Hardware virtualization-based containers are designed to launch and run containerized applications in hardware virtualized environments. While containers usually run directly as bare-metal applications, using TD or VT as an isolation layer from the host OS is used as a secure and efficient way of building multi-tenant Cloud-native infrastructures (e.g. Kubernetes).
In order to match the short start-up time and resource consumption overhead of bare-metal containers, runtime architectures for TD- and VT-based containers put a strong focus on minimizing boot time. They must also launch the container payload as quickly as possible. Hardware virtualization-based containers typically run on top of simplified and customized Linux kernels to minimize the overall guest boot time.
Simplified kernels typically have no UEFI dependencies and no ACPI ASL support. This allows guests to boot without firmware dependencies. Current VT-based container runtimes rely on VMMs that are capable of directly booting into the guest kernel without loading firmware.
TD Shim is a simplified TDX virtual firmware for the simplified kernel for TD container. This document describes a lightweight interface between the TD Shim and TD VMM and between the TD Shim and the simplified kernel.
This is a Shim Firmware to support Intel TDX.
The API specification is at td-shim specification.
The secure boot specification for td-shim is at secure boot specification
The design is at td-shim design.
The threat model analysis is at td-shim threat model.
- Install RUST
please use nightly-2022-04-07.
NOTE: We need install nightly version because we use cargo-xbuild.
1.1. Install xbuild
cargo install cargo-xbuild
Please reinstall cargo-xbuild, after you update the rust toolchain.
- Install NASM
Please make sure nasm can be found in PATH.
- Install LLVM
Please make sure clang can be found in PATH.
Set env:
set CC_x86_64_unknown_uefi=clang
set AR_x86_64_unknown_uefi=llvm-ar
Please follow Secure Boot Guide
cargo xbuild -p td-shim --target x86_64-unknown-uefi --release --features=main,tdx
cargo run -p td-shim-tools --bin td-shim-ld -- target/x86_64-unknown-uefi/release/ResetVector.bin target/x86_64-unknown-uefi/release/td-shim.efi -o target/x86_64-unknown-uefi/release/final.bin
cargo xbuild -p td-payload --target x86_64-unknown-uefi --release --features=main,tdx
cargo run -p td-shim-tools --bin td-shim-ld --no-default-features --features=linker -- target/x86_64-unknown-uefi/release/ResetVector.bin target/x86_64-unknown-uefi/release/td-shim.efi -p target/x86_64-unknown-uefi/release/td-payload.efi -o target/x86_64-unknown-uefi/release/final-pe.bin
cargo xbuild -p td-payload --target devtools/rustc-targets/x86_64-unknown-none.json --release --features=main,tdx
cargo run -p td-shim-tools --bin td-shim-ld --no-default-features --features=linker -- target/x86_64-unknown-uefi/release/ResetVector.bin target/x86_64-unknown-uefi/release/td-shim.efi -p target/x86_64-unknown-none/release/td-payload -o target/x86_64-unknown-uefi/release/final-elf.bin
REF: https://github.com/tianocore/edk2-staging/tree/TDVF
./launch-rust-td.sh
- install pre-commit
- run
pre-commit install - when you run
git commit, pre-commit will do check-code things.
This package is only the sample code to show the concept. It does not have a full validation such as robustness functional test and fuzzing test. It does not meet the production quality yet. Any codes including the API definition, the library and the drivers are subject to change.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent