Revert "tdx: Update GPU config for the latest TDX stack"

Prefer the "full feature TDVF" instead of the generic OVMF build. See Option-B in https://github.com/tianocore/edk2/tree/master/OvmfPkg/IntelTdx#configurations-and-features for the extra hardening supported. FIRMWAREPATH_NV also seems to be TDX specific unlike the Makefile suggests. Therefore, it can be dropped completely. This reverts commit 66ccc25724.
packaging: build OVMF for Intel TDX again
2026-02-22 06:43:41 +00:00 · 2026-01-02 13:27:55 +02:00 · 2026-01-02 13:16:32 +02:00
9 changed files with 25 additions and 16 deletions
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -54,6 +54,7 @@ jobs:
          - nydus
          - ovmf
          - ovmf-sev
+          - ovmf-tdx
          - pause-image
          - qemu
          - qemu-snp-experimental
--- a/src/runtime/Makefile
+++ b/src/runtime/Makefile
@@ -147,8 +147,7 @@ DEFROOTFSTYPE := $(ROOTFSTYPE_EXT4)
 FIRMWAREPATH :=
 FIRMWAREVOLUMEPATH :=

-#FIRMWARETDVFPATH := $(PREFIXDEPS)/share/tdvf/OVMF.fd
-FIRMWARETDVFPATH := PLACEHOLDER_FOR_DISTRO_OVMF_WITH_TDX_SUPPORT
+FIRMWARETDVFPATH := $(PREFIXDEPS)/share/ovmf/OVMF.inteltdx.fd
 FIRMWARETDVFVOLUMEPATH :=

 FIRMWARESNPPATH := $(PREFIXDEPS)/share/ovmf/AMDSEV.fd
@@ -488,8 +487,6 @@ ifneq (,$(QEMUCMD))
    # Setting this to false can lead to cgroup leakages in the host
    # Best practice for production is to set this to true
    DEFSANDBOXCGROUPONLY_NV = true
-    # The latest OVMF build should be good for both TDX and SNP
-    FIRMWAREPATH_NV := $(PREFIXDEPS)/share/ovmf/OVMF.fd

    ifneq (,$(QEMUFW))
        FIRMWAREPATH := $(PREFIXDEPS)/share/$(EDK2_NAME)/$(QEMUFW)
@@ -667,7 +664,6 @@ USER_VARS += KERNELTDXPARAMS_NV
 USER_VARS += KERNELSNPPARAMS_NV
 USER_VARS += DEFAULTTIMEOUT_NV
 USER_VARS += DEFSANDBOXCGROUPONLY_NV
-USER_VARS += FIRMWAREPATH_NV
 USER_VARS += DEFROOTFSTYPE
 USER_VARS += MACHINETYPE
 USER_VARS += KERNELDIR
--- a/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in
+++ b/src/runtime/config/configuration-qemu-nvidia-gpu-tdx.toml.in
@@ -71,7 +71,7 @@ kernel_params = "@KERNELTDXPARAMS_NV@"

 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWAREPATH_NV@"
+firmware = "@FIRMWARETDVFPATH@"

 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
--- a/src/runtime/config/configuration-qemu-tdx.toml.in
+++ b/src/runtime/config/configuration-qemu-tdx.toml.in
@@ -70,7 +70,7 @@ kernel_params = "@KERNELTDXPARAMS@"

 # Path to the firmware.
 # If you want that qemu uses the default firmware leave this option empty
-firmware = "@FIRMWAREPATH_NV@"
+firmware = "@FIRMWARETDVFPATH@"

 # Path to the firmware volume.
 # firmware TDVF or OVMF can be split into FIRMWARE_VARS.fd (UEFI variables
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -27,6 +27,7 @@ BASE_TARBALLS = serial-targets \
 	kernel-tarball \
 	nydus-tarball \
 	ovmf-sev-tarball \
+	ovmf-tdx-tarball \
 	ovmf-tarball \
 	qemu-snp-experimental-tarball \
 	qemu-tdx-experimental-tarball \
@@ -156,6 +157,9 @@ nydus-tarball:
 ovmf-sev-tarball:
 	${MAKE} $@-build

+ovmf-tdx-tarball:
+	${MAKE} $@-build
+
 ovmf-cca-tarball:
 	${MAKE} $@-build

--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -124,6 +124,7 @@ options:
 	pause-image
 	ovmf
 	ovmf-sev
+	ovmf-tdx
 	ovmf-cca
 	qemu
 	qemu-cca-experimental
@@ -1015,6 +1016,7 @@ install_ovmf() {

 	local component_name="ovmf"
 	[ "${ovmf_type}" == "sev" ] && component_name="ovmf-sev"
+	[ "${ovmf_type}" == "tdx" ] && component_name="ovmf-tdx"

 	latest_artefact="$(get_from_kata_deps ".externals.ovmf.${ovmf_type}.version")"
 	latest_builder_image="$(get_ovmf_image_name)"
@@ -1036,6 +1038,11 @@ install_ovmf_sev() {
 	install_ovmf "sev" "edk2-sev.tar.gz"
 }

