Data

Tools

Indexes

Applications

Experiments

Open Source Science

https://github.com/confidential-containers/td-shim

Confidential Containers Shim Firmware

https://github.com/confidential-containers/td-shim

Science Score: 26.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (7.5%) to scientific vocabulary
Last synced: 10 months ago · JSON representation

Repository

Confidential Containers Shim Firmware

Basic Info
  • Host: GitHub
  • Owner: confidential-containers
  • License: other
  • Language: Rust
  • Default Branch: main
  • Size: 2.29 MB
Statistics
  • Stars: 113
  • Watchers: 14
  • Forks: 64
  • Open Issues: 42
  • Releases: 8
Created over 4 years ago · Last pushed 10 months ago
Metadata Files
Readme License Codeowners

README.md

Main Libray Crates Cargo Deny Cargo Fmt & Clippy Integration Test TDX Integration Test Fuzzing Test FOSSA Status

TD-shim - Confidential Containers Shim Firmware

Hardware virtualization-based containers are designed to launch and run containerized applications in hardware virtualized environments. While containers usually run directly as bare-metal applications, using TD or VT as an isolation layer from the host OS is used as a secure and efficient way of building multi-tenant Cloud-native infrastructures (e.g. Kubernetes).

In order to match the short start-up time and resource consumption overhead of bare-metal containers, runtime architectures for TD- and VT-based containers put a strong focus on minimizing boot time. They must also launch the container payload as quickly as possible. Hardware virtualization-based containers typically run on top of simplified and customized Linux kernels to minimize the overall guest boot time.

Simplified kernels typically have no UEFI dependencies and no ACPI ASL support. This allows guests to boot without firmware dependencies. Current VT-based container runtimes rely on VMMs that are capable of directly booting into the guest kernel without loading firmware.

TD Shim is a simplified TDX virtual firmware for the simplified kernel for TD container. This document describes a lightweight interface between the TD Shim and TD VMM and between the TD Shim and the simplified kernel.

Overview

Documents

Feature Introduction

This is a Shim Firmware to support Intel TDX.

The API specification is at td-shim specification.

The secure boot specification for td-shim is at secure boot specification

The design is at td-shim design.

The threat model analysis is at td-shim threat model.

How to build

Tools

  1. Install RUST

please use 1.83.0.

curl https://sh.rustup.rs -sSf | sh -s -- -y --default-toolchain 1.83.0 rustup target add x86_64-unknown-none

  1. Install NASM

Please make sure nasm can be found in PATH.

  1. Install LLVM

Please make sure clang can be found in PATH.

Set env:

``` export CC=clang export AR=llvm-ar

export CCx8664unknownnone=clang export ARx8664unknownnone=llvm-ar ```

Secure boot support

Please follow Secure Boot Guide

Before build

git submodule update --init --recursive ./sh_script/preparation.sh

Use xtask to build TdShim image

Build TdShim image to launch a payload support Linux Boot Protocol

