Build a TDX confidential computing environment and verify remote attestation

更新时间:
复制 MD 格式

Set up Intel® TDX on an ECS instance and verify it with remote attestation sample code.

Background

Intel® TDX is a hardware-based protection technology for ECS instances. In a TDX instance, CPU registers, memory data, interrupt handling, and other runtime states are confidentially protected by the CPU hardware. Neither cloud providers nor external attackers can monitor or tamper with the internal runtime state of a TDX instance, such as running processes and sensitive data during computation. See Intel® Trusted Domain Extension (Intel® TDX).

Intel® TDX secures instances and applications by default. Existing applications can migrate to TDX instances without redevelopment.

image

Prerequisites

Console

Creating a TDX instance is similar to creating a standard instance. Only TDX-specific configurations are described here. For general configurations, see Create an instance on a custom basis.

  1. Go to ECS console - Instances.

  2. In the upper-left corner of the page, select a region and resource group.地域

  3. Click Create Instance and configure the following parameters.

    Parameter

    Description

    Region and zone

    Supported regions and zones vary by instance type. See Supported regions, instance types, and images.

    This example uses China (Beijing) Zone I and ecs.g8i.xlarge.

    Instance type

    Image

    Select the Confidential VM checkbox, and then select the Alibaba Cloud Linux 3.2104 LTS 64-bit image.

    image

  4. Complete the remaining configurations to create the instance.

CLI and API

Call the RunInstances operation or use Alibaba Cloud CLI to create a TDX-enabled ECS instance. Configure the following parameters.

Parameter

Description

Example

RegionId

China (Beijing)

cn-beijing

ZoneId

Available only in specific zones. Instance types vary by zone. See Supported regions, instance types, and images.

cn-beijing-i

InstanceType

ecs.g8i.2xlarge

ImageId

ID of a TDX-supported image. Only Alibaba Cloud Linux 3.2104 LTS 64-bit UEFI images with kernel 5.10.134-16.al8.x86_64 or later are supported.

aliyun_3_x64_20G_alibase_20241218.vhd

SecurityOptions.ConfidentialComputingMode

The confidential computing mode.

TDX

CLI example

aliyun ecs RunInstances \
  --SecurityOptions.ConfidentialComputingMode TDX \
  --Region cn-beijing \
  --ZoneId cn-beijing-i \
  --SystemDisk.Category cloud_essd \
  --ImageId 'aliyun_3_x64_20G_alibase_20241218.vhd' \
  --InstanceType 'ecs.g8i.2xlarge' \
  --SecurityGroupId 'sg-<YourSecurityGroupId>' \
  --VSwitchId 'vsw-<YourVSwitchId>' \
  --KeyPairName <YourKeyPairName> \
  

Procedure

Step 1: Verify that TDX is enabled

Verify that TDX is enabled on your instance before proceeding.

  1. Check if TDX is enabled.

    lscpu |grep -i tdx_guest

    If the output contains tdx_guest, TDX is enabled.tdx-install

  2. Check if the TDX drivers are installed.

    ls -l /dev/tdx_guest

    If the output contains /dev/tdx_guest, the TDX drivers are installed.image

Step 2: Build the TDX environment

Note

Most applications can migrate to TDX instances without redevelopment. To fully leverage TDX security, use the features described below.

A TDX Report is a CPU-generated data structure that represents the identity of a TDX instance. It contains key information, such as ATTRIBUTES, Runtime-extendable Measurement Registers (RTMRs), and Trusted Computing Base Security Version Numbers (TCB SVNs), and uses cryptographic methods to protect its integrity. See Intel TDX Module.

  1. Add the Alibaba Cloud confidential computing yum repository.

    • Public endpoint format: https://enclave-[Region-ID].oss-[Region-ID].aliyuncs.com/repo/alinux/enclave-expr.repo.

    • VPC endpoint format: https://enclave-[Region-ID].oss-[Region-ID]-internal.aliyuncs.com/repo/alinux/enclave-expr.repo.

