libkrun icon indicating copy to clipboard operation
libkrun copied to clipboard
verified publisher icon containers

Add support for Intel Trust Domain Extensions (TDX)

Open jakecorrenti opened this issue 1 year ago • 1 comments

This PR adds support for the Intel Trust Domain Extensions (TDX) Confidential Computing architecture.

This is currently a draft as the following issues are present:

  • The guest is failing to complete the boot sequence. I suspect this is due to firmware issues, such as a lack of proper IDT setup and #VE handling
  • https://www.github.com/virtee/tdx needs to get published to crates.io before this can get merged

Before merging there are some commits that will be squashed and/or re-ordered.

There is also additional functionality that I would like to add such as:

  • [ ] Comprehensive CPUID configuration based off of the TDX capabilities reported by KVM_TDX_CAPABILITIES
  • [ ] Handle the following VMCALLs
    • [x] TDG.VP.VMCALL<SetupEventNotifyInterrupt>
    • [ ] TDG.VP.VMCALL<GetQuote>
    • [x] TDG.VP.VMCALL<MapGPA>
    • [x] TDG.VP.VMCALL<REPORT_FATAL_ERROR>
  • [ ] Validate TDX Attributes when reported by KVM_TDX_CAPABILITIES
  • [ ] Update README.md and other docs
  • [ ] Make sure guests work with varying memory and vCPU configurations

Any early reviews are welcome.

jakecorrenti avatar Oct 21 '24 19:10 jakecorrenti

Temporarily pushing a mess of commits so that it can get cleaned up...

jakecorrenti avatar Feb 25 '25 17:02 jakecorrenti

closing in favor of https://github.com/containers/libkrun/pull/313

jakecorrenti avatar Apr 09 '25 20:04 jakecorrenti