Intel® TDX is a confidential computing technology which deploys hardware-isolated, Virtual Machines (VMs) called Trust Domains (TDs). It protects TD VMs from a broad range of software attacks by isolating them from the Virtual-Machine Manager (VMM), hypervisor and other non-TD software on the host platform. As a result, it enhances a platform user’s control of data security and IP protection. Also, it enhances the Cloud Service Providers’ (CSP) ability to provide managed cloud services without exposing tenant data to adversaries. For more information see the Intel TDX overview.
This tech preview of TDX on Ubuntu 23.10 provides base host and guest functionalities. Follow these instructions to setup the TDX host, create a TD guest, and boot it.
Please submit an issue here and we'll get back to you ASAP.
This release supports 4th Generation Intel® Xeon® Scalable Processors with Intel® TDX and all 5th Generation Intel® Xeon® Scalable Processors.
In this section, you will install a generic Ubuntu 23.10 server, install necessary packages to turn the host into a TDX host, and enable TDX settings in the BIOS.
- Download and install Ubuntu 23.10 server on the host machine.
NOTE: Although rare, the installer may hang during its bootup on some systems, which is caused by a kernel graphics driver issue. The workaround is to add the nomodeset parameter to the kernel command-line. Follow these steps:
- At the
GRUBboot menu, presse - Add
nomodesetto linux line, like the example below:
linux /casper/vmlinuz nomodeset ---- Press
Ctrl-xto continue the boot process - After installation is complete, reboot, use
nomodesetagain, like the example below:
linux /boot/vmlinuz-6.5.0-10-generic nomodeset root=UUID=c5605a23-05ae-4d9d-b65f-e47ba48b7560 ro- Step #3 below will automatically add
nomodesetto the GRUB config so that no additional intervention is needed
- Clone this repo to get scripts that will be used throughout this README.
git clone https://github.com/canonical/tdx.git- Run the script.
cd tdx
sudo ./setup-tdx-host.sh- Reboot.
- Go into the host's BIOS.
NOTE: The following is a sample BIOS configuration. It may vary slightly from one manufacturer to another.
-
Go to
Socket Configuration > Processor Configuration > TME, TME-MT, TDX.* Set `Memory Encryption (TME)` to `Enabled` * Set `Total Memory Encryption Bypass` to `Enabled` (Optional: for best host and non-TDVM performance.) * Set `Total Memory Encryption Multi-Tenant (TME-MT)` to `Enabled` * Set `TME-MT memory integrity` to `Disabled` * Set `Trust Domain Extension (TDX)` to `Enabled` * Set `TDX Secure Arbitration Mode Loader (SEAM Loader)` to `Enabled`. (NOTE: This allows loading SEAMLDR and TDX module from the ESP or BIOS.) * Set `TME-MT/TDX key split` to a non-zero value -
Go to
Socket Configuration > Processor Configuration > Software Guard Extension (SGX).* Set `SW Guard Extensions (SGX)` to `Enabled` -
Save the BIOS settings and boot up.
- Verify that TDX is enabled using the
dmesgcommand.
sudo dmesg | grep -i tdxExample output:
...
[ 5.300843] tdx: BIOS enabled: private KeyID range [16, 32)
[ 15.960876] tdx: TDX module: attributes 0x0, vendor_id 0x8086, major_version 1, minor_version 5, build_date 20230323, build_num 481
[ 15.960879] tdx: CMR: [0x100000, 0x77800000)
[ 15.960881] tdx: CMR: [0x100000000, 0x407a000000)
[ 15.960882] tdx: CMR: [0x4080000000, 0x807c000000)
[ 15.960883] tdx: CMR: [0x8080000000, 0xc07c000000)
[ 15.960884] tdx: CMR: [0xc080000000, 0x1007c000000)
[ 18.149996] tdx: 4202516 KBs allocated for PAMT.
[ 18.150000] tdx: module initialized.
...In this section, you will create an Ubuntu 23.10-based TD guest from scratch or convert an existing non-TD guest into one. This can be performed on any Ubuntu 22.04 or newer system and a TDX-specific environment is not required.
