Click on the link below and submit a request to reserve an Intel® TDX-enabled system. https://www.intel.com/content/www/us/en/forms/developer/tdx/request-instance-one-cloud.html
If the request is approved you will receive an email with subject "DevCloud - Instructions for remote access". This email will have all the details on how to access the TDX-enabled system remotely.
Click on the "SSH Public Key" link, copy the content of your SSH public key into the box and submit. Typically the SSH public key is located at the following location:
- Windows:
c:\users\<your windows user name>\.ssh\id_rsa.pub
- Linux:
~/.ssh/id_rsa.pub
The following diagram shows how Intel DevCloud is set up to enable you to establish an SSH connection to your TDX-enabled system through a jump server.
If you are NOT behind a corporate proxy, copy and paste the command provided in the email to connect to your assigned TDX-enabled system. An example command is shown below.
ssh -J guest@146.152.205.59 -L 10022:192.168.14.2:22 sdp@192.168.14.2
NOTE: the password is provided in the email.
If you are behind a corporate proxy, add the following lines to .ssh/config with your corporate PROXYSERVER and PROXYPORT, then run the above command.
# For Linux operating systems:
Host 146.152.*.*
    ProxyCommand /usr/bin/nc -x PROXYSERVER:PROXYPORT %h %p
# For non-Linux operating systems (install Git for Windows from gitforwindows.org):
Host 146.152.*.*
    ProxyCommand "C:\Program Files\Git\mingw64\bin\connect.exe" -S PROXYSERVER:PROXYPORT %h %p
NOTE: For more details on how to configure ssh, please refer to the email or the Intel SDP SSH Config.
You will also receive another email with subject "Intel® Trust Domain Extensions and Project Amber in Intel® DevCloud". The email will contain the Amber API key and Amber URL that you will need for attestation.
Once logged into the TDX-enabled system, clone the GitHub project and execute the initialization scripts.
git clone https://github.com/IntelConfidentialComputing/tdx-amber-idc-preview
cd tdx-amber-idc-preview/scripts
./init.sh
- Create a TD guest image from the official Ubuntu 22.04 image as follows:
./create-guest-image.sh -o <image file name> -u <username> -p <password> -n <guest vm name>
Example
./create-guest-image.sh -o tdx-guest.qcow2 -u tdx -p 123TdVMTest -n my-guest
- Start the TDVM via libvirt. After creating the guest image, use the following command to create a TDVM:
./start-virt.sh -i <image file name> -n <guest vm name>
Example
./start-virt.sh -i tdx-guest.qcow2 -n my-guest
- You can manage the TDVM using the virsh tool with the commands below (optional)
# Examples of commands to manage VMs (should be run on the host)
# To escape from the TDVM console use ^] (i.e. hit the Ctrl+] keys)
# list all VMs created by current Linux account
virsh list --all
# Suspend a VM
virsh suspend my-guest
# Resume a VM
virsh resume my-guest
# Shutdown a VM
virsh shutdown my-guest
# To start a VM
virsh start my-guest
# To connect to the VM Console
virsh console my-guest
NOTE: To exit a running VM console, please use ^] (Ctrl + ]).
NOTE: Please change my-guest to your guest's name.
NOTE: Please check chapter 3.2 of the Whitepaper: Linux* Stacks for Intel® Trust Domain Extension 1.0 v0.10.
- Check TD Report
TDREPORT is a fixed-size data structure generated by the TDX module which contains guest-specific information (such as build and boot measurements), the platform security version, and the MAC that protects the integrity of the TDREPORT. For more details on TDREPORT, please refer to section 4.2 in the Whitepaper: Linux* Stacks for Intel® Trust Domain Extension 1.0 v0.10.
To generate the TD report and the quote, run the following commands:
tdx@tdx-guest:~$ tdx_tdreport
tdx@tdx-guest:~$ sudo amber-cli quote
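To see which fields the TD report actually carries, here is an added example (not code from the tdx-amber-idc-preview project) that parses a raw 1024-byte TDREPORT into its measurement fields and compares MRTD and RTMRs against known-good values. It assumes the report is available as raw bytes and that the field offsets follow TDREPORT_STRUCT in the TDX Module 1.0 ABI specification; the sample report it builds is constructed for the demonstration, not captured from a TD.

```python
import struct

# Added example, not part of the tdx-amber-idc-preview project. Offsets follow
# TDREPORT_STRUCT in the Intel TDX Module 1.0 ABI spec (assumption stated in the lead-in):
#   [0:256]    REPORTMACSTRUCT (REPORTTYPE, CPUSVN, hashes, REPORTDATA, MAC)
#   [256:512]  TEE_TCB_INFO (239 bytes) + reserved (17 bytes)
#   [512:1024] TDINFO (ATTRIBUTES, XFAM, MRTD, MRCONFIGID, MROWNER, MROWNERCONFIG, RTMR0-3)
# The MAC is keyed by the TDX module and can only be checked on-platform
# (or indirectly through the quote), so it is extracted but not verified here.
TDREPORT_SIZE = 1024
MACSTRUCT_FMT = "<I12s16s48s48s64s32s32s"          # 256 bytes
TDINFO_FMT = "<QQ48s48s48s48s48s48s48s48s112s"     # 512 bytes


def parse_tdreport(blob: bytes) -> dict:
    """Split a raw TDREPORT into hex-encoded fields; raises ValueError on a bad size."""
    if len(blob) != TDREPORT_SIZE:
        raise ValueError(f"TDREPORT must be {TDREPORT_SIZE} bytes, got {len(blob)}")
    report_type, _, cpusvn, tcb_hash, tee_hash, reportdata, _, mac = struct.unpack(
        MACSTRUCT_FMT, blob[:256])
    attributes, xfam, mrtd, mrconfigid, mrowner, mrownerconfig, *rtmrs, _ = struct.unpack(
        TDINFO_FMT, blob[512:])
    return {
        "report_type": report_type, "cpusvn": cpusvn.hex(),
        "tee_tcb_info_hash": tcb_hash.hex(), "tee_info_hash": tee_hash.hex(),
        "reportdata": reportdata.hex(), "mac": mac.hex(),
        "attributes": attributes, "xfam": xfam,
        "mrtd": mrtd.hex(), "mrconfigid": mrconfigid.hex(),
        "mrowner": mrowner.hex(), "mrownerconfig": mrownerconfig.hex(),
        "rtmr": [r.hex() for r in rtmrs],
    }


def measurements_match(report: dict, golden: dict) -> bool:
    """Compare MRTD (and any RTMR indices given) against known-good hex values."""
    if report["mrtd"] != golden["mrtd"]:
        return False
    return all(report["rtmr"][i] == v for i, v in golden.get("rtmr", {}).items())


def build_sample_tdreport(reportdata: bytes, mrtd: bytes, rtmrs: list) -> bytes:
    """Constructed test vector, NOT a real report: only the given fields are non-zero."""
    mac_part = struct.pack(MACSTRUCT_FMT, 0x81, bytes(12), bytes(16), bytes(48), bytes(48),
                           reportdata.ljust(64, b"\0"), bytes(32), b"\xaa" * 32)
    tdinfo = struct.pack(TDINFO_FMT, 0, 0, mrtd, bytes(48), bytes(48), bytes(48),
                         *rtmrs, bytes(112))
    return mac_part + bytes(256) + tdinfo
```

In practice the golden MRTD and RTMR values come from a measured build of the guest image, and the REPORTDATA field is where a relying party's nonce is echoed back so the report cannot be replayed.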
Execute the following commands to perform the attestation.
tdx@tdx-guest:~$ export AMBER_URL=<AMBER URL String>
tdx@tdx-guest:~$ export AMBER_API_KEY=<AMBER API Key>
tdx@tdx-guest:~$ amber-cli create-key-pair -k key.pem
tdx@tdx-guest:~$ sudo -E amber-cli token
Note: Make sure there is no whitespace before or after the API key.
Running workloads in a TDVM is exactly the same as running the workload in a non-confidential VM. For example, run the nginx web server in a container:
tdx@tdx-guest:~$ sudo docker run -it --rm -d -p 8080:80 --name web nginx
tdx@tdx-guest:~$ curl http://localhost:8080