-
Notifications
You must be signed in to change notification settings - Fork 31
TDX KVM
sathyaintel edited this page Mar 22, 2024
·
26 revisions
You need the four following component, TDX KVM, TDX qemu, TDX guest, TDVF(guest OS) and kvm-unit-tests.
- [TDX KVM] https://github.com/intel/tdx/tree/kvm-upstream
- [TDX KVM] https://github.com/intel/tdx/tree/kvm-upstream-next: kvm-upstream + large page support
- [TDX qemu] https://github.com/intel/qemu-tdx/tree/tdx-qemu-upstream: matched with kvm-upstream
- [TDX qemu] https://github.com/intel/qemu-tdx/tree/tdx-qemu-next: matched with kvm-upstream-next
- [TDX guest] https://github.com/torvalds/linux
- [TDVF] https://github.com/tianocore/edk2-staging/tree/TDVF
- [grub] https://github.com/intel/grub-tdx/
- [TDX KVM] https://github.com/intel/tdx/tree/kvm-upstream-workaround
- [TDX qemu] QEMU feature branch are internal-only right now
- [TDX guest] https://github.com/intel/tdx/tree/guest-next
- [TDVF] https://github.com/tianocore/edk2-staging/tree/TDVF
- [grub] https://github.com/intel/grub-tdx/
note: tdx grub is needed if you would like to boot with grub. If qemu direct boot(-kernel -append, -initrd options) is used, tdx grub isn't needed.
- https://github.com/intel/tdx/tree/kvm-upstream The tree that includes patches sent for upstreaming. So some features can be missing. This is based on host-upstream branch. tag: kvm-upstream-/date/-/base version/
- https://github.com/intel/tdx/tree/kvm-upstream-next The tree includes kvm-upstream + large page support + kselftest + debug patch.
- https://github.com/intel/tdx/tree/kvm-upstream-workaround kvm-upstreaming + more patches for future submission to upstream. E.g. PMU support, off-TD debug, UPM support. tag: kvm-upstream-/date/-/base version/-workaround This tree includes also selftest for TDX KVM.
- https://github.com/intel/tdx/tree/host-upstream the branch that includes x86 TDX host patches.
- https://github.com/intel/tdx/tree/kvm old branches. corresonding tags is a format of tdx-kvm-/date/-/base version/ e.g. tdx-kvm-2021.11.24-v5.16-rc1 This tree is being deprecated.
- https://git.kernel.org/pub/scm/virt/kvm/kvm.git/?h=kvm-tdx-5.17 The tree that includes posted patches for v5.17
enable following configs
- CONFIG_INTEL_TDX_HOST=y
- CONFIG_KVM=y
- CONFIG_KVM_INTEL=y
- CONFIG_KVM_MMU_PRIVATE=y When loading kvm_intel, use module parameter "kvm_intel.tdx=on". By default TDX support is disabled. For automation, add it to kernel command line, or edit modules.conf.
- https://github.com/intel/qemu-tdx/tree/tdx-qemu-upstream The tree that includes patches posting to QEMU community for upstream. This corresponds to kvm-upstream repo. tag: tdx-upstream-/postfix/
- https://github.com/intel/qemu-tdx/tree/tdx-qemu-next tdx-qemu-upstream + more patches for enhancement or debug/test. (Note, non-trivial TDX features, like off-TD debug, live migration, etc are not included in this branch)
- https://github.com/intel/qemu-tdx/tree/tdx The old tree. This branch is being deprecated. tag: tdx-qemu-/date/-/base version/
| QEMU -upstream-* tags | KVM tags |
|---|---|
| tdx-qemu-upstream-2024.02.29-v8.2.0 | kvm-upstream-2024.02.27.v6.8-rc5 |
| tdx-qemu-upstream-2024.01.25-v8.2.0 | no matched kvm, because kvm-upstream-2024.01.22.v6.8-rc1 contains the patches bump TDX ioctls |
