Confidential Containers Shim Firmware
This is a Shim Firmware to support Intel TDX.
The API specification is at td-shim specification.
The secure boot specification for td-shim is at secure boot specification
The design is at td-shim design.
The threat model analysis is at td-shim threat model.
- Install RUST
please use nightly-2022-04-07.
NOTE: We need install nightly version because we use cargo-xbuild.
1.1. Install xbuild
cargo install cargo-xbuild
Please reinstall cargo-xbuild, after you update the rust toolchain.
- Install NASM
Please make sure nasm can be found in PATH.
- Install LLVM
Please make sure clang can be found in PATH.
Set env:
set CC_x86_64_unknown_uefi=clang
set AR_x86_64_unknown_uefi=llvm-ar
Please follow Secure Boot Guide
cargo xbuild -p td-shim --target x86_64-unknown-uefi --release --features=main,tdx
cargo run -p td-shim-tools --bin td-shim-ld -- target/x86_64-unknown-uefi/release/ResetVector.bin target/x86_64-unknown-uefi/release/td-shim.efi -o target/x86_64-unknown-uefi/release/final.bin
cargo xbuild -p td-payload --target x86_64-unknown-uefi --release --features=main,tdx
cargo run -p td-shim-tools --bin td-shim-ld --no-default-features --features=linker -- target/x86_64-unknown-uefi/release/ResetVector.bin target/x86_64-unknown-uefi/release/td-shim.efi -p target/x86_64-unknown-uefi/release/td-payload.efi -o target/x86_64-unknown-uefi/release/final-pe.bin
cargo xbuild -p td-payload --target devtools/rustc-targets/x86_64-unknown-none.json --release --features=main,tdx
cargo run -p td-shim-tools --bin td-shim-ld --no-default-features --features=linker -- target/x86_64-unknown-uefi/release/ResetVector.bin target/x86_64-unknown-uefi/release/td-shim.efi -p target/x86_64-unknown-none/release/td-payload -o target/x86_64-unknown-uefi/release/final-elf.bin
REF: https://github.com/tianocore/edk2-staging/tree/TDVF
./launch-rust-td.sh
- install pre-commit
- run
pre-commit install - when you run
git commit, pre-commit will do check-code things.
This package is only the sample code to show the concept. It does not have a full validation such as robustness functional test and fuzzing test. It does not meet the production quality yet. Any codes including the API definition, the library and the drivers are subject to change.