** Changed in: edk2 (Ubuntu)
       Status: New => In Progress

** Description changed:

  Intel Confidential Computing (Intel TDX) is now available with Questing 25.10
  components : kernel and qemu.
  
  While we can boot a Intel confidential VM (TD - Trust Domain) with
  the EDK2 default OVMF.fd (config: OvmfPkg/OvmfPkgX64.dsc), there are
  2 drawbacks:
  
  - default OVMF.fd has several security limitations for Intel TDX [1].
  
  - secure boot is not enabled since TDX VM does not allow to use -pflash with 
QEMU
    for the UEFI vars that contains the necessary certificates for secure boot.
  
  To address these 2 limitations:
  
  1) we can build a customized OVMF file as we already did for AMD-SEV (LP: 
#2106771)
     the config file is OvmfPkg/IntelTdx/IntelTdxX64.dsc.
     We will name the OVMF file as OVMF.inteltdx.fd
  
  2) we enable secure boot for this firmware : -DSECURE_BOOT_ENABLE=TRUE
  
  3) we create a variant image named OVMF.tdxintel.secboot.fd with the
  certificates we copy over from OVMF_VARS_4M.ms.fd to enable secure boot.
  
  Since we are delivering a new OVMF images, the regression risk is
  minimized.
+ 
+ [1]
+ https://github.com/tianocore/edk2/tree/master/OvmfPkg/IntelTdx#configurations-
+ and-features

** Description changed:

  Intel Confidential Computing (Intel TDX) is now available with Questing 25.10
  components : kernel and qemu.
  
  While we can boot a Intel confidential VM (TD - Trust Domain) with
  the EDK2 default OVMF.fd (config: OvmfPkg/OvmfPkgX64.dsc), there are
  2 drawbacks:
  
  - default OVMF.fd has several security limitations for Intel TDX [1].
  
  - secure boot is not enabled since TDX VM does not allow to use -pflash with 
QEMU
    for the UEFI vars that contains the necessary certificates for secure boot.
  
  To address these 2 limitations:
  
  1) we can build a customized OVMF file as we already did for AMD-SEV (LP: 
#2106771)
     the config file is OvmfPkg/IntelTdx/IntelTdxX64.dsc.
     We will name the OVMF file as OVMF.inteltdx.fd
  
  2) we enable secure boot for this firmware : -DSECURE_BOOT_ENABLE=TRUE
  
  3) we create a variant image named OVMF.tdxintel.secboot.fd with the
  certificates we copy over from OVMF_VARS_4M.ms.fd to enable secure boot.
  
- Since we are delivering a new OVMF images, the regression risk is
+ Since we are delivering new OVMF images, the regression risk is
  minimized.
  
  [1]
  https://github.com/tianocore/edk2/tree/master/OvmfPkg/IntelTdx#configurations-
  and-features

** Description changed:

  Intel Confidential Computing (Intel TDX) is now available with Questing 25.10
  components : kernel and qemu.
  
  While we can boot a Intel confidential VM (TD - Trust Domain) with
  the EDK2 default OVMF.fd (config: OvmfPkg/OvmfPkgX64.dsc), there are
  2 drawbacks:
  
  - default OVMF.fd has several security limitations for Intel TDX [1].
  
  - secure boot is not enabled since TDX VM does not allow to use -pflash with 
QEMU
    for the UEFI vars that contains the necessary certificates for secure boot.
  
  To address these 2 limitations:
  
  1) we can build a customized OVMF file as we already did for AMD-SEV (LP: 
#2106771)
     the config file is OvmfPkg/IntelTdx/IntelTdxX64.dsc.
     We will name the OVMF file as OVMF.inteltdx.fd
  
- 2) we enable secure boot for this firmware : -DSECURE_BOOT_ENABLE=TRUE
+ 2) we create a variant image named OVMF.tdxintel.secboot.fd with secure
+ bootsupport : -DSECURE_BOOT_ENABLE=TRUE
  
- 3) we create a variant image named OVMF.tdxintel.secboot.fd with the
- certificates we copy over from OVMF_VARS_4M.ms.fd to enable secure boot.
+ 3) we copy the certificates in OVMF_VARS_4M.ms.fd over to
+ OVMF.tdxintel.secboot.fd to enable secure boot.
+ 
  
  Since we are delivering new OVMF images, the regression risk is
  minimized.
  
  [1]
  https://github.com/tianocore/edk2/tree/master/OvmfPkg/IntelTdx#configurations-
  and-features
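Review bot: the rewritten item 2 has a typo, "bootsupport" should read "boot support"; it may also be worth stating in item 3 that only the certificates (PK/KEK/db/dbx) are copied from OVMF_VARS_4M.ms.fd, so a reader does not assume the whole variable store is transplanted.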

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2125123

Title:
  add firmware for Intel tdx  with secure boot capability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2125123/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
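Before shipping a variant such as the OVMF.tdxintel.secboot.fd described in this bug, the check a packager wants is that the image actually carries the Secure Boot certificates (PK, KEK, db, dbx) that were copied over from OVMF_VARS_4M.ms.fd, and that they are live entries rather than deleted leftovers. The script below is an added example, not part of the bug report or of the edk2/Ubuntu packaging: it walks an EDK2 authenticated variable store (the format defined in edk2's MdeModulePkg VariableFormat.h, located by its store GUID so the firmware-volume layout around it does not matter) and reports which Secure Boot variables are present. The sample image it builds is constructed here with placeholder data in place of real signature lists; the assumption that the TDX build keeps the standard EDK2 variable store format is mine.

```python
"""Report which Secure Boot variables an OVMF-style firmware image carries."""
import struct
import sys
import uuid
from dataclasses import dataclass

# GUIDs from edk2 (VariableFormat.h, GlobalVariable.h, ImageAuthentication.h)
AUTH_VARSTORE_GUID = uuid.UUID("aaf32c78-947b-439a-a180-2e144ec37792")
EFI_GLOBAL_VARIABLE_GUID = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

# VARIABLE_STORE_HEADER: Signature, Size, Format, State, Reserved, Reserved1 (28 bytes)
STORE_HEADER_FMT = "<16sIBBHI"
STORE_HEADER_LEN = struct.calcsize(STORE_HEADER_FMT)
# AUTHENTICATED_VARIABLE_HEADER: StartId, State, Reserved, Attributes, MonotonicCount,
# TimeStamp (EFI_TIME), PubKeyIndex, NameSize, DataSize, VendorGuid (60 bytes)
VAR_HEADER_FMT = "<HBBIQ16sIII16s"
VAR_HEADER_LEN = struct.calcsize(VAR_HEADER_FMT)
VARIABLE_DATA = 0x55AA      # StartId marker of a variable entry
VAR_ADDED = 0x3F            # live entry
VAR_DELETED = 0xFD          # AND-ed into State when an entry is superseded/deleted
HEADER_ALIGNMENT = 4

# Secure Boot key hierarchy: variable name -> owning vendor GUID
SECURE_BOOT_VARS = {
    "PK": EFI_GLOBAL_VARIABLE_GUID,
    "KEK": EFI_GLOBAL_VARIABLE_GUID,
    "db": EFI_IMAGE_SECURITY_DATABASE_GUID,
    "dbx": EFI_IMAGE_SECURITY_DATABASE_GUID,
}


@dataclass
class Variable:
    name: str
    vendor_guid: uuid.UUID
    attributes: int
    data: bytes


def find_variable_store(image: bytes) -> int:
    """Locate the authenticated variable store by its signature GUID."""
    off = image.find(AUTH_VARSTORE_GUID.bytes_le)
    if off < 0:
        raise ValueError("no EDK2 authenticated variable store found in image")
    return off


def parse_variables(image: bytes) -> list:
    """Return the live (VAR_ADDED) variables in the store, in storage order."""
    store = find_variable_store(image)
    _sig, size, _fmt, _state, _r0, _r1 = struct.unpack_from(STORE_HEADER_FMT, image, store)
    end = store + size
    off = store + STORE_HEADER_LEN
    found = []
    while off + VAR_HEADER_LEN <= end:
        off = (off + HEADER_ALIGNMENT - 1) & ~(HEADER_ALIGNMENT - 1)
        (start_id, state, _res, attrs, _mono, _ts, _pk_idx,
         name_size, data_size, vendor) = struct.unpack_from(VAR_HEADER_FMT, image, off)
        if start_id != VARIABLE_DATA:   # erased flash (0xFFFF) marks the end of entries
            break
        name_off = off + VAR_HEADER_LEN
        name = image[name_off:name_off + name_size].decode("utf-16-le").rstrip("\0")
        data = image[name_off + name_size:name_off + name_size + data_size]
        if state == VAR_ADDED:          # skip deleted/in-transition entries
            found.append(Variable(name, uuid.UUID(bytes_le=vendor), attrs, data))
        off = name_off + name_size + data_size
    return found


def secure_boot_status(image: bytes) -> dict:
    """Map each Secure Boot variable to whether a live, non-empty copy exists."""
    present = {(v.name, v.vendor_guid) for v in parse_variables(image) if v.data}
    return {name: (name, guid) in present for name, guid in SECURE_BOOT_VARS.items()}


def encode_variable(name: str, vendor: uuid.UUID, attrs: int, data: bytes,
                    state: int = VAR_ADDED) -> bytes:
    """Serialise one variable entry, padded to the store's 4-byte alignment."""
    name_bytes = (name + "\0").encode("utf-16-le")
    header = struct.pack(VAR_HEADER_FMT, VARIABLE_DATA, state, 0, attrs, 0, b"\0" * 16,
                         0, len(name_bytes), len(data), vendor.bytes_le)
    body = header + name_bytes + data
    return body + b"\xff" * ((-len(body)) % HEADER_ALIGNMENT)


def build_sample_varstore() -> bytes:
    """Constructed test image: PK/KEK/db live, a deleted dbx, placeholder payloads."""
    attrs = 0x27  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    body = b"".join([
        encode_variable("PK", EFI_GLOBAL_VARIABLE_GUID, attrs, b"<constructed PK signature list>"),
        encode_variable("KEK", EFI_GLOBAL_VARIABLE_GUID, attrs, b"<constructed KEK signature list>"),
        encode_variable("db", EFI_IMAGE_SECURITY_DATABASE_GUID, attrs, b"<constructed db signature list>"),
        encode_variable("dbx", EFI_IMAGE_SECURITY_DATABASE_GUID, attrs, b"<stale dbx>",
                        state=VAR_ADDED & VAR_DELETED),
    ])
    free_space = b"\xff" * 64
    size = STORE_HEADER_LEN + len(body) + len(free_space)
    header = struct.pack(STORE_HEADER_FMT, AUTH_VARSTORE_GUID.bytes_le, size,
                         0x5A, 0xFE, 0, 0)   # FORMATTED, HEALTHY
    return b"\xff" * 0x48 + header + body + free_space   # 0x48: stand-in for the FV header


if __name__ == "__main__":
    # Usage: python3 check_secboot_vars.py OVMF.tdxintel.secboot.fd
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_varstore()
    for var, ok in secure_boot_status(image).items():
        print(f"{var:4s} {'present' if ok else 'MISSING'}")
```

On a real image the interesting negative result is a variable whose entry exists but whose State is no longer VAR_ADDED, which is why the walker filters on state rather than on the presence of the name; a dbx that was deleted during certificate transplant would otherwise look populated. The payloads here are placeholders, so the script says nothing about whether the signature lists themselves are well-formed.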
