Intel® TDX is a Confidential Computing technology which deploys hardware-isolated, Virtual Machines (VMs) called Trust Domains (TDs). It protects TDs from a broad range of software attacks by isolating them from the Virtual-Machine Manager (VMM), hypervisor, and other non-TD software on the host platform. As a result, Intel TDX enhances a platform user’s control of data security and IP protection. Also, it enhances the Cloud Service Providers’ (CSP) ability to provide managed cloud services without exposing tenant data to adversaries. For more information, see the Intel TDX overview.
This tech preview of Intel TDX on Ubuntu 24.04 provides base host OS, guest OS, and remote attestation functionalities. Follow these instructions to setup the Intel TDX host, create a TD, boot the TD, and attest the integrity of the TD's execution environment.
The setup can be customized by editing the global configuration file: setup-tdx-config
Please submit an issue here and we'll get back to you ASAP.
This release supports 4th Generation Intel® Xeon® Scalable Processors with activated Intel® TDX and all 5th Generation Intel® Xeon® Scalable Processors.
In this section, you will install a generic Ubuntu 24.04 server image, install necessary packages to turn the host OS into an Intel TDX-enabled host OS, optionally install remote attestation components, and enable Intel TDX settings in the BIOS.
Download and install Ubuntu 24.04 server on the host machine.
Download this repository by downloading an asset file from the releases page on GitHub or by cloning the repository (at the appropriate tag/branch).
NOTE: If you're behind a proxy, use sudo -E
to preserve user environment.
cd tdx
sudo ./setup-tdx-host.sh
Reboot.
Go into the host's BIOS.
NOTE: The following is a sample BIOS configuration. The necessary BIOS settings or the menus might differ based on the platform that is used. Please reach out to your OEM/ODM or independent BIOS vendor for instructions dedicated for your BIOS.
Go to Socket Configuration > Processor Configuration > TME, TME-MT, TDX
.
Memory Encryption (TME)
to Enabled
Total Memory Encryption Bypass
to Enabled
(Optional setting for best host OS and regular VM performance.)Total Memory Encryption Multi-Tenant (TME-MT)
to Enabled
TME-MT memory integrity
to Disabled
Trust Domain Extension (TDX)
to Enabled
TDX Secure Arbitration Mode Loader (SEAM Loader)
to Enabled
. (NOTE: This allows loading Intel TDX Loader and Intel TDX Module from the ESP or BIOS.)TME-MT/TDX key split
to a non-zero valueGo to Socket Configuration > Processor Configuration > Software Guard Extension (SGX)
.
SW Guard Extensions (SGX)
to Enabled
Save the BIOS settings and boot up.
Verify that Intel TDX is enabled using the dmesg
command:
sudo dmesg | grep -i tdx
The message virt/tdx: module initialized
proves that the tdx has been properly initialized. Here is an example output:
...
[ 5.205693] virt/tdx: BIOS enabled: private KeyID range [64, 128)
[ 29.884504] virt/tdx: 1050644 KB allocated for PAMT
[ 29.884513] virt/tdx: module initialized
...
In this section, you will create an Ubuntu 24.04-based TD image from scratch or convert an existing VM image into a TD image. This can be performed on any Ubuntu 22.04 or newer system - an Intel TDX-specific environment is not required.
The base image is an Ubuntu 24.04 cloud image.
By default, the generic kernel is used for the guest. The Intel kernel can be selected by changing the variable TDX_SETUP_INTEL_KERNEL
in the configuration file setup-tdx-config
.
A TD image can be generated with the following commands.
The resulting image will be based on an Ubuntu 24.04 cloud image (ubuntu-24.04-server-cloudimg-amd64.img
), the default root password is 123456
, and other default settings are used.
Please note the most important options described after the commands and have a look at the create-td-image.sh
script for more available options.
cd tdx/guest-tools/image/
# create tdx-guest-ubuntu-24.04-generic.qcow2
sudo ./create-td-image.sh
Important options for TD image creation:
sudo -E
to preserve user environment.To adjust the base image, set the following two environment variables before running the script:
export OFFICIAL_UBUNTU_IMAGE="https://cloud-images.ubuntu.com/noble/current/"
export CLOUD_IMG="noble-server-cloudimg-amd64.img"
generic
or intel
) will be reflected in the name of the resulting image so it is easy to distinguish.If you have an existing Ubuntu 24.04 VM image, you can enable the Intel TDX feature using the following steps:
Boot up your guest, i.e., your regular VM.
