Is there a complete demo of how to build a kata container that shielded by Intel TDX?

[zibinpan]

Is there a complete demo of how to build a kata container that shielded by Intel TDX?

I have a cloud server that supports Intel TDX. But I need to create some guest containers for other users to use. How can I use kata-container to do that? And how can the users do the remote attestation to ensure that their container is built from a trusted image and is shielded by Intel TDX?

Thanks.

[fidencio]

Is there a complete demo of how to build a kata container that shielded by Intel TDX?

It depends is the best answer I can give you.
Do you know what's the host stack on your side? Depending on the host stack we'll be able to guide you further on this.

I'd be interested to know what is:

• Host OS
• Host OS kernel version
• TDX version

Once we know that, we can go into your other questions.

[zibinpan]

@fidencio Hi, it's on Ubuntu 22.04 OS in the kernel version of 6.5.0-28-generic. But my TDX version is unknown.

[fidencio]

@fidencio Hi, it's on Ubuntu 22.04 OS in the kernel version of 6.5.0-28-generic. But my TDX version is unknown.

For Ubuntu, I'd recommend you move to 24.04 and then set up TDX according to: https://github.com/canonical/tdx/tree/noble-24.04
I was not yet able to validate that Kata Containers will work on the distro as it is, but I'm in the process to do so (but I will be off till Thu next week, so responses will get delayed).

Let me know if you can follow those instructions, and then I will give you more instructions on how to deploy Kata Containers on that system (after TDX is fully enabled). Last but not least, I'm not sure if Canonical's shipped QEMU has full support for attestation, I'll need to double check that, and will let you know once I get my evaluation done.

[fidencio]

Also, please, subscribe to #9590, as that is of your interest as well.