External/cloud-hypervisor
1
0
Fork 0
mirror of https://github.com/cloud-hypervisor/cloud-hypervisor.git synced 2024-11-05 11:31:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
db06c31305
cloud-hypervisor/docs/intel_tdx.md
Sebastien Boeuf 072114d7c5 docs: Add TDShim to the Intel TDX documentation 
Adding a bit of documentation and links about the TDShim and how to run
it with Cloud Hypervisor.

Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com>
2022-02-09 13:50:45 +00:00

3.4 KiB
Raw Blame History

Intel TDX

Intel® Trust Domain Extensions (Intel® TDX) is an Intel technology designed to isolate virtual machines from the VMM, hypervisor and any other software on the host platform.

For more information about TDX technical aspects, design and specification please refer to the TDX Homepage.

The required Linux changes for the host side can be found in the KVM TDX tree while the changes for the guest side can be found in the Guest TDX tree.

The TDVF firmware can be found in the EDK2 staging project.

The TDShim firmware can be found in the Confidential Containers project.

Cloud Hypervisor support

First, you must be running on a machine with TDX enabled in hardware, and with the host OS compiled from the KVM TDX tree.

Cloud Hypervisor can run TDX VM (Trust Domain) by loading a TD firmware, which will then load the guest kernel from the image. The image must be custom as it must include a kernel built from the Guest TDX tree.

TDVF

The firmware can be built as follows:

git clone https://github.com/tianocore/edk2-staging.git
cd edk2-staging
git checkout origin/TDVF
git submodule update --init --recursive
make -C BaseTools
source ./edksetup.sh
build -p OvmfPkg/OvmfCh.dsc -a X64 -t GCC5 -b RELEASE

If debug logs are needed, here is the alternative command:

build -p OvmfPkg/OvmfCh.dsc -a X64 -t GCC5 -D DEBUG_ON_SERIAL_PORT=TRUE

On the Cloud Hypervisor side, all you need is to build the project with the tdx feature enabled:

cargo build --features tdx

And run a TDX VM by providing the firmware previously built, along with the guest image containing the TDX enlightened kernel. Assuming the guest kernel command line contains console=hvc0 (printing to the virtio-console device), run Cloud Hypervisor as follows:

./cloud-hypervisor \
    --tdx firmware=edk2-staging/Build/OvmfCh/RELEASE_GCC5/FV/OVMF.fd \
    --cpus boot=1 \
    --memory size=1G \
    --disk path=tdx_guest_img

And here is the alternative command when looking for debug logs (assuming the guest kernel command line contains console=ttyS0):

./cloud-hypervisor \
    --tdx firmware=edk2-staging/Build/OvmfCh/DEBUG_GCC5/FV/OVMF.fd \
    --cpus boot=1 \
    --memory size=1G \
    --disk path=tdx_guest_img \
    --serial tty \
    --console off

TDShim

This is a lightweight version of the TDVF, written in Rust and designed for direct kernel boot, which is useful for containers use cases.

You can find the instructions for building the firmware directly from the project documentation.

And run a TDX VM by providing the firmware previously built, along with a guest kernel built from the Guest TDX tree. The appropriate kernel boot options must be provided through the --cmdline option as well.

./cloud-hypervisor \
    --tdx firmware=tdshim \
    --kernel bzImage \
    --cmdline "root=/dev/vda1 console=hvc0 rw tdx_allow_acpi=MCFG"
    --cpus boot=1 \
    --memory size=1G \
    --disk path=tdx_guest_img