      Replace [Region-ID] with the region ID of the TDX instance. The following example uses instance metadata to dynamically obtain the region ID:

      token=$(curl -s -X PUT -H "X-aliyun-ecs-metadata-token-ttl-seconds: 5" "http://100.100.100.200/latest/api/token")
      region_id=$(curl -s -H "X-aliyun-ecs-metadata-token: $token" http://100.100.100.200/latest/meta-data/region-id)
      
      sudo yum install -y yum-utils
      sudo yum-config-manager --add-repo https://enclave-${region_id}.oss-${region_id}-internal.aliyuncs.com/repo/alinux/enclave-expr.repo
  2. Install build tools and sample code.

    sudo yum groupinstall -y "Development Tools"
    sudo yum install -y sgxsdk libtdx-attest-devel
  3. Build the TDXReportParse sample.

    1. Go to the TDXReportParse directory.

      cd /opt/alibaba/teesdk/intel/sgxsdk/SampleCode/TDXReportParse
    2. Build TDXReportParse.

      sudo make
  4. Run the compiled executable file.

    sudo ./tdx_report_parse

    NO_DEBUG in the attributes field indicates non-debug mode (secure mode).image

Verify TDX remote attestation

In an Alibaba Cloud TDX environment, remote attestation verifies the platform's trustworthiness and the integrity and confidentiality of the code that runs on it. See Remote attestation service.

  • Platform: the hardware and virtualization stack that Alibaba Cloud uses.

  • Code that runs on the platform: the operating system (such as Alibaba Cloud Linux) and applications (such as Nginx and Java) in the TDX environment.

  1. Install TDX remote attestation dependencies.

    sudo yum install -y gcc gcc-c++ make openssl-devel git jq
    sudo yum install -y tdx-quote-generation-sample tee-appraisal-tool libsgx-dcap-ql-devel libsgx-dcap-quote-verify-devel libsgx-dcap-default-qpl-devel tdx-quote-verification-sample
  2. Configure the Alibaba Cloud TDX remote attestation service.

    Set PCCS_URL in /etc/sgx_default_qcnl.conf. The following example uses instance metadata to dynamically obtain the region ID and configure the DCAP service:

    token=$(curl -s -X PUT -H "X-aliyun-ecs-metadata-token-ttl-seconds: 5" "http://100.100.100.200/latest/api/token")
    region_id=$(curl -s -H "X-aliyun-ecs-metadata-token: $token" http://100.100.100.200/latest/meta-data/region-id)
    
    sudo sed -i.$(date "+%m%d%y") 's|PCCS_URL=.*|PCCS_URL=https://sgx-dcap-server.${region_id}.aliyuncs.com/sgx/certification/v4/|' /etc/sgx_default_qcnl.conf
  3. Go to the tdx-quote-generation-sample directory and build the application.

    cd /opt/alibaba/tdx-quote-generation-sample
    sudo make
  4. Generate a quote.

    • Randomly generate report_data and issue a quote:

      sudo ./app
    • Specify report_data and issue a quote:

      sudo ./app -d <report_data_in_hex>
        Note
        • <report_data_in_hex> is a 64-byte hexadecimal string.

        • Custom data in report_data_in_hex is included in the generated quote.

        • Due to its limited length, report_data_in_hex is typically a hash value, such as a public key hash for key agreement.

        For example:

        sudo ./app -d 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
        sudo ./app -d $(cat data.dat | xxd -p)

    If similar output is returned, the quote is generated.

    image

  5. Verify the quote.

    1. Configure and sign an appraisal policy.

      Important

      Perform this operation in a trusted, secure environment, not in a production environment.

      Define your security appraisal policy in JSON format.

      • For example, the following policy verifies that your TDX ECS instance runs in an encrypted, non-debuggable state (secure mode).

      • You can also add parameters to verify OS and application integrity. See Intel DCAP Appraisal Engine Developer Guide.

