Hardware virtualization-based containers are designed to launch and run containerized applications in hardware virtualized environments. While containers usually run directly as bare-metal applications, using TD or VT as an isolation layer from the host OS is used as a secure and efficient way of building multi-tenant Cloud-native infrastructures (e.g. Kubernetes).
In order to match the short start-up time and resource consumption overhead of bare-metal containers, runtime architectures for TD- and VT-based containers put a strong focus on minimizing boot time. They must also launch the container payload as quickly as possible. Hardware virtualization-based containers typically run on top of simplified and customized Linux kernels to minimize the overall guest boot time.
Simplified kernels typically have no UEFI dependencies and no ACPI ASL support. This allows guests to boot without firmware dependencies. Current VT-based container runtimes rely on VMMs that are capable of directly booting into the guest kernel without loading firmware.
TD Shim is a simplified TDX virtual firmware for the simplified kernel for TD container. This document describes a lightweight interface between the TD Shim and TD VMM and between the TD Shim and the simplified kernel.
-
Introduction PDF and conference talk
This is a Shim Firmware to support Intel TDX.
The API specification is at td-shim specification.
The secure boot specification for td-shim is at secure boot specification
The design is at td-shim design.
The threat model analysis is at td-shim threat model.
- Install RUST
please use 1.83.0.
curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain 1.83.0
rustup target add x86_64-unknown-none
- Install NASM
Please make sure nasm can be found in PATH.
- Install LLVM
Please make sure clang can be found in PATH.
Set env:
export CC=clang
export AR=llvm-ar
export CC_x86_64_unknown_none=clang
export AR_x86_64_unknown_none=llvm-ar
Please follow Secure Boot Guide
git submodule update --init --recursive
./sh_script/preparation.sh
Build TdShim image to launch a payload support Linux Boot Protocol
cargo image --release
Build TdShim image to launch an executable payload
cargo image -t executable -p /path/to/payload_binary --release
Build TdShim image to launch the example payload
cargo image --example-payload --release
Build TdShim to launch a payload support Linux Boot Protocol
cargo build -p td-shim --target x86_64-unknown-none --release --features=main,tdx
cargo run -p td-shim-tools --bin td-shim-ld --features=linker -- target/x86_64-unknown-none/release/ResetVector.bin target/x86_64-unknown-none/release/td-shim -o target/release/final.bin
Build TdShim to launch a executable payload
cargo build -p td-shim --target x86_64-unknown-none --release --features=main,tdx --no-default-features
Build Elf format payload
cargo build -p td-payload --target x86_64-unknown-none --release --bin example --features=tdx,start,cet-shstk,stack-guard
cargo run -p td-shim-tools --bin td-shim-ld -- target/x86_64-unknown-none/release/ResetVector.bin target/x86_64-unknown-none/release/td-shim -t executable -p target/x86_64-unknown-none/release/example -o target/release/final-elf.bin
To build the debug TdShim, please use dev-opt
profile to build td-shim
binary. For example:
cargo build -p td-shim --target x86_64-unknown-none --profile dev-opt --features=main,tdx
cargo run -p td-shim-tools --bin td-shim-ld --features=linker -- target/x86_64-unknown-none/dev-opt/ResetVector.bin target/x86_64-unknown-none/dev-opt/td-shim -o target/debug/final.bin
REF: https://github.com/tianocore/edk2-staging/tree/TDVF
./launch-rust-td.sh
Reproducible build of td-shim binary requires same system user and source code path (see confidential-containers#604).
The Dockerfile is provided to build the docker image with
the td-shim
compilation environment for reproducible build. You can use
the docker.sh to build and run the docker container:
./sh_script/docker.sh -f devtools/dev_container
- install pre-commit
- run
pre-commit install
- when you run
git commit
, pre-commit will do check-code things.