Build kubevirt container disk

configs/remote-ign/pin-trustee.bu

@@ -1,5 +1,5 @@
 variant: fcos
-version: 1.7.0-experimental
+version: 1.6.0
 storage:
   luks:
     - name: root

containerfiles/trustee.container

@@ -11,7 +11,7 @@ RUN dnf install -y perl clang make git \
     && dnf clean all
 
 RUN cd /usr/src/ && \
-    git clone https://github.com/trusted-execution-clusters/trustee.git && \
+    git clone https://github.com/confidential-containers/trustee.git && \
     cd trustee && git checkout ${COMMIT}
 
 RUN cd /usr/src/trustee/kbs && \

coreos/Containerfile

@@ -1,7 +1,7 @@
 ARG BASE
-FROM quay.io/trusted-execution-clusters/trustee-attester:2025-11-12 as kbc
+FROM quay.io/trusted-execution-clusters/trustee-attester:fedora-b13fd8a as kbc
 FROM quay.io/trusted-execution-clusters/clevis-pin-trustee as clevis
-FROM quay.io/trusted-execution-clusters/ignition:attestation as ignition
+FROM ghcr.io/trusted-execution-clusters/ignition:20260112-85608d6 as ignition
 FROM $BASE
 
 COPY ./usr /usr

coreos/Containerfile.cd

@@ -0,0 +1,4 @@
+FROM scratch
+ARG IMAGE
+
+COPY $IMAGE /disk/disk.img

coreos/justfile

@@ -12,27 +12,64 @@ scos_os:= "rhcos"
 fcos_label:= "fedora-coreos"
 scos_label:= "centos-stream-coreos"
 
+fcos_config:= "https://github.com/coreos/fedora-coreos-config"
+scos_config:= "https://github.com/coreos/rhel-coreos-config.git"
+
 base := if os == "scos" { scos_base_img } else { fcos_base_img }
 image := if os == "scos" { scos_img } else { fcos_img }
 os_name := if os == "scos" { scos_os } else { fcos_os }
 label := if os == "scos" { scos_label } else { fcos_label }
 archive := os + ".ociarchive"
 
+config := if os == "scos" { scos_config } else { fcos_config }
+full_name := if os == "scos" { "centos-stream-coreos" } else { "fedora-coreos" }
+
 build:
     sudo podman build --no-cache --build-arg BASE={{base}} --build-arg COM_COREOS_OSNAME={{label}} -t {{image}} -f Containerfile .
 
 oci-archive:
     sudo skopeo copy containers-storage:{{image}} oci-archive:{{archive}}
 
-osbuild-qemu:
-    #!/bin/bash
-    set -xeuo pipefail
+# Reusable cosa function definition
+cosa_function := '''
+    #!/usr/bin/env bash
+    cosa() {
+        env | grep COREOS_ASSEMBLER || true
+
+        # Default container image
+        COREOS_ASSEMBLER_CONTAINER_LATEST="quay.io/coreos-assembler/coreos-assembler:latest"
+        sudo podman pull $COREOS_ASSEMBLER_CONTAINER_LATEST
+
+        set -ex
+        sudo podman run --rm -ti --security-opt=label=disable --privileged -u 0 \
+				--network host \
+            -v=${PWD}:/srv/ --device=/dev/kvm --device=/dev/fuse \
+            --tmpfs=/tmp -v=/var/tmp:/var/tmp --name=cosa \
+            ${COREOS_ASSEMBLER_CONFIG_GIT:+-v=$COREOS_ASSEMBLER_CONFIG_GIT:/srv/src/config/:ro} \
+            ${COREOS_ASSEMBLER_GIT:+-v=$COREOS_ASSEMBLER_GIT/src/:/usr/lib/coreos-assembler/:ro} \
+            ${COREOS_ASSEMBLER_ADD_CERTS:+-v=/etc/pki/ca-trust:/etc/pki/ca-trust:ro} \
+            ${COREOS_ASSEMBLER_CONTAINER_RUNTIME_ARGS} \
+            ${COREOS_ASSEMBLER_CONTAINER:-$COREOS_ASSEMBLER_CONTAINER_LATEST} "$@"
+    }
+'''
+
+init:
+    #!/usr/bin/env bash
+    {{cosa_function}}
+    mkdir -p cache
+    cp {{archive}} cache/{{archive}}
+    cd cache
+    cosa init --force {{config}}
+    cosa import oci-archive:/srv/{{archive}}
 
-    TMPDIR=$(mktemp -d)
-    git clone --depth 1 https://github.com/coreos/custom-coreos-disk-images ${TMPDIR}
+build-qemu:
+    #!/usr/bin/env bash
+    {{cosa_function}}
+    cd cache
+    cosa osbuild qemu
 
-    sudo -E ${TMPDIR}/custom-coreos-disk-images.sh --platform qemu \
-        --ociarchive {{archive}} \
-        --osname {{os_name}}
-    rm -rf "$TMPDIR"
-    sudo chown $USER:$USER {{os}}-qemu.x86_64.qcow2
+kubevirt:
+    #!/usr/bin/env bash
+    {{cosa_function}}
+    cd cache
+    cosa osbuild kubevirt

scripts/populate-local-kbs.sh

@@ -41,7 +41,6 @@ default executables := 33
 
 tpm_pcrs_valid if {
   input.tpm.pcr04 in data.reference.tpm_pcr4
-  input.tpm.pcr07 in data.reference.tpm_pcr7
   input.tpm.pcr14 in data.reference.tpm_pcr14
 }