Skip to content

as: ear: tdx policy updates#1224

Draft
mythi wants to merge 3 commits intoconfidential-containers:mainfrom
mythi:tdx-policy-updates
Draft

as: ear: tdx policy updates#1224
mythi wants to merge 3 commits intoconfidential-containers:mainfrom
mythi:tdx-policy-updates

Conversation

@mythi
Copy link
Contributor

@mythi mythi commented Mar 13, 2026

No description provided.

mythi added 3 commits March 13, 2026 10:45
@mythi
as: policy: drop TDX Module detailed checks from default_cpu
35d13be 
tcb_svn is checked by the DCAP verifier against TcbInfo collateral
and the result is reflected in tcb_status so the redundant test
can be dropped. This also saves users from having to add a reference
value for tcb_svn.

Similarly, drop mr_seam (TDX Module hash) and rely on tcb_status for
this case too (see above). While some TDX Module versions have sources/
reference values available to do reproducible builds checks, that is
not the case for all environments. For now, help users and not require
a reference value in RVPS for mr_seams.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
@mythi
as: policy: check tcb_status in az_tdx_vtpm
7e49945 
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
@mythi
as: policy: add TDX example about tcb_date
9be4da2 
As Trustee moved to use 'early' PCS TcbInfo collateral,
users started seeing OutOfDate tcb_status more often.

While we prefer to keep tcb_status == UpToDate as the
default, give an alternative example how to relax that
with an alternative check that defines a minimum acceptable
TCB date.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mythi