
+ sgx_default_qcnl.conf: |
+ {
+ "pccs_url": "https://pccs-service.intel-dcap:8042/sgx/certification/v4/",
+ "use_secure_cert": false,
+ "retry_times": 6,
+ "retry_delay": 10,
+ "pck_cache_expire_hours": 168,
+ "verify_collateral_cache_expire_hours": 168,
+ "local_cache_only": false
+ }
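Review bot: `"use_secure_cert": false` in the new sgx_default_qcnl.conf disables TLS certificate verification for the PCCS at `https://pccs-service.intel-dcap:8042`, and nothing in the file records why that is acceptable here. Presumably the in-cluster PCCS serves a self-signed certificate; as far as I know the PCK certificates and TCB/QE-identity collateral fetched through it carry Intel's own signatures, so this weakens the transport rather than the collateral itself, but that reasoning belongs next to the setting. A YAML comment above the `sgx_default_qcnl.conf:` key, such as `# use_secure_cert=false: the in-cluster PCCS uses a self-signed cert (TODO confirm); collateral integrity still rests on Intel's signatures, revisit if PCCS is fronted with a trusted cert`, would make the trade-off explicit. The comment has to live in the YAML, not inside the block scalar, since the scalar is consumed as JSON.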