improvement setup configuration management (#104)

* improve setup scripts configuration

put all variables in a config file
clean up setup scripts in the guest at the end

* allow downgrade for attestation packages

README.md

@@ -23,7 +23,10 @@ As a result, it enhances a platform user’s control of data security and IP pro
 Cloud Service Providers’ (CSP) ability to provide managed cloud services without exposing tenant data to adversaries.
 For more information, see the [Intel TDX overview](https://www.intel.com/content/www/us/en/developer/tools/trust-domain-extensions/overview.html).
 
-This tech preview of TDX on Ubuntu 24.04 provides base host, guest, and remote attestation functionalities. Follow these instructions to setup the TDX host, create a TD guest, boot it, and attest the integrity of its execution environment.  
+This tech preview of TDX on Ubuntu 24.04 provides base host, guest, and remote attestation functionalities.
+Follow these instructions to setup the TDX host, create a TD guest, boot it, and attest the integrity of its execution environment.
+
+The setup can be customized by editing the global configuration file : `setup-tdx-config`
 
 <a id="report-an-issue"></a>
 ## 2. Report an Issue
@@ -45,14 +48,11 @@ the host into a TDX host, optionally install remote attestation components, and
 <a id="step-4-3"></a>
 3. Run the script. <br>
 
-NOTE 1: If you'd like to have the attestation components installed automatically, change the value 
-of `TDX_SETUP_ATTESTATION` from `0` to `1`.
-
-NOTE 2: If you're behind a proxy, use `sudo -E` to preserve user environment.
+NOTE: If you're behind a proxy, use `sudo -E` to preserve user environment.
 
 ```bash
 cd tdx
-sudo TDX_SETUP_ATTESTATION=0 ./setup-tdx-host.sh
+sudo ./setup-tdx-host.sh
 ```
 
 4. Reboot.
@@ -87,7 +87,7 @@ NOTE: The following is a sample BIOS configuration.  It may vary slightly from o
 sudo dmesg | grep -i tdx
 ```
 
-An example output:
+The message `virt/tdx: module initialized` proves that the tdx has been properly initialized. Here is an example output:
 
 ```
 ...
@@ -103,31 +103,16 @@ In this section, you will create an Ubuntu 24.04-based TD guest from scratch or
 
 ### Create a New TD Guest Image
 
-The base image is an Ubuntu 24.04 cloud image [`ubuntu-24.04-server-cloudimg-amd64.img`](https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img). You can be customized your preferences by setting these two environment variables before running the script:
-
-```bash
-export OFFICIAL_UBUNTU_IMAGE="https://cloud-images.ubuntu.com/noble/current/"
-export CLOUD_IMG="noble-server-cloudimg-amd64.img"
-```
+The base image is an Ubuntu 24.04 cloud image.
 
 1. Generate a TD guest image. <br>
 
-NOTE 1: If you'd like to have the attestation components installed automatically, change the value 
-of `TDX_SETUP_ATTESTATION` from `0` to `1`.
-NOTE 2: If you're behind a proxy, use `sudo -E` to preserve user environment.
+NOTE: If you're behind a proxy, use `sudo -E` to preserve user environment.
 
 ```bash
 cd tdx/guest-tools/image/
 # create tdx-guest-ubuntu-24.04-generic.qcow2
-sudo -E ./create-td-image.sh
-```
-
-The TD guest image uses the Ubuntu generic kernel by default, the intel kernel can be selected by using
-the environment variable `TDX_SETUP_INTEL_KERNEL`.
-
-```bash
-# create tdx-guest-ubuntu-24.04-intel.qcow2
-sudo TDX_SETUP_ATTESTATION=0 TDX_SETUP_INTEL_KERNEL=1 ./create-td-image.sh
+sudo ./create-td-image.sh
 ```
 
 Note that the kernel type (`generic` or `intel`) is automatically included in the image name so it is easy to distinguish.
@@ -144,12 +129,9 @@ If you have an existing Ubuntu 24.04 non-TD guest, you can enable the TDX featur
 
 3. Run the script. 
 
-NOTE: If you'd like to have the attestation components installed automatically, change the value 
-of `TDX_SETUP_ATTESTATION` from `0` to `1`.
-
 ```bash
 cd tdx
-sudo TDX_SETUP_ATTESTATION=0 ./setup-tdx-guest.sh
+sudo ./setup-tdx-guest.sh
 ```
 
 4. Shutdown the guest.

attestation/setup-attestation-guest.sh

@@ -9,7 +9,7 @@ apt install --yes software-properties-common
 add-apt-repository -y ppa:kobuk-team/tdx-release
 
 apt update
-apt install --yes libtdx-attest-dev trustauthority-cli
+apt install --yes --allow-downgrades libtdx-attest-dev trustauthority-cli
 
 # compile tdx-attest source
 apt install --yes build-essential

attestation/setup-attestation-host.sh

@@ -10,11 +10,11 @@ add-apt-repository -y ppa:kobuk-team/tdx-release
 
 apt update
 
-apt install --yes sgx-dcap-pccs tdx-qgs
+apt install --yes --allow-downgrades sgx-dcap-pccs tdx-qgs
 
 # using RA registration (direct registration method)
-apt install --yes sgx-ra-service
+apt install --yes --allow-downgrades sgx-ra-service
 
