From a5cf220c576852b1b32351aa04b3fca0119f59a2 Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Thu, 20 Feb 2025 12:12:57 +0100
Subject: [PATCH] feat(tdx_google): add support for attestation in container

- Mount `/sys/kernel/config` to enable attestation for TDX containers.
- Ensures compatibility with TDX guest measurements during runtime.
---
 packages/tdx_google/container.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/packages/tdx_google/container.nix b/packages/tdx_google/container.nix
index 07be8df..701e9f1 100644
--- a/packages/tdx_google/container.nix
+++ b/packages/tdx_google/container.nix
@@ -23,12 +23,14 @@
 echo "Measuring $DIGEST" >&2
 test -c /dev/tdx_guest && tdx-extend --digest "$DIGEST" --rtmr 3
+ # /sys/kernel/config is needed for attestation
 docker run -d --rm \
 --name tdx_container \
 --env "GOOGLE_METADATA=1" \
 --network=host \
 --init \
 --privileged \
+ -v /sys/kernel/config:/sys/kernel/config \
 "sha256:$DIGEST"
 exec docker wait tdx_container
 '';
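Review bot: The new `-v /sys/kernel/config:/sys/kernel/config` bind mount is unconditional, and with the `-v` syntax Docker happily binds whatever is at that host path — an empty directory if configfs is not mounted on the host — so a missing configfs mount surfaces only as an attestation failure inside the container rather than at this script; the line just above the `docker run` already guards the RTMR extension with `test -c /dev/tdx_guest`, and the same style of check fits here, e.g. `mountpoint -q /sys/kernel/config || mount -t configfs none /sys/kernel/config` before the `docker run`. The comment `# /sys/kernel/config is needed for attestation` would be more useful if it named what the container relies on — presumably the configfs TSM report nodes under `/sys/kernel/config/tsm/report`, which need a writable mount — but confirm that against the container image before writing it down. The mount is read-write and exposes every configfs subsystem, not only the attestation nodes; that adds little surface on top of the `--privileged` and `--network=host` flags on the preceding lines, but it is worth recording in the comment so the reason for the broad mount is not lost. The `docker run` invocation sits inside a Nix string whose opening is outside the hunk.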