``` cargo image --release

``` Build TdShim image to launch an executable payload

cargo image -t executable -p /path/to/payload_binary --release

Build TdShim image to launch the example payload

cargo image --example-payload --release

Build TdShim manually

Build TdShim to launch a payload support Linux Boot Protocol

cargo build -p td-shim --target x86_64-unknown-none --release --features=main,tdx cargo run -p td-shim-tools --bin td-shim-ld --features=linker -- target/x86_64-unknown-none/release/ResetVector.bin target/x86_64-unknown-none/release/td-shim -o target/release/final.bin

Build TdShim to launch a executable payload

cargo build -p td-shim --target x86_64-unknown-none --release --features=main,tdx --no-default-features

Build Elf format payload

cargo build -p td-payload --target x86_64-unknown-none --release --bin example --features=tdx,start,cet-shstk,stack-guard cargo run -p td-shim-tools --bin td-shim-ld -- target/x86_64-unknown-none/release/ResetVector.bin target/x86_64-unknown-none/release/td-shim -t executable -p target/x86_64-unknown-none/release/example -o target/release/final-elf.bin

To build the debug TdShim, please use dev-opt profile to build td-shim binary. For example:

cargo build -p td-shim --target x86_64-unknown-none --profile dev-opt --features=main,tdx cargo run -p td-shim-tools --bin td-shim-ld --features=linker -- target/x86_64-unknown-none/dev-opt/ResetVector.bin target/x86_64-unknown-none/dev-opt/td-shim -o target/debug/final.bin

Run

REF: https://github.com/tianocore/edk2-staging/tree/TDVF

./launch-rust-td.sh

Reproducible Build

Reproducible build of td-shim binary requires same system user and source code path (see https://github.com/confidential-containers/td-shim/issues/604).

The Dockerfile is provided to build the docker image with the td-shim compilation environment for reproducible build. You can use the docker.sh to build and run the docker container:

./sh_script/docker.sh -f devtools/dev_container

Code Contributions

  1. install pre-commit
  2. run pre-commit install
  3. when you run git commit, pre-commit will do check-code things.

License

FOSSA Status

Owner

  • Name: Confidential Containers
  • Login: confidential-containers
  • Kind: organization

GitHub Events

Total
  • Create event: 6
  • Commit comment event: 1
  • Issues event: 16
  • Watch event: 20
  • Delete event: 5
  • Issue comment event: 48
  • Push event: 35
  • Pull request review comment event: 24
  • Pull request review event: 52
  • Pull request event: 97
  • Fork event: 10
Last Year
  • Create event: 6
  • Commit comment event: 1
  • Issues event: 16
  • Watch event: 20
  • Delete event: 5
  • Issue comment event: 48
  • Push event: 35
  • Pull request review comment event: 24
  • Pull request review event: 52
  • Pull request event: 97
  • Fork event: 10

Issues and Pull Requests

Last synced: 10 months ago

All Time
  • Total issues: 39
  • Total pull requests: 111
  • Average time to close issues: 17 days
  • Average time to close pull requests: 7 days
  • Total issue authors: 19
  • Total pull request authors: 16
  • Average comments per issue: 0.87
  • Average comments per pull request: 0.45
  • Merged pull requests: 75
  • Bot issues: 0
  • Bot pull requests: 12
Past Year
  • Issues: 10
  • Pull requests: 50
  • Average time to close issues: 21 days
  • Average time to close pull requests: 4 days
  • Issue authors: 8
  • Pull request authors: 11
  • Average comments per issue: 0.1
  • Average comments per pull request: 0.44
  • Merged pull requests: 32
  • Bot issues: 0
  • Bot pull requests: 8
View more stats
Top Authors
Issue Authors
  • liuw1 (6)
  • vijaydhanraj (4)
  • mythi (4)
  • jyao1 (4)
  • gaojiaqi7 (4)
  • OuyangHang33 (3)
  • yzhu53 (2)
  • jinankjain (1)
  • arronwy (1)
  • dimakuv (1)
  • Martinits (1)
  • NK-fengsf (1)
  • jiazhang0 (1)
  • BenDHillier (1)
  • yilingxu (1)
Pull Request Authors
  • gaojiaqi7 (37)
  • sgrams (15)
  • OuyangHang33 (15)
  • dependabot[bot] (12)
  • liuw1 (11)
  • zlukwins (4)
  • xiaoyuxlu (3)
  • peterfang (3)
  • dabron (3)
  • dingelish (2)
  • mgudaram (1)
  • vijaydhanraj (1)
  • Freax13 (1)
  • jinankjain (1)
  • mythi (1)
Top Labels
Issue Labels
bug (5) question (1)
Pull Request Labels
dependencies (12) github_actions (12) enhancement (1)

Packages

  • Total packages: 3
  • Total downloads:
    • cargo 5,927 total
  • Total dependent packages: 0
    (may contain duplicates)
  • Total dependent repositories: 0
    (may contain duplicates)
  • Total versions: 13
  • Total maintainers: 1
proxy.golang.org: github.com/confidential-containers/td-shim
  • Versions: 8
  • Dependent Packages: 0
  • Dependent Repositories: 0
Rankings
Dependent packages count: 7.3%
Average: 7.6%
Dependent repos count: 7.8%
Last synced: 10 months ago
crates.io: td-shim-interface

TD-shim metadata data structures and related functions. UEFI Platform Initializaiton data structures and accessors

  • Versions: 2
  • Dependent Packages: 0
  • Dependent Repositories: 0
  • Downloads: 2,453 Total
