feat: add TDX kernel flag and enable intel-dcap for baremetal

butler54 · claude · butler54 · commit 708c94c3cab8 · 2026-03-10T19:02:16.000+09:00
Add tdx.enabled flag (default true) to baremetal chart to conditionally
set kvm_intel.tdx=1 kernel argument. Without this, the kvm_intel module
does not activate TDX and NFD cannot detect it.

Enable intel-dcap application in values-baremetal.yaml for PCCS/QGS
attestation services.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/charts/all/baremetal/templates/vsock-mco.yaml b/charts/all/baremetal/templates/vsock-mco.yaml
@@ -9,6 +9,9 @@ metadata:
 spec:
   kernelArguments:
   - nohibernate
+{{- if $.Values.tdx.enabled }}
+  - kvm_intel.tdx=1
+{{- end }}
   config:
     ignition:
       version: 3.2.0
diff --git a/charts/all/baremetal/values.yaml b/charts/all/baremetal/values.yaml
@@ -1 +1,2 @@
-# No configurable values — platform resources use fixed configurations.
+tdx:
+  enabled: true
diff --git a/values-baremetal.yaml b/values-baremetal.yaml
@@ -19,6 +19,7 @@ clusterGroup:
   - openshift-storage
   - openshift-nfd
   - baremetal
+  - intel-dcap
 
   subscriptions:
     acm:
@@ -146,6 +147,17 @@ clusterGroup:
           value: "false"
 
 
+    intel-dcap:
+      name: intel-dcap
+      namespace: intel-dcap
+      project: hub
+      path: charts/all/intel-dcap
+      overrides:
+        - name: secretStore.name
+          value: vault-backend
+        - name: secretStore.kind
+          value: ClusterSecretStore
+
     sandbox-policies:
       name: sandbox-policies
       namespace: openshift-sandboxed-containers-operator

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`		`-# No configurable values — platform resources use fixed configurations.`
	`1`	`+tdx:`
	`2`	`+ enabled: true`