The base image is an Ubuntu 23.10 cloud image ubuntu-23.10-server-cloudimg-amd64.img. You can be customized your preferences by setting these two environment variables before running the script:
export OFFICIAL_UBUNTU_IMAGE="https://cloud-images.ubuntu.com/releases/mantic/release/"
export CLOUD_IMG="ubuntu-23.10-server-cloudimg-amd64.img"- Generate a TD guest image.
cd tdx/guest-tools/image/
sudo ./create-td-image.shThe produced TD guest image is tdx-guest-ubuntu-23.10.qcow2.
The root password is set to 123456.
If you have an existing Ubuntu 23.10 non-TD guest, you can enable the TDX feature by following these steps.
-
Boot up your guest.
-
Clone this repo.
git clone https://github.com/canonical/tdx.git- Run the script.
cd tdx
sudo ./setup-tdx-guest.sh- Shutdown the guest.
Now that you have a TD guest image, let’s boot it. There are two ways to boot it:
- Boot using QEMU
- Boot using virsh
- Boot TD Guest with the provided script.
NOTE: It is recommended that you run the script as a non-root user. To do this, add the current user to the kvm group:
sudo usermod -aG kvm $USERClose the current shell and open a new one to apply this group settings.
cd tdx/guest-tools
TD_IMG=<path_to_td_qcow2_image> ./run_td.sh- Configure the libvirt.
NOTE: It is recommended that you run virsh as a non-root user. To do that, please apply these settings to /etc/libvirt/qemu.conf.
user = <your_user_name>
group = <your_group>
dynamic_ownership = 0- Restart the
libvirtdservice
systemctl restart libvirtd- Boot TD guest with libvirt
cd tdx/guest-tools
TD_IMG=<path_to_td_qcow2_image> ./run_td_virsh.sh- Log into the guest.
NOTE: The example below uses the credentials for a TD guest created from scratch. If you converted your own guest, please use your original credentials.
# From localhost
ssh -p 10022 root@localhost
# From remote host
ssh -p 10022 root@<host_ip>- Verify TDX is enabled in the guest.
sudo dmesg | grep -i tdxExample output:
[ 0.000000] tdx: Guest detected
[ 0.000000] DMI: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.05-2+tdx1.0~ubuntu23.10.1 10/17/2023
[ 0.395218] process: using TDX aware idle routine
[ 0.395218] Memory Encryption Features active: Intel TDX- Verify the
tdx_guestdevice exists.
ls /dev/tdx_guestExample output:
/dev/tdx_guestIf you're interested in doing additional sanity and functional testing of TDX, see this wiki.
Despite the fact that TDX components live in a separate PPA from the rest of the Ubuntu packages, they follow the Ubuntu standards and offer users the same facilities for code source access and building.
You can find generic instructions on how to build a package from source here : https://wiki.debian.org/BuildingTutorial
Here are the example intructions for building qemu (for normal user with sudo rights):
- Install Ubuntu 23.10
You can install Ubuntu 23.10 or use an existing Ubuntu 23.10 system.
- Install components for build:
sudo apt update
sudo apt install --no-install-recommends --yes software-properties-common \
build-essential \
fakeroot \
devscripts \
wget \
git \
equivs \
liblz4-tool \
sudo \
unzip \
curl \
xz-utils \
cpio \
gawk- Download package's source
sudo add-apt-repository -s ppa:kobuk-team/tdx-release
apt source qemuThis command will create several files and a folder, the folder is the qemu source code.
- Rebuild
cd <qemu-source-code>
sudo apt build-dep ./
debuild -us -uc -bThe resulting debian packages are available in the parent folder.
- Install the packages
You can refer to https://wiki.debian.org/BuildingTutorial#Installing_and_testing_the_modified_package
The core idea of building a package from source code is to be able to edit the source code. The instructions can be found at https://wiki.debian.org/BuildingTutorial#Edit_the_source_code