This repository has been archived by the owner on Jun 4, 2024. It is now read-only.

2. Attestation

LeiZhou edited this page Nov 22, 2023 · 1 revision

KubeVirt-TDX supports both vsock and tdvmcall for attestation.

For detailed steps on configuring the attestation environment, refer to the whitepaper Linux* Stacks for Intel® Trust Domain Extension 1.0, Section 4.

1. VSOCK

The following assumes that the environment required for attestation has been configured correctly.

The VSOCK feature gate must be enabled when vsock is used to get the quote. TDVMCALL does not need it to be activated.

kubectl edit kubevirt -n kubevirt
    ...
    spec:
      configuration:
        developerConfiguration:
          featureGates:
            - VSOCK

2. TDVMCALL

Edit the VMI YAML file and add the QGS parameter under launchSecurity.tdx.

The parameter is already present in the VMI template; you only need to uncomment it.

domain:
    launchSecurity:
      tdx:
        QGS: vsock:2:4050

3. Specify vsock port for attestation

Create the file /etc/tdx-attest.conf in the TDVM:

port=4050

TDVMCALL depends on vsock, so this step is also required.
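
A consistency check for steps 2 and 3, as an added example that is not part of the original page or the KubeVirt-TDX project. It assumes the QGS value has the form vsock:<cid>:<port> and that the port in /etc/tdx-attest.conf should equal that port, as in the page's values (both 4050); the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KubeVirt-TDX project). Sample files are constructed.

# Port from an active "QGS: vsock:<cid>:<port>" line; commented lines do not match.
qgs_port() {
    sed -n 's/^[[:space:]]*QGS:[[:space:]]*vsock:[0-9][0-9]*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Port from the "port=<n>" line of a tdx-attest.conf file.
conf_port() {
    sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# check_attest_config <vmi.yaml> <tdx-attest.conf>
# Returns 0 if consistent, 1 if QGS is unset or commented out,
# 2 if the conf has no port, 3 if the two ports differ (assumed requirement).
check_attest_config() {
    q=$(qgs_port "$1")
    c=$(conf_port "$2")
    [ -n "$q" ] || { echo "QGS not set in $1 (still commented out?)" >&2; return 1; }
    [ -n "$c" ] || { echo "no port= line in $2" >&2; return 2; }
    [ "$q" = "$c" ] || { echo "port mismatch: QGS=$q, tdx-attest.conf=$c" >&2; return 3; }
    echo "ok: QGS and tdx-attest.conf both use vsock port $q"
}

# Constructed sample inputs mirroring the snippets on this page.
demo=$(mktemp -d)
cat > "$demo/vmi.yaml" <<'EOF'
domain:
    launchSecurity:
      tdx:
        QGS: vsock:2:4050
EOF
printf 'port=4050\n' > "$demo/tdx-attest.conf"
# Template state before editing: the parameter is still commented out.
sed 's/QGS:/# QGS:/' "$demo/vmi.yaml" > "$demo/vmi-template.yaml"

check_attest_config "$demo/vmi.yaml" "$demo/tdx-attest.conf"
check_attest_config "$demo/vmi-template.yaml" "$demo/tdx-attest.conf" || echo "exit code $?"
```
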
