feat: new kernel with rtmr3 support

.gitignore

@@ -1,4 +1,5 @@
 apploader/conf/local.yml
 cvmassistants/quote-generator/target
+guest-kernel/tdx/linux
 
 .vscode

cvmassistants/firewall/setfirewall.sh

@@ -9,7 +9,8 @@
 # Requirements:
 #   - Must be run as root
 #   - Must run on Ubuntu
-#   - iptables and UFW must be installed
+#   - UFW must be installed
+#   - Uses nftables backend (modern approach)
 #
 ###############################################################################
 
@@ -33,13 +34,13 @@ if ! grep -q "ID=ubuntu" /etc/os-release; then
     log_fatal "This script supports only Ubuntu. Aborting."
 fi
 
-# Load ip_tables module
-log_info "Loading ip_tables module..."
-modprobe ip_tables 2>/dev/null
+# Load nftables modules (if not built-in)
+log_info "Loading nftables modules..."
+modprobe nf_tables 2>/dev/null
 if [ $? -ne 0 ]; then
-    log_warn "Could not load ip_tables (module missing or already loaded)."
+    log_warn "Could not load nf_tables (module missing or already loaded)."
 else
-    log_info "ip_tables loaded successfully."
+    log_info "nf_tables loaded successfully."
 fi
 
 # Enable UFW

guest-kernel/ReadMe.md

@@ -0,0 +1,34 @@
+# Guest Kernel
+
+This folder contains the build scripts and configuration for building a TDX-enabled guest kernel.
+
+## Building the Kernel
+
+To build the kernel, execute the build script from the `guest-kernel` directory:
+
+```bash
+cd tdx
+./build.sh
+```
+
+The script will:
+1. Clone the Ubuntu HWE 6.17 kernel source (with RTMR extend built-in)
+2. Apply the TDX configuration
+3. Enable required kernel options (TDX guest, VSOCK, netfilter, dm-crypt, etc.)
+4. Compile the kernel
+
+## Kernel Image Location
+
+After a successful build, the kernel image can be found at:
+
+```
+linux/arch/x86/boot/bzImage
+```
+
+## Make the kernel image exploitable by Conker
+
+```
+cp linux/arch/x86/boot/bzImage /opt/cvm/kernel
+cd /opt/cvm/kernel
+mv bzImage bzImage-hwe-6.17-next
+```

guest-kernel/tdx/build.sh

@@ -1,22 +1,53 @@
 set -e
-git clone -b master --single-branch --depth 1 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble linux
+
+# Clone Ubuntu HWE 6.17 (has RTMR extend built-in)
+git clone -b hwe-6.17-next --single-branch --depth 1 \
+    https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble linux
+
 cd linux
-cp ../config .config
+cp ../tdx/config .config
 
 apt install -y libelf-dev zstd flex bison libssl-dev bc
 
-# virt coco，for enable tdx and sev
+# virt coco，for enable tdx 
+./scripts/config --enable CONFIG_VIRT_DRIVERS # important to enable: parent menu that gates all confidential computing drivers
 ./scripts/config --enable CONFIG_EFI_SECRET
 ./scripts/config --enable CONFIG_INTEL_TDX_GUEST
-./scripts/config --enable CONFIG_SEV_GUEST
 ./scripts/config --enable CONFIG_TDX_GUEST_DRIVER
 #enable dmcrypt for encrypt disk
 ./scripts/config --enable CONFIG_DM_CRYPT
-
 #enable ramfs and initrd for all in ram
 ./scripts/config --enable CONFIG_BLK_DEV_INITRD
 ./scripts/config --enable CONFIG_BLK_DEV_RAM
+# VSOCK modules
+./scripts/config --enable CONFIG_VSOCKETS        # required for communication with QGS (quote generation)
+./scripts/config --enable CONFIG_VIRTIO_VSOCKETS  
+./scripts/config --enable CONFIG_VIRTIO_VSOCKETS_COMMON
+./scripts/config --enable CONFIG_VSOCKETS_LOOPBACK
+# Netfilter / nftables (IPv4 only, for ufw with iptables-nft backend)
+./scripts/config --enable CONFIG_NETFILTER
+./scripts/config --enable CONFIG_NETFILTER_ADVANCED
+./scripts/config --enable CONFIG_NETFILTER_XTABLES
+./scripts/config --enable CONFIG_NF_CONNTRACK
+./scripts/config --enable CONFIG_NF_TABLES
+./scripts/config --enable CONFIG_NFT_COMPAT
+./scripts/config --enable CONFIG_NFT_CT
+./scripts/config --enable CONFIG_NFT_LOG
+./scripts/config --enable CONFIG_NFT_LIMIT
+./scripts/config --enable CONFIG_NFT_NAT
+./scripts/config --enable CONFIG_NFT_MASQ
+./scripts/config --enable CONFIG_NFT_REDIR
+./scripts/config --enable CONFIG_NFT_REJECT
+./scripts/config --enable CONFIG_NFT_FIB
+# IPv4 nftables
+./scripts/config --enable CONFIG_NF_TABLES_IPV4
+./scripts/config --enable CONFIG_NFT_REJECT_IPV4
+./scripts/config --enable CONFIG_NFT_FIB_IPV4
+./scripts/config --enable CONFIG_NFT_DUP_IPV4
+./scripts/config --enable CONFIG_NF_NAT
+./scripts/config --enable CONFIG_IP_NF_IPTABLES
+./scripts/config --enable CONFIG_IP_NF_TARGET_REJECT
+./scripts/config --enable CONFIG_IP_NF_TARGET_MASQUERADE
 
 yes "" | make olddefconfig
-make -j$(nproc) bzImage 
-
+make -j$(nproc) bzImage