Merge pull request #6886 from fidencio/topic/cc-stick-to-2022ww44-for-tdx

CC: tdx: Stick to the 2022ww44 TDX stack for the CCv0 branch
2025-08-23 10:12:10 +00:00 · 2023-05-19 11:55:13 +02:00 · 2023-05-19 11:55:13 +02:00 · 6763c41d7e
commit 6763c41d7e
parent ac99d2d63e c29e5036a6
11 changed files with 37 additions and 23 deletions
--- a/src/runtime/pkg/govmm/qemu/qemu.go
+++ b/src/runtime/pkg/govmm/qemu/qemu.go
@ -363,12 +363,16 @@ func (object Object) QemuParams(config *Config) []string {

 	case TDXGuest:
 		objectParams = append(objectParams, string(object.Type))
-		objectParams = append(objectParams, "sept-ve-disable=on")
 		objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID))
 		if object.Debug {
 			objectParams = append(objectParams, "debug=on")
 		}
-		config.Bios = object.File
+		deviceParams = append(deviceParams, string(object.Driver))
+		deviceParams = append(deviceParams, fmt.Sprintf("id=%s", object.DeviceID))
+		deviceParams = append(deviceParams, fmt.Sprintf("file=%s", object.File))
+		if object.FirmwareVolume != "" {
+			deviceParams = append(deviceParams, fmt.Sprintf("config-firmware-volume=%s", object.FirmwareVolume))
+		}
 	case SEVGuest:
 		objectParams = append(objectParams, string(object.Type))
 		objectParams = append(objectParams, fmt.Sprintf("id=%s", object.ID))
--- a/src/runtime/virtcontainers/hypervisor_linux_amd64.go
+++ b/src/runtime/virtcontainers/hypervisor_linux_amd64.go
@ -12,6 +12,8 @@ const (

 	tdxSysFirmwareDir = "/sys/firmware/tdx/"

+	tdxCPUFlag = "tdx"
+
 	sevKvmParameterPath = "/sys/module/kvm_amd/parameters/sev"

 	snpKvmParameterPath = "/sys/module/kvm_amd/parameters/sev_snp"
@ -19,6 +21,10 @@ const (

 // TDX is supported and properly loaded when the firmware directory (either tdx or tdx_seam) exists or `tdx` is part of the CPU flag
 func checkTdxGuestProtection(flags map[string]bool) bool {
+	if flags[tdxCPUFlag] {
+		return true
+	}
+
 	if d, err := os.Stat(tdxSysFirmwareDir); err == nil && d.IsDir() {
 		return true
 	}
--- a/src/runtime/virtcontainers/qemu_amd64.go
+++ b/src/runtime/virtcontainers/qemu_amd64.go
@ -260,7 +260,7 @@ func (q *qemuAmd64) enableProtection() error {
 		if q.qemuMachine.Options != "" {
 			q.qemuMachine.Options += ","
 		}
-		q.qemuMachine.Options += "confidential-guest-support=tdx"
+		q.qemuMachine.Options += "kvm-type=tdx,confidential-guest-support=tdx"
 		logger.Info("Enabling TDX guest protection")
 		return nil
 	case sevProtection:
--- a/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf
+++ b/tools/packaging/kernel/configs/fragments/x86_64/tdx/tdx.conf
@ -5,9 +5,13 @@ CONFIG_DMA_RESTRICTED_POOL=y
 CONFIG_EFI=y
 CONFIG_EFI_STUB=y
 CONFIG_INTEL_IOMMU_SVM=y
+CONFIG_INTEL_TDX_ATTESTATION=y
+CONFIG_INTEL_TDX_FIXES=y
 CONFIG_INTEL_TDX_GUEST=y
 CONFIG_OF=y
 CONFIG_OF_RESERVED_MEM=y
 CONFIG_X86_5LEVEL=y
 CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
+CONFIG_X86_MEM_ENCRYPT_COMMON=y
 CONFIG_X86_PLATFORM_DEVICES=y
+CONFIG_X86_PLATFORM_DRIVERS_INTEL=y
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@ -1 +1 @@
-105cc
+106cc
--- a/tools/packaging/kernel/patches/5.19-TDX-v2.x/no_patches.txt
+++ b/tools/packaging/kernel/patches/5.19-TDX-v2.x/no_patches.txt
--- a/tools/packaging/qemu/patches/tag_patches/ad4c7f529a279685da84297773b4ec8080153c2d-plus-TDX-v1.3/no_patches.txt
+++ b/tools/packaging/qemu/patches/tag_patches/ad4c7f529a279685da84297773b4ec8080153c2d-plus-TDX-v1.3/no_patches.txt
--- a/tools/packaging/scripts/configure-hypervisor.sh
+++ b/tools/packaging/scripts/configure-hypervisor.sh
@ -247,7 +247,6 @@ generate_qemu_options() {
 	else
 		qemu_options+=(size:--disable-png)
 	fi
-
 	qemu_options+=(size:--disable-vnc-sasl)

