[Meta-issue] Production blockers

[dimakuv]

• Add testing infrastructure (CI) for VM/TDX

  • Currently we trigger runs of our Bash-scripts-Frankenstein manually.
  • Currently we need to apply patches to some Makefiles/Gramine manifest templates (ideally must use unmodified CI-Examples and Examples).

• Implement typical ring-0 protections

  • KASLR
  • SMAP/SMEP
  • Tighter page permissions
  • CET / Shadow Stack
  • Mitigations of Spectre v1

• Move away from TD-Shim vBIOS

  • This will be easier in terms of building/deployment/controlling the code if we won't have such an unconventional dependency.
  • TD-Shim is minimal, but still has a lot of features not required by Gramine
  • It's better if Gramine has full control over TDMR and RTMRs (currently TD-Shim populates most of them)
  • Because of TD-Shim's initial state (page tables, GDTs, IDTs), Gramine PAL must re-initialize all those
  • Because TD-Shim loads the initial executable (Gramine PAL), we have no control over its base address (prevents us from easily doing KASLR) and over relocations (which requires the commit "[PAL] Allow to skip relocations in setup_pal_binary()")
  • Our own vBIOS could better control which TD pages are accepted initially

• Move from the MVP Linux stack to the mid-stream Linux stack

[kailun-qin]

Currently, Gramine-TDX is based on Linux Stack for Intel TDX 1.0 (P.S. this piece of info seems to be missing -- should we note it somewhere?).

Do we have plan to support other versions e.g. tdx-mid-stream?

[dimakuv]

Do we have plan to support other versions e.g. tdx-mid-stream?

What is this branch exactly? Is it Intel TDX 1.5?

[kailun-qin]

Do we have plan to support other versions e.g. tdx-mid-stream?

What is this branch exactly? Is it Intel TDX 1.5?

Not really, TDX 1.5 is in on another branch: https://github.com/intel/tdx-tools/tree/tdx-1.5. tdx-mid-stream refers to support TDX features via mid-stream distros (RH, Ubuntu etc.).