Download this repository by downloading an asset file from the releases page on GitHub or by cloning the repository (at the appropriate tag/branch).
Run the following script.
cd tdx
sudo ./setup-tdx-guest.sh
Shutdown the guest.
Now that you have a TD image, let’s boot it using one of the following two ways:
NOTE: The script provided for the virsh method supports running multiple TDs simultaneously. The script provided for the QEMU method supports running only a single instance.
Boot TD with the provided script.
By default, the script will use an image with a generic kernel located at
./image/tdx-guest-ubuntu-24.04-generic.qcow2
. A different qcow2
image (e.g., one with an intel kernel) can be used by setting the TD_IMG
command-line variable.
NOTE: It is recommended that you run the script as a non-root user.
cd tdx/guest-tools
./run_td.sh
An example output:
TD, PID: 111924, SSH : ssh -p 10022 root@localhost
[Recommended] Configure libvirt to be usable as non-root user.
Apply the following settings to the file /etc/libvirt/qemu.conf
.
user = <your_user_name>
group = <your_group>
dynamic_ownership = 0
Restart the libvirtd
service
systemctl restart libvirtd
Boot TD using the following commands.
cd tdx/guest-tools
./tdvirsh new
Details about tdvirsh
:
virsh
tool.
This new tdvirsh
tool extends virsh
with new capabilities to create/remove TDs.tdvirsh
will use an image located at ./image/tdx-guest-ubuntu-24.04-generic.qcow2
with the generic
Ubuntu kernel.
A different qcow2 image (e.g., one with an intel
kernel) can be used by setting the TD_IMG
command-line variable.All VMs can be listed with the following command:
./tdvirsh list --all
Example of output:
```
$ ./tdvirsh list --all
Id Name State
---------------------------------------------------------------------------
1 tdvirsh-trust_domain-f7210c2b-2657-4f30-adf3-639b573ea39f running (ssh:32855, cid:3)
```
`ssh:32855` displays the port user can use to connect to the VM via `ssh`.
./tdvirsh delete [domain]
./tdvirsh -h
To run a TD VM with secure boot enabled, use the tdvirsh
tool with
dedicated libvirt configuration:
cd tdx/guest-tools
XML_TEMPLATE=trust_domain-sb.xml.template ./tdvirsh new
Log into the TD using one of the following commands.
NOTE: If you booted your TD with td_virsh_tool.sh
, you will likely need
a different port number from the one below. The tool will print the appropriate port to use
after it has successfully booted the TD.
# From localhost
ssh -p 10022 root@localhost
# From remote host
ssh -p 10022 root@<host_ip>
Verify Intel TDX is enabled in the guest using the following command:
dmesg | grep -i tdx
An example output:
[ 0.000000] tdx: Guest detected
[ 0.000000] DMI: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 2023.05-2+tdx1.0~ubuntu23.10.1 10/17/2023
[ 0.395218] process: using TDX aware idle routine
[ 0.395218] Memory Encryption Features active: Intel TDX
Verify quote generation provider:
mkdir -p /sys/kernel/config/tsm/report/testreport0
cat /sys/kernel/config/tsm/report/testreport0/provider
Should give the following output:
tdx_guest
Attestation is a process in which the attester requests the verifier (e.g., Intel Tiber Trust Services) to confirm that a TD is operating in a secure and trusted environment. This process involves the attester generating a "TD Quote", which contains measurements of the Trusted Execution Environment (TEE) and other cryptographic evidence. The TD Quote is sent to the verifier who then confirms its validity against reference values and policies. If confirmed, the verifier returns an attestation token. The attester can then send the token to a relying party who will validate it. For more on the basics of attestation, see Attestation overview.
For attestation to work, you need Production hardware. Run the following commands to verify.
cd tdx/attestation
sudo ./check-production.sh
Install the required DCAP packages inside the host OS.
NOTE 1: If you have already installed Canoncial's attestation components as part of the host OS setup (see step 2 in section 4.2), you can continue with step 3.
NOTE 2: If you're behind a proxy, use sudo -E
to preserve user environment.
cd tdx/attestation
sudo ./setup-attestation-host.sh
Reboot the system.
Verify that The Intel SGX devices have proper user and group.
NOTE: These devices are needed as Intel TDX's attestation flow is based on the Intel SGX attestation flow.
$ ls -l /dev/sgx_*
crw-rw-rw- 1 root sgx 10, 125 Apr 3 21:14 /dev/sgx_enclave
crw-rw---- 1 root sgx_prv 10, 126 Apr 3 21:14 /dev/sgx_provision
crw-rw---- 1 root sgx 10, 124 Apr 3 21:14 /dev/sgx_vepc
Verify the QGS service is running properly:
sudo systemctl status qgsd
Verify the PCCS service is running properly:
sudo systemctl status pccs
To setup the PCCS in the next step, you need a subscription key for the Intel PCS.
Configure the PCCS service:
sudo /usr/bin/pccs-configure
An example configuration you can use:
Checking nodejs version ...
nodejs is installed, continue...
Checking cracklib-runtime ...
Set HTTPS listening port [8081] (1024-65535) :
Set the PCCS service to accept local connections only? [Y] (Y/N) :
Set your Intel PCS API key (Press ENTER to skip) : <Enter your Intel PCS subscription key here>
You didn't set Intel PCS API key. You can set it later in config/default.json.
Choose caching fill method : [LAZY] (LAZY/OFFLINE/REQ) :
Set PCCS server administrator password: <PCCS-ADMIN-PASSWORD>
Re-enter administrator password: <PCCS-ADMIN-PASSWORD>
Set PCCS server user password: <PCCS-SERVER-USER-PASSWORD>
Re-enter user password: <PCCS-SERVER-USER-PASSWORD>
Do you want to generate insecure HTTPS key and cert for PCCS service? [Y] (Y/N) :N
Restart the PCCS service:
sudo systemctl restart pccs
Verify the PCCS service is running properly:
sudo systemctl status pccs
Platform registration.
The platform registration is done with the mpa_registration_tool
tool.
This service is executed on system start up, registers the platform, and gets deactivated.
Please check the following two logs to confirm successful registration:
Check service logs with following command:
sudo systemctl status mpa_registration_tool
A successful example output:
mpa_registration_tool.service - Intel MPA Registration
Loaded: loaded (/usr/lib/systemd/system/mpa_registration_tool.service; enabled; preset: enabled)
Active: inactive (dead) since Tue 2024-04-09 22:54:50 UTC; 11h ago
Duration: 46ms
Main PID: 3409 (code=exited, status=0/SUCCESS)
CPU: 21ms
Apr 09 22:54:50 right-glider-515046 systemd[1]: Started mpa_registration_tool.service - Intel MPA Registratio>
Apr 09 22:54:50 right-glider-515046 systemd[1]: mpa_registration_tool.service: Deactivated successfully.
Check MPA log file with following command:
cat /var/log/mpa_registration.log
A successful example output:
[04-06-2024 03:05:53] INFO: SGX Registration Agent version: 1.20.100.2
[04-06-2024 03:05:53] INFO: Starts Registration Agent Flow.
[04-06-2024 03:05:54] INFO: Registration Flow - PLATFORM_ESTABLISHMENT or TCB_RECOVERY passed successfully.
[04-06-2024 03:05:54] INFO: Finished Registration Agent Flow.
If an error is reported in one of the logs, boot into the BIOS, go to
Socket Configuration > Processor Configuration > Software Guard Extension (SGX)
, and set
SGX Factory Reset
to Enabled
SGX Auto MP Registration
to Enabled
NOTE: If you have already installed the attestation components as part of the TD image creation, you proceed to step 4.
Boot a TD and connect to it.
Download this repository by downloading an asset file from the releases page on GitHub or by cloning the repository (at the appropriate tag/branch).
