DL380a Gen12/Enable Intel TDX feature with Ubuntu 24.04
Test System Information:
DL380a Gen12 (Intel Xeon 6710E x 2 processors, 256GB (32GB x 8), 3.84TB NVMe, NVIDIA L40S x 4, Intel E810 2-port OCP)
1. Upgrade SW
a. System ROM 1.46
iLO7 - https://downloads.hpe.com/pub/softlib2/software1/fwpkg-sys/p561188268/v272864/U72_1.46_08_08_2025.fwpkg
iLO6 - https://downloads.hpe.com/pub/softlib2/software1/fwpkg-sys/p487894625/v272848/U70_1.46_08_08_2025.fwpkg
b. iLO6 1.70
https://downloads.hpe.com/pub/softlib2/software1/fwpkg-ilo/p788720876/v270443/ilo6_170.fwpkg
2. Configure BIOS Settings
a. Restore Default Settings
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > System Default Options > Restore Default Manufacturing Settings - Yes
b. Set the Workload Profile (WLP) to Virtualization - Max Performance
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Workload Profile - Virtualization - Max Performance
c. Enable Intel VMD
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Storage Options > NVM Express Options > Intel(R) NVMe Options > Intel(R) CPU VMD Support - Enable All CPU NVMe Root Ports
3. Install Ubuntu 24.04
a. Download the installer ISO
https://old-releases.ubuntu.com/releases/24.04/
https://old-releases.ubuntu.com/releases/24.04/ubuntu-24.04-live-server-amd64.iso
https://releases.ubuntu.com/24.04.3/ubuntu-24.04.3-live-server-amd64.iso
b. Install Ubuntu 24.04
- at the installer boot menu, press 'e' to edit the boot entry
- append the kernel parameters "nomodeset nvme_core.multipath=N"
- press <Ctrl+X> to boot the installer
- partition the filesystem and complete the installation
c. Blacklist the nouveau driver
$ sudo vim /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="nouveau.modeset=0 nvme_core.multipath=N pci=realloc=off"
$ sudo update-grub2
$ sudo bash -c "echo blacklist nouveau > /etc/modprobe.d/blacklist-nvidia-nouveau.conf"
$ sudo bash -c "echo options nouveau modeset=0 >> /etc/modprobe.d/blacklist-nvidia-nouveau.conf"
$ sudo bash -c "echo install nouveau /bin/false >> /etc/modprobe.d/blacklist-nvidia-nouveau.conf"
$ cat /etc/modprobe.d/blacklist-nvidia-nouveau.conf
$ sudo update-initramfs -u
4. Install python 3.x
$ sudo apt install python3
5. Enable TDX in Host OS
a. Download the tdx release archive
https://github.com/canonical/tdx
https://github.com/canonical/tdx/archive/refs/tags/3.3.tar.gz
b. Extract tdx (the later steps assume it lives in /var/tmp/tdx)
# cd /var/tmp
# tar -zxvf tdx*.tar.gz
# mv tdx-3.3 tdx
c. Customize the configuration
# vim ./setup-tdx-config
TDX_SETUP_ATTESTATION=1
d. Set up the host
# sudo ./setup-tdx-host.sh
No VM guests are running outdated hypervisor (qemu) binaries on this host.
========================================================================
The host OS setup has been done successfully. Now, please enable Intel TDX in the BIOS.
========================================================================
Note: if the script fails, check or correct the apt repository configuration and rerun it:
# vim /etc/apt/sources.list.d/ubuntu.sources
6. Enable Intel TDX in BIOS
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Processor Options > Processor Physical Addressing - Default
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Memory Options > Memory Encryption Options > Total Memory Encryption (TME) - Enabled
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Memory Options > Memory Encryption Options > Total Memory Encryption Multi-Key(TME-MK) - Enabled
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > Intel Security Options > Intel(R) Software Guard Extensions (SGX) - Enabled
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > Intel Security Options > Trust Domain Extension (TDX) - Enabled
7. Verify Intel TDX on Host OS
# sudo dmesg | grep -i tdx
[ 1.525539] virt/tdx: BIOS enabled: private KeyID range [32, 64)
[ 1.525542] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3.
[ 6.769657] virt/tdx: module not loaded
8. Set additional BIOS configuration
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > Intel Security Options > Intel TXT Support - Enabled
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > Intel Security Options > TDX Secure Arbitration Mode Loader (SEAM Loader) - Enabled
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > Intel Security Options > TME-MT/TDX key split: 1
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > Intel Security Options > PRMRR Size: 2G
System Utilities > System Configuration > BIOS/Platform Configuration (RBSU) > Server Security > Intel Security Options > Disable excluding Mem below 1MB in CMR - Disabled
9. Verify Intel TDX on Host OS
# sudo dmesg | grep -i tdx
[ 1.527397] virt/tdx: BIOS enabled: private KeyID range [32, 64)
[ 1.527400] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3.
[ 6.594850] virt/tdx: TDX module: attributes 0x0, vendor_id 0x8086, major_version 1, minor_version 5, build_date 20250219, build_num 869
[ 6.594855] virt/tdx: CMR: [0x100000, 0x77800000)
[ 6.594857] virt/tdx: CMR: [0x100000000, 0x1ffe000000)
[ 6.594858] virt/tdx: CMR: [0x60e80000000, 0x62e00000000)
[ 7.625009] virt/tdx: 1034224 KB allocated for PAMT
[ 7.625016] virt/tdx: module initialized
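The two dmesg captures above (step 7 before the step 8 settings, step 9 after them) are the only signal the page gives for whether the host is ready, so here is an added example, not part of the original page or of the canonical/tdx project, that turns that check into a script. It classifies a dmesg capture by its "virt/tdx:" lines and reports the module version, the number of CMRs and the number of private KeyIDs the BIOS reserved. The embedded samples are the step 7 and step 9 outputs from this page; the exit-code mapping and the message strings are this example's own.

```shell
#!/bin/sh
# Classify a dmesg capture by its "virt/tdx:" lines.  Reads dmesg text on stdin.
# Exit status:
#   0 = TDX module initialized (host ready to launch TDs)
#   1 = BIOS reserved KeyIDs but the TDX module was not loaded (the step 8 settings are missing)
#   2 = no virt/tdx lines at all (TME/TDX not enabled in BIOS, or the kernel lacks TDX support)
#   3 = virt/tdx lines present but no recognised verdict
# Live use on the host:  sudo dmesg | tdx_host_status
tdx_host_status() {
    tdx_lines=$(grep -i 'virt/tdx' || true)
    if [ -z "$tdx_lines" ]; then
        echo "NO_TDX_LINES: no virt/tdx messages in dmesg"
        return 2
    fi
    if printf '%s\n' "$tdx_lines" | grep -q 'module initialized'; then
        # "major_version 1, minor_version 5" -> "1.5"
        ver=$(printf '%s\n' "$tdx_lines" | sed -n 's/.*major_version \([0-9]*\), minor_version \([0-9]*\).*/\1.\2/p')
        cmrs=$(printf '%s\n' "$tdx_lines" | grep -c 'CMR:' || true)
        echo "INITIALIZED: TDX module $ver, $cmrs CMR(s)"
        return 0
    fi
    if printf '%s\n' "$tdx_lines" | grep -q 'module not loaded'; then
        echo "NOT_LOADED: KeyIDs reserved but TDX module not loaded (check SEAM Loader, TXT, key split)"
        return 1
    fi
    echo "UNKNOWN: virt/tdx lines present without an initialization verdict"
    return 3
}

# Number of private KeyIDs reserved for TDX, taken from "private KeyID range [lo, hi)".
# Prints 0 when that line is absent.
tdx_private_keyids() {
    range=$(sed -n 's/.*private KeyID range \[\([0-9]*\), \([0-9]*\)).*/\1 \2/p' | head -n 1)
    if [ -z "$range" ]; then
        echo 0
        return 0
    fi
    set -- $range
    echo $(( $2 - $1 ))
}

# Sample input: the step 7 capture from this page (before the step 8 BIOS settings).
sample_step7() { cat <<'EOF'
[ 1.525539] virt/tdx: BIOS enabled: private KeyID range [32, 64)
[ 1.525542] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3.
[ 6.769657] virt/tdx: module not loaded
EOF
}

# Sample input: the step 9 capture from this page (after the step 8 BIOS settings).
sample_step9() { cat <<'EOF'
[ 1.527397] virt/tdx: BIOS enabled: private KeyID range [32, 64)
[ 1.527400] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3.
[ 6.594850] virt/tdx: TDX module: attributes 0x0, vendor_id 0x8086, major_version 1, minor_version 5, build_date 20250219, build_num 869
[ 6.594855] virt/tdx: CMR: [0x100000, 0x77800000)
[ 6.594857] virt/tdx: CMR: [0x100000000, 0x1ffe000000)
[ 6.594858] virt/tdx: CMR: [0x60e80000000, 0x62e00000000)
[ 7.625009] virt/tdx: 1034224 KB allocated for PAMT
[ 7.625016] virt/tdx: module initialized
EOF
}

# Stand-alone demo on the two captures above.
sample_step7 | tdx_host_status || true
sample_step9 | tdx_host_status || true
echo "private KeyIDs: $(sample_step9 | tdx_private_keyids)"
```

The step 7 capture yields exit status 1 (KeyIDs reserved, module not loaded), which is exactly the state the step 8 settings resolve; the step 9 capture yields exit status 0 with module version 1.5, three CMRs and 32 private KeyIDs.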
Note: the following steps follow the Canonical guide (see References).
10. Create TD image
a. Customize the configuration
# vim ./setup-tdx-config
TDX_SETUP_INTEL_KERNEL=1
b. Create a new TD image
# cd /var/tmp/tdx/guest-tools/image/
# sudo ./create-td-image.sh -v 24.04
Note: the default root password of the created image is 123456.
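Steps 5c and 10a both edit setup-tdx-config by hand. As an added example (not part of the page or of the canonical/tdx project), the following helper sets a KEY=VALUE line in a shell-style config idempotently: an existing assignment, even a commented-out one, is replaced in place, a missing one is appended, and a second run changes nothing. The sample file it operates on is constructed here to resemble the two settings the page uses; it is not the real setup-tdx-config.

```shell
#!/bin/sh
# Idempotently set KEY=VALUE in a shell-style config file.
# Usage: set_config_var <file> <KEY> <VALUE>
set_config_var() {
    file="$1"; key="$2"; value="$3"
    if grep -q "^[# ]*${key}=" "$file"; then
        # Replace the existing (possibly commented) assignment; write via a temp file
        # so the edit is portable across sed implementations.
        tmp="${file}.tmp.$$"
        sed "s|^[# ]*${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
    grep "^${key}=" "$file"
}

# Print the value currently assigned to KEY (empty if unset, last assignment wins).
# Usage: get_config_var <file> <KEY>
get_config_var() {
    sed -n "s/^${2}=//p" "$1" | tail -n 1
}

# Constructed sample resembling setup-tdx-config (not the real file).
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample: attestation off, Intel kernel line commented out
TDX_SETUP_ATTESTATION=0
#TDX_SETUP_INTEL_KERNEL=0
EOF
}

# Stand-alone demo on a constructed copy; on the host the file is /var/tmp/tdx/setup-tdx-config.
demo_file=$(mktemp)
make_sample_config "$demo_file"
set_config_var "$demo_file" TDX_SETUP_ATTESTATION 1     # step 5c
set_config_var "$demo_file" TDX_SETUP_INTEL_KERNEL 1    # step 10a
rm -f "$demo_file"
```

Running set_config_var twice with the same key leaves exactly one assignment line, which is what makes it safe to rerun the whole procedure.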
11. Boot TD
# cd /var/tmp/tdx/guest-tools
# ./run_td.sh
References:
- Intel® Trust Domain Extensions (TDX) on Ubuntu: https://github.com/canonical/tdx
- Intel® TDX Enabling Guide: https://cc-enabling.trustedservices.intel.com/intel-tdx-enabling-guide/01/introduction/
- HPE Advisory: (Revision) Intel Virtual RAID on CPU (VROC) - HPE Platforms Running Ubuntu Server 20.04.1, 24.04 or 24.04.1, and Using Intel Virtual RAID on CPU (VROC) May Not Recognize the RAID Volume: https://support.hpe.com/hpesc/public/docDisplay?docId=a00117325en_us&docLocale=en_US