-
Notifications
You must be signed in to change notification settings - Fork 31
TDX KVM
You need the four following component, TDX KVM, TDX qemu, TDX guest, TDVF(guest OS) and kvm-unit-tests.
- [TDX KVM] https://github.com/intel/tdx/tree/kvm-upstream
- [TDX qemu] https://github.com/intel/qemu-tdx/tree/tdx-upstream
- [TDX guest] https://github.com/intel/tdx/tree/guest-upstream
- [TDVF] https://github.com/tianocore/edk2-staging/tree/TDVF
- [grub] https://github.com/intel/grub-tdx/
- [TDX KVM] https://github.com/intel/tdx/tree/kvm-upstream-workaround
- [TDX qemu] https://github.com/intel/qemu-tdx/tree/tdx-upstream-wip
- [TDX guest] https://github.com/intel/tdx/tree/guest-upstream
- [TDVF] https://github.com/tianocore/edk2-staging/tree/TDVF
- [grub] https://github.com/intel/grub-tdx/
note: tdx grub is needed if you would like to boot with grub. If qemu direct boot(-kernel -append, -initrd options) is used, tdx grub isn't needed.
- https://github.com/intel/tdx/tree/kvm-upstream The tree that includes patches sent for upstreaming. So some features can be missing. This is based on host-upstream branch. tag: kvm-upstream-/date/-/base version/
- https://github.com/intel/tdx/tree/kvm-upstream-workaround kvm-upstreaming + more patches for future submission to upstream. E.g. PMU support, off-TD debug, UPM support. tag: kvm-upstream-/date/-/base version/-workaround This tree includes also selftest for TDX KVM.
- https://github.com/intel/tdx/tree/host-upstream the branch that includes x86 TDX host patches.
- https://github.com/intel/tdx/tree/kvm old branches. corresonding tags is a format of tdx-kvm-/date/-/base version/ e.g. tdx-kvm-2021.11.24-v5.16-rc1 This tree is being deprecated.
- https://git.kernel.org/pub/scm/virt/kvm/kvm.git/?h=kvm-tdx-5.17 The tree that includes posted patches for v5.17
enable following configs
- CONFIG_INTEL_TDX_HOST=y
- CONFIG_KVM=y
- CONFIG_KVM_INTEL=y
- CONFIG_KVM_MMU_PRIVATE=y When loading kvm_intel, use module parameter "kvm_intel.tdx=on". By default TDX support is disabled. For automation, add it to kernel command line, or edit modules.conf.
- https://github.com/intel/qemu-tdx/tree/tdx-upstream The tree that includes patches for upstreaming. This corresponds to kvm-upstream repo. tag: tdx-upstream-/postfix/
- https://github.com/intel/qemu-tdx/tree/tdx-upstream-wip tdx-upstream + more patches for future submission. E.g. off-TD debug, UPM.
- https://github.com/intel/qemu-tdx/tree/tdx The old tree. This branch is being deprecated. tag: tdx-qemu-/date/-/base version/
- configure --enable-kvm --target-list=x86_64-softmmu
- create TDX confidential computing object
- specify KVM (and KVM vm_type)
- specify q35 chipset (At this point only q35 is supported. piix4 and microvm aren't supported.)
- specify TDVF as guest BIOS
- specify split ircqhip
- disable PIC and PIT
-
for tdx-upstream qemu-system-x86_64
-object tdx-guest,id=tdx0,debug=off,sept-ve-disable=on
-machine confidential-guest-support=tdx0
-machine q35,accel=kvm
-bios ${PATH_TO_TDVF}
-machine kernel-irqchip=split,pic=off,pit=off
(add more qemu command line you want) -
for tdx -object tdx-guest,id=tdx0,debug=off,sept-ve-disable=on
-machine confidential-guest-support=tdx0
-machine q35,accel=kvm,kvm-type=tdx
-device loader,file=${OVMF}
-machine kernel-irqchip=split,pic=off,pit=off
If UPM is wanted
- UPM (Unmapping Process Memory): create memfd-private backend
-object memory-backend-memfd-private,id=ram1,size=${MEM}
-machine memory-backend=ram1
If KVM gmem is wanted: Any memory backend is usable. Add "private=on" property
- kvm gmem: create gmem fd for backend
-object memory-backend-xxx,id=ram1,size=${MEM},private=on
-machine memory-backend=ram1
- https://github.com/intel/tdx/tree/guest-upstream This tree that includes patches for upstreaming
- https://github.com/intel/tdx/tree/guest This tree is stable but old.
- CONFIG_INTEL_TDX_GUEST=y
- CONFIG_INTEL_TDX_ATTESTATION=y
- https://github.com/tianocore/edk2-staging/tree/TDVF Upstreaming tree.Please refer to https://github.com/tianocore/edk2-staging/blob/TDVF/README.md
- https://github.com/tianocore/edk2 EKD2 master branch. Some TDVF features has been merged. Please refer to https://github.com/tianocore/edk2/blob/master/OvmfPkg/IntelTdx/README
- https://github.com/intel/grub-tdx TDX grub. If you would like to boot with grub instead of direct qemu loading with TDX, TDX grub is needed.
Please refer to https://github.com/intel/kvm-unit-tests-tdx#unit-test-in-tdx-environment
- https://github.com/intel/tdx-tools Linux stack for TDX
- https://github.com/confidential-containers/td-shim/
- https://github.com/intel/shim-tdx a first-stage UEFI bootloader. Slimed version of TDVF.