Install the Intel Tiber Trust Service CLI.
cd tdx/attestation
./setup-attestation-guest.sh
Verify presence of Intel Tiber Trust Service CLI by printing its version.
trustauthority-cli version
An example output:
Intel® Trust Authority CLI for TDX
Version: 1.2.0-
Build Date: 2024-03-07T17:35:34+00:00
Boot a TD and connect to it.
Inside the TD, generate a sample TD Quote to prove the Quote Generation Service is working properly.
cd /usr/share/doc/libtdx-attest-dev/examples/
./test_tdx_attest
An example output of a successful quote generation:
TDX report data
00000000: 1a d0 79 02 45 df 7e 77 2b 9f a2 43 8c 69 4f 8a
00000010: f3 0b 53 44 01 87 15 e1 44 1b 27 f1 c0 eb 14 da
00000020: bb 8d dd 00 6c 5b 78 97 fa 1a da 86 83 2a 10 76
00000030: 35 63 bb 36 ea d0 17 2f eb 3e 20 ab 2a 34 86 e5
TDX report
00000000: 81 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000010: 06 06 16 18 03 ff 00 04 00 00 00 00 00 00 00 00
00000020: ae ef a8 61 f5 b5 f0 4f b5 ad 95 8c 1b ae f7 5f
00000030: 2c 05 e0 e1 5e cd 5f 87 96 85 0a 10 cf ca a7 58
....
....
Successfully get the TD Quote
Wrote TD Quote to quote.dat
Failed to extend rtmr[2]
Failed to extend rtmr[3]
NOTE: You can ignore the Failed to extend rtmr
messages.
You should also find a quote.dat
file generated.
Attest with the Intel Tiber Trust Service.
Obtain an API key following the tutorial.
Create a config.json
file like the example below:
{
"trustauthority_url": "https://portal.trustauthority.intel.com",
"trustauthority_api_url": "https://api.trustauthority.intel.com",
"trustauthority_api_key": "<Your Intel Tiber Trust Service API key>"
}
Use the Intel Tiber Trust Service CLI to generation an attestation token. Under the hood, the CLI will generate a TD Quote using the CPU, send the TD Quote to the external Intel Tiber Trust Service for TD Quote verification, and receive an attestation token on success.
trustauthority-cli token -c config.json
An example of a successful attestation token generation:
2024/04/30 22:55:17 [DEBUG] GET https://api.trustauthority.intel.com/appraisal/v1/nonce
2024/04/30 22:55:18 [DEBUG] POST https://api.trustauthority.intel.com/appraisal/v1/attest
Trace Id: U5sA2GNVoAMEPkQ=
eyJhbGciOiJQUzM4NCIsImprdSI6Imh0dHBzOi8vYW1iZXItdGVzdDEtdXNlcjEucHJvamVjdC1hbWJlci1zbWFzLmN
.....
.....
.....
DRctLIeN4MioXztymyK7qsT1p7n7Dh56-HmDQH47MVgrEL_S-wRYDQioEkUvtuA_3pGk
Even though the Intel TDX components live in a separate PPA from the rest of the Ubuntu packages, they follow the Ubuntu standards and offer users the same facilities for code source access and building.
You can find generic instructions on how to build a package from source here: https://wiki.debian.org/BuildingTutorial. The core idea of building a package from source code is to be able to edit the source code (see https://wiki.debian.org/BuildingTutorial#Edit_the_source_code).
Here are example instructions for building QEMU (for normal user with sudo rights):
Install Ubuntu 24.04 (or use an existing Ubuntu 24.04 system).
Install build dependencies:
sudo apt update
sudo apt install --no-install-recommends --yes software-properties-common \
build-essential \
fakeroot \
devscripts \
wget \
git \
equivs \
liblz4-tool \
sudo \
unzip \
curl \
xz-utils \
cpio \
gawk
Download package's source:
sudo add-apt-repository -s ppa:kobuk-team/tdx-release
apt source qemu
This command will create several files and a folder, the folder is the qemu source code.
Rebuild
cd <qemu-source-code>
sudo apt build-dep ./
debuild -us -uc -b
The resulting debian packages are available in the parent folder.
Install the packages.
For details, you can refer to https://wiki.debian.org/BuildingTutorial#Installing_and_testing_the_modified_package
Please follow tests/README to run Intel TDX tests.