Running the OS in an Intel TDX environment
The OSDK makes it convenient to run your OS inside an Intel TDX environment. Intel TDX (Trust Domain Extensions) runs the guest as a trust domain whose memory is encrypted and isolated from the host and the hypervisor by the CPU, so your OS gets a considerably more secure environment than an ordinary VM provides.
Preparing the Intel TDX environment
Make sure your server supports Intel TDX.
See this guide or other materials to enable Intel TDX in the host OS.
To verify that the host has TDX enabled, run:
dmesg | grep "TDX module initialized"
The output should look like this:
[ 20.507296] tdx: TDX module initialized.
If you see the "TDX module initialized" message, the TDX module has been loaded successfully. If the line is absent, TDX is not active on the host and any guest you start will run as an ordinary, unprotected VM.
The Intel TDX environment requires TDX-enhanced versions of QEMU, KVM, GRUB, and other essential software for running an OS. It is therefore recommended to deploy the environment from a Docker image.
Run a TDX Docker container. Note that it runs privileged, in the host network namespace, with the host's /dev mounted, so that it can reach the KVM and TDX devices; treat anything inside it as equivalent to root on the host:
docker run -it --privileged --network=host -v /dev:/dev asterinas/osdk:0.17.1-20260319
Edit OSDK.toml for Intel TDX support
Because Intel TDX imposes extra requirements and restrictions on VMs, the OSDK configuration has to be adjusted accordingly. This is easily done with the OSDK's scheme feature, which overrides the default OSDK configuration for a specific environment.
For example, you can append the following TDX-specific scheme to your OSDK.toml. The security-relevant parts are in qemu.args: the -object of type tdx-guest turns the VM into a trust domain, and -machine must attach it via confidential-guest-support with the same id (without that, QEMU boots a normal VM); sept-ve-disable set to true stops a malicious host from provoking #VE in the guest kernel by unmapping Secure EPT pages; and quote-generation-socket sends the guest's attestation quote requests to the Quote Generation Service on the host (vsock CID 2) over the given port.
[scheme."tdx"]
supported_archs = ["x86_64"]
boot.method = "grub-qcow2"
grub.mkrescue_path = "~/tdx-tools/grub"
grub.boot_protocol = "linux"
qemu.args = '''\
-accel kvm \
-m 8G \
-vga none \
-monitor pty \
-nodefaults \
-drive file=target/osdk/asterinas/asterinas.qcow2,if=virtio,format=qcow2 \
-monitor telnet:127.0.0.1:9001,server,nowait \
-bios /root/ovmf/release/OVMF.fd \
-object '{ \"qom-type\": \"tdx-guest\", \"id\": \"tdx0\", \"sept-ve-disable\": true, \"quote-generation-socket\": { \"type\": \"vsock\", \"cid\": \"2\", \"port\": \"4050\" } }' \
-cpu host,-kvm-steal-time,pmu=off \
-machine q35,kernel-irqchip=split,confidential-guest-support=tdx0 \
-smp 1 \
-nographic \
'''
To use the configuration given by the TDX scheme instead of the default, add the --scheme argument to the build, run, or test command:
cargo osdk build --scheme tdx
cargo osdk run --scheme tdx
cargo osdk test --scheme tdx
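As an added check (example code written for this page, not part of the OSDK), the following Python script lints the [scheme."tdx"] table of an OSDK.toml for the QEMU settings that actually make the guest a trust domain: a -object of type tdx-guest, a -machine confidential-guest-support that references its id, sept-ve-disable set to true, the quote socket pointing at the host, and an OVMF firmware image. The embedded TOML is the scheme above; the two misconfigured variants in the demo are constructed. It assumes Python 3.11 for tomllib (or the tomli backport) and the backslash-newline layout of qemu.args shown above.

```python
"""Lint the [scheme."tdx"] table of an OSDK.toml for TDX-critical QEMU settings.
Added example for this page, not OSDK code; the sample TOML below is the page's
own scheme embedded inline so the check runs offline."""
from __future__ import annotations

import json
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

# Constructed sample: the TDX scheme shown on this page.
SAMPLE_OSDK_TOML = r"""
[scheme."tdx"]
supported_archs = ["x86_64"]
boot.method = "grub-qcow2"
grub.mkrescue_path = "~/tdx-tools/grub"
grub.boot_protocol = "linux"
qemu.args = '''\
-accel kvm \
-m 8G \
-vga none \
-monitor pty \
-nodefaults \
-drive file=target/osdk/asterinas/asterinas.qcow2,if=virtio,format=qcow2 \
-monitor telnet:127.0.0.1:9001,server,nowait \
-bios /root/ovmf/release/OVMF.fd \
-object '{ \"qom-type\": \"tdx-guest\", \"id\": \"tdx0\", \"sept-ve-disable\": true, \"quote-generation-socket\": { \"type\": \"vsock\", \"cid\": \"2\", \"port\": \"4050\" } }' \
-cpu host,-kvm-steal-time,pmu=off \
-machine q35,kernel-irqchip=split,confidential-guest-support=tdx0 \
-smp 1 \
-nographic \
'''
"""


def join_continuations(args: str) -> str:
    """Collapse the backslash-newline continuations of qemu.args into one command line."""
    return re.sub(r"\\\s*\n", " ", args).strip()


def tdx_guest_object(cmdline: str) -> dict | None:
    """Parse the JSON of the -object '{...}' argument; the scheme escapes quotes as \\" ."""
    m = re.search(r"-object\s+'(\{.*?\})'", cmdline)
    if m is None:
        return None
    return json.loads(m.group(1).replace('\\"', '"'))


def lint_tdx_scheme(toml_text: str) -> list[str]:
    """Return findings for the tdx scheme; an empty list means it looks TDX-ready."""
    findings: list[str] = []
    scheme = tomllib.loads(toml_text).get("scheme", {}).get("tdx")
    if scheme is None:
        return ['no [scheme."tdx"] table: --scheme tdx would select nothing']
    cmdline = join_continuations(scheme.get("qemu", {}).get("args", ""))

    if "-accel kvm" not in cmdline:
        findings.append("-accel kvm missing: TDX guests need the TDX-enabled KVM")
    obj = tdx_guest_object(cmdline)
    if obj is None or obj.get("qom-type") != "tdx-guest":
        findings.append("no -object with qom-type tdx-guest: QEMU would start an ordinary, unprotected VM")
    cgs = re.search(r"confidential-guest-support=([^,\s]+)", cmdline)
    if cgs is None:
        findings.append("-machine lacks confidential-guest-support=<id>: the tdx-guest object is never applied")
    elif obj is not None and cgs.group(1) != obj.get("id"):
        findings.append(f"confidential-guest-support={cgs.group(1)} does not name the tdx-guest id {obj.get('id')!r}")
    if obj is not None and obj.get("sept-ve-disable") is not True:
        findings.append("sept-ve-disable is not true: the host could provoke #VE in the guest by unmapping Secure EPT pages")
    qgs = (obj or {}).get("quote-generation-socket")
    if isinstance(qgs, dict) and qgs.get("type") == "vsock" and str(qgs.get("cid")) != "2":
        findings.append(f"quote-generation-socket cid={qgs.get('cid')}: the Quote Generation Service lives on the host (vsock CID 2)")
    if not re.search(r"-bios\s+\S*OVMF", cmdline):
        findings.append("no -bios pointing at an OVMF image")
    return findings


if __name__ == "__main__":
    print("page scheme:", lint_tdx_scheme(SAMPLE_OSDK_TOML) or "OK")
    # Constructed misconfiguration: tdx-guest object defined but never attached to the machine.
    detached = SAMPLE_OSDK_TOML.replace(",confidential-guest-support=tdx0", "")
    for finding in lint_tdx_scheme(detached):
        print("detached object:", finding)
    # Constructed misconfiguration: #VE hardening switched off.
    weak = SAMPLE_OSDK_TOML.replace('\\"sept-ve-disable\\": true', '\\"sept-ve-disable\\": false')
    for finding in lint_tdx_scheme(weak):
        print("weak object:", finding)
```

Run it against your own OSDK.toml by passing the file contents to lint_tdx_scheme; a clean result means only that the scheme is internally consistent, not that the host actually has TDX enabled, which the dmesg check above still has to confirm.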