        {
            "policy_array":[
                {
                    "environment":{
                        "class_id":"45b734fc-aa4e-4c3d-ad28-e43d08880e68",
                        "description":"Application TD TCB 1.5"
                    },
                    "reference":{
                        "tdx_attributes":"0000000010000000",
                        "#NOTE": "0000000010000000 means for NO_DEBUG and SPTE_VE_DISABLE"
                    }
                }
            ]
        }

      Use the default policy (at /opt/alibaba/tdx-quote-verification-sample/Policies/tenant_td_policy.json) or write a custom policy to generate a Policy Token for verification. This token can be transferred to any environment where remote attestation is needed.

      cd /opt/alibaba/tdx-quote-verification-sample
      sudo make Policies/tenant_td_policy.jwt

      If similar output is returned, a Policy Token is generated.

      image

    2. Build the remaining components for TDX remote attestation.

      cd /opt/alibaba/tdx-quote-verification-sample
      sudo make all

      If similar output is returned, the components are built.

      image

    3. Verify the quote.

      Important

      Replace <path_to_quote> with the actual quote path, such as /opt/alibaba/tdx-quote-generation-sample/quote.dat.

      • Verify the quote against the policy in Policies/tenant_td_policy.json. The result is output to stdout as a JWT.

        ./verifier -quote <path_to_quote>

        Sample output:

        image

      • Use RelyingParty to verify the JWT signature.

        ./verifier -quote <path_to_quote> |./relying_party -v |grep "json payload" |awk -F 'payload:' '{print $2}'|jq 
        Note
        • Check the overall_appraisal_result field in appraisal_result to confirm whether the attester meets your appraisal policy.

          ./verifier -quote <path_to_quote> |./relying_party -v |grep "json payload" |awk -F 'payload:' '{print $2}'|jq '.[0].result.overall_appraisal_result'
        • The report_data specified during quote generation also appears in the verification result (in the tdx_reportdata field). Use this value for business logic such as key exchange.

          ./verifier -quote <path_to_quote> |./relying_party -v -a|grep "json payload" |awk -F 'payload:' '{print $2}'|jq '.. | .tdx_reportdata? | select(. != null)'

        Sample output (some fields omitted):