| tdx-qemu-upstream-2023.12.08-v8.2.0 | kvm-upstream-2023.11.15.v6.7-rc1 |
| tdx-qemu-upstream-2023.12.06-v8.2.0 | kvm-upstream-2023.11.15.v6.7-rc1 |
| tdx-qemu-upstream-2023.10.20-v8.1.0 | no matched kvm, please use tdx-qemu-next-* variant because even corresponding kvm-upstream-2023.10.16-v6.6-rc2 bumps the IOCTLs numbers |
| tdx-qemu-upstream-2023.9.21-v8.1.0 | kvm-upstream-2023.09.18-v6.6-rc1 |
| QEMU -next-* tags | KVM tags |
|---|---|
| tdx-qemu-next-2024.01.25-v8.2.0 | kvm-upstream-2024.01.22.v6.8-rc1 / kvm-upstream-next-2024.01.22.v6.8-rc1 |
| tdx-qemu-next-2023.12.08-v8.2.0 | kvm-upstream-next-2023.11.15.v6.7-rc1 |
| tdx-qemu-next-2023.12.06-v8.2.0 | kvm-upstream-next-2023.11.15.v6.7-rc1 |
| tdx-qemu-next-2023.10.20-v8.1.0 | kvm-upstream-2023.10.16-v6.6-rc2 / kvm-upstream-next-2023.10.16-v6.6-rc2 |
| tdx-qemu-next-2023.9.21-v8.1.0 | kvm-upstream-next-2023.09.18-v6.6-rc1 |
| old QEMU tags | KVM -workaround tags |
|---|---|
| tdx-qemu-2023.9.21-v8.1.0-match-with-kvm-upstream-workaround-2023.9.19-v6.6-rc1 | kvm-upstream-workaround-2023.9.19-v6.6-rc1 |
| tdx-qemu-2023.08.15-v8.1-rc0-match-with-kvm-upstream-2023.08.10-v6.5-rc5-workaround | kvm-upstream-2023.08.10-v6.5-rc5-workaround |
| tdx-qemu-2023.08.02-v8.1-rc0-match-with-kvm-upstream-2023.08.01-v6.5-rc2-workaround | kvm-upstream-2023.08.01-v6.5-rc2-workaround |
| tdx-qemu-2023.07.27-v8.1-rc0-match-with-kvm-upstream-2023.07.25-v6.5-rc2-workaround | kvm-upstream-2023.07.25-v6.5-rc2-workaround |
| tdx-qemu-2023.07.25-v8.1-rc0-match-with-kvm-upstream-2023.07.15-v6.5-rc1-workaround | kvm-upstream-2023.07.15-v6.5-rc1-workaround |
| tdx-qemu-2023.06.13-v8.0-match-with-kvm-upstream-2023.06.05-v6.4-rc5-workaround | kvm-upstream-2023.06.05-v6.4-rc5-workaround |
| ... | ... |
- configure --enable-kvm --target-list=x86_64-softmmu
- create TDX confidential computing object
- specify KVM
- specify q35 chipset (At this point only q35 is supported. piix4 and microvm aren't supported.)
- specify TDVF as guest BIOS
- specify split ircqhip
- disable PIC and PIT
-
for tdx-upstream qemu-system-x86_64
-object tdx-guest,id=tdx0
-machine q35,accel=kvm,confidential-guest-support=tdx0,kernel-irqchip=split,pic=off,pit=off
-bios ${PATH_TO_TDVF} \(add more qemu command line you want)
- Core guest support is already upstreamed. Use the latest upstream kernel.
- If debug and hardening fixes are needed, try https://github.com/intel/tdx/tree/guest-next
- CONFIG_INTEL_TDX_GUEST=y
- CONFIG_TDX_GUEST_DRIVER=y (Enables attestation support)
- https://github.com/tianocore/edk2-staging/tree/TDVF Upstreaming tree.Please refer to https://github.com/tianocore/edk2-staging/blob/TDVF/README.md
- https://github.com/tianocore/edk2 EKD2 master branch. Some TDVF features has been merged. Please refer to https://github.com/tianocore/edk2/blob/master/OvmfPkg/IntelTdx/README
- https://github.com/intel/grub-tdx TDX grub. If you would like to boot with grub instead of direct qemu loading with TDX, TDX grub is needed.
Please refer to https://github.com/intel/kvm-unit-tests-tdx#unit-test-in-tdx-environment
- https://github.com/intel/tdx-tools Linux stack for TDX
- https://github.com/confidential-containers/td-shim/
- https://github.com/intel/shim-tdx a first-stage UEFI bootloader. Slimed version of TDVF.