gcloud: Enable TDX_CAPABLE

Previous work: #3547
Previous work: #3871
Fixes: coreos/fedora-coreos-tracker#1814
Fixes: https://issues.redhat.com/browse/COS-3111

Author: bgartzi

mantle/cmd/kola/options.go

@@ -125,7 +125,7 @@ func init() {
 	sv(&kola.GCPOptions.ServiceAcct, "gcp-service-account", "", "GCP service account to attach to instance (default project default)")
 	bv(&kola.GCPOptions.ServiceAuth, "gcp-service-auth", false, "for non-interactive auth when running within GCP")
 	sv(&kola.GCPOptions.JSONKeyFile, "gcp-json-key", "", "use a service account's JSON key for authentication (default \"~/"+auth.GCPConfigPath+"\")")
-	sv(&kola.GCPOptions.ConfidentialType, "gcp-confidential-type", "", "create confidential instances: sev, sev_snp")
+	sv(&kola.GCPOptions.ConfidentialType, "gcp-confidential-type", "", "create confidential instances: sev, sev_snp, tdx")
 
 	// openstack-specific options
 	sv(&kola.OpenStackOptions.ConfigPath, "openstack-config-file", "", "Path to a clouds.yaml formatted OpenStack config file. The underlying library defaults to ./clouds.yaml")
@@ -250,7 +250,11 @@ func syncOptionsImpl(useCosa bool) error {
 			if kola.GCPOptions.ConfidentialType != "" {
 				// https://cloud.google.com/compute/confidential-vm/docs/locations
 				fmt.Printf("Setting instance type for confidential computing\n")
-				kola.GCPOptions.MachineType = "n2d-standard-2"
+				if kola.GCPOptions.ConfidentialType == "tdx" {
+					kola.GCPOptions.MachineType = "c3-standard-4"
+				} else {
+					kola.GCPOptions.MachineType = "n2d-standard-2"
+				}
 			} else {
 				kola.GCPOptions.MachineType = "n1-standard-1"
 			}

mantle/platform/api/gcloud/compute.go

@@ -150,7 +150,7 @@ func (a *API) mkinstance(userdata, name string, keys []*agent.Key, opts platform
 	if a.options.ConfidentialType != "" {
 		ConfidentialType := strings.ToUpper(a.options.ConfidentialType)
 		ConfidentialType = strings.Replace(ConfidentialType, "-", "_", -1)
-		if ConfidentialType == "SEV" || ConfidentialType == "SEV_SNP" {
+		if ConfidentialType == "SEV" || ConfidentialType == "SEV_SNP" || ConfidentialType == "TDX" {
 			fmt.Printf("Using confidential type for confidential computing %s\n", ConfidentialType)
 			instance.ConfidentialInstanceConfig = &compute.ConfidentialInstanceConfig{
 				ConfidentialInstanceType: ConfidentialType,
@@ -159,7 +159,7 @@ func (a *API) mkinstance(userdata, name string, keys []*agent.Key, opts platform
 				OnHostMaintenance: "TERMINATE",
 			}
 		} else {
-			return nil, fmt.Errorf("Does not support confidential type %s, should be: sev, sev_snp\n", a.options.ConfidentialType)
+			return nil, fmt.Errorf("Does not support confidential type %s, should be: sev, sev_snp, tdx\n", a.options.ConfidentialType)
 		}
 	}
 	// metal instances can only have a TERMINATE maintenance policy

mantle/platform/api/gcloud/image.go

@@ -111,6 +111,10 @@ func (a *API) CreateImage(spec *ImageSpec, overwrite bool) (*compute.Operation,
 		{
 			Type: "IDPF",
 		},
+		// https://cloud.google.com/blog/products/identity-security/confidential-vms-on-intel-cpus-your-datas-new-intelligent-defense
+		{
+			Type: "TDX_CAPABLE",
+		},
 	}
 
 	if spec.Architecture == "" {