From 2bc43905ad85fbb7d204401857ffc88b161fd0e9 Mon Sep 17 00:00:00 2001
From: Jiale Zhang
Date: Tue, 3 Feb 2026 17:13:19 +0800
Subject: [PATCH 1/2] Enable encrypted local fs kbs backend of RPM and image
Signed-off-by: Jiale Zhang
---
 Dockerfile.kbs | 3 ++-
 dist/Makefile | 2 +-
 kbs/Makefile | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/Dockerfile.kbs b/Dockerfile.kbs
index 5ec4185c..9bdd4e90 100644
--- a/Dockerfile.kbs
+++ b/Dockerfile.kbs
@@ -15,6 +15,7 @@ ARG ARCH=x86_64
 ARG HTTPS_CRYPTO=rustls
 ARG ALIYUN=true
 ARG TPM_PCA_PLUGIN=true
+ARG ENCRYPTED_LOCAL_FS=true
 WORKDIR /usr/src/kbs
 COPY . .
@@ -29,7 +30,7 @@ RUN if [ -n "$CARGO_JOBS" ]; then \
 fi
 # Build and Install KBS
-RUN cd kbs && make AS_FEATURE=coco-as-grpc ALIYUN=${ALIYUN} TPM_PCA_PLUGIN=${TPM_PCA_PLUGIN} && \
+RUN cd kbs && make AS_FEATURE=coco-as-grpc ALIYUN=${ALIYUN} TPM_PCA_PLUGIN=${TPM_PCA_PLUGIN} ENCRYPTED_LOCAL_FS=${ENCRYPTED_LOCAL_FS} && \
 make install-kbs
 FROM ${BASE_IMAGE}
diff --git a/dist/Makefile b/dist/Makefile
index 353c7847..66ca9880 100644
--- a/dist/Makefile
+++ b/dist/Makefile
@@ -41,7 +41,7 @@ build:
 cd ../trustee-gateway && \
 CGO_ENABLED=1 GOOS=linux go build -mod vendor -a -installsuffix cgo -ldflags="-s -w" -o gateway cmd/server/main.go && \
 cd ..
- cargo build -p kbs --locked --release --no-default-features --features coco-as-grpc,aliyun,tpm-pca
+ cargo build -p kbs --locked --release --no-default-features --features coco-as-grpc,aliyun,tpm-pca,encrypted-local-fs
 cargo build --bin restful-as --release --features restful-bin --locked
 cargo build --bin grpc-as --release --features grpc-bin --locked
 cargo build --bin rvps --release
diff --git a/kbs/Makefile b/kbs/Makefile
index c6534ac2..02a35cf7 100644
--- a/kbs/Makefile
+++ b/kbs/Makefile
@@ -2,7 +2,7 @@ AS_TYPE ?= coco-as
 ALIYUN ?= false
 NEBULA_CA_PLUGIN ?= false
 TPM_PCA_PLUGIN ?= false
-ENCRYPTED_LOCAL_FS ?= false
+ENCRYPTED_LOCAL_FS ?= true
 BUILD_ARCH := $(shell uname -m)
 ARCH ?= $(shell uname -m)
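Review bot: In Dockerfile.kbs, the second hunk hands the new build argument to make unquoted and unvalidated, `ENCRYPTED_LOCAL_FS=${ENCRYPTED_LOCAL_FS}`, so an empty or mistyped `--build-arg` still produces an image. A variable given on the make command line overrides the `?=` default in kbs/Makefile, so a value other than the one that Makefile tests for (the test is outside this patch) would presumably leave the backend out without any error. I would quote the expansion and reject unexpected values before the build, for example `RUN case "${ENCRYPTED_LOCAL_FS}" in true|false) ;; *) echo "ENCRYPTED_LOCAL_FS must be true or false" >&2; exit 1 ;; esac`. The existing `ALIYUN` and `TPM_PCA_PLUGIN` arguments follow the same unquoted pattern and could be tightened together.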
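Review bot: In dist/Makefile, `encrypted-local-fs` is appended to a feature list written literally in the `build:` recipe, so the packaged KBS gets the backend with no switch, while the image build goes through the `ENCRYPTED_LOCAL_FS` knob in kbs/Makefile. Two separately maintained feature sets can drift, and it becomes harder to tell which resource backends a given artefact contains. I would lift the list into a variable near the top of the file, `KBS_FEATURES ?= coco-as-grpc,aliyun,tpm-pca,encrypted-local-fs`, and use `--features $(KBS_FEATURES)` in the recipe. The `build:` recipe starts above the hunk and continues below it.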
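Review bot: In kbs/Makefile, changing `ENCRYPTED_LOCAL_FS ?= false` to `true` alters every build that runs make in kbs/ without setting the variable, not only the RPM and image named in the subject. Neither of those appears to need it: Dockerfile.kbs now passes the value explicitly and the dist/Makefile recipe names its features directly. It also makes this the only plugin knob in the visible block that is opt-out, next to `ALIYUN`, `NEBULA_CA_PLUGIN` and `TPM_PCA_PLUGIN`, which stay `false`. I would keep `ENCRYPTED_LOCAL_FS ?= false` here, or, if the wider default is intended, say so on the line above: `# Built in by default; pass ENCRYPTED_LOCAL_FS=false to leave the encrypted local fs backend out`.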
From b882c04e9aed2a15294b64e7ec5e28240f1d4ad0 Mon Sep 17 00:00:00 2001
From: Jiale Zhang
Date: Tue, 3 Feb 2026 17:52:45 +0800
Subject: [PATCH 2/2] Update RPM spec to v1.8.1
Signed-off-by: Jiale Zhang
---
 rpm/trustee.spec | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rpm/trustee.spec b/rpm/trustee.spec
index e8ae03dc..4e7dd154 100644
--- a/rpm/trustee.spec
+++ b/rpm/trustee.spec
@@ -4,7 +4,7 @@
 %global __brp_mangle_shebangs %{nil}
 Name: trustee
-Version: 1.8.0
+Version: 1.8.1
 Release: %{alinux_release}%{?dist}
 Summary: Daemon services for attestation and secret distribution
 Group: Applications/System
@@ -148,6 +148,11 @@ fi
 /var/lib/attestation/token/ear/policies/opa/default.rego
 %changelog
+* Tue Feb 3 2026 Jiale Zhang -1.8.1-1
+- KBS: add external KMS resource backend with dynamic .so provider loading
+- KBS: enable encrypted local fs backend by default in build options
+- Docs: update resource backend configuration for ExternalKms
+
 * Mon Jan 26 2026 Jiale Zhang -1.8.0-1
 - Add OIDC token support for attestation-service by @jinzihao
 - trustee-gateway: add eas_pod_name to audit structure by @jialez0