Yocto tdx dependencies #23

Open
BigBoy3003 opened this issue Jan 23, 2025 · 3 comments
Comments

@BigBoy3003

Hi guys,
I'm new, so sorry if this is not the right place for the question. I have created a custom Yocto image for a project of mine. In this project I need to patch my image with TDX dependencies. It would be like in this GitHub repository here: https://github.com/canonical/tdx
In this one they of course use an Ubuntu-based VM; in step 5.2 they state:
5.2 Convert a Regular VM Image into a TD Image
If you have an existing Ubuntu (24.04 or 24.10) VM image, you can enable the Intel TDX feature using the following steps.

As I do not have an Ubuntu VM image but a Yocto one based on core-image-full-cmdline, I wanted to ask if you guys know any way to turn this image into a TD image like in step 5.2 of the Canonical guide. The goal in the end would be to get a TD Quote. Thank you for the responses.

@MoeMahhouk
Collaborator

Hi @BigBoy3003, no problem.
You can follow what we did in our meta-confidential-compute layer to make the Yocto image TDX-aware. It includes the kernel configuration and setup necessary for a TDX guest image.
There is also a pending PR which backports kernel 6.10 to enable configfs-tsm and allow generating TD quotes on bare-metal deployments within QEMU, similar to the Canonical Ubuntu TDX image.
In this repo, there is the TDX base configuration, which sets up a minimal base Yocto TDX image; you can follow its layers and it guides you towards what you need.

@BigBoy3003
Author

Thank you for the response. I had some follow-up questions, if possible.

  1. Is the meta-confidential-compute layer only compatible with the cvm-azure image, and for any other image, such as my full-cmdline image, would it have to be further modified? Also, can it give the image the capability to generate a TD quote?

  2. The pending PR, I suppose, is still a work in progress and not usable atm, right? And even if it were, does it encompass only core-image-minimal?

Thank you for the explanation.

@MoeMahhouk
Collaborator

1- Yes, because in our initial use case we were targeting Azure deployment, as Microsoft Azure was the first to offer a way to deploy custom TDX VMs. However, with the pending PR, it is possible to build a TDX VM that also supports bare-metal and GCP.
2- Although the PR is a work in progress, it is functional and can be used. You can try it out or take pieces of it to fit your use case. We went with core-image-minimal to reduce the TCB size (reduce the attack surface) and keep everything to a minimum.
That said, you can try to apply the changes to other image types.
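The maintainer's answer names two ingredients the image needs before a TD quote is possible: a kernel built as a TDX guest and the configfs-tsm report interface. The following script is an added example (not code from this issue, from meta-confidential-compute, or from the pending PR) that checks for both from inside the booted guest and then requests a quote bound to a fresh nonce; it assumes the upstream configfs-tsm ABI under /sys/kernel/config/tsm/report and the `tdx_guest` flag the kernel exposes in /proc/cpuinfo.

```shell
#!/bin/sh
# Added example (not from this issue or meta-confidential-compute): verify,
# inside a booted guest, that the image has a TDX-guest kernel and
# configfs-tsm (CONFIG_TSM_REPORTS + tdx-guest driver), then request a quote.
# Assumes configfs is mounted at /sys/kernel/config; override TSM_ROOT otherwise.
TSM_ROOT="${TSM_ROOT:-/sys/kernel/config/tsm/report}"

# Write 64 bytes of fresh random REPORTDATA to $1 (the TDX inblob size) so a
# remote verifier can check that the returned quote was produced for this request.
make_nonce() {
    head -c 64 /dev/urandom > "$1" && [ "$(wc -c < "$1")" -eq 64 ]
}

# Usage: tdx_quote OUTFILE [TSM_REPORT_DIR]
# Returns 0 on success, 2 if not a TDX guest, 3 if configfs-tsm is missing,
# 4 if the report interface misbehaved (no quote, or a concurrent writer).
tdx_quote() {
    out="$1"; root="${2:-$TSM_ROOT}"
    # The kernel advertises X86_FEATURE_TDX_GUEST as the "tdx_guest" cpu flag.
    grep -qw tdx_guest /proc/cpuinfo 2>/dev/null \
        || { echo "not running as a TDX guest" >&2; return 2; }
    [ -d "$root" ] \
        || { echo "no configfs-tsm at $root (kernel without TSM_REPORTS?)" >&2; return 3; }
    dir="$root/quote-$$"
    mkdir "$dir" || return 3             # configfs materialises the attribute files
    gen0=$(cat "$dir/generation")
    make_nonce "$out.nonce" && cat "$out.nonce" > "$dir/inblob" \
        || { rmdir "$dir"; return 4; }
    cat "$dir/outblob" > "$out" 2>/dev/null   # reading outblob triggers the quote
    gen1=$(cat "$dir/generation"); provider=$(cat "$dir/provider")
    rmdir "$dir"
    # Exactly one input write happened, so generation must have advanced by one;
    # anything else means another process raced us and the quote is not ours.
    if [ -s "$out" ] && [ "$gen1" -eq $((gen0 + 1)) ]; then
        echo "provider=$provider quote=$(wc -c < "$out") bytes, nonce in $out.nonce"
        return 0
    fi
    echo "quote request failed (generation $gen0 -> $gen1)" >&2
    return 4
}

# Run directly as tdx_quote.sh [OUTFILE]; sourcing it only defines the functions.
case "${0##*/}" in tdx_quote.sh) tdx_quote "${1:-/tmp/td_quote.bin}" ;; esac
```

Keep the `.nonce` file next to the quote: a verifier that does not find that REPORTDATA inside the quote should treat the quote as replayed.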
