
GCP: Mark images as TDX_CAPABLE #4006

Merged: 1 commit, Jan 30, 2025

Conversation

@bgartzi (Contributor) commented Jan 22, 2025

I manually marked rhcos-419-96-202501191959-0-gcp-x86-64 on GCP as TDX_CAPABLE, and booted a TDX confidential VM instance. Serial port sample:

[    0.000000] tdx: Guest detected
...
[    1.444597] process: using TDX aware idle routine
...
[    1.524482] Memory Encryption Features active: Intel TDX
...
[    3.661927] systemd[1]: Detected virtualization kvm.
[    3.661938] systemd[1]: Detected confidential virtualization tdx.
[    3.661942] systemd[1]: Detected architecture x86-64.
[    3.661945] systemd[1]: Running in initrd.
...

Previous work: #3547
Previous work: #3871
Fixes: coreos/fedora-coreos-tracker#1814
Fixes: https://issues.redhat.com/browse/COS-3111

openshift-ci bot commented Jan 22, 2025

Hi @bgartzi. Thanks for your PR.

I'm waiting for a coreos member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@travier (Member) left a review comment

Can you also add tdx to the list of options in mantle/cmd/kola/options.go? Thanks

@travier (Member) commented Jan 22, 2025

/ok-to-test

@bgartzi (Contributor, Author) commented Jan 22, 2025

Can you also add tdx to the list of options in mantle/cmd/kola/options.go? Thanks

My bad

openshift-ci bot commented Jan 22, 2025

@bgartzi: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name     | Commit  | Details | Required | Rerun command
ci/prow/rhcos | 5f659ed | link    | true     | /test rhcos

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jlebon (Member) commented Jan 22, 2025

Prow job should be fixed soon but doesn't need to block this.

@jlebon (Member) commented Jan 22, 2025

For completeness, can you repeat your test for FCOS too?

@bgartzi (Contributor, Author) commented Jan 22, 2025

/test ?

openshift-ci bot commented Jan 22, 2025

@bgartzi: The following commands are available to trigger required jobs:

/test images
/test rhcos

Use /test all to run all jobs.

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@bgartzi (Contributor, Author) commented Jan 22, 2025

/test images

bgartzi added a commit to bgartzi/osbuild-composer that referenced this pull request Jan 22, 2025
@bgartzi (Contributor, Author) commented Jan 24, 2025

@jlebon I repeated the test for fcos too based on fedora-coreos-stable:

gcloud compute images create fcos-41-tdx \
    --source-image=fedora-coreos-41-20250105-3-0-gcp-x86-64 \
    --source-image-project=fedora-coreos-cloud \
    --guest-os-features="TDX_CAPABLE"

Then,

gcloud compute instances create bgartzia-fcos41-tdx \
    --confidential-compute-type=TDX \
    --machine-type=c3-standard-4 \
    --maintenance-policy="TERMINATE" \
    --zone=us-central1-a \
    --image=fcos-41-tdx \
    --image-project=<project-id> \
    --project=<project-id>

Serial console samples:

[    0.000000] tdx: Guest detected
...
[    1.540492] process: using TDX aware idle routine
...
[    1.629496] Memory Encryption Features active: Intel TDX
...
[    4.145134] systemd[1]: Detected confidential virtualization tdx.
...
bgartzia-fcos41-tdx login: 

Now I'm trying to figure out how I could double-confirm this, as I haven't found any public announcement on whether this is supported or not from the fedora-as-a-guest perspective.
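The serial-console checks in the opening description and in the FCOS repeat above, turned into a small script. This is an added example, not code from the PR or from coreos-assembler/mantle: it treats the three kernel and systemd lines quoted in the thread as the markers of a TDX guest, and reports whether all of them appear in a captured log. The sample logs in the block are constructed from the quoted lines, with one plain-KVM boot for contrast.

```shell
#!/bin/sh
# Added example (not from the PR): decide from a captured serial-console log
# whether a GCP guest really booted as an Intel TDX confidential VM.
# The markers are the kernel and systemd lines quoted in the PR thread.

# count_tdx_markers LOGTEXT -> prints how many of the three markers appear
count_tdx_markers() {
    _log=$1
    _n=0
    printf '%s\n' "$_log" | grep -qF 'tdx: Guest detected' && _n=$((_n + 1))
    printf '%s\n' "$_log" | grep -qF 'Memory Encryption Features active: Intel TDX' && _n=$((_n + 1))
    printf '%s\n' "$_log" | grep -qF 'systemd[1]: Detected confidential virtualization tdx' && _n=$((_n + 1))
    echo "$_n"
}

# is_tdx_guest LOGTEXT -> exit 0 only when every marker is present. A partial
# match (kernel says TDX but systemd never does) is treated as a failure, so a
# capture cut off before systemd starts is not mistaken for a confirmed boot.
is_tdx_guest() {
    [ "$(count_tdx_markers "$1")" -eq 3 ]
}

# Constructed sample logs, built from the lines quoted in the thread.
TDX_LOG='[    0.000000] tdx: Guest detected
[    1.540492] process: using TDX aware idle routine
[    1.629496] Memory Encryption Features active: Intel TDX
[    4.145134] systemd[1]: Detected confidential virtualization tdx.
bgartzia-fcos41-tdx login: '

PLAIN_LOG='[    3.661927] systemd[1]: Detected virtualization kvm.
[    3.661942] systemd[1]: Detected architecture x86-64.
localhost login: '

# Usage with a real capture (NAME and ZONE are placeholders):
#   gcloud compute instances get-serial-port-output NAME --zone ZONE > serial.log
#   is_tdx_guest "$(cat serial.log)" && echo "TDX confirmed"
# Here the constructed samples are checked instead.
if is_tdx_guest "$TDX_LOG"; then
    echo "TDX sample: confidential guest confirmed"
fi
if ! is_tdx_guest "$PLAIN_LOG"; then
    echo "plain sample: not a TDX guest"
fi
```

On a running guest the same question can be asked directly with systemd-detect-virt --cvm, which prints tdx for a boot like the one above; the script covers the situation in the thread, where only the serial console output is at hand and the verdict has to come from the log itself.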

@bgartzi (Contributor, Author) commented Jan 24, 2025

/hold

@dustymabe (Member) left a review comment

Seems OK to me. Definitely want to add a test to confirm this continues to work over time in the pipeline.

@jlebon (Member) left a review comment

Seems good to me too. Thanks for testing!

Agree with Dusty on adding tests. This PR is marked as closing coreos/fedora-coreos-tracker#1814, but that tracker issue also has tests scoped in. To not waste CI, let's leave the reference, but I'll reopen the issue manually.

@jlebon jlebon merged commit 8171b63 into coreos:main Jan 30, 2025
4 of 5 checks passed
bgartzi added a commit to bgartzi/osbuild-composer that referenced this pull request Jan 31, 2025
bgartzi added a commit to bgartzi/osbuild-composer that referenced this pull request Feb 3, 2025
bgartzi added a commit to bgartzi/osbuild-composer that referenced this pull request Feb 13, 2025
thozza pushed a commit to bgartzi/osbuild-composer that referenced this pull request Feb 14, 2025
thozza pushed a commit to bgartzi/osbuild-composer that referenced this pull request Feb 24, 2025
thozza pushed a commit to bgartzi/osbuild-composer that referenced this pull request Feb 26, 2025
thozza pushed a commit to osbuild/osbuild-composer that referenced this pull request Feb 27, 2025
Successfully merging this pull request may close these issues.

Support Intel TDX instances on GCP