New: add Intel TDX (Trust Domain eXtension) tests

[hector-cao]

Description

Since Ubuntu Questing 25.10, we have the support out of the box for Intel Confidential Computing solution
(Intel TDX - Trust Domain eXtension)

This PR adds tests for Intel TDX in Questing 25.10

Resolved issues

N/A

Documentation

https://github.com/canonical/tdx/tree/ubuntu-25.10

Tests

To be able to run these tests, you would need a hardware that supports Intel TDX

I run these tests and all the test pass with following output:

=========================[ Running Selected Test Plan ]=========================
==============[ Running job 1 / 5. Estimated time left: 0:00:09 ]===============
-----------------------------[ Hardware Manifest ]------------------------------
ID: com.canonical.plainbox::manifest
Category: com.canonical.plainbox::info
... 8< -------------------------------------------------------------------------
$PROVIDERPATH is defined, so following provider sources are ignored ['/usr/local/share/plainbox-providers-1', '/usr/share/plainbox-providers-1', '/root/.local/share/plainbox-providers-1', '/var/tmp/checkbox-providers-develop']
ns: com.canonical.certification
name: checkbox-provider-base
has_audio_playback: False
has_audio_capture: False
has_audio_loopback_connector: False
has_line_out: False
has_line_in: False
has_headset: False
has_internal_speakers: False
has_internal_microphone: False
has_bt_adapter: False
has_bt_smart: False
has_bt_obex_support: False
has_rpi_camera: False
has_camera: False
has_led_camera: False
has_md_raid: False
has_fde: False
has_dock_ethernet_adapter: False
has_dock_headset: False
has_dock_thunderbolt3: False
has_dock_usbc_data: False
has_dock_usbc_video: False
has_eeprom: False
has_ethernet_adapter: False
has_ethernet_wake_on_lan_support: False
_ignore_disconnected_ethernet_interfaces: False
has_fingerprint_reader: False
gpio_loopback: False
has_hdmi: False
has_dp: False
has_vga: False
has_dvi: False
has_i2c: False
_dangerous_grade_core_image: False
has_intel_tdx: True
has_ishtp: False
has_eclite: False
has_key_battery_info: False
has_key_brightness: False
has_key_fn_lock: False
has_key_hibernate: False
has_key_keyboard_backlight: False
has_key_keyboard_overhead_light: False
has_key_lock_screen: False
has_key_media_control: False
has_key_microphone_mute: False
has_key_audio_mute: False
has_key_sleep: False
has_key_super: False
has_key_touchpad: False
has_key_video_out: False
has_key_volume: False
has_key_wireless: False
has_led_gpio_sysfs: False
has_led_power: False
has_led_suspend: False
has_led_caps_lock: False
has_led_touchpad: False
has_led_wireless: False
has_led_audio_mute: False
has_led_microphone_mute: False
has_led_serial: False
has_led_fn_lock: False
has_led_numeric_keypad: False
has_card_reader: False
has_mei: False
has_secure_boot: False
has_sriov: False
has_muxpi_hdmi: False
has_airplane_mode: False
has_dvd_bluray_inserted: False
has_amd_pmf: False
has_dc_mode: False
has_qep: False
need_kernel_snap_update_test: False
need_snapd_snap_update_test: False
need_gadget_snap_update_test: False
socket_can_echo_server_running: False
has_socket_can_fd: False
has_thunderbolt: False
has_thunderbolt3: False
has_touchpad: False
has_touchscreen: False
has_tpm_chip: False
has_usb_dwc3_controller: False
has_usbc_data: False
has_usbc_video: False
has_usb_storage: False
has_usbc_otg: False
has_va_api: False
has_hardware_watchdog: False
has_wlan_adapter: False
has_wwan_module: False
has_sim_card: False