+# Install OVMF TDX
+install_ovmf_tdx() {
+	install_ovmf "tdx" "edk2-tdx.tar.gz"
+}
+
 # Install OVMF CCA
 install_ovmf_cca() {
 	install_ovmf "cca" "edk2-cca.tar.gz"
@@ -1284,6 +1291,7 @@ handle_build() {
 		install_nydus
 		install_ovmf
 		install_ovmf_sev
+		install_ovmf_tdx
 		install_qemu
 		install_qemu_snp_experimental
 		install_qemu_tdx_experimental
@@ -1338,6 +1346,8 @@ handle_build() {

 	ovmf-sev) install_ovmf_sev ;;

+	ovmf-tdx) install_ovmf_tdx ;;
+
 	ovmf-cca) install_ovmf_cca ;;

 	pause-image) install_pause_image ;;
--- a/tools/packaging/static-build/ovmf/build-ovmf.sh
+++ b/tools/packaging/static-build/ovmf/build-ovmf.sh
@@ -60,10 +60,6 @@ fi

 info "Building ovmf"
 build_cmd="build -b ${build_target} -t ${toolchain} -a ${architecture} -p ${ovmf_package}"
-if [ "${ovmf_build}" == "tdx" ]; then
-	build_cmd+=" -D SECURE_BOOT_ENABLE=TRUE"
-fi
-
 eval "${build_cmd}"

 info "Done Building"
@@ -73,8 +69,6 @@ build_path_fv="${build_path_target_toolchain}/FV"
 if [ "${ovmf_build}" == "tdx" ]; then
 	build_path_arch="${build_path_target_toolchain}/X64"
 	stat "${build_path_fv}/OVMF.fd"
-	stat "${build_path_fv}/OVMF_CODE.fd"
-	stat "${build_path_fv}/OVMF_VARS.fd"
 elif [ "${ovmf_build}" == "arm64" ] || [ "${ovmf_build}" == "cca" ]; then
 	stat "${build_path_fv}/QEMU_EFI.fd"
 	stat "${build_path_fv}/QEMU_VARS.fd"
@@ -96,9 +90,7 @@ mkdir -p "${install_dir}"
 if [ "${ovmf_build}" == "sev" ]; then
 	install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF.fd "${install_dir}/AMDSEV.fd"
 elif [ "${ovmf_build}" == "tdx" ]; then
-	install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF.fd "${install_dir}"
-	install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_CODE.fd ${install_dir}
-	install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF_VARS.fd ${install_dir}
+	install $build_root/$ovmf_dir/"${build_path_fv}"/OVMF.fd "${install_dir}/OVMF.inteltdx.fd"
 elif [ "${ovmf_build}" == "arm64" ] || [ "${ovmf_build}" == "cca" ]; then
 	install $build_root/$ovmf_dir/"${build_path_fv}"/QEMU_EFI.fd "${install_dir}/AAVMF_CODE.fd"
 	install $build_root/$ovmf_dir/"${build_path_fv}"/QEMU_VARS.fd "${install_dir}/AAVMF_VARS.fd"
--- a/tools/testing/gatekeeper/required-tests.yaml
+++ b/tools/testing/gatekeeper/required-tests.yaml
@@ -112,6 +112,7 @@ mapping:
      - Kata Containers CI / kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset (kernel, test)
      - Kata Containers CI / kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset (nydus, test)
      - Kata Containers CI / kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset (ovmf-sev, test)
+      # - Kata Containers CI / kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset (ovmf-tdx, test)
      - Kata Containers CI / kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset (ovmf, test)
      - Kata Containers CI / kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset (qemu-snp-experimental, test)
      - Kata Containers CI / kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset (qemu, test)
--- a/versions.yaml
+++ b/versions.yaml
@@ -379,6 +379,11 @@ externals:
      version: "edk2-stable202508"
      package: "OvmfPkg/AmdSev/AmdSevX64.dsc"
      package_output_dir: "AmdSev"
+    tdx:
+      description: "UEFI for Intel TDX virtual machines."
+      version: "edk2-stable202511"
+      package: "OvmfPkg/IntelTdx/IntelTdxX64.dsc"
+      package_output_dir: "IntelTdx"
    arm64:
      description: "UEFI for arm64 virtual machines."
      version: "edk2-stable202508"