        [
          {
            "result": {
              "appraisal_check_date": 1710400829000000000,
              "nonce": 502551065253582,
              "certification_data": [
                {
                  "certification_data": {
                    "qe_identity_issuer_chain": "LS0t...",
                    "root_ca_crl": "MzA4...",
                    "pck_crl": "LS0t...",
                    "pck_crl_issuer_chain": "LS0t...",
                    "tcb_info": "eyJ0...",
                    "qe_identity": "eyJl...",
                    "tcb_info_issuer_chain": "LS0t..."
                  }
                }
              ],
              "overall_appraisal_result": 1,
              "appraised_reports": [
                {
                  "appraisal_result": 1,
                  "detailed_result": [
                    {
                      "td_mrownerconfig_check": true,
                      "td_xfam_check": true,
                      "td_mrservicetd_check": true,
                      "td_attributes_check": true,
                      "td_rtmr3_check": true,
                      "td_mrtd_check": true,
                      "td_mrowner_check": true,
                      "td_rtmr0_check": true,
                      "td_mrconfigid_check": true,
                      "td_rtmr1_check": true,
                      "td_rtmr2_check": true
                    }
                  ],
                  "policy": {
                    "environment": {
                      "description": "Application TD TCB 1.5",
                      "class_id": "45b734fc-aa4e-4c3d-ad28-e43d08880e68"
                    },
                    "signature": "-6C0-...",
                    "reference": {
                      ...
                    },
                    "signing_key": {
                      "kty": "EC",
                      "crv": "P-384",
                      "alg": "ES384",
                      "y": "CeW8...",
                      "x": "NmSa..."
                    }
                  },
                  "report": {
                    "environment": {
                      "Description": "Application TD TCB",
                      "class_id": "45b734fc-aa4e-4c3d-ad28-e43d08880e68"
                    },
                    "measurement": {
                      "tdx_mrownerconfig": "0000...",
                      "tdx_mrservicetd": "3D03...",
                      "tdx_xfam": "00000000000642E7",
                      "tdx_mrtd": "0A40...",
                      "tdx_mrowner": "0000...",
                      "tdx_attributes": "0000000010000000",
                      "tdx_mrconfigid": "0000...",
                      "tdx_reportdata": "D98B...",
                      "tdx_rtmr3": "0000...",
                      "tdx_rtmr2": "0000...",
                      "tdx_rtmr1": "6368...",
                      "tdx_rtmr0": "D0FD..."
                    }
                  }
                },
                {
                  "appraisal_result": 1,
                  "detailed_result": [
                    {
                      "platform_provider_id_check": true,
                      "sgx_types_check": true,
                      "cached_keys_check": true,
                      "smt_enabled_check": true,
                      "accepted_tcb_level_date_tag_check": true,
                      "advisory_ids_check": true,
                      "expiration_date_check": true,
                      "tcb_eval_num_check": true,
                      "earliest_accepted_tcb_level_date_tag_check": true,
                      "tcb_status_check": true,
                      "dynamic_platform_check": true
                    }
                  ],
                  "policy": {
                    "environment": {
                      "description": "Alibaba Cloud Evaluation Num Policy for TDX Platform",
                      "class_id": "f708b97f-0fb2-4e6b-8b03-8a5bcd1221d3"
                    },
                    "signature": "l00p...",
                    "reference": {
                      "accepted_tcb_status": [
                        "UpToDate"
                      ],
                      "allow_dynamic_plaform": true,
                      "min_eval_num": 16
                    },
                    "signing_key": {
                      "kty": "EC",
                      "crv": "P-384",
                      "alg": "ES384",
                      "y": "7hlr...",
                      "x": "OSbD..."
                    }
                  },
                  "report": {
                    "environment": {
                      "description": "TDX Platform TCB",
                      "class_id": "f708b97f-0fb2-4e6b-8b03-8a5bcd1221d3"
                    },
                    "measurement": {
                      "earliest_issue_date": "2018-05-21T10:45:10Z",
                      "is_cached_keys_policy": true,
                      "fmspc": "90C06F000000",
                      "is_smt_enabled": true,
                      "earliest_expiration_date": "2024-04-02T10:22:51Z",
                      "root_ca_crl_num": 1,
                      "root_key_id": "9309...",
                      "pck_crl_num": 1,
                      "tcb_eval_num": 16,
                      "latest_issue_date": "2024-03-13T15:45:02Z",
                      "tcb_status": [
                        "UpToDate"
                      ],
                      "tcb_level_date_tag": "2023-08-09T00:00:00Z",
                      "is_dynamic_platform": true,
                      "sgx_types": 1
                    }
                  }
                },
                {
                  "appraisal_result": 1,
                  "detailed_result": [
                    {
                      "td_qe_expiration_date_check": true,
                      "td_qe_tcb_eval_num_check": true,
                      "td_qe_earliest_accepted_tcb_level_date_tag_check": true,
                      "td_qe_tcb_status_check": true,
                      "td_qe_accepted_tcb_level_date_tag_check": true
                    }
                  ],
                  "policy": {
                    "environment": {
                      "description": "Alibaba Cloud Num Policy for Verified TDQE",
                      "class_id": "3769258c-75e6-4bc7-8d72-d2b0e224cad2"
                    },
                    "signature": "l00p...",
                    "reference": {
                      "accepted_tcb_status": [
                        "UpToDate"
                      ],
                      "min_eval_num": 16
                    },
                    "signing_key": {
                      "kty": "EC",
                      "crv": "P-384",
                      "alg": "ES384",
                      "y": "7hlr...",
                      "x": "OSbD..."
                    }
                  },
                  "report": {
                    "environment": {
                      "Description": "RAW TDX QE Report",
                      "class_id": "3769258c-75e6-4bc7-8d72-d2b0e224cad2"
                    },
                    "measurement": {
                      "earliest_expiration_date": "2025-05-21T10:50:10Z",
                      "earliest_issue_date": "2018-05-21T10:45:10Z",
                      "root_key_id": "9309...",
                      "tcb_eval_num": 16,
                      "latest_issue_date": "2018-05-21T10:50:10Z",
                      "tcb_status": [
                        "UpToDate"
                      ],
                      "tcb_level_date_tag": "2023-08-09T00:00:00Z"
                    }
                  }
                }
              ]
            }
          }
        ]

