Release 3.3

release.md

Overview

This release provides Intel© Trust Domain Extensions (TDX) with base host, guest, and remote attestation functionalities for Ubuntu.

The new release delivers the following major changes:

⭐ Add support for NVIDIA H100 Tensor Core GPU on Ubuntu 25.04
🔚 End of Life (EOL) for Ubuntu 24.10

1. Ubuntu Plucky 25.04

⚠️ For the best user experience, it’s recommended to perform a fresh installation of Ubuntu 25.04 and then setup TDX per the README. Do not upgrade from a previous Ubuntu TDX installation.

The philosophy and practice of this project going forward is to use what has been upstreamed at a point in time (in this case 6.14 kernel) and add additional out-of-tree patches to produce a minimal viable product (MVP). Previous Ubuntu releases were based on an out-of-tree patchset, aka V19, that provided more features than this release. This release is rebased to some upstreamed and some out-of-tree kernel patches and out-of-tree qemu and libvirt patches. As such, some features from previous releases were removed in this release (but will be added again when they get upstreamed) and some bugs from previous releases are fixed in this release.

Bugfixes:

• TD guest with more than 255 VCPUs won’t boot.
• TD guest doesn't support more than 1 socket/die CPU topology.

Features removed:

• Host kexec/kdump
• Transparent Huge Page

1.1. Feature Highlights

• Device pass-through support for NVIDIA H100 Tensor Core GPU
• Kernel version: 6.14.0-1004. Source link.
• QEMU version: 9.2.1. Source link.
• Libvirt version: 11.0.0. Source link.
• OVMF/EDK2 version: 2025.02. Source link.
• Supported Ubuntu guests:
  • Ubuntu Plucky 25.04 (kernel: 6.14 linux-intel)
  • Ubuntu Noble 24.04 (kernel: 6.8 linux-generic)
  • Ubuntu Noble 24.04 (kernel: 6.8 linux-intel)
• Remote attestation components:
  • Intel DCAP 1.21 - Refer to upstream source for more details
  • Intel Trust Authority Client 1.9.0 - Refer to upstream source for more details

1.2. Test Configurations

• CPU: 5th Gen Intel® Xeon® Scalable Processors
  TDX Module: TDX_1.5.06, build 744
  GPU: NVIDIA H100 Tensor Core using Ubuntu Noble 24.04 6.8 linux-generic TD guest

• CPU: Intel® Xeon® 6 Processors with P-Cores
  TDX Module: TDX_2.0.02, build 786
  GPU: NVIDIA H100 Tensor Core using Ubuntu Noble 24.04 6.8 linux-generic TD guest

• CPU: Intel® Xeon® 6 Processors with E-Cores
  TDX Module: TDX_1.5.06, build 744

1.3. Known Issues/Current Limitations

• Nested virtualization is not supported (#200)
• PMU (Performance Monitoring Unit) is currently not supported and it is disabled by default. (#182)
• Graphics support is disabled (graphic and remote access like VNC are all not supported). (#202)
• Guest Kexec is currently not supported (#204)
• Failure to boot TD guest with console=hvc0 in kernel command line and QEMU cmd -serial stdio.
• TD with large VCPU and memory configuration takes longer to boot.
• I/O device pass-through is not fully supported (#137)

2. Ubuntu Noble 24.04

2.1. Feature Highlights

• Kernel version: 6.8.0-1028-intel. Source link.
  • Expose TDX host keys IDs in cgroup v2 miscellaneous subsystem. Bug link.
• Intel Trust Authority Client 1.9.0 - Refer to upstream source for more details.

2.2. Bugfixes

• TD guest with more than 255 VCPUs won’t boot. Bug link

2.3. Test Configurations

• CPU: 5th Gen Intel® Xeon® Scalable Processors
  TDX Module: TDX_1.5.06, build 744
• CPU: Intel® Xeon® 6 Processors with P-Cores
  TDX Module: TDX_2.0.02, build 786
• CPU: Intel® Xeon® 6 Processors with E-Cores
  TDX Module: TDX_1.5.06, build 744

2.4. Known Issues/Current Limitations

• Nested virtualization is not supported (#200)
• PMU (Performance Monitoring Unit) is currently not supported and it is disabled by default. (#182)
• Graphics support is disabled (graphic and remote access like VNC are all not supported). (#202)
• Guest Kexec is currently not supported (#204)
• Failure to boot TD guest with console=hvc0 in kernel command line and QEMU cmd -serial stdio.
• TD with large VCPU and memory configuration takes longer to boot.
• I/O device pass-through is not fully supported (#137)

3. Bugfixes

• add support for PPA outside of kobuk team by @hector-cao in canonical/tdx#345
• tdtest : fix argument passing to pytest via tox by @hector-cao in canonical/tdx#347
• Fix upgrade for the kernel by @hector-cao in canonical/tdx#356
• Add kobuk prefix to apt configuration files by @hector-cao in canonical/tdx#357
• create-td-uki : fix permission denied issue by @hector-cao in canonical/tdx#358

Full Changelog: https://github.com/canonical/tdx/compare/3.2...3.3

"Previous releases were based on an out-of-tree patchset, aka V19" --> "Previous Ubuntu releases were based on an out-of-tree patchset, aka V19"

Since we're including 24.04 in this release, it might be a little confusing. So adding "Ubuntu" is more explicit.

Section 2.3 doesn't match what I have in the Google doc.

Could you add link to "README"? https://github.com/canonical/tdx

Could you add link to "README"? https://github.com/canonical/tdx

Fixed

"Previous releases were based on an out-of-tree patchset, aka V19" --> "Previous Ubuntu releases were based on an out-of-tree patchset, aka V19"

Since we're including 24.04 in this release, it might be a little confusing. So adding "Ubuntu" is more explicit.

Fixed

Could you add link to "README"? https://github.com/canonical/tdx

Done

Could you change "Bugs fixes:" to "Bugfixes:" to be consistent with the rest of the document?

Please Change "Features Highlights" to "Feature Highlights"

Could you change "Bugs fixes:" to "Bugfixes:" to be consistent with the rest of the document?

Fixed

Please Change "Features Highlights" to "Feature Highlights"

Fixed