 # using indirect registration method
-apt install --yes sgx-pck-id-retrieval-tool
+apt install --yes --allow-downgrades sgx-pck-id-retrieval-tool
 

guest-tools/image/create-td-image.sh

@@ -16,9 +16,15 @@
 #
 # TODO : ask cloud init to run the TDX setup script
 
+CURR_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+# source config file
+if [ -f ${CURR_DIR}/../../setup-tdx-config ]; then
+    source ${CURR_DIR}/../../setup-tdx-config
+fi
+
 LOGFILE=/tmp/tdx-guest-setup.txt
 WORK_DIR=${PWD}
-CURR_DIR=$(dirname "$(realpath $0)")
 FORCE_RECREATE=false
 OFFICIAL_UBUNTU_IMAGE=${OFFICIAL_UBUNTU_IMAGE:-"https://cloud-images.ubuntu.com/releases/noble/release/"}
 CLOUD_IMG=${CLOUD_IMG:-"ubuntu-24.04-server-cloudimg-amd64.img"}
@@ -216,16 +222,14 @@ EOT
 }
 
 setup_guest_image() {
-    # export environment variables to guest
-    # all environment variables with prefix : TDX_SETUP_
-    declare -px | grep TDX_SETUP_ > ${CURR_DIR}/tdx-guest-setup-env
     virt-customize -a /tmp/${GUEST_IMG} \
-       --copy-in ${CURR_DIR}/setup.sh:/tmp/ \
-       --copy-in ${CURR_DIR}/../../setup-tdx-guest.sh:/tmp/ \
-       --copy-in ${CURR_DIR}/../../setup-tdx-common:/tmp/ \
-       --copy-in ${CURR_DIR}/../../attestation/:/tmp/ \
-       --copy-in ${CURR_DIR}/tdx-guest-setup-env:/tmp/ \
-       --run-command "/tmp/setup.sh"
+       --mkdir /tmp/tdx/ \
+       --copy-in ${CURR_DIR}/setup.sh:/tmp/tdx/ \
+       --copy-in ${CURR_DIR}/../../setup-tdx-guest.sh:/tmp/tdx/ \
+       --copy-in ${CURR_DIR}/../../setup-tdx-common:/tmp/tdx \
+       --copy-in ${CURR_DIR}/../../setup-tdx-config:/tmp/tdx \
+       --copy-in ${CURR_DIR}/../../attestation/:/tmp/tdx \
+       --run-command "/tmp/tdx/setup.sh"
     if [ $? -eq 0 ]; then
         ok "Setup guest image..."
     else

guest-tools/image/setup.sh

@@ -1,10 +1,5 @@
 #!/bin/bash
 
-# caller can set a list of environment variables by putting them into the file /tmp/tdx-guest-setup-env
-if [ -f /tmp/tdx-guest-setup-env ]; then
-  source /tmp/tdx-guest-setup-env
-fi
-
 apt update
 
 # Utilities packages for automated testing
@@ -18,4 +13,6 @@ sed -i 's|[#]*PermitRootLogin .*|PermitRootLogin yes|g' /etc/ssh/sshd_config
 sed -i 's|[#]*KbdInteractiveAuthentication .*|KbdInteractiveAuthentication yes|g' /etc/ssh/sshd_config
 
 # Enable TDX
-/tmp/setup-tdx-guest.sh
+/tmp/tdx/setup-tdx-guest.sh
+
+rm -rf /tmp/tdx || true

setup-tdx-config

@@ -0,0 +1,42 @@
+################################################################
+# GENERAL                                                      #
+################################################################
+
+################################################################
+# Enable the setup of attestation components
+# Set to 1 to enable
+# By default, the attestation components are not installed
+################################################################
+TDX_SETUP_ATTESTATION=0
+
+################################################################
+# HOST                                                         #
+################################################################
+
+
+################################################################
+# GUEST                                                        #
+################################################################
+
+################################################################
+# Enable the intel optimized kernel for the guest
+# Set to 1 to enable
+# By default, the generic kernel is used
+################################################################
+TDX_SETUP_INTEL_KERNEL=0
+
+################################################################
+# Image configuration
+# The base image is an Ubuntu 24.04 cloud image
+# You can use a different image setting these two environment
+# variables before running the setup script
+################################################################
+OFFICIAL_UBUNTU_IMAGE="https://cloud-images.ubuntu.com/releases/noble/release/"
+CLOUD_IMG="ubuntu-24.04-server-cloudimg-amd64.img"
+
+################################################################
+# Configure the guest credentials
+################################################################
+GUEST_USER="tdx"
+GUEST_PASSWORD="123456"
+GUEST_HOSTNAME="tdx-guest"

setup-tdx-guest.sh

@@ -2,11 +2,16 @@
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
+# source config file
+if [ -f ${SCRIPT_DIR}/setup-tdx-config ]; then
+    source ${SCRIPT_DIR}/setup-tdx-config
+fi
+
 # the kernel flavour/type we want to use
 KERNEL_TYPE=linux-image-generic
 
 # use can use -intel kernel by setting TDX_SETUP_INTEL_KERNEL
-if [ -n "${TDX_SETUP_INTEL_KERNEL}" ]; then
+if [[ "${TDX_SETUP_INTEL_KERNEL}" == "1" ]]; then
   KERNEL_TYPE=linux-image-intel
 fi
 

setup-tdx-host.sh

@@ -2,6 +2,11 @@
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 
+# source config file
+if [ -f ${SCRIPT_DIR}/setup-tdx-config ]; then
+    source ${SCRIPT_DIR}/setup-tdx-config
+fi
+
 on_exit() {
     rc=$?
     if [ ${rc} -ne 0 ]; then