CUBE-135 - Enable tdx on cloud init local #139
SammyOina left a comment
Test and add logs to the PR description showing which guest the agent detected.
```
# TDX Setup for Ubuntu 24.04+
# Ubuntu 24.04 (Noble) has TDX guest support built into the kernel
# No additional kernel installation or module loading is required
# The kernel CONFIG_INTEL_TDX_GUEST is enabled by default
```
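Review bot: the fourth line asserts that `CONFIG_INTEL_TDX_GUEST` is enabled by default and the third that no module loading is needed, but nothing in the snippet verifies either claim; the boot log attached to this PR does show `tdx: Guest detected` on `6.8.0-90-generic`, so suggest replacing the bare assertion with a documented check (for example `dmesg | grep -i 'tdx: Guest detected'`, or testing for the tdx-guest device node `/dev/tdx_guest`) and naming the kernel version it was confirmed on.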
This is not true. Please test and check that the config actually works: https://github.com/absmach/propeller/blob/main/hal/ubuntu/qemu.sh
```
echo "Starting QEMU VM in regular mode (no CVM)..."

create_ovmf_vars_copy
create_seed_image "${SCRIPT_DIR}/user-data-tdx.yaml"
```
Regular VM is using TDX?
Add SNP logs as well.
cd0d358 to ce9044e
**Kernel requirements:**

The custom kernel must be built with the following options:
Add `CONFIG_TCG_PLATFORM=y`. This is required in order to use the vTPM.
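To back the "check that the config actually works" request and the `CONFIG_TCG_PLATFORM` addition with something reproducible, here is an added example (not code from this PR or the Cube project) that reads the running kernel's config and lists every required option that is neither built in nor modular. The option list is an assumption: `CONFIG_TCG_PLATFORM` is taken from the comment above, and the others are the upstream names for TDX guest support, the TDX guest device driver, AMD memory encryption, the SEV guest driver and the TPM core; edit the list for the kernel you actually ship.

```bash
#!/bin/sh
# check_cvm_kconfig.sh: verify that a kernel config carries the options a
# confidential guest needs before trusting a "support is built in" claim.
# Added example, not part of this PR. REQUIRED_OPTS is an assumption built
# from the review thread plus upstream Kconfig names; adjust it as needed.

REQUIRED_OPTS="CONFIG_INTEL_TDX_GUEST CONFIG_TDX_GUEST_DRIVER CONFIG_AMD_MEM_ENCRYPT CONFIG_SEV_GUEST CONFIG_TCG_TPM CONFIG_TCG_PLATFORM"

# Print the kernel config as plain text, whichever form the distro ships.
read_kconfig() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        cat "/boot/config-$(uname -r)"
    fi
}

# check_kconfig <config-file> <opt>...: prints one line per option that is
# not =y or =m ("OPT=value", "OPT is not set" or "OPT missing") and returns 1;
# prints nothing and returns 0 when every option is enabled.
check_kconfig() {
    cfg="$1"; shift
    rc=0
    for opt in "$@"; do
        # Exact match on "OPT=" so CONFIG_TCG_TPM does not match CONFIG_TCG_TPM2_HMAC.
        line=$(grep "^$opt=" "$cfg" || true)
        if [ -z "$line" ] && grep -q "^# $opt is not set" "$cfg"; then
            line="$opt is not set"
        fi
        case "$line" in
            "$opt=y"|"$opt=m") ;;
            "")                echo "$opt missing"; rc=1 ;;
            *)                 echo "$line"; rc=1 ;;
        esac
    done
    return $rc
}

# Run against the live kernel when invoked as a script.
if [ "${0##*/}" = "check_cvm_kconfig.sh" ]; then
    tmp=$(mktemp)
    read_kconfig > "$tmp"
    check_kconfig "$tmp" $REQUIRED_OPTS && echo "all required options enabled"
    rm -f "$tmp"
fi
```

Run it once inside the TDX guest and once inside the SEV-SNP guest; a clean run on both is the evidence the reviewer is asking for, and a `CONFIG_SEV_GUEST is not set` line explains a missing `/dev/sev-guest` faster than a failed modprobe does.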
```
UV_CUBE_NEXTAUTH_URL=http://<ip-address>:${UI_PORT}
genisoimage -output seed.img -volid cidata -joliet -rock cidata/
```
We can remove the `-joliet` option. My bad for that one.
Also, rename `cidata/` to the directory where the user-data and debs/ are, so `hal/ubuntu/`.
```
genisoimage -output seed.img -volid cidata -joliet -rock cidata/
```

Where the `cidata/` directory contains:
There should be instructions on how to build this directory: what to name as meta-data and user-data.
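A minimal way to build and sanity-check the NoCloud seed directory that the `genisoimage` command above consumes, as an added example (not the PR's or the project's code). The directory path, the instance-id, the hostname and the user-data body are assumptions; what cloud-init's NoCloud datasource actually requires is the volume label `cidata`, the two files `meta-data` and `user-data` at the image root, and `user-data` starting with `#cloud-config`.

```bash
#!/bin/sh
# make_seed.sh: build a cloud-init NoCloud seed directory, validate it, and
# wrap it into seed.img. Added example, not part of this PR.

# make_cidata_dir <dir> <instance-id> <hostname>: writes meta-data and user-data.
make_cidata_dir() {
    dir="$1"; instance_id="$2"; host="$3"
    mkdir -p "$dir"
    # meta-data: instance-id is what cloud-init compares to decide whether
    # this is a first boot; change it to force user-data to run again.
    printf 'instance-id: %s\nlocal-hostname: %s\n' "$instance_id" "$host" > "$dir/meta-data"
    # user-data: the first line must be "#cloud-config" or cloud-init will
    # not parse it as cloud-config YAML. Contents below are an assumption.
    cat > "$dir/user-data" <<'EOF'
#cloud-config
users:
  - name: ultraviolet
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
runcmd:
  - [ systemctl, enable, --now, cube-agent ]
EOF
}

# validate_cidata <dir>: prints "ok" and returns 0 when the layout satisfies
# the NoCloud datasource; otherwise prints the first problem and returns 1.
validate_cidata() {
    dir="$1"
    [ -f "$dir/user-data" ] || { echo "missing user-data"; return 1; }
    [ -f "$dir/meta-data" ] || { echo "missing meta-data"; return 1; }
    [ "$(head -n 1 "$dir/user-data")" = "#cloud-config" ] \
        || { echo "user-data must start with #cloud-config"; return 1; }
    grep -q '^instance-id:' "$dir/meta-data" \
        || { echo "meta-data needs instance-id"; return 1; }
    echo ok
}

# build_seed_image <dir> <out.img>: -rock keeps full filenames; -joliet is
# not needed for NoCloud, matching the reviewer's suggestion to drop it.
build_seed_image() {
    dir="$1"; out="$2"
    validate_cidata "$dir" >/dev/null || return 1
    command -v genisoimage >/dev/null 2>&1 \
        || { echo "genisoimage not installed" >&2; return 1; }
    genisoimage -output "$out" -volid cidata -rock "$dir"
}

if [ "${0##*/}" = "make_seed.sh" ]; then
    make_cidata_dir ./cidata iid-cube-001 cube-ai-vm
    build_seed_image ./cidata ./seed.img && echo "seed.img written"
fi
```

Because `make_cidata_dir` takes the directory as a parameter, pointing it at `hal/ubuntu/` (where the reviewer wants the user-data and `debs/` to live) only changes the argument; the validation is what catches the two mistakes people actually make, a wrong filename and a missing `#cloud-config` header.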
```
modprobe ccp 2>/dev/null || echo "CCP module not available"
modprobe sev-guest 2>/dev/null || echo "sev-guest module not available"
```
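Review bot: `2>/dev/null || echo ...` makes each modprobe report success even when the module is absent, so a guest with no `sev-guest` driver continues into the SEV-SNP agent path with nothing but a log line to show for it; suggest checking for `/dev/sev-guest` after the modprobe and failing (or falling back to the non-CVM path) when it is missing, and running these two lines only on the local QEMU path, since the GCP/Azure images this PR documents are not meant to load modules by hand.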
This should not be done on cloud (GCP/Azure). Instructions need to be clear on what works locally and on cloud.
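Both asks in this thread (log which guest the agent detected, and keep the manual `ccp`/`sev-guest` modprobe off the cloud images) come down to a detection step the cloud-init user-data can run before starting the agent. The following is an added example, not code from this PR or the project: it checks the guest device nodes and the `tdx_guest` / `sev_snp` CPU flags, then gates the modprobe on the DMI vendor string. The `QEMU` vendor match and the assumption that GCP/Azure images autoload the guest driver are mine; the file paths are the standard Linux ones.

```bash
#!/bin/sh
# detect_cvm.sh: report which confidential-VM guest type the kernel is running
# under, so cloud-init can log it and choose the right agent path.
# Added example, not part of this PR. Paths are parameters so the logic can be
# exercised against constructed files; on a real guest pass /proc/cpuinfo,
# /dev and the contents of /sys/class/dmi/id/sys_vendor.

# detect_cvm <cpuinfo> <devdir>: prints tdx, sev-snp or none.
detect_cvm() {
    cpuinfo="$1"; devdir="$2"
    # 1. Guest driver device nodes: /dev/tdx_guest (tdx-guest driver) and
    #    /dev/sev-guest (sev-guest module). Their presence also means the
    #    agent can request an attestation report.
    if [ -e "$devdir/tdx_guest" ]; then echo tdx; return 0; fi
    if [ -e "$devdir/sev-guest" ]; then echo sev-snp; return 0; fi
    # 2. CPUID-derived flags, present even when the driver is not loaded.
    flags=$(grep '^flags' "$cpuinfo" 2>/dev/null | head -n 1 || true)
    case " ${flags#*:} " in
        *" tdx_guest "*) echo tdx ;;
        *" sev_snp "*)   echo sev-snp ;;
        *)               echo none ;;
    esac
    return 0
}

# needs_local_modprobe <cvm-type> <sys_vendor>: returns 0 only for an SEV-SNP
# guest on a bare QEMU/KVM host, i.e. the local path where the PR loads
# ccp/sev-guest by hand. GCP and Azure images are assumed to autoload the
# guest driver, so the modprobe is skipped there (the reviewer's point).
needs_local_modprobe() {
    cvm="$1"; vendor="$2"
    [ "$cvm" = "sev-snp" ] || return 1
    case "$vendor" in
        QEMU*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Invoked as a script: emit a line in the style of the PR's cloud-init logs.
if [ "${0##*/}" = "detect_cvm.sh" ]; then
    cvm=$(detect_cvm /proc/cpuinfo /dev)
    vendor=$(cat /sys/class/dmi/id/sys_vendor 2>/dev/null || echo unknown)
    if needs_local_modprobe "$cvm" "$vendor"; then
        modprobe ccp && modprobe sev-guest
        [ -e /dev/sev-guest ] || { echo "sev-guest device missing after modprobe" >&2; exit 1; }
    fi
    echo "Cube Agent: detected guest type '$cvm' (platform vendor: $vendor)"
fi
```

Run from a `runcmd` entry, the final line is the evidence the first review comment asks for, and it appears in the same journal as the `Cube Agent (TDX) and Ollama services started.` line already attached to this PR; the explicit `/dev/sev-guest` check after the modprobe is what turns a silently skipped module into a visible failure.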
Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
SammyOina left a comment
The docs need to be clear on how and where each file is used; there are references to terraform, qemu, modprobe. Generally confusing as to which environment cube is being deployed in.
…SEV-SNP integration Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
… in deployment instructions Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
For local development, update `docker/.env`:

```bash
UV_CUBE_NEXTAUTH_URL=http://<vm-ip-address>:${UI_PORT}
```
- SEV-SNP enabled in BIOS
- Host kernel with SEV-SNP/SVSM support
- `/dev/sev` device available
- Coconut SVSM QEMU binary at `/home/cocosai/bin/qemu-svsm/bin/qemu-system-x86_64`
This is the path to our qemu executable. Should we put a generic path here, something like:
`<path-to-svsm-qemu-dir>/qemu-svsm/bin/qemu-system-x86_64`
… path Signed-off-by: WashingtonKK <washingtonkigan@gmail.com>
What type of PR is this?
What does this do?
Which issue(s) does this PR fix/relate to?
Have you included tests for your changes?
Did you document any new/modified features?
Notes
================================================
[ 0.000000] tdx: Guest detected
[ 0.000000] Linux version 6.8.0-90-generic (buildd@lcy02-amd64-092) (x86_64-linux-gnu-gcc-13 (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0, GNU ld (GNU Binutils for Ubuntu) 2.42) #91-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 18 14:14:30 UTC 2025 (Ubuntu 6.8.0-90.91-generic 6.8.12)
[ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-6.8.0-90-generic root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyS0
[ 0.000000] KERNEL supported cpus:
[ 0.000000] Intel GenuineIntel
[ 0.000000] AMD AuthenticAMD
[ 0.000000] Hygon HygonGenuine
[ 0.000000] Centaur CentaurHauls
[ 0.000000] zhaoxin Shanghai
[ 0.000000] x86/split lock detection: #DB: warning on user-space bus_locks
[ 0.000000] BIOS-provided physical RAM map:
=================================================
[ 204.078813] cloud-init[1159]: Cube Agent (TDX) and Ollama services started.
[ OK ] Finished cloud-final.service - Cloud-init: Final Stage.
[ OK ] Reached target cloud-init.target - Cloud-init target.
cube-ai-vm login: ultraviolet
Password:
ultraviolet@cube-ai-vm:~$ systemctl status cube-agent -l --no-pager
● cube-agent.service - Cube Agent Service
Loaded: loaded (/etc/systemd/system/cube-agent.service; enabled; preset: enabled)
Active: active (running) since Tue 2026-01-27 14:47:52 UTC; 2min 4s ago
Main PID: 10843 (cube-agent)
Tasks: 8 (limit: 17971)
Memory: 2.8M (peak: 3.6M)
CPU: 15ms
CGroup: /system.slice/cube-agent.service
└─10843 /usr/local/bin/cube-agent
Warning: some journal files were not opened due to insufficient permissions.
ultraviolet@cube-ai-vm:~$ systemctl status ollama -l --no-pager
● ollama.service - Ollama Service
Loaded: loaded (/etc/systemd/system/ollama.service; enabled; preset: enabled)
Active: active (running) since Tue 2026-01-27 14:47:52 UTC; 2min 12s ago
Main PID: 10774 (ollama)
Tasks: 19 (limit: 17971)
Memory: 2.5G (peak: 2.5G)
CPU: 1min 23.250s
CGroup: /system.slice/ollama.service
└─10774 /usr/local/bin/ollama serve
[ OK ] Started ollama.service - Ollama Service.
[ 224.658035] cloud-init[1023]: Created symlink /etc/systemd/system/multi-user.target.wants/cube-agent.service → /etc/systemd/system/cube-agent.service.
[ OK ] Started cube-agent.service - Cube Agent Service.
ci-info: no authorized SSH keys fingerprints found for user ultraviolet.
<14>Mar 6 08:26:09 cloud-init: #############################################################
<14>Mar 6 08:26:09 cloud-init: -----BEGIN SSH HOST KEY FINGERPRINTS-----
<14>Mar 6 08:26:09 cloud-init: 256 SHA256:de3UYj4mtFrmiU35B7nk+pLKLLtcFAgmfD2SDaOOyjg root@cube-ai-vm (ECDSA)
<14>Mar 6 08:26:09 cloud-init: 256 SHA256:US0lNyxI0l+xFdWABKlhxH5VBCl17OfIGfQSz7/12JQ root@cube-ai-vm (ED25519)
<14>Mar 6 08:26:09 cloud-init: 3072 SHA256:Z3Ufs3HZrfsqZqTFCar0JhvzEqyJ/6GlhMQuq37B1wU root@cube-ai-vm (RSA)
<14>Mar 6 08:26:09 cloud-init: -----END SSH HOST KEY FINGERPRINTS-----
<14>Mar 6 08:26:09 cloud-init: #############################################################
-----BEGIN SSH HOST KEY KEYS-----
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMyqA9l2gsvE7DdOF5UEJtp8A/yuwodK2K0zvyGUgnqpnUk+PdMn20Y2plT4Okz3X1NRggSqCsBZBAYYW3S+jFg= root@cube-ai-vm
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEfjIw2dB2aMPkMzt7cydgiIBc48WNAnOD7Qde4Dm4cy root@cube-ai-vm
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5nkfUjX6kYHlwQ8d3MKs85GysUJR30zU/iBQMYD1BlesxVcbVqfWN0u5ZKtjBhBK1GbXl+4w9mFEwjFWpmI04HoYcptfPThyPe3o0rcepeN175A2zN+5K9VV+2yFhyLTaJvh+yUkX2AH1num
-----END SSH HOST KEY KEYS-----
[ 224.863793] cloud-init[1023]: Cube Agent (SEV-SNP) and Ollama services started.
[ OK ] Finished cloud-final.service - Cloud-init: Final Stage.
[ OK ] Reached target cloud-init.target - Cloud-init target.
Password:
Ultra
Login incorrect
cube-ai-vm login: root
Password:
Login incorrect
cube-ai-vm login: ultraviolet
Password:
Welcome to Ubuntu 24.04.3 LTS (GNU/Linux 6.8.0-90-generic x86_64)
System information as of Fri Mar 6 08:30:57 UTC 2026
System load: 0.02
Usage of /: 59.6% of 32.86GB
Memory usage: 13%
Swap usage: 0%
Processes: 101
Users logged in: 0
IPv4 address for ens3: 10.0.2.15
IPv6 address for ens3: fec0::5054:ff:fe12:3456
Expanded Security Maintenance for Applications is not enabled.
73 updates can be applied immediately.
48 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
*** System restart required ***
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
ultraviolet@cube-ai-vm:~$ ls
ultraviolet@cube-ai-vm:~$ systemctl status ollama
● ollama.service - Ollama Service
Loaded: loaded (/etc/systemd/system/ollama.service; enabled; preset: enabl>
Active: active (running) since Fri 2026-03-06 08:26:09 UTC; 5min ago
Main PID: 9734 (ollama)
Tasks: 18 (limit: 2315)
Memory: 1000.8M (peak: 1.2G)
CPU: 39.691s
CGroup: /system.slice/ollama.service
└─9734 /usr/local/bin/ollama serve
Warning: some journal files were not opened due to insufficient permissions.
ultraviolet@cube-ai-vm:~$ systemctl status cube-agent
● cube-agent.service - Cube Agent Service
Loaded: loaded (/etc/systemd/system/cube-agent.service; enabled; preset: e>
Active: active (running) since Fri 2026-03-06 08:26:09 UTC; 5min ago
Main PID: 9797 (cube-agent)
Tasks: 6 (limit: 2315)
Memory: 2.4M (peak: 2.6M)
CPU: 6ms
CGroup: /system.slice/cube-agent.service
└─9797 /usr/local/bin/cube-agent
Warning: some journal files were not opened due to insufficient permissions.