ns: com.canonical.certification
name: checkbox-provider-resource

------------------------------------------------------------------------- >8 ---
Outcome: job passed
==============[ Running job 2 / 5. Estimated time left: 0:00:08 ]===============
-----------------------------[ Check Host support ]-----------------------------
ID: com.canonical.certification::intel-tdx-common/host_hardware
Category: com.canonical.certification::intel-tdx
... 8< -------------------------------------------------------------------------
------------------------------------------------------------------------- >8 ---
Outcome: job passed
==============[ Running job 3 / 5. Estimated time left: 0:00:06 ]===============
------------------------[ Check kernel support on Host ]------------------------
ID: com.canonical.certification::intel-tdx-common/host_kernel
Category: com.canonical.certification::intel-tdx
... 8< -------------------------------------------------------------------------
Y
Y
------------------------------------------------------------------------- >8 ---
Outcome: job passed
==============[ Running job 4 / 5. Estimated time left: 0:00:04 ]===============
---------------------------[ Check Host CPU support ]---------------------------
ID: com.canonical.certification::intel-tdx-common/host_cpu
Category: com.canonical.certification::intel-tdx
... 8< -------------------------------------------------------------------------
------------------------------------------------------------------------- >8 ---
Outcome: job passed
==============[ Running job 5 / 5. Estimated time left: 0:00:02 ]===============
--------------------------[ Boot an Intel TDX Guest ]---------------------------
ID: com.canonical.certification::intel-tdx-common/boot_guest
Category: com.canonical.certification::intel-tdx
... 8< -------------------------------------------------------------------------

QemuMachine created.
qemu-system-x86_64 -cpu host -smp 16,sockets=1 -accel kvm -nographic -nodefaults -no-user-config -m 2G -bios /usr/share/ovmf/OVMF.fd -chardev file,id=c1,path=/tmp/tdxtest-default-5g628fou/serial.log,signal=off -device isa-serial,chardev=c1 -object {'qom-type': 'tdx-guest', 'id': 'tdx'} -machine q35,kernel_irqchip=split,confidential-guest-support=tdx -drive file=/tmp/tdxtest-default-5g628fou/image.qcow2,if=none,id=virtio-disk0 -device virtio-blk-pci,drive=virtio-disk0 -pidfile /tmp/tdxtest-default-5g628fou/qemu.pid -monitor unix:/tmp/tdxtest-default-5g628fou/monitor.sock,server,nowait -qmp unix:/tmp/tdxtest-default-5g628fou/qmp.sock,server=on,wait=off -device virtio-net-pci,netdev=nic0_td -netdev user,id=nic0_td,hostfwd=tcp::45375-:22 -D /tmp/tdxtest-default-5g628fou/qemu-log.txt
Try to connect to qemu : /tmp/tdxtest-default-5g628fou/monitor.sock
Exception [Errno 2] No such file or directory
Try to connect to qemu : /tmp/tdxtest-default-5g628fou/monitor.sock
Connected : /tmp/tdxtest-default-5g628fou/monitor.sock, wait for prompt.
Exception timed out
Try to connect to qemu : /tmp/tdxtest-default-5g628fou/monitor.sock
Connected : /tmp/tdxtest-default-5g628fou/monitor.sock, wait for prompt.
Exception timed out
[QEMU>>] system_powerdown
Exception timed out
[QEMU<<] system_powerdown

[QEMU<<]
Exception Command '['qemu-system-x86_64', '-cpu', 'host', '-smp', '16,sockets=1', '-accel', 'kvm', '-nographic', '-nodefaults', '-no-user-config', '-m', '2G', '-bios', '/usr/share/ovmf/OVMF.fd', '-chardev', 'file,id=c1,path=/tmp/tdxtest-default-5g628fou/serial.log,signal=off', '-device', 'isa-serial,chardev=c1', '-object', "{'qom-type': 'tdx-guest', 'id': 'tdx'}", '-machine', 'q35,kernel_irqchip=split,confidential-guest-support=tdx', '-drive', 'file=/tmp/tdxtest-default-5g628fou/image.qcow2,if=none,id=virtio-disk0', '-device', 'virtio-blk-pci,drive=virtio-disk0', '-pidfile', '/tmp/tdxtest-default-5g628fou/qemu.pid', '-monitor', 'unix:/tmp/tdxtest-default-5g628fou/monitor.sock,server,nowait', '-qmp', 'unix:/tmp/tdxtest-default-5g628fou/qmp.sock,server=on,wait=off', '-device', 'virtio-net-pci,netdev=nic0_td', '-netdev', 'user,id=nic0_td,hostfwd=tcp::45375-:22', '-D', '/tmp/tdxtest-default-5g628fou/qemu-log.txt']' timed out after 60 seconds
Qemu process did not shutdown properly, terminate it ... (/tmp/tdxtest-default-5g628fou)
------------------------------------------------------------------------- >8 ---
Outcome: job passed
Finalizing session that hasn't been submitted anywhere: checkbox-run-2025-10-24T11.46.53
==================================[ Results ]===================================
☑ : Hardware Manifest
☑ : Check Host support
☑ : Check kernel support on Host
☑ : Check Host CPU support
☑ : Boot an Intel TDX Guest

[codecov]

Codecov Report

❌ Patch coverage is 0% with 430 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.02%. Comparing base (5f08d3c) to head (d6ae8cd).
⚠️ Report is 43 commits behind head on main.

Files with missing lines	Patch %	Lines
providers/base/bin/cc_tdx_test.py	0.00%	430 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2175      +/-   ##
==========================================
- Coverage   52.24%   52.02%   -0.22%     
==========================================
  Files         391      395       +4     
  Lines       41966    42683     +717     
  Branches     7774     7866      +92     
==========================================
+ Hits        21924    22206     +282     
- Misses      19266    19698     +432     
- Partials      776      779       +3     

Flag	Coverage Δ
provider-base	28.57% <0.00%> (+0.48%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[mreed8855]

Hi Hector,

I see a couple things that need fixing.

• A unit test will be needed for providers/base/bin/cc_tdx_test.py
• check the black formatting
• I listed some of the f-strings that will cause one of the checks to break but there are several more.
• Overall the code is well structured and easy to follow.
• Are any results submitted to C3? I am mostly curious here as we probably do not have any systems in C3 that are TDX capable.

[bladernr]

Please address the CI check failures, and you will likely need to rebase this on the latest checkbox source at this point.

[bladernr]

Any updates on this?

[mreed8855]

Hi Hector,

I see a couple things that need fixing.

A unit test will be needed for providers/base/bin/cc_tdx_test.py
check the black formatting
I listed some of the f-strings that will cause one of the checks to break but there are several more.
Overall the code is well structured and easy to follow.
Are any results submitted to C3? I am mostly curious here as we probably do not have any systems in C3 that are TDX capable.

[mreed8855]

enum.auto() was introduced in 3.6. I think you will need to set the values.

  QEMU_MACHINE_PORT_FWD = 1
  QEMU_MACHINE_MONITOR = 2
  QEMU_MACHINE_QMP = 3

[mreed8855]

I think f-strings were introduced in 3.6 you may need to change the line to fdobj = os.open('/dev/cpu/{}/msr'.format(cpu), os.O_RDONLY)

I don't see where the file descriptor fdobj was closed

Lastly, I would suggest a try/except handling around opening the file.

[mreed8855]

This check is failing due to the f-strings used. F-strings were introduced in 3.6 "Tox and push to codecov core components / Tox providers/base (3.5)"

[mreed8855]

This check is failing due to the f-strings used. F-strings were introduced in 3.6

[mreed8855]

This check is failing due to the f-strings used. F-strings were introduced in 3.6

[mreed8855]

This check is failing due to the f-strings used. F-strings were introduced in 3.6

[mreed8855]

This check is failing due to the f-strings used. F-strings were introduced in 3.6

[mreed8855]

This check is failing due to the f-strings used. F-strings were introduced in 3.6

[mreed8855]

This check is failing due to the f-strings used. F-strings were introduced in 3.6

[mreed8855]

This check is failing due to the f-strings used. F-strings were introduced in 3.6