Rankings
Dependent repos count: 28.8%
Dependent packages count: 34.0%
Average: 53.1%
Downloads: 96.5%
Maintainers (1)
OuyangHang33
Last synced: 10 months ago
crates.io: tdx-tdcall

Constants, stuctures and wrappers to access TDCALL services

  • Versions: 3
  • Dependent Packages: 0
  • Dependent Repositories: 0
  • Downloads: 3,474 Total
Rankings
Dependent repos count: 27.2%
Dependent packages count: 36.0%
Average: 53.2%
Downloads: 96.4%
Maintainers (1)
OuyangHang33
Last synced: 10 months ago

Dependencies

devtools/td-benchmark/Cargo.toml cargo
  • linked_list_allocator 0.9.0
  • log 0.4.13
  • scroll 0.10
  • x86 0.47.0
devtools/td-layout-config/Cargo.toml cargo
  • clap 3.0
  • json5 0.3.0
  • scroll 0.10
  • serde 1.0
devtools/test-runner-client/Cargo.toml cargo
  • linked_list_allocator 0.9.0
  • spin 0.9.2
  • uart_16550 0.2.17
  • x86_64 0.14.9
devtools/test-runner-server/Cargo.toml cargo
  • bootloader-locator 0.0.4
  • clap 3.0
  • locate-cargo-manifest 0.2.0
  • runner-utils 0.0.2
td-exception/Cargo.toml cargo
  • bitflags 1.2.1
  • lazy_static 1.0
  • log 0.4.13
  • spin 0.9.2
  • x86_64 0.14.9
td-layout/Cargo.toml cargo
  • log 0.4.13
  • scroll 0.10
td-loader/Cargo.toml cargo
  • log 0.4.13
  • scroll 0.10
td-loader/fuzz/Cargo.toml cargo
  • afl *
  • libfuzzer-sys 0.4
  • log 0.4.13
td-logger/Cargo.toml cargo
  • lazy_static 1.0
  • log 0.4.13
  • spin 0.9.2
  • x86 0.47.0
td-paging/Cargo.toml cargo
  • bitfield 0.13.2
  • log 0.4.13
  • spin 0.9.2
  • x86 0.47.0
  • x86_64 0.14.9
td-payload/Cargo.toml cargo
  • linked_list_allocator 0.9.0
  • log 0.4.13
  • r-efi 3.2.0
  • scroll 0.10
  • serde 1.0
  • serde_json 1.0
  • zerocopy 0.6.0
td-shim/Cargo.toml cargo
  • der 0.4.5
  • lazy_static 1.4.0
  • linked_list_allocator 0.9.0
  • log 0.4.13
  • r-efi 3.2.0
  • scroll 0.10
  • spin 0.9.2
  • x86 0.47.0
  • x86_64 0.14.9
  • zerocopy 0.6.0
td-shim/fuzz/Cargo.toml cargo
  • afl *
  • libfuzzer-sys 0.4
  • r-efi 3.2.0
td-shim-tools/Cargo.toml cargo
  • argparse 0.2.2
  • byteorder 1.4.3
  • clap 3.0
  • der 0.4.5
  • env_logger 0.9.0
  • hex 0.4
  • log 0.4.5
  • r-efi 3.2.0
  • regex 1
  • scroll 0.10
  • serde 1.0
  • serde_json 1.0
  • sha2 0.10.2
  • zeroize 1.5.4
td-uefi-pi/Cargo.toml cargo
  • log 0.4.13
  • r-efi 3.2.0
  • scroll 0.10
td-uefi-pi/fuzz/Cargo.toml cargo
  • afl *
  • libfuzzer-sys 0.4
  • r-efi 3.2.0
tdx-tdcall/Cargo.toml cargo
  • lazy_static 1.0
  • log 0.4.13
  • scroll 0.10
  • spin 0.9.2
tests/test-td-exception/Cargo.toml cargo
  • bootloader 0.10.12
tests/test-td-paging/Cargo.toml cargo
  • bootloader 0.10.12
tests/test-td-payload/Cargo.toml cargo
  • lazy_static 1.0
  • linked_list_allocator 0.9.0
  • log 0.4.13
  • r-efi 3.2.0
  • scroll 0.10.0
  • serde 1.0
  • serde_json 1.0
  • spin 0.9.2
  • x86 0.47.0
  • zerocopy 0.6.0
.github/workflows/deny.yml actions
  • EmbarkStudios/cargo-deny-action v1 composite
  • actions/checkout v2 composite
.github/workflows/devtools.yml actions
  • KyleMayes/install-llvm-action v1 composite
  • Swatinem/rust-cache v1 composite
  • actions-rs/toolchain v1 composite
  • actions/checkout v2 composite
  • ilammy/setup-nasm v1 composite
.github/workflows/format.yml actions
  • KyleMayes/install-llvm-action v1 composite
  • actions-rs/cargo v1 composite
  • actions-rs/toolchain v1 composite
  • actions/checkout v2 composite
  • ilammy/setup-nasm v1 composite
.github/workflows/fuzz.yml actions
  • actions-rs/cargo v1 composite
  • actions-rs/toolchain v1 composite
  • actions/checkout v2 composite
  • ilammy/setup-nasm v1 composite
.github/workflows/integration-tdx.yml actions
  • KyleMayes/install-llvm-action v1 composite
  • actions-rs/cargo v1 composite
  • actions-rs/toolchain v1 composite
  • actions/checkout v2 composite
.github/workflows/integration.yml actions
  • KyleMayes/install-llvm-action v1 composite
  • Swatinem/rust-cache v1 composite
  • actions-rs/cargo v1 composite
  • actions-rs/toolchain v1 composite
  • actions/checkout v2 composite
  • ilammy/setup-nasm v1 composite
.github/workflows/library.yml actions
  • KyleMayes/install-llvm-action v1 composite
  • Swatinem/rust-cache v1 composite
  • actions-rs/toolchain v1 composite
  • actions/checkout v2 composite
  • ilammy/setup-nasm v1 composite
.github/workflows/main.yml actions
  • KyleMayes/install-llvm-action v1 composite
  • Swatinem/rust-cache v1 composite
  • actions-rs/cargo v1 composite
  • actions-rs/toolchain v1 composite
  • actions/checkout v2 composite
  • ilammy/setup-nasm v1 composite
.github/workflows/release.yaml actions
  • KyleMayes/install-llvm-action v1 composite
  • Swatinem/rust-cache v1 composite
  • actions-rs/cargo v1 composite
  • actions-rs/toolchain v1 composite
  • actions/checkout v2 composite
  • actions/create-release v1 composite
  • actions/upload-release-asset v1 composite
  • ilammy/setup-nasm v1 composite
devtools/dev_container/Dockerfile docker
  • ubuntu 20.04 build
Cargo.lock cargo
  • 180 dependencies
Cargo.toml cargo
cc-measurement/Cargo.toml cargo
xtask/Cargo.toml cargo