External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2024-10-02 11:35:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: Add TDShim to the Intel TDX documentation

Browse Source 
Adding a bit of documentation and links about the TDShim and how to run
it with Cloud Hypervisor.

Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
This commit is contained in:
Sebastien Boeuf 2022-02-09 11:43:29 +01:00 committed by Rob Bradford
parent 5e19422fcf
commit 072114d7c5
1 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
docs/intel_tdx.md
View File

@ -15,14 +15,20 @@ the guest side can be found in the [Guest TDX tree](https://github.com/intel/tdx
The TDVF firmware can be found in the The TDVF firmware can be found in the
[EDK2 staging project](https://github.com/tianocore/edk2-staging/tree/TDVF). [EDK2 staging project](https://github.com/tianocore/edk2-staging/tree/TDVF).
The TDShim firmware can be found in the
[Confidential Containers project](https://github.com/confidential-containers/td-shim).
## Cloud Hypervisor support ## Cloud Hypervisor support
First, you must be running on a machine with TDX enabled in hardware, and First, you must be running on a machine with TDX enabled in hardware, and
with the host OS compiled from the [KVM TDX tree](https://github.com/intel/tdx/tree/kvm). with the host OS compiled from the [KVM TDX tree](https://github.com/intel/tdx/tree/kvm).
Cloud Hypervisor can run TDX VM (Trust Domain) by loading the TDVF firmware, Cloud Hypervisor can run TDX VM (Trust Domain) by loading a TD firmware,
which will then load the guest kernel from the image. The image must be custom which will then load the guest kernel from the image. The image must be custom
as it must include a kernel built from the [Guest TDX tree](https://github.com/intel/tdx/tree/guest). as it must include a kernel built from the [Guest TDX tree](https://github.com/intel/tdx/tree/guest).
### TDVF
The firmware can be built as follows: The firmware can be built as follows:
```bash ```bash
@ -73,3 +79,26 @@ guest kernel command line contains `console=ttyS0`):
--serial tty \ --serial tty \
--console off --console off
``` ```
### TDShim
This is a lightweight version of the TDVF, written in Rust and designed for
direct kernel boot, which is useful for containers use cases.
You can find the instructions for building the firmware directly from the
project [documentation](https://github.com/confidential-containers/td-shim/tree/staging#how-to-build).
And run a TDX VM by providing the firmware previously built, along with a guest
kernel built from the [Guest TDX tree](https://github.com/intel/tdx/tree/guest).
The appropriate kernel boot options must be provided through the `--cmdline`
option as well.
```bash
./cloud-hypervisor \
--tdx firmware=tdshim \
--kernel bzImage \
--cmdline "root=/dev/vda1 console=hvc0 rw tdx_allow_acpi=MCFG"
--cpus boot=1 \
--memory size=1G \
--disk path=tdx_guest_img
```