AMD Takes SEV-SNP Hypervisor To v10, Intel TDX Host Support Up To 14 Revisions
Both AMD and Intel engineers have been on a lengthy journey getting their latest virtualization security features into the mainline Linux kernel, and that journey is still ongoing.
Yesterday AMD engineers sent out the v10 revision of their patch series, now 50 patches, for bringing AMD Secure Encrypted Virtualization Secure Nested Paging (SEV-SNP) hypervisor support into the mainline kernel. AMD has been working on the various pieces of SEV-SNP support for a while, with the functionality found in their server processors going back to the EPYC 7003 series. They have been maintaining an out-of-tree kernel build carrying their various SEV-related patches, and the SEV-SNP hypervisor (KVM host-side) support is one of the last big portions still left to upstream.
This SEV-SNP hypervisor support also depends upon the KVM guest_memfd (gmem) patches, which have yet to be mainlined. The v10 series has still seen quite a bit of code churn, and it is not clear yet whether further iterations will be needed, but given the timing it is looking increasingly unlikely that it will land for the upcoming Linux 6.7 merge window.
SEV-SNP builds on SEV and SEV-ES for AMD Zen 3 and newer processors: beyond encrypting guest memory and register state, it adds memory integrity protection against a malicious or compromised hypervisor (data replay, corruption and page remapping) along with hardware-signed attestation reports, for better securing virtualized environments.
Meanwhile, this morning Intel sent out the v14 patches for their Trust Domain Extensions (TDX) host kernel support. New with the v14 host patches is handling for S3 and hibernation, since TDX state does not survive S3 and deeper power states and is completely reset by them. The v14 series also carries some other small changes.
Intel TDX is about providing hardware-backed isolation and integrity for confidential computing inside VMs. Intel TDX was introduced with Sapphire Rapids but so far has only been enabled in select cloud deployments. Intel continues actively pushing a lot of Linux TDX patches, so hopefully by the time Trust Domain Extensions support is more widespread all of the necessary kernel bits will be upstreamed.
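Because both feature sets are staged across processor generations and kernel releases, the first thing a practitioner wants to know is what a given host actually advertises. The following is an added example, not code from this article or from AMD's or Intel's patch series: it parses the flags line of /proc/cpuinfo for the kernel's x86 feature names ("sev", "sev_es", "sev_snp" for AMD; "tdx_host_platform" for Intel, which only appears on kernels that carry the TDX host support) and then checks the KVM module parameters that enable SNP and TDX guests. The sysfs paths are assumptions about kernels that include the respective hypervisor support; on older kernels they are absent, and the script reports that as unknown rather than off. The cpuinfo sample embedded below is constructed, not a real capture.

```python
"""Report what confidential-VM hardware a Linux host advertises.

Added example (not from the article or the vendor patch series). Flag names
follow the kernel's x86 cpufeatures list; the sysfs parameter paths are an
assumption about kernels that already carry SNP/TDX hypervisor support.
"""
import os
import re

# Constructed /proc/cpuinfo excerpt for an EPYC 7003-class host (not a real capture).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
model name\t: AMD EPYC 7313 16-Core Processor
flags\t\t: fpu vme de pse sev sev_es sev_snp sme
processor\t: 1
vendor_id\t: AuthenticAMD
model name\t: AMD EPYC 7313 16-Core Processor
flags\t\t: fpu vme de pse sev sev_es sev_snp sme
"""

# KVM module parameters that gate SNP / TDX guest creation (assumed paths).
SYSFS_PARAMS = {
    "sev_snp": "/sys/module/kvm_amd/parameters/sev_snp",
    "tdx": "/sys/module/kvm_intel/parameters/tdx",
}


def parse_cpuinfo_flags(text):
    """Return the set of CPU flags from the first 'flags' line of cpuinfo text."""
    m = re.search(r"^flags\s*:\s*(.*)$", text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def read_param(path, reader=None):
    """Read a module parameter; None when the parameter does not exist (older kernel)."""
    if reader is None:
        def reader(p):
            if not os.path.exists(p):
                return None
            with open(p) as fh:
                return fh.read()
    value = reader(path)
    return None if value is None else value.strip()


def cc_capabilities(flags, reader=None):
    """Summarise host confidential-computing support from CPU flags plus sysfs.

    amd_sev_level is the highest SEV tier advertised (sev < sev_es < sev_snp).
    The *_enabled fields are True/False from the module parameter, or None
    when the kernel does not expose it at all.
    """
    if "sev_snp" in flags:
        amd = "sev_snp"
    elif "sev_es" in flags:
        amd = "sev_es"
    elif "sev" in flags:
        amd = "sev"
    else:
        amd = None
    intel = "tdx" if "tdx_host_platform" in flags else None
    snp_param = read_param(SYSFS_PARAMS["sev_snp"], reader)
    tdx_param = read_param(SYSFS_PARAMS["tdx"], reader)
    return {
        "amd_sev_level": amd,
        "intel_tdx_host": intel,
        "kvm_amd_snp_enabled": None if snp_param is None else snp_param in ("1", "Y"),
        "kvm_intel_tdx_enabled": None if tdx_param is None else tdx_param in ("1", "Y"),
    }


if __name__ == "__main__":
    # Use the live host if we are on Linux, otherwise fall back to the sample.
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CPUINFO
    for key, val in cc_capabilities(parse_cpuinfo_flags(text)).items():
        print(f"{key}: {val}")
```

A "sev_snp" flag with kvm_amd_snp_enabled reported as None is exactly the situation the article describes: the silicon supports SNP but the running kernel has no hypervisor-side support for it yet.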
Since these are new security features, and the design has to be right and kernel coding standards met, getting all of the AMD SEV-SNP and Intel TDX bits upstream is taking quite a bit of time, but that is all part of the proven Linux upstreaming process.