Supported regions, instance types, and images

Region and instance type limitations

Confidential computing is available only in specific zones. Supported instance types vary by zone.

Region and zone

Instance types

China (Beijing) Zone L

ecs.g8i.xlarge and larger

China (Beijing) Zone I

  • ecs.g8i.xlarge and larger

  • ecs.g9i.xlarge, ecs.c9i.xlarge, ecs.r9i.xlarge, and larger

  • ebmg8i instance family

China (Hangzhou) Zone J

ecs.r9i.xlarge and larger

China (Hong Kong) Zone B

ecs.g8i.xlarge and larger

China (Hong Kong) Zone C

ecs.g8i.xlarge and larger

China (Hong Kong) Zone D

ecs.g8i.xlarge and larger

Singapore Zone B

ecs.g8i.xlarge and larger

Images

Important

We recommend that you use Alibaba Cloud Linux 3.

  • Debian 13.1 or later: Debian 13.1, Debian 13.2, Debian 13.3.

  • Rocky 9.5 or later: Rocky 9.5, Rocky 9.6, Rocky 9.7, Rocky 10.0, Rocky 10.1.

  • Ubuntu 24.04 or later: Ubuntu 24.04.

  • Alibaba Cloud Linux 3 or later: Alibaba Cloud Linux 3, Alibaba Cloud Linux 4.

Limitations

  • TDX instances may have lower performance than regular instances because CPU registers and memory data are encrypted by CPU hardware.

  • Due to RTMR resets, interrupt protection, and register state recovery, TDX instances do not support in-OS reboots. You cannot run the reboot command inside the OS.

  • VNC logon is not supported. Use SSH via Workbench or a third-party client instead. For runtime logs, see View instance system logs and screenshots or GetInstanceConsoleOutput.

  • Image limitations:

    • Only UEFI images are supported.

    • Windows is not supported.

    • Images with outdated kernels are not supported. Kernel version must be 5.10.134-16.al8.x86_64 or later.

  • eRDMA and various types of accelerators are not supported.

  • Known issues with the Linux guest kernel SWIOTLB buffer:

    • Less memory is visible to the OS compared to a regular instance. A TDX instance reserves unencrypted memory (SWIOTLB) for peripheral communication. By default, this area is 6% of available memory, up to 1 GiB.

    • Attaching multiple elastic network interfaces (ENIs) to a large instance may cause a crash due to insufficient SWIOTLB memory in multi-queue network card scenarios. Stop the instance on the console and detach ENIs to recover.

    • High-I/O workloads may experience performance degradation from insufficient SWIOTLB. Check with:

      dmesg| grep 'swiotlb buffer is full'
      Important

      Incorrect SWIOTLB settings may cause boot failure. Create a snapshot before proceeding so you can roll back if errors occur.

      If this issue occurs, increase the SWIOTLB size:

      • Set the SWIOTLB size to 1 GiB.

        grubby --update-kernel=ALL --args=swiotlb=524288
      • For kernel versions later than 5.10.134-18.al8.x86_64, add the any parameter to support larger SWIOTLB sizes:

        grubby --update-kernel=ALL --args=swiotlb=2097152,any   # Sets SWIOTLB to 4 GiB.
        Note

        Calculate the SWIOTLB parameter value: Target size (in MiB) × 512. See The kernel's command-line parameters.