** Description changed: Intel Confidential Computing (Intel TDX) is now available with Questing 25.10 components : kernel and qemu. While we can boot a Intel confidential VM (TD - Trust Domain) with the EDK2 default OVMF.fd (config: OvmfPkg/OvmfPkgX64.dsc), there are 2 drawbacks: - default OVMF.fd has several security limitations for Intel TDX [1]. - secure boot is not enabled since TDX VM does not allow to use -pflash with QEMU for the UEFI vars that contains the necessary certificates for secure boot. To address these 2 limitations: 1) we can build a customized OVMF file as we already did for AMD-SEV (LP: #2106771) the config file is OvmfPkg/IntelTdx/IntelTdxX64.dsc. - We will name the OVMF file as OVMF.tdx.fd + We will name the OVMF file as OVMF.inteltdx.fd 2) we enable secure boot for this firmware : -DSECURE_BOOT_ENABLE=TRUE - 3) we copy the necessary certificates from OVMF_VARS_4M.ms.fd over to - the OVMF.tdx.fd + 3) we create a variant image named OVMF.tdxintel.secboot.fd with the + certificates we copy over from OVMF_VARS_4M.ms.fd to enable secure boot. - Since we are delivering a new OVMF file, the regression risk is + Since we are delivering a new OVMF images, the regression risk is minimized.
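Review bot: the two `+` lines name the new images inconsistently: the line replacing "We will name the OVMF file as OVMF.tdx.fd" introduces OVMF.inteltdx.fd, while the rewritten item 3) calls the secure-boot variant OVMF.tdxintel.secboot.fd, so the variant no longer reads as derived from the base image; pick one stem (for example OVMF.inteltdx.fd and OVMF.inteltdx.secboot.fd) and use it in both places. Two smaller points in the same hunk: the `+` line "Since we are delivering a new OVMF images" should read "new OVMF images" (or "a new OVMF image"), and the "[1]" citation for the TDX security limitations of the default OVMF.fd has no reference target anywhere in the description, so the link it refers to should be added. Since the description also states that -pflash is unavailable for the UEFI variable store in a TD, it would help reviewers to say how the certificates from OVMF_VARS_4M.ms.fd end up embedded in the secboot variant, as that is the step that determines whether the shipped image actually enforces secure boot.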
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2125123

Title:
  add firmware for Intel tdx with secure boot capability

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
