From 4f4ff286830d1e15cc1e1f0932a2db68a3ecc963 Mon Sep 17 00:00:00 2001 From: Hector Cao <122458375+hector-cao@users.noreply.github.com> Date: Fri, 10 May 2024 18:04:00 +0200 Subject: [PATCH] improvement setup configuration management (#104) * improve setup scripts configuration put all variables in a config file clean up setup scripts in the guest at the end * allow downgrade for attestation packages --- README.md | 40 +++++++----------------- attestation/setup-attestation-guest.sh | 2 +- attestation/setup-attestation-host.sh | 6 ++-- guest-tools/image/create-td-image.sh | 24 +++++++++------ guest-tools/image/setup.sh | 9 ++---- setup-tdx-config | 42 ++++++++++++++++++++++++++ setup-tdx-guest.sh | 7 ++++- setup-tdx-host.sh | 5 +++ 8 files changed, 85 insertions(+), 50 deletions(-) create mode 100644 setup-tdx-config diff --git a/README.md b/README.md index 584471c..7e8ff80 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,10 @@ As a result, it enhances a platform user’s control of data security and IP pro Cloud Service Providers’ (CSP) ability to provide managed cloud services without exposing tenant data to adversaries. For more information, see the [Intel TDX overview](https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html). -This tech preview of TDX on Ubuntu 24.04 provides base host, guest, and remote attestation functionalities. Follow these instructions to setup the TDX host, create a TD guest, boot it, and attest the integrity of its execution environment. +This tech preview of TDX on Ubuntu 24.04 provides base host, guest, and remote attestation functionalities. +Follow these instructions to setup the TDX host, create a TD guest, boot it, and attest the integrity of its execution environment. + +The setup can be customized by editing the global configuration file : `setup-tdx-config` ## 2. Report an Issue 
@@ -45,14 +48,11 @@ the host into a TDX host, optionally install remote attestation components, and 3. Run the script.
-NOTE 1: If you'd like to have the attestation components installed automatically, change the value -of `TDX_SETUP_ATTESTATION` from `0` to `1`. - -NOTE 2: If you're behind a proxy, use `sudo -E` to preserve user environment. +NOTE: If you're behind a proxy, use `sudo -E` to preserve user environment. ```bash cd tdx -sudo TDX_SETUP_ATTESTATION=0 ./setup-tdx-host.sh +sudo ./setup-tdx-host.sh ``` 4. Reboot. @@ -87,7 +87,7 @@ NOTE: The following is a sample BIOS configuration. It may vary slightly from o sudo dmesg | grep -i tdx ``` -An example output: +The message `virt/tdx: module initialized` proves that the tdx has been properly initialized. Here is an example output: ``` ... @@ -103,31 +103,16 @@ In this section, you will create an Ubuntu 24.04-based TD guest from scratch or ### Create a New TD Guest Image -The base image is an Ubuntu 24.04 cloud image [`ubuntu-24.04-server-cloudimg-amd64.img`](https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img). You can be customized your preferences by setting these two environment variables before running the script: - -```bash -export OFFICIAL_UBUNTU_IMAGE="https://cloud-images.ubuntu.com/noble/current/" -export CLOUD_IMG="noble-server-cloudimg-amd64.img" -``` +The base image is an Ubuntu 24.04 cloud image. 1. Generate a TD guest image.
-NOTE 1: If you'd like to have the attestation components installed automatically, change the value -of `TDX_SETUP_ATTESTATION` from `0` to `1`. -NOTE 2: If you're behind a proxy, use `sudo -E` to preserve user environment. +NOTE: If you're behind a proxy, use `sudo -E` to preserve user environment. ```bash cd tdx/guest-tools/image/ # create tdx-guest-ubuntu-24.04-generic.qcow2 -sudo -E ./create-td-image.sh -``` - -The TD guest image uses the Ubuntu generic kernel by default, the intel kernel can be selected by using -the environment variable `TDX_SETUP_INTEL_KERNEL`. - -```bash -# create tdx-guest-ubuntu-24.04-intel.qcow2 -sudo TDX_SETUP_ATTESTATION=0 TDX_SETUP_INTEL_KERNEL=1 ./create-td-image.sh +sudo ./create-td-image.sh ``` Note that the kernel type (`generic` or `intel`) is automatically included in the image name so it is easy to distinguish. @@ -144,12 +129,9 @@ If you have an existing Ubuntu 24.04 non-TD guest, you can enable the TDX featur 3. Run the script. -NOTE: If you'd like to have the attestation components installed automatically, change the value -of `TDX_SETUP_ATTESTATION` from `0` to `1`. - ```bash cd tdx -sudo TDX_SETUP_ATTESTATION=0 ./setup-tdx-guest.sh +sudo ./setup-tdx-guest.sh ``` 4. Shutdown the guest. diff --git a/attestation/setup-attestation-guest.sh b/attestation/setup-attestation-guest.sh index 596146e..44c5d6f 100755 --- a/attestation/setup-attestation-guest.sh +++ b/attestation/setup-attestation-guest.sh @@ -9,7 +9,7 @@ apt install --yes software-properties-common add-apt-repository -y ppa:kobuk-team/tdx-release apt update -apt install --yes libtdx-attest-dev trustauthority-cli +apt install --yes --allow-downgrades libtdx-attest-dev trustauthority-cli # compile tdx-attest source apt install --yes build-essential diff --git a/attestation/setup-attestation-host.sh b/attestation/setup-attestation-host.sh index bea8107..29d5463 100755 --- a/attestation/setup-attestation-host.sh +++ b/attestation/setup-attestation-host.sh 
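Review bot: `--allow-downgrades` on the `apt install` line in attestation/setup-attestation-guest.sh lets apt replace an already-installed newer libtdx-attest-dev or trustauthority-cli with an older build from the PPA, and nothing in the hunk records why that is needed; the same flag is added to the three installs in attestation/setup-attestation-host.sh. Because the flag is unconditional, every re-run of the script can roll a package back to the PPA revision, which is easy to miss when the archive later ships a newer build. If a particular PPA build is what is wanted, pinning it by version, `apt install --yes libtdx-attest-dev=<PPA_VERSION> trustauthority-cli=<PPA_VERSION>`, states that intent without enabling downgrades in general. Otherwise a one-line comment such as `# the PPA build may be older than the archive one; accept the downgrade` above the install would document the reason.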
@@ -10,11 +10,11 @@ add-apt-repository -y ppa:kobuk-team/tdx-release apt update -apt install --yes sgx-dcap-pccs tdx-qgs +apt install --yes --allow-downgrades sgx-dcap-pccs tdx-qgs # using RA registration (direct registration method) -apt install --yes sgx-ra-service +apt install --yes --allow-downgrades sgx-ra-service # using indirect registration method -apt install --yes sgx-pck-id-retrieval-tool +apt install --yes --allow-downgrades sgx-pck-id-retrieval-tool diff --git a/guest-tools/image/create-td-image.sh b/guest-tools/image/create-td-image.sh index 0191fb0..0d6de5e 100755 --- a/guest-tools/image/create-td-image.sh +++ b/guest-tools/image/create-td-image.sh @@ -16,9 +16,15 @@ # # TODO : ask cloud init to run the TDX setup script +CURR_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) + +# source config file +if [ -f ${CURR_DIR}/../../setup-tdx-config ]; then + source ${CURR_DIR}/../../setup-tdx-config +fi + LOGFILE=/tmp/tdx-guest-setup.txt WORK_DIR=${PWD} -CURR_DIR=$(dirname "$(realpath $0)") FORCE_RECREATE=false OFFICIAL_UBUNTU_IMAGE=${OFFICIAL_UBUNTU_IMAGE:-"https://cloud-images.ubuntu.com/releases/noble/release/"} CLOUD_IMG=${CLOUD_IMG:-"ubuntu-24.04-server-cloudimg-amd64.img"} 
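Review bot: The new `[ -f ${CURR_DIR}/../../setup-tdx-config ]` test and the `source ${CURR_DIR}/../../setup-tdx-config` line in guest-tools/image/create-td-image.sh leave `${CURR_DIR}` unquoted; CURR_DIR comes from the script's own location, so a checkout under a path containing a space or glob character breaks the test and the source. Quote both: `if [ -f "${CURR_DIR}/../../setup-tdx-config" ]; then` and `source "${CURR_DIR}/../../setup-tdx-config"`. The identical unquoted pattern is added to setup-tdx-guest.sh and setup-tdx-host.sh in this commit. It is also worth one comment that the file is executed as shell by the caller (root under sudo) rather than parsed, e.g. `# setup-tdx-config is sourced as shell; any assignment or command in it runs here`, since the README presents it as a plain configuration file.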
@@ -216,16 +222,14 @@ EOT } setup_guest_image() { - # export environment variables to guest - # all environment variables with prefix : TDX_SETUP_ - declare -px | grep TDX_SETUP_ > ${CURR_DIR}/tdx-guest-setup-env virt-customize -a /tmp/${GUEST_IMG} \ - --copy-in ${CURR_DIR}/setup.sh:/tmp/ \ - --copy-in ${CURR_DIR}/../../setup-tdx-guest.sh:/tmp/ \ - --copy-in ${CURR_DIR}/../../setup-tdx-common:/tmp/ \ - --copy-in ${CURR_DIR}/../../attestation/:/tmp/ \ - --copy-in ${CURR_DIR}/tdx-guest-setup-env:/tmp/ \ - --run-command "/tmp/setup.sh" + --mkdir /tmp/tdx/ \ + --copy-in ${CURR_DIR}/setup.sh:/tmp/tdx/ \ + --copy-in ${CURR_DIR}/../../setup-tdx-guest.sh:/tmp/tdx/ \ + --copy-in ${CURR_DIR}/../../setup-tdx-common:/tmp/tdx \ + --copy-in ${CURR_DIR}/../../setup-tdx-config:/tmp/tdx \ + --copy-in ${CURR_DIR}/../../attestation/:/tmp/tdx \ + --run-command "/tmp/tdx/setup.sh" if [ $? -eq 0 ]; then ok "Setup guest image..." else diff --git a/guest-tools/image/setup.sh b/guest-tools/image/setup.sh index 0968cb5..16c4f3c 100755 --- a/guest-tools/image/setup.sh +++ b/guest-tools/image/setup.sh @@ -1,10 +1,5 @@ #!/bin/bash -# caller can set a list of environment variables by putting them into the file /tmp/tdx-guest-setup-env -if [ -f /tmp/tdx-guest-setup-env ]; then - source /tmp/tdx-guest-setup-env -fi - apt update # Utilities packages for automated testing @@ -18,4 +13,6 @@ sed -i 's|[#]*PermitRootLogin .*|PermitRootLogin yes|g' /etc/ssh/sshd_config sed -i 's|[#]*KbdInteractiveAuthentication .*|KbdInteractiveAuthentication yes|g' /etc/ssh/sshd_config # Enable TDX -/tmp/setup-tdx-guest.sh +/tmp/tdx/setup-tdx-guest.sh + +rm -rf /tmp/tdx || true diff --git a/setup-tdx-config b/setup-tdx-config new file mode 100644 index 0000000..1e41b5f --- /dev/null +++ b/setup-tdx-config 
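Review bot: The `--copy-in ${CURR_DIR}/../../setup-tdx-config:/tmp/tdx` line stages the whole configuration, including GUEST_USER and GUEST_PASSWORD, inside the image, and its removal relies on the guest-side setup.sh reaching its final `rm -rf /tmp/tdx || true`; an interrupted run-command or a future early exit in setup.sh would leave the credentials in the produced image. On the success path virt-customize can remove the directory from the host side as well: add `--delete /tmp/tdx \` after `--run-command "/tmp/tdx/setup.sh"`, and the failure branch should discard the partially customised image rather than keep it (that else branch lies outside the hunk). A short comment would also help readers of the removed `declare -px | grep TDX_SETUP_` line, e.g. `# host environment variables are no longer forwarded; the guest reads setup-tdx-config only`, since this changes how TDX_SETUP_* overrides reach the guest.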
@@ -0,0 +1,42 @@
+################################################################
+# GENERAL #
+################################################################
+
+################################################################
+# Enable the setup of attestation components
+# Set to 1 to enable
+# By default, the attestation components are not installed
+################################################################
+TDX_SETUP_ATTESTATION=0
+
+################################################################
+# HOST #
+################################################################
+
+
+################################################################
+# GUEST #
+################################################################
+
+################################################################
+# Enable the intel optimized kernel for the guest
+# Set to 1 to enable
+# By default, the generic kernel is used
+################################################################
+TDX_SETUP_INTEL_KERNEL=0
+
+################################################################
+# Image configuration
+# The base image is an Ubuntu 24.04 cloud image
+# You can use a different image setting these two environment
+# variables before running the setup script
+################################################################
+OFFICIAL_UBUNTU_IMAGE="https://cloud-images.ubuntu.com/releases/noble/release/"
+CLOUD_IMG="ubuntu-24.04-server-cloudimg-amd64.img"
+
+################################################################
+# Configure the guest credentials
+################################################################
+GUEST_USER="tdx"
+GUEST_PASSWORD="123456"
+GUEST_HOSTNAME="tdx-guest"
diff --git a/setup-tdx-guest.sh b/setup-tdx-guest.sh
index d7e1c46..13f62fd 100755
--- a/setup-tdx-guest.sh
+++ b/setup-tdx-guest.sh
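Review bot: The comment above OFFICIAL_UBUNTU_IMAGE says a different image can be chosen by "setting these two environment variables before running the setup script", but setup-tdx-config is `source`d by the setup scripts and its plain assignments overwrite whatever is already exported, so an OFFICIAL_UBUNTU_IMAGE or CLOUD_IMG set in the environment is discarded. Either keep the documented behaviour with `OFFICIAL_UBUNTU_IMAGE="${OFFICIAL_UBUNTU_IMAGE:-https://cloud-images.ubuntu.com/releases/noble/release/}"` and `CLOUD_IMG="${CLOUD_IMG:-ubuntu-24.04-server-cloudimg-amd64.img}"`, or reword the comment to say the values are edited in this file. `GUEST_PASSWORD="123456"` is a fixed, trivially guessable default that create-td-image.sh copies into every image it builds; the credentials block should mark it as a development default to change before building, e.g. `# development default: set your own password before building an image`, and the consuming script could refuse the unchanged value. Whether GUEST_USER and GUEST_PASSWORD are already read by create-td-image.sh is not visible in this diff.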
@@ -2,11 +2,16 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +# source config file +if [ -f ${SCRIPT_DIR}/setup-tdx-config ]; then + source ${SCRIPT_DIR}/setup-tdx-config +fi + # the kernel flavour/type we want to use KERNEL_TYPE=linux-image-generic # use can use -intel kernel by setting TDX_SETUP_INTEL_KERNEL -if [ -n "${TDX_SETUP_INTEL_KERNEL}" ]; then +if [[ "${TDX_SETUP_INTEL_KERNEL}" == "1" ]]; then KERNEL_TYPE=linux-image-intel fi diff --git a/setup-tdx-host.sh b/setup-tdx-host.sh index a0b9e82..7b5c151 100755 --- a/setup-tdx-host.sh +++ b/setup-tdx-host.sh @@ -2,6 +2,11 @@ SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) +# source config file +if [ -f ${SCRIPT_DIR}/setup-tdx-config ]; then + source ${SCRIPT_DIR}/setup-tdx-config +fi + on_exit() { rc=$? if [ ${rc} -ne 0 ]; then
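Review bot: The condition in setup-tdx-guest.sh changes from `-n "${TDX_SETUP_INTEL_KERNEL}"` to `== "1"`, so a value such as `yes` or `true` that used to select the intel kernel is now silently ignored, yet the comment `# use can use -intel kernel by setting TDX_SETUP_INTEL_KERNEL` still reads as if any value works; replace it with `# use the -intel kernel by setting TDX_SETUP_INTEL_KERNEL=1 in setup-tdx-config`. The `source ${SCRIPT_DIR}/setup-tdx-config` line here, and the same line in setup-tdx-host.sh, should quote the path: `source "${SCRIPT_DIR}/setup-tdx-config"`. The setup-tdx-host.sh hunk runs past the end of what is shown here, so its trailing lines were not reviewed.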