From 4f4ff286830d1e15cc1e1f0932a2db68a3ecc963 Mon Sep 17 00:00:00 2001
From: Hector Cao <122458375+hector-cao@users.noreply.github.com>
Date: Fri, 10 May 2024 18:04:00 +0200
Subject: [PATCH] improvement setup configuration management (#104)
* improve setup scripts configuration
put all variables in a config file
clean up setup scripts in the guest at the end
* allow downgrade for attestation packages
---
README.md | 40 +++++++-----------------
attestation/setup-attestation-guest.sh | 2 +-
attestation/setup-attestation-host.sh | 6 ++--
guest-tools/image/create-td-image.sh | 24 +++++++++------
guest-tools/image/setup.sh | 9 ++----
setup-tdx-config | 42 ++++++++++++++++++++++++++
setup-tdx-guest.sh | 7 ++++-
setup-tdx-host.sh | 5 +++
8 files changed, 85 insertions(+), 50 deletions(-)
create mode 100644 setup-tdx-config
diff --git a/README.md b/README.md
index 584471c..7e8ff80 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,10 @@ As a result, it enhances a platform user’s control of data security and IP pro
Cloud Service Providers’ (CSP) ability to provide managed cloud services without exposing tenant data to adversaries.
For more information, see the [Intel TDX overview](https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html).
-This tech preview of TDX on Ubuntu 24.04 provides base host, guest, and remote attestation functionalities. Follow these instructions to setup the TDX host, create a TD guest, boot it, and attest the integrity of its execution environment.
+This tech preview of TDX on Ubuntu 24.04 provides base host, guest, and remote attestation functionalities.
+Follow these instructions to setup the TDX host, create a TD guest, boot it, and attest the integrity of its execution environment.
+
+The setup can be customized by editing the global configuration file : `setup-tdx-config`
## 2. Report an Issue
@@ -45,14 +48,11 @@ the host into a TDX host, optionally install remote attestation components, and
3. Run the script.
-NOTE 1: If you'd like to have the attestation components installed automatically, change the value
-of `TDX_SETUP_ATTESTATION` from `0` to `1`.
-
-NOTE 2: If you're behind a proxy, use `sudo -E` to preserve user environment.
+NOTE: If you're behind a proxy, use `sudo -E` to preserve user environment.
```bash
cd tdx
-sudo TDX_SETUP_ATTESTATION=0 ./setup-tdx-host.sh
+sudo ./setup-tdx-host.sh
```
4. Reboot.
@@ -87,7 +87,7 @@ NOTE: The following is a sample BIOS configuration. It may vary slightly from o
sudo dmesg | grep -i tdx
```
-An example output:
+The message `virt/tdx: module initialized` proves that the tdx has been properly initialized. Here is an example output:
```
...
@@ -103,31 +103,16 @@ In this section, you will create an Ubuntu 24.04-based TD guest from scratch or
### Create a New TD Guest Image
-The base image is an Ubuntu 24.04 cloud image [`ubuntu-24.04-server-cloudimg-amd64.img`](https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img). You can be customized your preferences by setting these two environment variables before running the script:
-
-```bash
-export OFFICIAL_UBUNTU_IMAGE="https://cloud-images.ubuntu.com/noble/current/"
-export CLOUD_IMG="noble-server-cloudimg-amd64.img"
-```
+The base image is an Ubuntu 24.04 cloud image.
1. Generate a TD guest image.
-NOTE 1: If you'd like to have the attestation components installed automatically, change the value
-of `TDX_SETUP_ATTESTATION` from `0` to `1`.
-NOTE 2: If you're behind a proxy, use `sudo -E` to preserve user environment.
+NOTE: If you're behind a proxy, use `sudo -E` to preserve user environment.
```bash
cd tdx/guest-tools/image/
# create tdx-guest-ubuntu-24.04-generic.qcow2
-sudo -E ./create-td-image.sh
-```
-
-The TD guest image uses the Ubuntu generic kernel by default, the intel kernel can be selected by using
-the environment variable `TDX_SETUP_INTEL_KERNEL`.
