The only TEE currently supported is AMD SEV. I've been working on adding AMD SEV-ES support [1][2] and was planning to support AMD SEV-SNP on top of SEV-ES support, but the proposed patches for AMD SEV-ES support have been stuck due to limited review bandwidth in nova.

[1] https://blueprints.launchpad.net/nova/+spec/amd-sev-es-libvirt-support
[2] https://review.opendev.org/q/topic:bp/amd-sev-es-libvirt-support

I've not yet looked into TDX in detail because it was not really upstreamed at the time when I was working on SEV-ES support, but as far as I know TDX is based on similar concepts to SEV. So I think the good approach is to land SEV-ES support first and then start working on adding SEV-SNP support as well as Intel TDX support based on the base mechanism added as part of SEV-ES support.

Honestly speaking, I've been struggling to gather attention for the work, but if there is anyone also interested in this area who is willing to help, that would be really helpful to move this work forward.

There was a discussion in a past nova PTG about adding support for Intel SGX, but unfortunately I've seen no progress on it. However, I think we can leave it for now, assuming you are more interested in VM-based TEE rather than application-based TEE.

On 2/25/25 12:55 PM, Ildiko Vancsa wrote:
Hi,
I'm reaching out about a topic that came up in the Kata Containers / Confidential Containers communities related to a feature in Kata that is called remote hypervisor and also referred to as peer pods.
Kata provides an API that allows users to implement a function to run Kata Containers pods in a remote location, which can include a different host machine or cloud environment. The Cloud API Adaptor in the Confidential Containers project is an implementation of the Kata remote hypervisor interface: https://github.com/confidential-containers/cloud-api-adaptor
It recently came up to add support for OpenStack to be a cloud option to run Kata remote VMs in. In order to implement that, OpenStack would need to support the creation of Confidential VMs (CVM) along with things like TDX. I looked around and found a 3rd-party implementation to add TDX support to Nova, but the repo has been archived: https://github.com/intel/secured-cloud-management-stack/blob/main/scm3.0/nov...
Does anyone know if CVM support along with support for Intel TDX or related technologies has been added to OpenStack already? Or if there's anyone in the community planning to add these in the future?
Thanks and Best Regards, Ildikó
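The reply above distinguishes plain AMD SEV (what nova supports today) from SEV-ES and SEV-SNP. On a libvirt host the difference is visible in the guest's domain XML: nova's SEV support emits a `<launchSecurity type='sev'>` element, SEV-ES is the same element with bit 2 of the SEV guest policy set (ES required), and SEV-SNP uses `<launchSecurity type='sev-snp'>` in newer libvirt. The following script is an added example, not code from this thread, from nova or from libvirt; it inspects a domain XML document (constructed samples are embedded inline), reports which confidential-VM mode the guest actually got, and flags policy settings that weaken the guarantees (debugging allowed, key sharing allowed). The SEV and SEV-SNP policy bit positions are taken from AMD's firmware ABI documentation; the element names follow libvirt's domain XML format.

```python
"""Classify a libvirt guest's confidential-VM mode from its <launchSecurity> element.

Added example (not from the mailing-list thread, nova or libvirt). It reads the
domain XML that `virsh dumpxml <domain>` would print and reports whether the
guest runs as plain SEV, SEV-ES or SEV-SNP, plus policy weaknesses worth noting.
"""
import xml.etree.ElementTree as ET

# AMD SEV guest policy bits (libvirt passes the value through in <policy>).
SEV_POLICY_NODBG = 0x01   # bit 0: debugging of the guest is disallowed
SEV_POLICY_NOKS = 0x02    # bit 1: key sharing with other guests is disallowed
SEV_POLICY_ES = 0x04      # bit 2: SEV-ES (encrypted register state) is required
SEV_POLICY_NOSEND = 0x08  # bit 3: guest may not be sent to another platform

# AMD SEV-SNP guest policy bits (64-bit value in <launchSecurity type='sev-snp'>).
SNP_POLICY_SMT = 1 << 16       # SMT is allowed on the host
SNP_POLICY_RESERVED = 1 << 17  # must always be set or firmware rejects the launch
SNP_POLICY_DEBUG = 1 << 19     # debugging of the guest is allowed


def classify_launch_security(domain_xml: str) -> dict:
    """Return the confidential-VM mode, policy and warnings for one domain XML document."""
    root = ET.fromstring(domain_xml)
    ls = root.find("launchSecurity")
    if ls is None:
        return {"mode": "none", "memory_encrypted": False, "policy": None,
                "debug_allowed": True,
                "warnings": ["no <launchSecurity> element: guest memory is not encrypted"]}

    ls_type = ls.get("type")
    policy_text = ls.findtext("policy")
    policy = int(policy_text, 0) if policy_text else 0  # libvirt writes hex, e.g. 0x0033
    warnings = []

    if ls_type == "sev":
        mode = "sev-es" if policy & SEV_POLICY_ES else "sev"
        debug_allowed = not (policy & SEV_POLICY_NODBG)
        if debug_allowed:
            warnings.append("SEV policy allows debugging (NODBG bit clear)")
        if not policy & SEV_POLICY_NOKS:
            warnings.append("SEV policy allows key sharing between guests (NOKS bit clear)")
    elif ls_type == "sev-snp":
        mode = "sev-snp"
        debug_allowed = bool(policy & SNP_POLICY_DEBUG)
        if debug_allowed:
            warnings.append("SEV-SNP policy allows debugging (DEBUG bit set)")
        if not policy & SNP_POLICY_RESERVED:
            warnings.append("SEV-SNP policy lacks mandatory reserved bit 17")
    else:
        # Some other launchSecurity type (e.g. s390-pv); not classified here.
        return {"mode": f"unknown:{ls_type}", "memory_encrypted": None, "policy": policy,
                "debug_allowed": None, "warnings": [f"unhandled launchSecurity type {ls_type!r}"]}

    return {"mode": mode, "memory_encrypted": True, "policy": policy,
            "debug_allowed": debug_allowed, "warnings": warnings}


# Constructed sample domain XML fragments (only the parts this check looks at).
def _domain(launch_security: str) -> str:
    return f"<domain type='kvm'><name>guest</name>{launch_security}</domain>"

SAMPLE_PLAIN = _domain("")
SAMPLE_SEV = _domain("<launchSecurity type='sev'><cbitpos>47</cbitpos>"
                     "<reducedPhysBits>1</reducedPhysBits><policy>0x0033</policy></launchSecurity>")
SAMPLE_SEV_ES = _domain("<launchSecurity type='sev'><cbitpos>47</cbitpos>"
                        "<reducedPhysBits>1</reducedPhysBits><policy>0x0037</policy></launchSecurity>")
SAMPLE_SEV_WEAK = _domain("<launchSecurity type='sev'><cbitpos>47</cbitpos>"
                          "<reducedPhysBits>1</reducedPhysBits><policy>0x0000</policy></launchSecurity>")
SAMPLE_SNP = _domain("<launchSecurity type='sev-snp'><cbitpos>51</cbitpos>"
                     "<reducedPhysBits>1</reducedPhysBits><policy>0x30000</policy></launchSecurity>")


def classify_all(samples: dict) -> dict:
    """Classify several domains at once; handy for a fleet-wide inventory of CVM modes."""
    return {name: classify_launch_security(xml) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, info in classify_all({"plain": SAMPLE_PLAIN, "sev": SAMPLE_SEV, "sev-es": SAMPLE_SEV_ES,
                                    "sev-weak": SAMPLE_SEV_WEAK, "snp": SAMPLE_SNP}).items():
        print(f"{name:9} mode={info['mode']:8} debug_allowed={info['debug_allowed']} "
              f"warnings={info['warnings']}")
```

On a real host, feed the output of `virsh dumpxml <domain>` to `classify_launch_security`; a guest that a flavor claims is confidential but shows `mode: none` is the case worth alerting on. The policy bit values are constants from AMD's documentation, so the check does not depend on any nova-specific defaults.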