wenhuizhang / tdx-amber-idc-preview


Intel Developer Cloud (IDC) TDX Amber Preview

1. Customer On-Board Workflow

1.1 Fill out Request Form

Click on the link below and submit a request to reserve an Intel® TDX-enabled system. https://www.intel.com/content/www/us/en/forms/developer/tdx/request-instance-one-cloud.html

1.2 Remote access

If the request is approved you will receive an email with subject "DevCloud - Instructions for remote access". This email will have all the details on how to access the TDX-enabled system remotely.

  • Click on the "SSH Public Key" link, paste the content of your SSH public key into the box, and submit. Submit only the .pub file; the private key stays on your machine. The public key is typically located at the following location (use id_ed25519.pub instead if you generated an Ed25519 key):

    • Windows: c:\users\<your windows user name>\.ssh\id_rsa.pub
    • Linux: ~/.ssh/id_rsa.pub

1.3 Login to TDX-enabled dedicated instance

The following diagram shows how Intel DevCloud is set up to enable you to establish an SSH connection to your TDX-enabled system through a jump server.

No Proxy:

If you are NOT behind a corporate proxy, copy and paste the command provided in the email to connect to your assigned TDX-enabled system. An example command is shown below: -J hops through the jump server as user guest, and -L 10022:192.168.14.2:22 forwards local port 10022 to the SSH port of the TDX-enabled system, so that tools such as scp can later reach it via localhost:10022.

ssh -J guest@146.152.205.59 -L 10022:192.168.14.2:22 sdp@192.168.14.2

NOTE: the password is provided in the email

Behind Proxy:

If you are behind a corporate proxy, add the following lines to .ssh/config with your corporate PROXYSERVER and PROXYPORT, then run the above command.

# For Linux Operating System:

Host 146.152.*.*
ProxyCommand /usr/bin/nc -x PROXYSERVER:PROXYPORT %h %p

# For Non-Linux Operating System (Windows; install Git for Windows from gitforwindows.org):

Host 146.152.*.*
ProxyCommand "C:\Program Files\Git\mingw64\bin\connect.exe" -S PROXYSERVER:PROXYPORT %h %p

NOTE: For more details on how to configure ssh, please refer to the email or to Intel SDP SSH Config.

1.4 Intel Project Amber info

You will also receive another email with subject "Intel® Trust Domain Extensions and Project Amber in Intel® DevCloud". The email will contain the Amber API key and Amber URL that you will need for attestation.

1.5 Initial setup

Once logged into the TDX-enabled system, clone the GitHub project and execute the initialization scripts.

git clone https://github.com/IntelConfidentialComputing/tdx-amber-idc-preview
cd tdx-amber-idc-preview/scripts
./init.sh

1.6 Create TDVM

  • Create a TD guest image from the official Ubuntu 22.04 image as follows:
./create-guest-image.sh -o <image file name> -u <username> -p <password> -n <guest vm name>

Example

./create-guest-image.sh -o tdx-guest.qcow2 -u tdx -p 123TdVMTest -n my-guest

NOTE: the guest password is passed on the command line, so it is recorded in your shell history and visible to other users via ps while the script runs. Use a throwaway value and change it after the first login.

  • Start the TDVM via libvirt. After creating the guest image, use the following command to create a TDVM:
./start-virt.sh -i <image file name> -n <guest vm name>

Example

./start-virt.sh -i tdx-guest.qcow2 -n my-guest
  • You can manage the TDVM using the virsh tool with the commands below (optional)
# Examples of commands to manage VMs (should be run on the host)
# To escape out of the TDVM console use ^] (i.e. hit the Ctrl+] keys)

# list all VMs created by current Linux account
virsh list --all

# Suspend a VM
virsh suspend my-guest

# Resume a VM
virsh resume my-guest

# Shutdown a VM
virsh shutdown my-guest

# To start a VM
virsh start my-guest

# To connect to the VM Console
virsh console my-guest

NOTE: To exit a running VM's console please use ^] (Ctrl + ]). NOTE: please change my-guest to your guest's name.

NOTE: Please see chapter 3.2 of the whitepaper Linux* Stacks for Intel® Trust Domain Extension 1.0 v0.10.

1.7 Check Trusted Execution Environment (TEE) environment

  1. Check TD Report

TDREPORT is a fixed-size data structure generated by the TDX module which contains guest-specific information (such as build and boot measurements), the platform security version, and a MAC that protects the integrity of the TDREPORT. The MAC key is known only to the TDX module on the local platform, so a TDREPORT can be checked locally but carries no proof a remote party can verify; for that it has to be turned into a quote signed by the platform's Quoting Enclave, which is the next step. For more details on TDREPORT please refer to section 4.2 in the Whitepaper: Linux* Stacks for Intel® Trust Domain Extension 1.0 v0.10.

To generate the TD report, run the following command inside the guest:
tdx@tdx-guest:~$ tdx_tdreport
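Before relying on the output of tdx_tdreport, confirm that the shell really is inside a TD. The following POSIX shell helper is an added example and is not part of the tdx-amber-idc-preview scripts; it assumes the guest kernel reports a tdx_guest CPU flag in /proc/cpuinfo and exposes a guest device node at /dev/tdx_guest or /dev/tdx-guest (the node name differs between kernel versions, so adjust TDX_GUEST_DEVICES if yours differs).

```shell
#!/bin/sh
# Added example, not part of tdx-amber-idc-preview.
# Assumptions: the TD guest kernel reports a "tdx_guest" CPU flag in
# /proc/cpuinfo and exposes one of the device nodes below (the name has
# changed between kernel versions; adjust if yours differs).

TDX_GUEST_DEVICES="/dev/tdx_guest /dev/tdx-guest"

# Succeed if the cpuinfo file (default /proc/cpuinfo) lists tdx_guest as a flag.
# -w keeps the match exact, so a host-side flag such as tdx_host_platform
# does not count as being inside a guest.
has_tdx_guest_flag() {
    cpuinfo=${1:-/proc/cpuinfo}
    grep -E '^flags[[:space:]]*:' "$cpuinfo" | head -n 1 | grep -qw 'tdx_guest'
}

# Print the first guest device node that exists; fail if none does.
tdx_guest_device() {
    for d in $TDX_GUEST_DEVICES; do
        if [ -c "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Combined check: both the CPU flag and the device node must be present,
# otherwise tdx_tdreport has no way to talk to the TDX module.
check_td_guest() {
    cpuinfo=${1:-/proc/cpuinfo}
    if ! has_tdx_guest_flag "$cpuinfo"; then
        echo "tdx_guest flag missing: not a TD guest (or the kernel is too old)" >&2
        return 1
    fi
    dev=$(tdx_guest_device) || {
        echo "no TDX guest device node found (looked for: $TDX_GUEST_DEVICES)" >&2
        return 1
    }
    echo "TD guest confirmed: flag present, device $dev"
    return 0
}

# Only run the real check (followed by the report) when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    check_td_guest && tdx_tdreport
fi
```

Run it as `sh check-td.sh --run` inside the guest; on the host, or in an ordinary VM, it stops before tdx_tdreport and says which of the two indicators is missing.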

1.8 Use Amber client to generate quote

The quote is the TDREPORT wrapped and signed by the platform's Quoting Enclave, which is what a remote verifier such as Amber can check:

tdx@tdx-guest:~$ sudo amber-cli quote

1.9 Attestation

Execute the following commands to perform the attestation.

tdx@tdx-guest:~$ export AMBER_URL=<AMBER URL String>
tdx@tdx-guest:~$ export AMBER_API_KEY=<AMBER API Key>
tdx@tdx-guest:~$ amber-cli create-key-pair -k key.pem
tdx@tdx-guest:~$ sudo -E amber-cli token

Note: Make sure there is no white space before or after the API key.
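As an added example (not part of the repository's scripts), the following POSIX shell script wraps the steps above with the checks a practitioner wants around them: it refuses an API key that contains whitespace (the note above), runs amber-cli token, and inspects the returned token before anything acts on it. It assumes amber-cli prints the attestation token as a JWT on stdout; the embedded sample token, its PS384 header and its claim names are constructed for offline use and are not taken from Amber. Checking the header and expiry is not a substitute for verifying the token signature against Amber's published signing keys.

```shell
#!/bin/sh
# Added example, not part of tdx-amber-idc-preview.
# Assumptions: AMBER_URL and AMBER_API_KEY are exported as above, and
# "amber-cli token" prints the attestation token as a JWT on stdout.

# 1. The note above, enforced: a key pasted from email often carries a stray
#    space or newline, which the service rejects. Refuse early.
check_api_key() {
    key=$1
    if [ -z "$key" ]; then
        echo "AMBER_API_KEY is empty" >&2
        return 1
    fi
    case $key in
        *[[:space:]]*)
            echo "AMBER_API_KEY contains whitespace; re-export it without spaces or newlines" >&2
            return 1 ;;
    esac
    return 0
}

# 2. JWT helpers. Segments are base64url without padding; restore padding and
#    the standard alphabet before handing them to base64 -d.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | base64 -d
}
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# Decoded segment n of a JWT: 1 = header, 2 = payload.
jwt_part() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f"$2")"
}

# Value of a top-level scalar claim (string or number) in the payload, no jq needed.
jwt_claim() {
    jwt_part "$1" 2 | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\{0,1\}\([^,"}]*\)"\{0,1\}.*/\1/p'
}

# 3. Minimum checks before anything acts on the token: the header must name a
#    real signature algorithm (never "none") and the token must not be expired.
#    This does NOT verify the signature; the relying party must still do that
#    against the verifier's published signing keys.
check_token() {
    tok=$1
    alg=$(jwt_part "$tok" 1 | sed -n 's/.*"alg"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    if [ -z "$alg" ] || [ "$alg" = "none" ]; then
        echo "refusing token with alg='$alg'" >&2
        return 1
    fi
    exp=$(jwt_claim "$tok" exp)
    case $exp in
        ''|*[!0-9]*) echo "token has no numeric exp claim" >&2; return 1 ;;
    esac
    if [ "$exp" -le "$(date +%s)" ]; then
        echo "token expired at $exp" >&2
        return 1
    fi
    return 0
}

# Constructed, UNSIGNED sample token for offline use only; a real Amber token
# has a third, signature segment and many more claims than these.
sample_token() {
    printf '%s.%s.' \
        "$(b64url_encode '{"alg":"PS384","typ":"JWT"}')" \
        "$(b64url_encode '{"iss":"example-verifier","exp":4102444800}')"
}

# Real flow: validate the key, fetch the token, inspect it, print the payload.
attest() {
    check_api_key "${AMBER_API_KEY:-}" || return 1
    tok=$(sudo -E amber-cli token) || return 1
    check_token "$tok" || return 1
    jwt_part "$tok" 2
    echo
}

if [ "${1:-}" = "--run" ]; then
    attest
fi
```

Run it as `sh attest.sh --run` after exporting AMBER_URL and AMBER_API_KEY; without --run it only defines the helpers, so `. ./attest.sh` followed by `check_token "$(sample_token)"` lets you try the parsing offline.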

2. Run workload without attestation in TDVM

Running workloads in a TDVM is exactly the same as running them in a non-confidential VM. For example, run the nginx web server in a container:

tdx@tdx-guest:~$ sudo docker run -it --rm -d -p 8080:80 --name web nginx
tdx@tdx-guest:~$ curl http://localhost:8080

3. Further Reading
