Add support for Intel Trust Domain Extensions (TDX)

Makefile

@@ -14,6 +14,8 @@ SNP_INIT_SRC =	init/tee/snp_attest.c		\
 		init/tee/snp_attest.h		\
 		$(KBS_INIT_SRC)			\
 
+TDX_INIT_SRC = $(KBS_INIT_SRC)
+
 KBS_LD_FLAGS =	-lcurl -lidn2 -lssl -lcrypto -lzstd -lz -lbrotlidec-static \
 		-lbrotlicommon-static
 
@@ -27,6 +29,14 @@ ifeq ($(SEV),1)
     INIT_SRC += $(SNP_INIT_SRC)
 	BUILD_INIT = 0
 endif
+ifeq ($(TDX),1)
+    VARIANT = -tdx
+    FEATURE_FLAGS := --features intel-tdx,tee,blk,kbs-types,serde,serde_json,curl
+    INIT_DEFS += -DTDX=1
+    INIT_DEFS += $(KBS_LD_FLAGS)
+    INIT_SRC += $(KBS_INIT_SRC)
+    BUILD_INIT = 0
+endif
 ifeq ($(GPU),1)
     FEATURE_FLAGS += --features gpu
 endif
@@ -91,6 +101,9 @@ $(LIBRARY_RELEASE_$(OS)): $(INIT_BINARY)
 ifeq ($(SEV),1)
 	mv target/release/libkrun.so target/release/$(KRUN_BASE_$(OS))
 endif
+ifeq ($(TDX),1)
+	mv target/release/libkrun.so target/release/$(KRUN_BASE_$(OS))
+endif
 ifeq ($(OS),Linux)
 	patchelf --set-soname $(KRUN_SONAME_$(OS)) --output $(LIBRARY_RELEASE_$(OS)) target/release/$(KRUN_BASE_$(OS))
 else
@@ -108,6 +121,9 @@ $(LIBRARY_DEBUG_$(OS)): $(INIT_BINARY)
 ifeq ($(SEV),1)
 	mv target/debug/libkrun.so target/debug/$(KRUN_BASE_$(OS))
 endif
+ifeq ($(TDX),1)
+	mv target/debug/libkrun.so target/debug/$(KRUN_BASE_$(OS))
+endif
 ifeq ($(OS),Linux)
 	patchelf --set-soname $(KRUN_SONAME_$(OS)) --output $(LIBRARY_DEBUG_$(OS)) target/debug/$(KRUN_BASE_$(OS))
 else

examples/Makefile

@@ -4,38 +4,54 @@ LDFLAGS_x86_64_Linux = -lkrun
 LDFLAGS_aarch64_Linux = -lkrun
 LDFLAGS_arm64_Darwin = -L/opt/homebrew/lib -lkrun
 LDFLAGS_sev = -lkrun-sev
+LDFLAGS_tdx = -L../target/debug -lkrun-tdx
 LDFLAGS_efi = -L/opt/homebrew/lib -lkrun-efi
 CFLAGS = -O2 -g -I../include
 ROOTFS_DISTRO := fedora
 ROOTFS_DIR = rootfs_$(ROOTFS_DISTRO)
 
 .PHONY: clean rootfs
 
-EXAMPLES := chroot_vm
+EXAMPLES := chroot_vm external_kernel
 ifeq ($(SEV),1)
     EXAMPLES := launch-tee
 endif
+ifeq ($(TDX),1)
+    EXAMPLES := launch-tee
+endif
 ifeq ($(EFI),1)
     EXAMPLES := boot_efi
 endif
 
 all: $(EXAMPLES)
 
 chroot_vm: chroot_vm.c
-	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_$(ARCH)_$(OS))
+	# gcc -o $@ $< $(CFLAGS) $(LDFLAGS_$(ARCH)_$(OS))
+	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_tdx)
 ifeq ($(OS),Darwin)
 	codesign --entitlements chroot_vm.entitlements --force -s - $@
 endif
 
 launch-tee: launch-tee.c
+ifeq ($(SEV),1)
 	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_sev)
+endif
+ifeq ($(TDX),1)
+	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_tdx)
+endif
 
 boot_efi: boot_efi.c
 	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_efi)
 ifeq ($(OS),Darwin)
 	codesign --entitlements chroot_vm.entitlements --force -s - $@
 endif
 
+external_kernel: external_kernel.c
+	gcc -o $@ $< $(CFLAGS) $(LDFLAGS_$(ARCH)_$(OS))
+ifeq ($(OS),Darwin)
+	codesign --entitlements chroot_vm.entitlements --force -s - $@
+endif
+
 # Build the rootfs to be used with chroot_vm.
 rootfs:
 	mkdir -p $(ROOTFS_DIR)
@@ -44,4 +60,4 @@ rootfs:
 	podman rm libkrun_chroot_vm
 
 clean:
-	rm -rf chroot_vm $(ROOTFS_DIR) launch-tee boot_efi
+	rm -rf chroot_vm $(ROOTFS_DIR) launch-tee boot_efi external_kernel

examples/chroot_vm.c

@@ -218,7 +218,7 @@ int main(int argc, char *const argv[])
     }
 
     // Set the log level to "off".
-    err = krun_set_log_level(0);
+    err = krun_set_log_level(4);
     if (err) {
         errno = -err;
         perror("Error configuring log level");
@@ -280,6 +280,12 @@ int main(int argc, char *const argv[])
         }
     }
 
+    if (err = krun_set_tee_config_file(ctx_id, "/home/jcorrent/libkrun/examples/tdx-config-noattest.json")) {
+        errno = -err;
+        perror("Error setting the TEE config file");
+        return -1;
+    }
+
     // Configure the rlimits that will be set in the guest
     if (err = krun_set_rlimits(ctx_id, &rlimits[0])) {
         errno = -err;