Yocto build for confidential virtual machine images running entropy-tss based on flashbots/yocto-manifests.

This uses the meta-entropy-tss layer which has the recipe for adding entropy-tss.

To build with docker:

• Ensure docker and GNU make are installed, and that docker is running
• make image-base

To build without docker:

• Install dependencies, most of which are fairly standard (python, gcc, GNU make, etc), but notably you need repo.

mkdir entropy-tss-image-build && cd entropy-tss-image-build
repo init -u https://github.com/entropyxyz/yocto-build.git -b main -m tdx-base.xml
repo sync
source setup
DEBUG_TWEAKS_ENABLED=1 make build

To deploy to Google Cloud Platform:

Copy the build image to a GCP bucket:

gcloud storage buckets create gs://tss-cvm-images
gcloud storage cp srcs/poky/build/tmp/deploy/images/tdx-gcp/core-image-minimal-tdx-gcp.rootfs.wic.tar.gz gs://tss-cvm-images

Create a GCP image from the image file:

gcloud compute images create core-image-minimal-tdx-gcp-3 --source-uri gs://cvm-images-flashbots/core-image-minimal-tdx-gcp.rootfs.wic.tar.gz --guest-os-features=UEFI_COMPATIBLE,VIRTIO_SCSI_MULTIQUEUE,GVNIC,TDX_CAPABLE

Setup a GCP firewall rule to allow traffic to port 3001

$ gcloud compute firewall-rules create allow-port-3001 \
  --allow tcp:3001 \
  --target-tags entropy-tss \
  --description "Allow traffic on port 3001" \
  --direction INGRESS \
  --priority 1000 \
  --network default

Start a GCP instance using the image:

gcloud compute instances create core-image-minimal-tdx-gcp-3 --network=default --confidential-compute-type=TDX --machine-type=c3-standard-4 --maintenance-policy=TERMINATE --image core-image-minimal-tdx-gcp-3 --zone=europe-west4-b --metadata serial-port-enable=TRUE --tags entropy-tss