Releases: canonical/tdx

3.0

09 Dec 08:28
7d26524

Overview

This release provides Intel® Trust Domain Extensions (TDX) with base host, guest, and remote attestation functionalities for Ubuntu.

The new release delivers the following major changes:

  • Add support for Ubuntu Oracular (24.10) Host OS

  • Extend the list of supported guest OS:

    • Ubuntu Oracular 24.10 (kernel: 6.11 linux-generic) 🆕
    • Ubuntu Oracular 24.10 (kernel: 6.11 linux-intel) 🆕
    • Ubuntu Noble 24.04 (kernel: 6.8 linux-generic)

    ❗For that purpose, create-td-image.sh has been modified to allow users to specify the
    guest version for the guest image.

  • Attestation & measurements: add boot scripts for direct boot (+ Unified Kernel Image) and instructions for inspecting the boot event log

1. Ubuntu 24.10

⚠️ For the best user experience, it’s not recommended to do an upgrade from Ubuntu 24.04 with TDX. Perform a fresh installation of Ubuntu 24.10 + TDX components instead.

1.1. TDX Components

  • Kernel:
    Version: 6.11.0-1003-intel
    Source link.
  • QEMU:
    Version: 9.0.2
  • Libvirt:
    Version: 10.6.0
  • OVMF/EDK2:
    Version: 2024.05
  • Remote attestation components:
    • Intel DCAP
      Version: 1.21
    • Intel Trust Authority Client
      Version: 1.6.1

1.2. Test Configurations

  • CPU: 4th Gen Intel® Xeon® Scalable Processors
    TDX Module: TDX_1.5.05, build 698
  • CPU: 5th Gen Intel® Xeon® Scalable Processors
    TDX Module: TDX_1.5.06, build 744
  • CPU: Intel® Xeon® 6 Processors with P-Cores
    TDX Module: TDX_2.0.01, build 785

1.3. Known Issues/Current Limitations

  • Nested virtualization is not supported (#200)
  • TD guest doesn't support more than 1 socket/die CPU topology
  • PMU (Performance Monitoring Unit) is currently not supported and it is disabled by default. (#182)
  • Performance drops if the TD guest’s memory is not 2M aligned for Transparent Huge Page.
  • Graphics support is disabled (graphic and remote access like VNC are all not supported). (#202)
  • I/O device pass-through is not fully supported. (#137)
  • Guest Kexec is currently not supported. (#204)
  • TD guest with large VCPU and memory configuration takes longer to boot.
  • TD guest with more than 255 VCPUs won’t boot.
  • Failure to boot TD guest with console=hvc0 in kernel command line and QEMU cmd -serial stdio. This bug is being tracked here.

2. Ubuntu 24.04

None

3. Bugfixes

4. Testing

  • tests : fix intel trust authority quote generation tests by @hector-cao in #290
  • tests : extend ssh connection timeout for test tsc_deadline disable by @hector-cao in #280
  • several improvements for tests in Ubuntu 24.10 by @hector-cao in #276

5. Minor improvements

6. New Contributors

Full Changelog: 2.2...3.0

2.2

15 Nov 09:13
5c3ac23

This is a new release for TDX on Ubuntu 24.04.

It brings in some bug fixes for the TDX software stack and also for setup scripts and tooling.

What's Changed

TDX bugfixes

  • libtdxattest : quote generation fails with vsock method #252
  • TD VM reboot with virsh reboot is not working #233

Setup tools and utilities

Bugs

Improvements

Testing

New Contributors

Full Changelog: 2.1...2.2

2.1

27 Aug 14:41
1f9e94d

Overview

This release adds new features and bug fixes for Intel® Trust Domain Extensions (TDX) on Ubuntu 24.04.

To install this release, you can either do it on a freshly installed 24.04 system or on your existing setup.

TDX Components

  • Kernel:
    • Version: 6.8.0-1010-intel
    • Add host kexec / kdump support
    • Fix TDMR reserved areas that may exceed the limit of 16 which can result in TDX module initialization failure
    • Source link
  • QEMU:
    • Version: 8.2.2
    • Updated to 8.2.2 to be in sync with Ubuntu 24.04 mainline QEMU
  • Libvirt:
  • OVMF/EDK2:
  • Remote attestation components:

Project Tools and Support

  • Change the project license to GPLv3 (#110)
  • Remove support for the package tdx-tools
  • Move remote attestation packages into a separate PPA to avoid conflicts with Intel’s upstream SGX/DCAP (#158)
  • Add system-report.sh script to collect system’s TDX readiness status to help with debugging (#188)
  • Minor bug fixes and enhancements for various shell scripts

Known Issues/Current Limitations:

  • Nested virtualization is not supported (#200)
  • TD doesn't support more than 1 socket/die CPU topology
  • Performance drops if the TD’s RAM is not 2M aligned for Transparent Huge Page
  • PMU (Performance Monitoring Unit) is currently not supported and it is disabled by default. (#182)
  • Graphics support is disabled (graphic and remote access like VNC are all not supported). (#202)
  • I/O device pass-through is not fully supported (#137)
  • Guest Kexec is currently not supported (#204)

2.0

10 May 16:25
4f4ff28

Overview

This is the release of Intel® Trust Domain Extensions (TDX) with base host, guest, and remote attestation functionalities on Ubuntu 24.04. If you already have an ongoing engagement with Canonical, please reach out to your Canonical contact to confirm whether this is the appropriate version.

Features

  • The host kernel, known as -intel, is based on 6.8 with the TDX v19 KVM patchset. Source link.
  • QEMU version: 8.2.1
  • libvirt version: 10.0.0
  • Supported Ubuntu guests are:
    • Ubuntu 24.04 6.8 linux-generic
    • Ubuntu 24.04 6.8 linux-intel
  • Remote attestation components:
    • Intel DCAP 1.20
    • Intel Trust Authority Client 1.2.0
  • Improved virsh wrapper tool called tdvirsh, which handles the creation of domain XML files and overlay images for TDs.

Test Configuration

  • CPU: Intel 4th Gen (only TDX SKUs) and 5th Gen Xeon Scalable Processors
  • TDX Module: TDX_1.5.05.46.698

Known Issues/Limitations

  • Failure to boot TD with console=hvc0 in kernel command line and QEMU cmd -serial stdio. This bug is being tracked here.
  • Transparent Hugepage won’t work if the memory configuration of the TD guest is not 2M aligned.
  • TD doesn't support more than 1 socket CPU topology.
  • TD with large VCPU and memory configuration takes longer to boot.
  • virtio-net in the TD guest may stop working at some point after bootup if the host enables numad service. This bug is being tracked here.

1.2

11 Apr 15:38
74bd27a

Overview

This release fixes an issue with a missing package and also adds a new flag to the TD libvirt tool for Intel® Trust Domain Extensions (TDX) on Ubuntu 23.10.

Bug Fix

  • Install missing networking module during host provisioning (#53)

Feature

  • Add support to td_virsh_tool.sh for listing SSH ports of running TDs (#55)

1.1

04 Apr 19:02
894703d

Overview

This release introduces remote attestation functionality and other improvements for Intel® Trust Domain Extensions (TDX) on Ubuntu 23.10.

Features

  • Add remote attestation functionality along with detailed usage instructions (#51)
  • Improve host robustness by ensuring the TDX-enabled kernel is used by grub for subsequent reboots (#47)
  • Add support for running multiple TDs simultaneously with libvirt (#43)
  • Add missing dependencies to script responsible for creating TD image (diff)
  • Update source download instructions (#41)

Known Issues

  • Failure to boot TD with console=hvc0 in kernel command line and QEMU cmd -serial stdio. This bug is being tracked here.
  • KVM missing symbol version for __seamcall_saved_ret. See issue #33 for details and a suggested fix.

1.0

18 Mar 14:08
645db8a

Overview

This is the initial release of Intel® Trust Domain Extensions (TDX) with base host and guest functionalities on Ubuntu 23.10.

The section below lists tools to set up the TDX host, create a TD guest, and boot it.

Tools

  • setup-tdx-host.sh: provisions an Ubuntu 23.10 host with a TDX-enabled 6.5 kernel and packages
  • create-tdx-image.sh: creates a TD QEMU guest image
  • setup-tdx-guest.sh: converts a non-TD guest image to a TD-enabled guest
  • run_td.sh: boots a TD guest with QEMU
  • run_td_virsh.sh: boots a TD guest with virsh (libvirt)
  • README.md: describes the purpose, usage, and typical results of various scripts