This guide outlines the steps to generate a wasmtime.qcow2 image that includes the app-loader binary and is verified using dm-verity.
Before you begin, make sure you have:

- A built `/guest-tools/image/app-loader` binary
- The corresponding `app-loader.service` file
- The `create-wasmtime-td.sh` script
- Access to `sudo` privileges (the script will prompt for your password when needed)
Run the script as a normal user:

```sh
./create-wasmtime-td.sh
```

The script creates the following files:
| File | Description |
|---|---|
| `ubuntu-24.04-server-cloudimg-amd64.img` | Original Ubuntu cloud image |
| `tdx-guest-ubuntu-24.04-generic.qcow2` | Modified Ubuntu image (created by `create-td-image.sh`) |
| `wasmtime.qcow2` | Final image, includes `app-loader` and `app-loader.service` |
| `verity_hash_device` | Merkle tree (dm-verity hash device) for the wasmtime image |
| `verity_info.txt` | Contains the root_hash and salt used in dm-verity verification |
| `uki-efi-24.04` | UKI image bundling kernel, initrd, and kernel cmdline for dm-verity boot |
- The generated artifacts enable booting a confidential virtual machine (CVM) that uses dm-verity to verify the integrity of its root filesystem.
- On boot, the VM automatically starts the `app-loader` service.
- This service receives WebAssembly binaries over the network.
- It executes them inside a custom Wasmtime runtime with partial attestation support.
- Ensure both `app-loader` (binary) and `app-loader.service` (systemd unit) are present before running the script.
- The resulting `uki-efi-24.04` image bundles the kernel, initrd, and command-line parameters required to boot securely on TDX-compatible platforms.
- Check `/tests/README.md` for the end-to-end execution flow.
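A post-build consistency check, added here as an example and not part of the project's scripts: it confirms that the root hash recorded in `verity_info.txt` is the same one embedded in the UKI's kernel command line, since a mismatch means the hash device and the boot-time `roothash=` no longer describe the same root filesystem. It assumes `verity_info.txt` uses veritysetup's `Root hash:` / `Salt:` line format and that the cmdline carries the hash as `roothash=<hex>` (the systemd-veritysetup convention); neither format is stated on this page.

```sh
#!/bin/sh
# Added example (not part of the project's own scripts): cross-check that the
# root hash recorded in verity_info.txt is the one baked into the UKI's kernel
# command line, so the hash device and the boot cmdline cannot silently drift.
# Assumptions: verity_info.txt uses veritysetup's "Root hash:" / "Salt:" lines,
# and the cmdline carries the hash as roothash=<hex> (systemd-veritysetup style).
set -eu

# Extract a hex field ("Root hash" or "Salt") from a veritysetup-style info file.
verity_field() {
    # $1 = info file, $2 = field label
    sed -n "s/^$2:[[:space:]]*\([0-9a-fA-F]*\).*/\1/p" "$1" | head -n 1 | tr 'A-F' 'a-f'
}

# Pull the roothash= value out of a kernel command line string.
cmdline_roothash() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^roothash=\([0-9a-fA-F]*\)$/\1/p' | head -n 1 | tr 'A-F' 'a-f'
}

# Dump the .cmdline PE section of a UKI to stdout (needs binutils' objcopy).
uki_cmdline() {
    tmp=$(mktemp)
    objcopy -O binary --only-section=.cmdline "$1" "$tmp"
    tr -d '\0' < "$tmp"
    rm -f "$tmp"
}

# Return 0 when the info file's root hash is a full SHA-256 hex string and
# matches the cmdline's roothash= value, 1 otherwise.
check_roothash() {
    # $1 = verity_info.txt path, $2 = kernel command line string
    info_hash=$(verity_field "$1" "Root hash")
    cmd_hash=$(cmdline_roothash "$2")
    [ ${#info_hash} -eq 64 ] || return 1
    [ "$info_hash" = "$cmd_hash" ]
}

# Convenience wrapper: verify_uki_matches_info verity_info.txt uki-efi-24.04
verify_uki_matches_info() {
    check_roothash "$1" "$(uki_cmdline "$2")"
}
```

Run `verify_uki_matches_info verity_info.txt uki-efi-24.04` in the output directory; a non-zero exit means the UKI would boot against a root hash that does not match the generated hash device.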