Closed arronwy closed 2 years ago
So we do have some CI for TDX, but there are a couple of questions about the coverage.
First of all, it doesn't look like the kata-ci has any tests that use remote attestation for TDX. This is a bit of a gap.
Second, we don't have any TDX testing for the operator. In the community meeting a few weeks ago @fidencio said that he thought platform specific CI for the operator should be a hard requirement for the first release. I'm not sure what we should do about it. It might not be too hard to add but we don't have much time.
cc: @peterzcst @wainersm @c3d
For remote attestation in Kata-CI, it's a gap but not a functional gap. TDX remote attestation has been there since last November. The challenge here is the complexity of setting up a remote attestation service in CI. It's not TDX specific. Currently no HWTEE CI has remote attestation in place.
For operator CI, per Fabiano, Arron is working on the rest of the operator CI. Some issues are still there. Arron is working with Wainer (and keeping Fabiano updated). Not sure when we can have operator CI finished.
All in all, TDX CoCo support is complete for the Sep release, except the operator CI parts.
> The challenge here is the complexity of setting up a remote attestation service in CI. It's not TDX specific. Currently no HWTEE CI has remote attestation in place.
See https://github.com/kata-containers/tests/pull/4977
Let's not make it about SEV vs TDX, though. I agree with you that TDX is functioning and has been for a long time. At the same time @fidencio felt strongly about having good testing coverage before he went on vacation. I'm not exactly sure what is best. Maybe we can change the wording somehow to say that it is a feature but it isn't yet fully supported in the CI.
FWIW those are the 2 PRs needed to enable the operator CI for TDX:
https://github.com/confidential-containers/operator/pull/79
https://github.com/confidential-containers/operator/pull/85
Ok, I think this is superseded by #49 which adds a new section for supported hw and lists TDX there. wdyt @arronwy
Thanks @fitzthum, lgtm.
@arronwy @peterzcst Please let us know if we can close that PR now that #49 is merged.
Yes, this one can be closed. Thanks @fitzthum @sameo
Thanks @sameo, yes, we can close this PR now.
Signed-off-by: Wang, Arron <arron.wang@intel.com>