Intel Trust Domain Extensions Ready For Linux 5.19 (Intel TDX)
Also sent in this morning for Linux 5.19 is AMD SEV-SNP guest support, covering the hardware feature AMD introduced last year with its EPYC 7003 "Milan" series processors. Intel's counterpart, Trust Domain Extensions (TDX), arrives with the Xeon Scalable "Sapphire Rapids" processors, and with Linux 5.19 the kernel-side support for running as a TDX guest is being readied as well.
As another example of how Intel tends to have Linux support for new CPU features in place ahead of launch (granted, that depends on whether you count Sapphire Rapids as already launched or as ramping up later this year...), Intel TDX guest support is ready for Linux 5.19, alongside the many other Sapphire Rapids features already enabled in the mainline kernel.
Intel diagram on the Trust Domain Extensions stack.
Intel Trust Domain Extensions provide hardware-isolated virtual machines, called trust domains, that are protected from the VMM/hypervisor and from any other non-trust-domain software on the platform. TDX builds on a Secure Arbitration Mode (SEAM) in which the Intel TDX module runs, a multi-key total memory encryption (MKTME) engine that encrypts and integrity-protects trust domain memory, remote attestation so that a relying party can verify a trust domain's measurements before handing it secrets, and other security features. See Intel.com for more background on Trust Domain Extensions being introduced with Sapphire Rapids processors.
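The first thing a practitioner wants after deploying one of these guests is a way to confirm that the kernel really is running inside a trust domain rather than in an ordinary VM. The following is an added example written for this page, not code from the article or from the kernel tree: a userspace probe that performs the same check the 5.19 guest code does at early boot, reading CPUID leaf 0x21 (subleaf 0) and comparing the signature "IntelTDX    " returned in EBX:EDX:ECX (the same register order as the leaf-0 vendor string). The function names, the `tdx_pack_chunk` helper and the constructed register values used for testing are this example's own.

```c
// Added example (not from the article or the kernel): detect an Intel TDX
// guest from userspace via the CPUID 0x21 signature, mirroring the early-boot
// check that the 5.19 guest support performs.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define TDX_CPUID_LEAF_ID 0x21u
#define TDX_IDENT "IntelTDX    "   /* 12 bytes, padded with spaces */

/* Pack EBX, EDX, ECX into a 12-byte string and compare with the signature.
   CPUID stores each 4-byte chunk little-endian, so the memcmp works on any
   little-endian host, which every TDX guest is. */
bool tdx_signature_matches(uint32_t ebx, uint32_t edx, uint32_t ecx)
{
    uint32_t sig[3] = { ebx, edx, ecx };
    return memcmp(sig, TDX_IDENT, sizeof(sig)) == 0;
}

/* Test helper (hypothetical, this example's own): encode a 4-character chunk
   of the signature the way CPUID returns it in a register. */
uint32_t tdx_pack_chunk(const char *s)
{
    return (uint32_t)(unsigned char)s[0]
         | (uint32_t)(unsigned char)s[1] << 8
         | (uint32_t)(unsigned char)s[2] << 16
         | (uint32_t)(unsigned char)s[3] << 24;
}

/* Returns 1 if this CPU reports a TDX guest, 0 if leaf 0x21 is enumerated but
   carries no TDX signature, and -1 if the probe is unavailable (max basic leaf
   below 0x21, or not an x86 build). */
int tdx_guest_probe(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    /* __get_cpuid_count() returns 0 when the max basic leaf is below 0x21,
       which is the case on every pre-TDX CPU and in ordinary non-TD VMs. */
    if (!__get_cpuid_count(TDX_CPUID_LEAF_ID, 0, &eax, &ebx, &ecx, &edx))
        return -1;
    return tdx_signature_matches(ebx, edx, ecx) ? 1 : 0;
#else
    return -1;
#endif
}

int main(void)
{
    int r = tdx_guest_probe();
    if (r == 1)
        puts("TDX guest: yes (CPUID.0x21 signature present)");
    else if (r == 0)
        puts("TDX guest: no (leaf 0x21 enumerated, TDX signature absent)");
    else
        puts("TDX guest: no (leaf 0x21 not enumerated / unsupported platform)");
    return 0;
}
```

On a 5.19 or newer kernel built with CONFIG_INTEL_TDX_GUEST the same fact is also exposed as the `tdx_guest` flag in /proc/cpuinfo. Note that a positive answer from this probe only tells the guest that it is running under the TDX module; it is not a substitute for remote attestation, which is what a party outside the trust domain needs in order to verify the guest's measurements before releasing secrets to it.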
As expected since last month, the Linux 5.19 merge window is landing Intel TDX guest support. This Intel confidential computing solution was submitted this morning as the "x86/tdx" pull request:
Intel Trust Domain Extensions
This is the Intel version of a confidential computing solution called Trust Domain Extensions (TDX). This series adds support to run the kernel as part of a TDX guest. It provides similar guest protections to AMD's SEV-SNP like guest memory and register state encryption, memory integrity protection and a lot more.
Design-wise, it differs from AMD's solution considerably: it uses a software module which runs in a special CPU mode called Secure Arbitration Mode (SEAM). As the name suggests, this module serves as sort of an arbiter which the confidential guest calls for services it needs during its lifetime.
Just like AMD's SNP set, this series reworks and streamlines certain parts of x86 arch code so that this feature can be properly accommodated.
In addition to a guest kernel with TDX support, running Trust Domain Extensions also requires changes to QEMU, libvirt, the open-source virtual firmware (OVMF), GRUB2, and shim, so a 5.19 kernel alone is not enough to boot a trust domain.