[Bug 2125123] [NEW] add firmware for Intel tdx with secure boot capability
Hector CAO
2125123 at bugs.launchpad.net
Thu Sep 18 14:21:29 UTC 2025
Public bug reported:
Intel Confidential Computing (Intel TDX) is now available with Questing 25.10
components: kernel and qemu.
While we can boot an Intel confidential VM (TD - Trust Domain) with
the EDK2 default OVMF.fd (config: OvmfPkg/OvmfPkgX64.dsc), there are
2 drawbacks:
- default OVMF.fd has several security limitations for Intel TDX [1].
- secure boot is not enabled since a TDX VM does not allow using -pflash with QEMU
for the UEFI vars that contain the necessary certificates for secure boot.
To address these 2 limitations:
1) we can build a customized OVMF file as we already did for AMD-SEV (LP: #2106771);
the config file is OvmfPkg/IntelTdx/IntelTdxX64.dsc.
We will name the OVMF file OVMF.tdx.fd.
2) we enable secure boot for this firmware: -DSECURE_BOOT_ENABLE=TRUE
3) we copy the necessary certificates from OVMF_VARS_4M.ms.fd over to
the OVMF.tdx.fd
Since we are delivering a new OVMF file, the regression risk is
minimized.
** Affects: edk2 (Ubuntu)
Importance: Undecided
Assignee: Hector CAO (hectorcao)
Status: New
** Changed in: edk2 (Ubuntu)
Assignee: (unassigned) => Hector CAO (hectorcao)
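Step 3 of the plan copies the Secure Boot certificates from OVMF_VARS_4M.ms.fd into the single OVMF.tdx.fd image. Because a TD boots that one image with no -pflash variable store behind it, the only keys that can ever sit in PK/KEK/db are the ones present in the file that ships, so it is worth checking the result before release. The script below, added here as an example and not code from edk2 or from the Ubuntu package, lists the key databases of either file by walking the authenticated variable store (VARIABLE_STORE_HEADER, AUTHENTICATED_VARIABLE_HEADER and EFI_SIGNATURE_LIST, located by scanning for the store GUID so it works on a bare VARS file and on a combined image alike). The GUIDs and state bytes are the UEFI/edk2 constants; build_sample_varstore() and demo() produce a constructed fixture for the self-test and are not a real firmware image.

```python
#!/usr/bin/env python3
"""List the Secure Boot key databases (PK, KEK, db, dbx) baked into an OVMF
image such as OVMF_VARS_4M.ms.fd or a combined OVMF.tdx.fd.

Added example for this bug report; not code from edk2 or Ubuntu's packaging.
Layouts follow MdeModulePkg's variable store headers and UEFI's EFI_SIGNATURE_LIST."""
import struct
import sys
import uuid

# GUID that tags an authenticated (Secure Boot capable) variable store.
AUTH_VARSTORE_GUID = uuid.UUID("aaf32c78-947b-439a-a180-2e144ec37792")
IMAGE_SECURITY_DB_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # vendor GUID of db/dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Microsoft's SignatureOwner GUID as found in KEK/db; used here only to label the fixture.
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

VARSTORE_FORMATTED, VARSTORE_HEALTHY, VAR_ADDED, VAR_START_ID = 0x5A, 0xFE, 0x3F, 0x55AA
VARSTORE_HDR = struct.Struct("<16sIBBHI")        # Signature, Size, Format, State, Reserved, Reserved1
AUTH_VAR_HDR = struct.Struct("<HBBIQ16sIII16s")  # StartId, State, Rsvd, Attrs, MonotonicCount,
                                                 # TimeStamp, PubKeyIndex, NameSize, DataSize, VendorGuid
SIGLIST_HDR = struct.Struct("<16sIII")           # SignatureType, ListSize, HeaderSize, SignatureSize
SECURE_BOOT_VARS = ("PK", "KEK", "db", "dbx")


def find_varstore(image):
    """Return (offset, size) of a formatted, healthy authenticated store. Scanning for
    the store GUID works for a bare VARS file and for a combined CODE+VARS image."""
    off = image.find(AUTH_VARSTORE_GUID.bytes_le)
    while off >= 0 and off + VARSTORE_HDR.size <= len(image):
        _, size, fmt, state, _, _ = VARSTORE_HDR.unpack_from(image, off)
        if fmt == VARSTORE_FORMATTED and state == VARSTORE_HEALTHY and off + size <= len(image):
            return off, size
        off = image.find(AUTH_VARSTORE_GUID.bytes_le, off + 1)
    raise ValueError("no authenticated variable store found")

def iter_variables(image):
    """Yield (name, vendor_guid, attributes, data) for every live (VAR_ADDED) variable."""
    store_off, store_size = find_varstore(image)
    off, end = store_off + VARSTORE_HDR.size, store_off + store_size
    while off + AUTH_VAR_HDR.size <= end:
        start_id, state, _, attrs, _, _, _, name_size, data_size, vendor = AUTH_VAR_HDR.unpack_from(image, off)
        if start_id != VAR_START_ID:
            break  # 0xFF erased space after the last entry
        name_off = off + AUTH_VAR_HDR.size
        data_off = name_off + name_size
        if data_off + data_size > end:
            raise ValueError("variable overruns the store")
        if state == VAR_ADDED:  # skip deleted and in-transition entries
            name = image[name_off:data_off].decode("utf-16-le").rstrip("\0")
            yield name, uuid.UUID(bytes_le=vendor), attrs, image[data_off:data_off + data_size]
        off = (data_off + data_size + 3) & ~3  # next header is 4-byte aligned

def parse_signature_lists(data):
    """Split a key database payload into [(signature_type, [(owner, payload), ...]), ...]."""
    lists, off = [], 0
    while off + SIGLIST_HDR.size <= len(data):
        sig_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        if list_size < SIGLIST_HDR.size or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        first = off + SIGLIST_HDR.size + hdr_size
        count = (off + list_size - first) // sig_size
        sigs = [(uuid.UUID(bytes_le=data[s:s + 16]), data[s + 16:s + sig_size])
                for s in range(first, first + count * sig_size, sig_size)]
        lists.append((uuid.UUID(bytes_le=sig_type), sigs))
        off += list_size
    return lists

def secure_boot_summary(image):
    """Map each present key database to [(kind, owner GUID, payload length), ...].
    An empty dict means the image carries no Secure Boot keys at all."""
    kinds = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
    summary = {}
    for name, _vendor, _attrs, data in iter_variables(image):
        if name in SECURE_BOOT_VARS:
            summary[name] = [(kinds.get(t, str(t)), str(owner), len(payload))
                             for t, sigs in parse_signature_lists(data) for owner, payload in sigs]
    return summary

def build_sample_varstore(cert_der, owner):
    """Constructed fixture: a tiny store with one 'db' variable holding one X.509 entry.
    Real stores come out of the edk2 build, not from here."""
    sig = owner.bytes_le + cert_der
    siglist = SIGLIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, SIGLIST_HDR.size + len(sig), 0, len(sig)) + sig
    name = "db\0".encode("utf-16-le")
    attrs = 0x27  # NON_VOLATILE | BOOTSERVICE | RUNTIME | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    entry = AUTH_VAR_HDR.pack(VAR_START_ID, VAR_ADDED, 0, attrs, 0, bytes(16), 0,
                              len(name), len(siglist), IMAGE_SECURITY_DB_GUID.bytes_le) + name + siglist
    entry += b"\xff" * (-len(entry) % 4)
    store = VARSTORE_HDR.pack(AUTH_VARSTORE_GUID.bytes_le, VARSTORE_HDR.size + len(entry) + 64,
                              VARSTORE_FORMATTED, VARSTORE_HEALTHY, 0, 0)
    return bytes(72) + store + entry + b"\xff" * 64  # 72 zero bytes stand in for the FV header

def demo():
    """Summarise the fixture; the 64-byte blob is a stand-in for DER, not a real certificate."""
    return secure_boot_summary(build_sample_varstore(b"\x30\x82" + bytes(62), MICROSOFT_OWNER_GUID))

if __name__ == "__main__":
    result = secure_boot_summary(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else demo()
    for var in SECURE_BOOT_VARS:
        for kind, owner, length in result.get(var, []):
            print(f"{var:<4} {kind:<6} owner={owner} bytes={length}")
        if var not in result:
            print(f"{var:<4} (absent)")
```

Run it as `python3 list_sb_keys.py OVMF.tdx.fd` and compare with the same listing for OVMF_VARS_4M.ms.fd; an image built without -DSECURE_BOOT_ENABLE=TRUE, or one where step 3 was skipped, reports all four databases as absent. The listing shows what is enrolled, not whether enforcement is on: that is confirmed from inside the booted TD, for example with `mokutil --sb-state`.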
https://bugs.launchpad.net/bugs/2125123