[launcher] update base cos image to 125 (google#629)

jkl73 · web-flow · commit 5e29741f5acb · 2026-01-22T11:12:42.000-08:00
Change rtmr interface to sysfs.
diff --git a/cel/canonical_eventlog.go b/cel/canonical_eventlog.go
@@ -139,9 +139,7 @@ func generateDigestMap(hashAlgos []crypto.Hash, event Content) (map[crypto.Hash]
 	return digestsMap, nil
 }
 
-// AppendEventRTMR appends a new RTMR record to the CEL. rtmrIndex indicates the RTMR to extend.
-// The index showing up in the record will be rtmrIndex + 1.
-func (c *CEL) AppendEventRTMR(client configfsi.Client, rtmrIndex int, event Content) error {
+func (c *CEL) appendEventRTMR(rtmrIndex int, event Content, extendFunc func([]byte) error) error {
 	digestsMap, err := generateDigestMap([]crypto.Hash{crypto.SHA384}, event)
 	if err != nil {
 		return err
@@ -152,8 +150,7 @@ func (c *CEL) AppendEventRTMR(client configfsi.Client, rtmrIndex int, event Cont
 		return err
 	}
 
-	err = rtmr.ExtendDigestClient(client, rtmrIndex, digestsMap[crypto.SHA384])
-	if err != nil {
+	if err := extendFunc(digestsMap[crypto.SHA384]); err != nil {
 		return err
 	}
 
@@ -169,9 +166,28 @@ func (c *CEL) AppendEventRTMR(client configfsi.Client, rtmrIndex int, event Cont
 	return nil
 }
 
+// AppendEventRTMRSysfs appends a new RTMR record to the CEL. rtmrIndex indicates the RTMR to extend.
+// The index showing up in the record will be rtmrIndex + 1.
+// This function uses thesysfs interface to extend the RTMR.
+func (c *CEL) AppendEventRTMRSysfs(rtmrIndex int, event Content) error {
+	return c.appendEventRTMR(rtmrIndex, event, func(digest []byte) error {
+		return rtmr.ExtendDigestSysfs(rtmrIndex, digest)
+	})
+}
+
+// AppendEventRTMR appends a new RTMR record to the CEL. rtmrIndex indicates the RTMR to extend.
+// The index showing up in the record will be rtmrIndex + 1.
+// This function uses the configfs interface to extend the RTMR.
+// Use AppendEventRTMRSysfs as the sysfs interface is available in later kernels.
+func (c *CEL) AppendEventRTMR(client configfsi.Client, rtmrIndex int, event Content) error {
+	return c.appendEventRTMR(rtmrIndex, event, func(digest []byte) error {
+		return rtmr.ExtendDigestClient(client, rtmrIndex, digest)
+	})
+}
+
 // AppendEvent appends a new PCR record to the CEL.
 //
-// Deprecated: Use AppendEventPCR or AppendEventRTMR directly.
+// Deprecated: Use AppendEventPCR or AppendEventRTMRSysfs/AppendEventRTMR directly.
 func (c *CEL) AppendEvent(tpm io.ReadWriteCloser, pcr int, event Content) error {
 	return c.AppendEventPCR(tpm, pcr, event)
 }
diff --git a/launcher/agent/agent.go b/launcher/agent/agent.go
@@ -325,7 +325,7 @@ func (t *tdxAttestRoot) GetCEL() *cel.CEL {
 }
 
 func (t *tdxAttestRoot) Extend(c cel.Content) error {
-	return t.cosCel.AppendEventRTMR(t.tsmClient, cel.CosRTMR, c)
+	return t.cosCel.AppendEventRTMRSysfs(cel.CosRTMR, c)
 }
 
 func (t *tdxAttestRoot) Attest(nonce []byte) (any, error) {
diff --git a/launcher/cloudbuild.yaml b/launcher/cloudbuild.yaml
@@ -1,7 +1,7 @@
 substitutions:
   '_BASE_IMAGE': '' # If left empty, will use the latest image in _BASE_IMAGE_FAMILY of _BASE_IMAGE_PROJECT
-  '_BASE_IMAGE_FAMILY': 'cos-tdx-113-lts'
-  '_BASE_IMAGE_PROJECT': 'confidential-vm-images'
+  '_BASE_IMAGE_FAMILY': 'cos-125-lts'
+  '_BASE_IMAGE_PROJECT': 'cos-cloud'
   '_OUTPUT_IMAGE_PREFIX': 'confidential-space'
   '_OUTPUT_IMAGE_SUFFIX': ''
   '_OUTPUT_IMAGE_FAMILY': ''

Original file line number	Diff line number	Diff line change
`@@ -325,7 +325,7 @@ func (t tdxAttestRoot) GetCEL() cel.CEL {`
`325`	`325`	`}`
`326`	`326`
`327`	`327`	`func (t *tdxAttestRoot) Extend(c cel.Content) error {`
`328`		`- return t.cosCel.AppendEventRTMR(t.tsmClient, cel.CosRTMR, c)`
	`328`	`+ return t.cosCel.AppendEventRTMRSysfs(cel.CosRTMR, c)`
`329`	`329`	`}`
`330`	`330`
`331`	`331`	`func (t *tdxAttestRoot) Attest(nonce []byte) (any, error) {`