
TDX KVM

yamahata edited this page May 16, 2022 · 26 revisions


Documentation on TDX KVM.

How to test TDX KVM

You need the following components: TDX KVM, TDX qemu, TDX guest, TDVF (guest BIOS) and kvm-unit-tests.

Repository combinations

minimal patches for upstreaming

Feature branches

Note: TDX grub is needed only if you want to boot with grub. If qemu direct boot (the -kernel, -append and -initrd options) is used, TDX grub isn't needed.

Repositories, Branches and Tags

TDX KVM:

configurations

Enable the following configs:

  • CONFIG_INTEL_TDX_HOST=y
  • CONFIG_KVM=y
  • CONFIG_KVM_INTEL=y
  • CONFIG_KVM_MMU_PRIVATE=y

TDX qemu

configurations

  • configure --enable-kvm --target-list=x86_64-softmmu

command line

  • create the TDX confidential computing object
  • specify KVM (and the KVM vm_type)
  • specify the q35 chipset (at this point only q35 is supported; piix4 and microvm aren't supported)
  • specify TDVF as the guest BIOS
  • specify split irqchip
  • disable PIC and PIT
  • for tdx-upstream:

        qemu-system-x86_64 \
            -object tdx-guest,id=tdx0,debug=off,sept-ve-disable=on \
            -machine confidential-guest-support=tdx0 \
            -machine q35,accel=kvm \
            -bios ${PATH_TO_TDVF} \
            -machine kernel-irqchip=split,pic=off,pit=off \
            (add any further qemu command line options you want)

  • for tdx:

            -object tdx-guest,id=tdx0,debug=off,sept-ve-disable=on \
            -machine confidential-guest-support=tdx0 \
            -machine q35,accel=kvm,kvm-type=tdx \
            -device loader,file=${OVMF} \
            -machine kernel-irqchip=split,pic=off,pit=off

If UPM is wanted

  • UPM (Unmapping Process Memory): create a memfd-private memory backend and use it as the machine's memory backend:

            -object memory-backend-memfd-private,id=ram1,size=${MEM} \
            -machine memory-backend=ram1
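As an added example (not part of this wiki or the TDX qemu project), the shell script below checks a host kernel config for the options listed under "TDX KVM: configurations" and then assembles the tdx-upstream qemu option list from this page, adding the UPM memfd-private backend when a memory size is given. The firmware path and memory size are placeholders; the config fragment at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example: verify the host kernel options this page requires and
# print the tdx-upstream qemu options it describes. Not the wiki's own
# script; paths and sizes below are placeholders for your environment.

# Host kernel options listed on this page.
TDX_HOST_CONFIGS="CONFIG_INTEL_TDX_HOST CONFIG_KVM CONFIG_KVM_INTEL CONFIG_KVM_MMU_PRIVATE"

# check_host_config FILE: report each required option that is not set to y
# in a kernel .config (e.g. /boot/config-$(uname -r)); returns 1 if any is missing.
check_host_config() {
    missing=0
    for opt in $TDX_HOST_CONFIGS; do
        if ! grep -q "^${opt}=y$" "$1"; then
            echo "missing: ${opt}=y" >&2
            missing=1
        fi
    done
    return $missing
}

# tdx_qemu_args TDVF [MEM]: print the tdx-upstream qemu options from this
# page, one per line. With MEM given, append the UPM memfd-private backend.
tdx_qemu_args() {
    tdvf=$1
    mem=$2
    printf '%s\n' \
        "-object tdx-guest,id=tdx0,debug=off,sept-ve-disable=on" \
        "-machine confidential-guest-support=tdx0" \
        "-machine q35,accel=kvm" \
        "-bios ${tdvf}" \
        "-machine kernel-irqchip=split,pic=off,pit=off"
    if [ -n "$mem" ]; then
        printf '%s\n' \
            "-object memory-backend-memfd-private,id=ram1,size=${mem}" \
            "-machine memory-backend=ram1"
    fi
}

# Demo on a constructed config fragment standing in for the real host .config.
demo_cfg=$(mktemp)
printf 'CONFIG_INTEL_TDX_HOST=y\nCONFIG_KVM=y\nCONFIG_KVM_INTEL=y\nCONFIG_KVM_MMU_PRIVATE=y\n' > "$demo_cfg"
check_host_config "$demo_cfg" && tdx_qemu_args "${TDVF:-/path/to/OVMF.fd}" 4G
rm -f "$demo_cfg"

# Usage with direct boot (no TDX grub needed), substituting real paths:
# qemu-system-x86_64 $(tdx_qemu_args /path/to/OVMF.fd 4G) \
#     -kernel bzImage -initrd initrd.img -append "console=ttyS0"
```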

guest TD

configurations

  • CONFIG_INTEL_TDX_GUEST=y
  • CONFIG_INTEL_TDX_ATTESTATION=y

TDVF

How to compile

Please refer to https://github.com/tianocore/edk2-staging/blob/TDVF/README.md

TDX grub

kvm-unit-tests

How to run the TDX-related tests

Please refer to https://github.com/intel/kvm-unit-tests-tdx#unit-test-in-tdx-environment

libvirt

  • TODO