[Bug 2125123] Re: add firmware for Intel tdx with secure boot capability

Launchpad Bug Tracker 2125123 at bugs.launchpad.net
Thu Oct 2 13:50:45 UTC 2025


This bug was fixed in the package edk2 - 2025.02-8ubuntu2

---------------
edk2 (2025.02-8ubuntu2) questing; urgency=medium

  * Add firmware for Intel TDX with secure boot capability (LP: #2125123)
    - d/rules : Build OVMF.tdx.fd and OVMF.tdx.secboot.fd
    - d/control : add deps on jq and python3-virt-firmware for keys
      import in OVMF.tdx.secboot.fd
    - d/descriptors : add Tdx firmware json files
    - d/ovmf.README.Debian : add doc for OVMF.tdx.*.fd

 -- Hector Cao <hector.cao at canonical.com>  Mon, 22 Sep 2025 12:05:25 +0000

** Changed in: edk2 (Ubuntu)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/2125123

Title:
  add firmware for Intel tdx with secure boot capability

Status in edk2 package in Ubuntu:
  Fix Released

Bug description:
  Intel Confidential Computing (Intel TDX) is now available with the Questing 25.10
  components: kernel and qemu.

  While we can boot an Intel confidential VM (TD - Trust Domain) with
  the EDK2 default OVMF.fd (config: OvmfPkg/OvmfPkgX64.dsc), there are
  2 drawbacks:

  - default OVMF.fd has several security limitations for Intel TDX [1].

  - secure boot is not enabled, since a TDX VM does not allow using -pflash with QEMU
    for the UEFI vars that contain the necessary certificates for secure boot.

  To address these 2 limitations:

  1) we can build a customized OVMF file, as we already did for AMD-SEV (LP: #2106771);
     the config file is OvmfPkg/IntelTdx/IntelTdxX64.dsc.
     We will name the OVMF file OVMF.inteltdx.fd

  2) we create a variant image named OVMF.tdxintel.secboot.fd with
     secure boot support: -DSECURE_BOOT_ENABLE=TRUE

  3) we copy the certificates in OVMF_VARS_4M.ms.fd over to
     OVMF.tdxintel.secboot.fd to enable secure boot.


  Since we are delivering new OVMF images, the regression risk is
  minimized.

  [1] https://github.com/tianocore/edk2/tree/master/OvmfPkg/IntelTdx#configurations-and-features
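As an added check for step 3 (this is example code, not code from the bug report, the edk2 project or the Ubuntu packaging): once a TD boots with the secure-boot variant of the firmware, the thing to confirm inside the guest is that secure boot is actually enforced (SecureBoot == 1 and SetupMode == 0) and that the db variable really carries the certificates copied from OVMF_VARS_4M.ms.fd. The script below reads those variables from efivarfs on a Linux guest and walks db's EFI_SIGNATURE_LIST chain; the efivarfs layout and the GUIDs come from the UEFI specification, while the sample bytes it falls back to when efivarfs is absent are constructed here and are not real Microsoft certificates.

```python
"""Verify secure boot state and list enrolled db signatures inside a (TD) guest.

Added example, not part of the bug report or the edk2/Ubuntu packaging.
On a Linux guest it reads /sys/firmware/efi/efivars; elsewhere it runs on
constructed sample bytes so it can be exercised offline.
"""
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # SecureBoot, SetupMode
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx

# Signature-type GUIDs from the UEFI spec.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}


def read_efivar(name: str, guid: str):
    """Return the raw efivarfs file content (attributes + data), or None if absent."""
    path = os.path.join(EFIVARS, f"{name}-{guid}")
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        return f.read()


def split_efivar(raw: bytes):
    """efivarfs prepends a 32-bit little-endian attribute word to the variable data."""
    if len(raw) < 4:
        raise ValueError("efivar too short")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def secure_boot_active(secureboot_raw: bytes, setupmode_raw: bytes) -> bool:
    """Secure boot is enforced only when SecureBoot == 1 and SetupMode == 0."""
    _, sb = split_efivar(secureboot_raw)
    _, sm = split_efivar(setupmode_raw)
    return sb[:1] == b"\x01" and sm[:1] == b"\x00"


def parse_signature_lists(data: bytes):
    """Walk a chain of EFI_SIGNATURE_LIST structures (layout of PK/KEK/db/dbx).

    Each list: SignatureType GUID(16) | SignatureListSize u32 | SignatureHeaderSize u32
               | SignatureSize u32 | header | EFI_SIGNATURE_DATA entries
               (SignatureOwner GUID(16) | payload).
    Returns [(type_name, owner_guid, payload_bytes), ...]; raises on malformed input.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        body = data[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        type_name = SIG_TYPES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((type_name, str(owner), body[i + 16:i + sig_size]))
        off += list_size
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads) -> bytes:
    """Constructed-sample builder: one EFI_SIGNATURE_LIST of equal-size payloads."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample variables (attributes BS|RT = 6); the "certificate" is dummy bytes.
SAMPLE_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
SAMPLE_SECUREBOOT = struct.pack("<I", 6) + b"\x01"
SAMPLE_SETUPMODE = struct.pack("<I", 6) + b"\x00"
SAMPLE_DB = struct.pack("<I", 0x27) + (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82" + b"A" * 40])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32])
)


def report(secureboot_raw=None, setupmode_raw=None, db_raw=None) -> dict:
    """Summarise secure boot state and db contents from raw efivar bytes."""
    sb = secureboot_raw or read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE) or SAMPLE_SECUREBOOT
    sm = setupmode_raw or read_efivar("SetupMode", EFI_GLOBAL_VARIABLE) or SAMPLE_SETUPMODE
    db = db_raw or read_efivar("db", EFI_IMAGE_SECURITY_DATABASE) or SAMPLE_DB
    entries = parse_signature_lists(split_efivar(db)[1])
    return {
        "secure_boot_enforced": secure_boot_active(sb, sm),
        "db_x509_count": sum(1 for t, _, _ in entries if t == "x509"),
        "db_sha256_count": sum(1 for t, _, _ in entries if t == "sha256"),
        "db_owners": sorted({o for _, o, _ in entries}),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

Run it as root inside the guest; a TD booted with the secure-boot firmware should report `secure_boot_enforced: True` and a non-zero x509 count whose owner GUIDs match the certificates that were imported from OVMF_VARS_4M.ms.fd. A `False` result with a populated db usually means the platform is still in setup mode, i.e. the PK was not enrolled alongside KEK/db.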
