Skip to content

iExecBlockchainComputing/provision-tdx

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
host_setup
host_setup
 
 
td_setup
td_setup
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

Repository files navigation

provision-tdx

Scripts to provision an Intel TDX (Trusted Domain Extensions) host and guest environment on Ubuntu 24.04.

Prerequisites

  • Ubuntu 24.04 (Noble) on a TDX-capable machine
  • Internet access (Intel SGX repository, GitHub, Intel registration API)
  • sudo privileges

Architecture overview

Host machine (bare metal)
├── TDX kernel + firmware        ← enable_tdx_host.sh
├── QGS (Quote Generation)       ← install_qgs.sh
├── PCCS (cert caching)          ← install_pccs.sh
├── Platform registration        ← register_platform.sh
└── TD guest image               ← create_td.sh
    └── TD guest (VM)
        └── Remote attestation   ← td_setup/install_ra.sh

Phase 1 — Host setup

All scripts below run on the host machine.

Step 1 — Enable TDX on the host

bash host_setup/enable_tdx_host.sh

Clones the Canonical TDX repository and runs setup-tdx-host.sh to configure the kernel, BIOS settings, and required packages.

Reboot the machine before continuing.

sudo reboot

Step 2 — Install QGS (Quote Generation Service)

bash host_setup/install_qgs.sh

Installs tdx-qgs, libsgx-dcap-default-qpl, and libsgx-dcap-ql from the Intel SGX repository. Configures the qgsd systemd service to expose the service over vsock on port 4050.

Step 3 — Install PCCS (Provisioning Certification Caching Service)

bash host_setup/install_pccs.sh

Installs Node.js 20 and sgx-dcap-pccs, disables strict certificate validation in /etc/sgx_default_qcnl.conf, then restarts pccs.service and qgsd.service. Verifies connectivity on 127.0.0.1:8081 at the end.

During the PCCS interactive setup you will be prompted for an Intel PCS API key and a local admin password.

Step 4 — Register the platform with Intel

bash host_setup/register_platform.sh

Installs sgx-pck-id-retrieval-tool, extracts the Platform Manifest (PM) into a .bin file, and POSTs it to the Intel Trusted Services registration API (https://api.trustedservices.intel.com/sgx/registration/v1/platform).

If the tool reports a missing 6th column, perform an SGX Factory Reset in the BIOS to expose the full provisioning data.

Step 5 — Create the TD guest image

bash host_setup/create_td.sh

Runs create-td-image.sh -v 24.04 inside the Canonical TDX guest-tools directory to build an Ubuntu 24.04 TD image. Also patches the run_td launch script to bind host-forwarded ports to 127.0.0.1 only.

Phase 2 — TD guest setup

The script below runs inside the TD guest VM.

Step 6 — Install remote attestation libraries

bash td_setup/install_ra.sh

Installs libtdx-attest and libtdx-attest-dev from the Intel SGX repository. Appends port=4050 to /etc/tdx-attest.conf so the attestation library connects to the QGS vsock exposed by the host.

Installation order summary

Step Script Where Reboot
1 host_setup/enable_tdx_host.sh Host Yes
2 host_setup/install_qgs.sh Host No
3 host_setup/install_pccs.sh Host No
4 host_setup/register_platform.sh Host No
5 host_setup/create_td.sh Host No
6 td_setup/install_ra.sh TD guest No

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages