Yocto build for confidential virtual machine images running entropy-tss
Based on flashbots/yocto-manifests.

This uses the meta-entropy-tss layer, which has the recipe for adding entropy-tss.
- Ensure docker and GNU make are installed, and that docker is running.

```sh
make image-base
```
- Install dependencies, most of which are fairly standard (python, gcc, GNU make, etc.), but notably you need repo.

```sh
mkdir entropy-tss-image-build && cd entropy-tss-image-build
repo init -u https://github.com/entropyxyz/yocto-build.git -b main -m tdx-base.xml
repo sync
source setup
cd ../..
# build with debug tweaks enabled
DEBUG_TWEAKS_ENABLED=1 make build
```
There is a script included to do this: `./gcp-deploy`. It expects the first argument to be a name identifying the build, which is added as a suffix to the VM instance name, and an optional second argument giving the path to the image file (defaults to the image built with this repo, assuming you run the script from the root of the repo).

Here is an explanation of what the script does:

```sh
# Create a bucket and upload the built image to it
gcloud storage buckets create gs://tss-cvm-images
gcloud storage cp srcs/poky/build/tmp/deploy/images/tdx-gcp/core-image-minimal-tdx-gcp.rootfs.wic.tar.gz gs://tss-cvm-images

# Register the uploaded image as a TDX-capable GCE image; the source URI must
# point at the bucket the image was copied to above
gcloud compute images create core-image-minimal-tdx-gcp-3 --source-uri gs://tss-cvm-images/core-image-minimal-tdx-gcp.rootfs.wic.tar.gz --guest-os-features=UEFI_COMPATIBLE,VIRTIO_SCSI_MULTIQUEUE,GVNIC,TDX_CAPABLE

# Allow ingress on port 3001 to instances tagged entropy-tss
gcloud compute firewall-rules create allow-port-3001 \
  --allow tcp:3001 \
  --target-tags entropy-tss \
  --description "Allow traffic on port 3001" \
  --direction INGRESS \
  --priority 1000 \
  --network default

# Boot a TDX confidential VM from the image
gcloud compute instances create core-image-minimal-tdx-gcp-3 --network=default --confidential-compute-type=TDX --machine-type=c3-standard-4 --maintenance-policy=TERMINATE --image core-image-minimal-tdx-gcp-3 --zone=europe-west4-b --metadata serial-port-enable=TRUE --tags entropy-tss
```
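As an added example (not the repository's own `./gcp-deploy`), the steps above wrapped into a script with the argument handling described: a build-name suffix and an optional image path. Bucket, zone, machine type and firewall rule are taken from the commands above; the helper function names and the per-build object name in the bucket are assumptions.

```sh
#!/bin/sh
# Example gcp-deploy-style script; not the repository's own. Usage:
#   ./gcp-deploy <build-name> [path/to/image.rootfs.wic.tar.gz]
set -eu

BUCKET="gs://tss-cvm-images"
IMAGE_BASE="core-image-minimal-tdx-gcp"
DEFAULT_IMAGE="srcs/poky/build/tmp/deploy/images/tdx-gcp/${IMAGE_BASE}.rootfs.wic.tar.gz"
ZONE="europe-west4-b"
MACHINE_TYPE="c3-standard-4"

# The suffix becomes part of a GCE resource name: lowercase letters, digits, hyphens only.
valid_name() {
  case "${1:-}" in
    ''|*[!a-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Image and instance name for a build suffix, e.g. "3" -> core-image-minimal-tdx-gcp-3
image_name() { printf '%s-%s\n' "$IMAGE_BASE" "$1"; }

# The instance-create command as a string, so it can be reviewed before it runs.
instance_cmd() {
  printf '%s' "gcloud compute instances create $1 --network=default" \
    " --confidential-compute-type=TDX --machine-type=$MACHINE_TYPE" \
    " --maintenance-policy=TERMINATE --image $1 --zone=$ZONE" \
    " --metadata serial-port-enable=TRUE --tags entropy-tss"
  echo
}

deploy() {
  suffix="$1"; image="${2:-$DEFAULT_IMAGE}"
  valid_name "$suffix" || { echo "invalid build name: $suffix" >&2; return 1; }
  [ -f "$image" ] || { echo "image not found: $image" >&2; return 1; }
  name=$(image_name "$suffix")
  gcloud storage buckets describe "$BUCKET" >/dev/null 2>&1 || gcloud storage buckets create "$BUCKET"
  # Upload under the per-build name so several builds can coexist in the bucket (assumption).
  gcloud storage cp "$image" "$BUCKET/$name.rootfs.wic.tar.gz"
  gcloud compute images create "$name" --source-uri "$BUCKET/$name.rootfs.wic.tar.gz" \
    --guest-os-features=UEFI_COMPATIBLE,VIRTIO_SCSI_MULTIQUEUE,GVNIC,TDX_CAPABLE
  # Create the rule only once; as written it admits TCP/3001 from any source
  # unless --source-ranges narrows it.
  gcloud compute firewall-rules describe allow-port-3001 >/dev/null 2>&1 || \
    gcloud compute firewall-rules create allow-port-3001 --allow tcp:3001 \
      --target-tags entropy-tss --direction INGRESS --priority 1000 --network default
  eval "$(instance_cmd "$name")"
}

if [ $# -gt 0 ]; then deploy "$@"; fi
```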