 	# Disable PAM authentication: it's a feature used together with VNC access
--- a/tools/packaging/static-build/ovmf/build-ovmf.sh
+++ b/tools/packaging/static-build/ovmf/build-ovmf.sh
@ -57,7 +57,7 @@ fi
 info "Building ovmf"
 build_cmd="build -b ${build_target} -t ${toolchain} -a ${architecture} -p ${ovmf_package}"
 if [ "${ovmf_build}" == "tdx" ]; then
-	build_cmd+=" -D DEBUG_ON_SERIAL_PORT=FALSE -D TDX_MEM_PARTIAL_ACCEPT=512 -D TDX_EMULATION_ENABLE=FALSE -D SECURE_BOOT_ENABLE=TRUE -D TDX_ACCEPT_PAGE_SIZE=2M"
+	build_cmd+=" -D DEBUG_ON_SERIAL_PORT=TRUE -D TDX_MEM_PARTIAL_ACCEPT=512 -D TDX_EMULATION_ENABLE=FALSE -D TDX_ACCEPT_PAGE_SIZE=2M"
 fi

 eval "${build_cmd}"
@ -71,6 +71,7 @@ if [ "${ovmf_build}" == "tdx" ]; then
 	build_path_arch="${build_path_target_toolchain}/X64"
 	stat "${build_path_fv}/OVMF_CODE.fd"
 	stat "${build_path_fv}/OVMF_VARS.fd"
+	stat "${build_path_arch}/DumpTdxEventLog.efi"
 fi

 #need to leave tmp dir
@ -93,6 +94,7 @@ fi
 if [ "${ovmf_build}" == "tdx" ]; then
 	install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_CODE.fd ${install_dir}
 	install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_VARS.fd ${install_dir}
+	install $build_root/$ovmf_dir/"${build_path_arch}"/DumpTdxEventLog.efi ${install_dir}
 fi

 local_dir=${PWD}
--- a/tools/packaging/static-build/ovmf/build.sh
+++ b/tools/packaging/static-build/ovmf/build.sh
@ -28,6 +28,9 @@ if [ -z "$ovmf_repo" ]; then
 		"sev")
 			ovmf_repo=$(get_from_kata_deps "externals.ovmf.sev.url" "${kata_version}")
 			;;
+		"tdx")
+			ovmf_repo=$(get_from_kata_deps "externals.ovmf.tdx.url" "${kata_version}")
+			;;
 		*)
 			ovmf_repo=$(get_from_kata_deps "externals.ovmf.url" "${kata_version}")
 			;;
--- a/versions.yaml
+++ b/versions.yaml
@ -98,6 +98,10 @@ assets:
      uscan-url: >-
        https://github.com/qemu/qemu/tags
        .*/v?(\d\S+)\.tar\.gz
+      tdx:
+        description: "VMM that uses KVM and supports TDX"
+        url: "https://github.com/kata-containers/qemu"
+        tag: "TDX-v3.1"
      snp:
        description: "VMM that uses KVM and supports AMD SEV-SNP"
        url: "https://github.com/AMDESE/qemu"
@ -108,12 +112,6 @@ assets:
      url: "https://github.com/qemu/qemu"
      version: "7a800cf9496fddddf71b21a00991e0ec757a170a"

-    qemu-tdx-experimental:
-      # yamllint disable-line rule:line-length
-      description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww01"
-      url: "https://github.com/kata-containers/qemu"
-      tag: "ad4c7f529a279685da84297773b4ec8080153c2d-plus-TDX-v1.3"
-
  image:
    description: |
      Root filesystem disk image used to boot the guest virtual
@ -158,6 +156,10 @@ assets:
    description: "Linux kernel optimised for virtual machines"
    url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
    version: "v5.19.2"
+    tdx:
+      description: "Linux kernel that supports TDX"
+      url: "https://github.com/kata-containers/linux/archive/refs/tags"
+      tag: "5.15-plus-TDX"
    sev:
      description: "Linux kernel that supports SEV"
      url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
@ -182,12 +184,6 @@ assets:
    url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
    version: "v5.10.25"

-  kernel-tdx-experimental:
-    # yamllint disable-line rule:line-length
-    description: "Linux kernel with TDX support -- based on https://github.com/intel/tdx-tools/releases/tag/2023ww01"
-    url: "https://github.com/kata-containers/linux/archive/refs/tags"
-    version: "5.19-TDX-v2.2"
-
 externals:
  description: "Third-party projects used by the system"

@ -305,11 +301,11 @@ externals:
      package: "OvmfPkg/AmdSev/AmdSevX64.dsc"
      package_output_dir: "AmdSev"
    tdx:
-      # yamllint disable-line rule:line-length
-      description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww01"
-      version: "edk2-stable202211"
-      package: "OvmfPkg/IntelTdx/IntelTdxX64.dsc"
-      package_output_dir: "IntelTdx"
+      url: "https://github.com/tianocore/edk2-staging"
+      description: "TDVF build needed for TDX measured direct boot."
+      version: "2022-tdvf-ww28.5"
+      package: "OvmfPkg/OvmfPkgX64.dsc"
+      package_output_dir: "OvmfX64"

  td-shim:
    description: "Confidential Containers Shim Firmware"
 @ -1 +1 @@
 cc
 cc