- Sign up for an Intel® Unified Login account with your corporate email address (if not already signed up).
- Sign in at the Intel® Developer Cloud Beta.
Setting up SSH keys is a one-time task.
WARNING: Never share your private keys with anyone. Never create an SSH private key without a passphrase.
- Launch a Terminal/Command Prompt on your local system.
- Copy & paste the following into your terminal/command prompt to generate SSH keys.
  - Linux*/macOS*:
    ssh-keygen -t ed25519 -f ~/.ssh/id_rsa
  - Windows* (two separate commands: create the folder first, then generate the key):
    mkdir %USERPROFILE%\.ssh
    ssh-keygen -t ed25519 -f %USERPROFILE%\.ssh\id_rsa
- If you are prompted to overwrite, select no to keep the existing keys.
- Copy & paste the following into your terminal/command prompt to open your public key.
  - Linux*/macOS*:
    vi ~/.ssh/id_rsa.pub
  - Windows*:
    notepad %USERPROFILE%\.ssh\id_rsa.pub
Note: The public key must be in your Intel® Developer Cloud profile before starting an instance. The instance will need to be relaunched if the public key was updated after a virtual machine is launched.
- Copy the entire content of the file id_rsa.pub.
- Click the Profile Icon in the top blue navigation bar and click Profile. You must log in to the Intel® Developer Cloud Management Console to see the Profile Icon.
- Paste the copied content into the text box SSH RSA 4096 Public Key and click Save Key.
Note: If your key is not at the default path/name, you must add an IdentityFile parameter to your SSH config file.
Once the SSH keys are created and the public key uploaded, proceed to request access to the TDX System. TDX Systems are available upon request only, so follow the instructions below to request one.
- Go to https://scheduler.cloud.intel.com and Sign In (if not already).
- Click Instances in the top blue navigation bar.
- Click the check box for "Beta - Intel® Trust Domain Extensions (Intel® TDX) with 4th Generation Intel® Xeon® Scalable processors".
- Click the "Launch Instance" blue button at the bottom of the list.
- Review the details and click 'Request Instance'.
- Complete the "Request Instance" form and click the "Request Instance" button at the bottom right to submit.
- If your request is approved, the Intel® Developer Cloud Customer Response Team will respond within 2-3 business days.
After receiving the approval email, follow the steps below to launch the TDX System.
- Go to https://scheduler.cloud.intel.com and Sign In (if not already).
- Click Instances in the top blue navigation bar.
- Click the check box for "Beta - Intel® Trust Domain Extensions (Intel® TDX) with 4th Generation Intel® Xeon® Scalable processors".
- Click the "Launch Instance" blue button at the bottom of the list.
- Review the agreement, and if you agree, select the "I agree" checkbox, then click "Launch Instance".
- Please wait (2 minutes) for the instance to be provisioned and launched.
- On successful launch, you will be redirected to the "View Instances" tab as shown below.
Note: Only your current public key will be authorized to access this instance.
Note: If you have multiple keys to be authorized to access your reserved instances, or you have changed your public key in your profile, you need to add those keys to each reserved instance separately.
WARNING: All reserved TDX Systems will be terminated after 7 days.
- To access a launched TDX System instance, from 'View Instances', click 'Click here to copy the SSH command' and paste it into your terminal or command prompt.
Note: If you are connecting to the TDX System from your company's Corporate Network (behind a proxy), you will need to follow the section Access from Corporate Network (optional) below.
- You will be shown a password and prompted to enter it. Enter the shown password.
- After entering the password, you will be logged into the launched TDX System.
- If you have multiple keys to be authorized to access your reserved instances, you can add those additional keys by following the next step without relaunching the instance.
- In View Instances, on a launched instance, click 'Click here to add additional SSH Keys' to add your additional SSH keys.
- If you have changed your public key in your profile after you launched an instance, you can add your new key by following the next step without relaunching the instance.
- In View Instances, on a launched instance, click 'Click here to add additional SSH Keys' to add your additional SSH keys.
Note: To upload a file to the TDX system, open a new terminal on your local system and use the following command.
scp -P 10022 [LOCAL_FILE_NAME] devcloud@localhost:[PATH_TO_DESTINATION]
To copy the same file into the TDVM, use the following command from the TDX system.
scp [LOCAL_FILE_NAME] devcloud@[TDVM_IP_ADDRESS]:[PATH_TO_DESTINATION]
Note: To download a file from the TDX system, open a new terminal on your local system and use the following command.
scp -P 10022 devcloud@localhost:[PATH_TO_REMOTE_FILE] .
WARNING: If you are connecting (SSH) to the TDX system from your company's Corporate Network (behind a proxy), you will need to update your SSH config file.
Note: If you connect using Command Prompt on the Microsoft* Windows* Operating System, you must install Git for Windows.
- Setting up the SSH configuration is a one-time task.
- Your SSH configuration file is located in a folder named .ssh under your user's home folder. If the file is not present, create one.
- Copy & paste the following into your SSH config file (~/.ssh/config).
  - Linux*/macOS*:
    Host 146.152.*.* idcbetabatch.eglb.intel.com
        ProxyCommand /usr/bin/nc -x PROXYSERVER:PROXYPORT %h %p
  - Windows*:
    Host 146.152.*.* idcbetabatch.eglb.intel.com
        ProxyCommand "C:\Program Files\Git\mingw64\bin\connect.exe" -S PROXYSERVER:PROXYPORT %h %p
- From your Lab Administrator, get the PROXYSERVER and PROXYPORT used for SSH in your Corporate Network (NOT the HTTP/HTTPS proxy).
- Replace PROXYSERVER and PROXYPORT with the information you received from your lab administrator and save the SSH config file.
- Go back to the section Access a Bare Metal Instance.
You will also receive another email with subject "Intel® Trust Domain Extensions and Project Amber in Intel® DevCloud". The email will contain the Amber API key and Amber URL that you will need for attestation.
Once logged into the TDX-enabled system, clone the GitHub project and execute the initialization scripts.
git clone https://github.com/IntelConfidentialComputing/tdx-amber-idc-preview
cd tdx-amber-idc-preview/scripts
./init.sh
- Create a TD guest image from the official Ubuntu 22.04 image as follows:
./create-guest-image.sh -o <image file name> -u <username> -p <password> -n <guest vm name>
Example:
./create-guest-image.sh -o tdx-guest.qcow2 -u tdx -p 123TdVMTest -n my-guest
- Start the TDVM via libvirt. After creating the guest image, use the following command to create a TDVM:
./start-virt.sh -i <image file name> -n <guest vm name>
Example:
./start-virt.sh -i tdx-guest.qcow2 -n my-guest
- You can manage the TDVM using the virsh tool with the commands below (optional).
# Examples of commands to manage VMs (should be run on the host)
# To escape out of the TDVM console use ^] (i.e. hit Ctrl+] keys)
# List all VMs created by the current Linux account
virsh list --all
# Suspend a VM
virsh suspend my-guest
# Resume a VM
virsh resume my-guest
# Shut down a VM
virsh shutdown my-guest
# Start a VM
virsh start my-guest
# Connect to the VM console
virsh console my-guest
NOTE: To exit a running VM console, please use ^] (Ctrl + ]).
NOTE: Please change my-guest to your guest's name.
NOTE: Please check chapter 3.2 at the Whitepaper: Linux* Stacks for Intel® Trust Domain Extension 1.0 v0.10
- Check the TD Report
TDREPORT is a fixed-size data structure generated by the TDX module which contains guest-specific information (such as build and boot measurements), the platform security version, and the MAC that protects the integrity of the TDREPORT. For more details on TDREPORT, please refer to section 4.2 of the Whitepaper: Linux* Stacks for Intel® Trust Domain Extension 1.0 v0.10.
To generate the TD report and the quote, run the following commands:
tdx@tdx-guest:~$ tdx_tdreport
tdx@tdx-guest:~$ sudo amber-cli quote
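As an added example (not part of the original page or of the tdx-amber-idc-preview project), the parser below splits a raw 1024-byte TDREPORT into the fields a verifier's policy acts on: the TD measurement (MRTD), the runtime measurement registers, the ATTRIBUTES word (to refuse debug-enabled TDs) and REPORTDATA (to check the verifier's nonce). The field offsets are taken from the TDX Module specification's TDREPORT_STRUCT layout rather than from this page, so treat them as an assumption to confirm against the whitepaper cited above; the sample blob is constructed inline, not real hardware output.

```python
import struct

# Assumption (TDX Module spec, not this page): TDREPORT is 1024 bytes laid out as
# REPORTMACSTRUCT (0-255), TEE_TCB_INFO (256-494), reserved (495-511), TDINFO (512-1023).
TDREPORT_SIZE = 1024
OFF_REPORTTYPE, OFF_CPUSVN, OFF_REPORTDATA, OFF_MAC = 0, 16, 128, 224
OFF_TDINFO = 512
TDX_REPORT_TYPE = 0x81          # REPORTTYPE.TYPE value for a TD report
ATTR_DEBUG = 1 << 0             # TDINFO.ATTRIBUTES bit 0: debug TD (memory inspectable)
TDINFO_FIELDS = [("attributes", 8), ("xfam", 8), ("mrtd", 48),
                 ("mrconfigid", 48), ("mrowner", 48), ("mrownerconfig", 48),
                 ("rtmr0", 48), ("rtmr1", 48), ("rtmr2", 48), ("rtmr3", 48)]


def parse_tdreport(blob: bytes) -> dict:
    """Split a raw TDREPORT into the fields an attestation policy cares about."""
    if len(blob) != TDREPORT_SIZE:
        raise ValueError(f"expected {TDREPORT_SIZE} bytes, got {len(blob)}")
    rtype, subtype, version = struct.unpack_from("<BBB", blob, OFF_REPORTTYPE)
    if rtype != TDX_REPORT_TYPE:
        raise ValueError(f"not a TD report: type 0x{rtype:02x}")
    report = {"subtype": subtype, "version": version,
              "cpusvn": blob[OFF_CPUSVN:OFF_CPUSVN + 16].hex(),
              "reportdata": blob[OFF_REPORTDATA:OFF_REPORTDATA + 64],
              # The MAC is keyed inside the CPU; it is checked on-platform when the
              # report is turned into a quote, not by an off-box verifier.
              "mac": blob[OFF_MAC:OFF_MAC + 32].hex()}
    off = OFF_TDINFO
    for name, size in TDINFO_FIELDS:
        raw = blob[off:off + size]
        # 8-byte fields are little-endian integers; 48-byte fields are SHA-384 digests
        report[name] = raw.hex() if size == 48 else int.from_bytes(raw, "little")
        off += size
    return report


def is_debug_td(report: dict) -> bool:
    """A debug-enabled TD should fail policy: its memory can be read by the host."""
    return bool(report["attributes"] & ATTR_DEBUG)


def reportdata_matches(report: dict, nonce: bytes) -> bool:
    """Freshness: REPORTDATA should carry the nonce the verifier supplied (zero-padded)."""
    return report["reportdata"] == nonce.ljust(64, b"\0")


def build_sample_tdreport(mrtd: bytes, nonce: bytes, debug: bool) -> bytes:
    """Constructed sample blob for exercising the parser; not output of real hardware."""
    buf = bytearray(TDREPORT_SIZE)
    buf[OFF_REPORTTYPE] = TDX_REPORT_TYPE
    buf[OFF_REPORTDATA:OFF_REPORTDATA + 64] = nonce.ljust(64, b"\0")
    buf[OFF_TDINFO:OFF_TDINFO + 8] = (ATTR_DEBUG if debug else 0).to_bytes(8, "little")
    buf[OFF_TDINFO + 16:OFF_TDINFO + 64] = mrtd
    return bytes(buf)
```

In practice the quote produced by amber-cli, not the bare report, is what a remote verifier checks; the same TDINFO fields are carried inside it.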
Execute the following commands to perform the attestation.
tdx@tdx-guest:~$ export AMBER_URL=<AMBER URL String>
tdx@tdx-guest:~$ export AMBER_API_KEY=<AMBER API Key>
tdx@tdx-guest:~$ amber-cli create-key-pair -k key.pem
tdx@tdx-guest:~$ sudo -E amber-cli token
Note: Make sure there is no whitespace before or after the API key.
Running workloads in a TDVM is exactly the same as running the workload in a non-confidential VM. For example, run the nginx web server in a container:
tdx@tdx-guest:~$ sudo docker run -it --rm -d -p 8080:80 --name web nginx
tdx@tdx-guest:~$ curl http://localhost:8080