-
-```bash
-# create tdx-guest-ubuntu-24.04-intel.qcow2
-sudo TDX_SETUP_ATTESTATION=0 TDX_SETUP_INTEL_KERNEL=1 ./create-td-image.sh
+sudo ./create-td-image.sh
```
Note that the kernel type (`generic` or `intel`) is automatically included in the image name so it is easy to distinguish.
@@ -144,12 +129,9 @@ If you have an existing Ubuntu 24.04 non-TD guest, you can enable the TDX featur
3. Run the script.
-NOTE: If you'd like to have the attestation components installed automatically, change the value
-of `TDX_SETUP_ATTESTATION` from `0` to `1`.
-
```bash
cd tdx
-sudo TDX_SETUP_ATTESTATION=0 ./setup-tdx-guest.sh
+sudo ./setup-tdx-guest.sh
```
4. Shutdown the guest.
diff --git a/attestation/setup-attestation-guest.sh b/attestation/setup-attestation-guest.sh
index 596146e..44c5d6f 100755
--- a/attestation/setup-attestation-guest.sh
+++ b/attestation/setup-attestation-guest.sh
@@ -9,7 +9,7 @@ apt install --yes software-properties-common
add-apt-repository -y ppa:kobuk-team/tdx-release
apt update
-apt install --yes libtdx-attest-dev trustauthority-cli
+apt install --yes --allow-downgrades libtdx-attest-dev trustauthority-cli
# compile tdx-attest source
apt install --yes build-essential
diff --git a/attestation/setup-attestation-host.sh b/attestation/setup-attestation-host.sh
index bea8107..29d5463 100755
--- a/attestation/setup-attestation-host.sh
+++ b/attestation/setup-attestation-host.sh
@@ -10,11 +10,11 @@ add-apt-repository -y ppa:kobuk-team/tdx-release
apt update
-apt install --yes sgx-dcap-pccs tdx-qgs
+apt install --yes --allow-downgrades sgx-dcap-pccs tdx-qgs
# using RA registration (direct registration method)
-apt install --yes sgx-ra-service
+apt install --yes --allow-downgrades sgx-ra-service
# using indirect registration method
-apt install --yes sgx-pck-id-retrieval-tool
+apt install --yes --allow-downgrades sgx-pck-id-retrieval-tool
diff --git a/guest-tools/image/create-td-image.sh b/guest-tools/image/create-td-image.sh
index 0191fb0..0d6de5e 100755
--- a/guest-tools/image/create-td-image.sh
+++ b/guest-tools/image/create-td-image.sh
@@ -16,9 +16,15 @@
#
# TODO : ask cloud init to run the TDX setup script
+CURR_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+# source config file
+if [ -f ${CURR_DIR}/../../setup-tdx-config ]; then
+ source ${CURR_DIR}/../../setup-tdx-config
+fi
+
LOGFILE=/tmp/tdx-guest-setup.txt
WORK_DIR=${PWD}
-CURR_DIR=$(dirname "$(realpath $0)")
FORCE_RECREATE=false
OFFICIAL_UBUNTU_IMAGE=${OFFICIAL_UBUNTU_IMAGE:-"https://cloud-images.ubuntu.com/releases/noble/release/"}
CLOUD_IMG=${CLOUD_IMG:-"ubuntu-24.04-server-cloudimg-amd64.img"}
@@ -216,16 +222,14 @@ EOT
}
setup_guest_image() {
- # export environment variables to guest
- # all environment variables with prefix : TDX_SETUP_
- declare -px | grep TDX_SETUP_ > ${CURR_DIR}/tdx-guest-setup-env
virt-customize -a /tmp/${GUEST_IMG} \
- --copy-in ${CURR_DIR}/setup.sh:/tmp/ \
- --copy-in ${CURR_DIR}/../../setup-tdx-guest.sh:/tmp/ \
- --copy-in ${CURR_DIR}/../../setup-tdx-common:/tmp/ \
- --copy-in ${CURR_DIR}/../../attestation/:/tmp/ \
- --copy-in ${CURR_DIR}/tdx-guest-setup-env:/tmp/ \
- --run-command "/tmp/setup.sh"
+ --mkdir /tmp/tdx/ \
+ --copy-in ${CURR_DIR}/setup.sh:/tmp/tdx/ \
+ --copy-in ${CURR_DIR}/../../setup-tdx-guest.sh:/tmp/tdx/ \
+ --copy-in ${CURR_DIR}/../../setup-tdx-common:/tmp/tdx \
+ --copy-in ${CURR_DIR}/../../setup-tdx-config:/tmp/tdx \
+ --copy-in ${CURR_DIR}/../../attestation/:/tmp/tdx \
+ --run-command "/tmp/tdx/setup.sh"
if [ $? -eq 0 ]; then
ok "Setup guest image..."
else
diff --git a/guest-tools/image/setup.sh b/guest-tools/image/setup.sh
index 0968cb5..16c4f3c 100755
--- a/guest-tools/image/setup.sh
+++ b/guest-tools/image/setup.sh
@@ -1,10 +1,5 @@
#!/bin/bash
-# caller can set a list of environment variables by putting them into the file /tmp/tdx-guest-setup-env
-if [ -f /tmp/tdx-guest-setup-env ]; then
- source /tmp/tdx-guest-setup-env
-fi
-
apt update
# Utilities packages for automated testing
@@ -18,4 +13,6 @@ sed -i 's|[#]*PermitRootLogin .*|PermitRootLogin yes|g' /etc/ssh/sshd_config
sed -i 's|[#]*KbdInteractiveAuthentication .*|KbdInteractiveAuthentication yes|g' /etc/ssh/sshd_config
# Enable TDX
-/tmp/setup-tdx-guest.sh
+/tmp/tdx/setup-tdx-guest.sh
+
+rm -rf /tmp/tdx || true
diff --git a/setup-tdx-config b/setup-tdx-config
new file mode 100644
index 0000000..1e41b5f
--- /dev/null
+++ b/setup-tdx-config
@@ -0,0 +1,42 @@
+################################################################
+# GENERAL #
+################################################################
+
+################################################################
+# Enable the setup of attestation components
+# Set to 1 to enable
+# By default, the attestation components are not installed
+################################################################
+TDX_SETUP_ATTESTATION=0
+
+################################################################
+# HOST #
+################################################################
+
+
+################################################################
+# GUEST #
+################################################################
+
+################################################################
+# Enable the intel optimized kernel for the guest
+# Set to 1 to enable
+# By default, the generic kernel is used
+################################################################
+TDX_SETUP_INTEL_KERNEL=0
+
+################################################################
+# Image configuration
+# The base image is an Ubuntu 24.04 cloud image
+# You can use a different image setting these two environment
+# variables before running the setup script
+################################################################
+OFFICIAL_UBUNTU_IMAGE="https://cloud-images.ubuntu.com/releases/noble/release/"
+CLOUD_IMG="ubuntu-24.04-server-cloudimg-amd64.img"
+
+################################################################
+# Configure the guest credentials
+################################################################
+GUEST_USER="tdx"
+GUEST_PASSWORD="123456"
+GUEST_HOSTNAME="tdx-guest"
diff --git a/setup-tdx-guest.sh b/setup-tdx-guest.sh
index d7e1c46..13f62fd 100755
--- a/setup-tdx-guest.sh
+++ b/setup-tdx-guest.sh
@@ -2,11 +2,16 @@
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+# source config file
+if [ -f ${SCRIPT_DIR}/setup-tdx-config ]; then
+ source ${SCRIPT_DIR}/setup-tdx-config
+fi
+
# the kernel flavour/type we want to use
KERNEL_TYPE=linux-image-generic
# use can use -intel kernel by setting TDX_SETUP_INTEL_KERNEL
-if [ -n "${TDX_SETUP_INTEL_KERNEL}" ]; then
+if [[ "${TDX_SETUP_INTEL_KERNEL}" == "1" ]]; then
KERNEL_TYPE=linux-image-intel
fi
diff --git a/setup-tdx-host.sh b/setup-tdx-host.sh
index a0b9e82..7b5c151 100755
--- a/setup-tdx-host.sh
+++ b/setup-tdx-host.sh
@@ -2,6 +2,11 @@
SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+# source config file
+if [ -f ${SCRIPT_DIR}/setup-tdx-config ]; then
+ source ${SCRIPT_DIR}/setup-tdx-config
+fi
+
on_exit() {
rc=$?
if [ ${rc} -ne 0 ]; then