⚠️ Disclaimer
This project is in a prototype/alpha stage and has not been audited.
It is intended for experimentation only and must not be used in production environments.
Use at your own risk.
This repository provides the base image and supporting tools for running a CVM with Conker, a confidential container engine based on Intel TDX, along with assistant tools that facilitate measurement. It includes:
- A base image for Conker CVMs (Confidential Virtual Machines)
- Build scripts and configuration files
- CVM assistants such as the Secret Provider Agent for managing secrets in TDX-based confidential environments
High-level overview of the top-level directories. Each folder focuses on one logical part of the Conker base image and can be worked on independently.
| Directory | Purpose | Key Components |
|---|---|---|
| apploader/ | Loads user applications and embeds part of the Remote-Attestation (RA) service. | Docker-based application loader • RA server module • Shared tooling libraries • Sample application |
| cvmassistants/ | Helpers that run inside the Confidential VM (CVM) to provide secrets, storage, network, and firewall setup. | key-provider • secret-provider • cvm-disktool • net-tool • firewall |
| guest-kernel/tdx/ | Scripts for building the custom Conker Linux kernel. | Kernel config (.config) • Compile / packaging scripts |
| base-image/ | Produces the final Docker base image. | Image build script • Dockerfile describing runtime environment |
Building:
- Docker for image building
- Development tools: make, bash, gcc, etc.
Running:
- Host system with Intel TDX enabled in BIOS and Linux kernel support
- QEMU with TDX and KVM support (version >= 9.0.2 recommended)
To build the confidential VM base image:
```bash
cd base-image
bash release.sh buildimage
```
This will compile all necessary components (e.g., the secret provider agent) and produce a Docker image named cvm-base.
You may customize the image by modifying the Dockerfile or the files/ directory.
This base image is intended to serve as the foundation for building Conker, as described in the Conker repo, and running it via QEMU with TDX.
Note: Make sure you have appropriate permissions (KVM group), and that TDX is enabled and detected by the kernel.
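The following preflight script checks the "Running" requirements and the note above before a CVM is launched. It is an added example, not a script from the Conker repo; it assumes QEMU is installed as qemu-system-x86_64 and that the host kernel exposes TDX support through the kvm_intel module parameter at /sys/module/kvm_intel/parameters/tdx (both are assumptions, not taken from this README).

```shell
#!/usr/bin/env bash
# Preflight for running Conker CVMs (added example; assumptions noted below).
# Usage: bash preflight.sh check
MIN_QEMU="9.0.2"                                  # from the README's requirements
TDX_PARAM="/sys/module/kvm_intel/parameters/tdx"  # assumed location of the kvm_intel "tdx" flag

# Extract "X.Y.Z" from the first line of `qemu-system-x86_64 --version`.
parse_qemu_version() {
  printf '%s\n' "$1" | sed -n 's/^QEMU emulator version \([0-9][0-9.]*\).*/\1/p'
}

# Succeeds when dotted version $1 >= $2 (relies on sort -V).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Succeeds when the kvm_intel tdx parameter file $1 exists and reads "Y".
tdx_enabled_in() {
  [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "Y" ]
}

# Succeeds when the current user can open /dev/kvm read-write (kvm group or root).
kvm_accessible() {
  [ -r /dev/kvm ] && [ -w /dev/kvm ]
}

preflight() {
  rc=0
  if command -v qemu-system-x86_64 >/dev/null 2>&1; then
    ver=$(parse_qemu_version "$(qemu-system-x86_64 --version | head -n1)")
    if [ -n "$ver" ] && version_ge "$ver" "$MIN_QEMU"; then
      echo "ok    QEMU $ver (>= $MIN_QEMU)"
    else
      echo "FAIL  QEMU version '${ver:-unknown}' is older than $MIN_QEMU"; rc=1
    fi
  else
    echo "FAIL  qemu-system-x86_64 not found in PATH"; rc=1
  fi
  if tdx_enabled_in "$TDX_PARAM"; then echo "ok    TDX enabled in kvm_intel"
  else echo "FAIL  TDX not enabled or not detected by the kernel ($TDX_PARAM)"; rc=1; fi
  if kvm_accessible; then echo "ok    /dev/kvm accessible"
  else echo "FAIL  /dev/kvm not accessible (add your user to the kvm group)"; rc=1; fi
  return $rc
}

# Run the checks only when invoked as "preflight.sh check"; exit status 1 on any failure.
[ "${1:-}" = "check" ] && preflight
```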