Intel Trust Domain Extensions Ready For Linux 5.19 (Intel TDX)

Written by Michael Larabel in Intel on 23 May 2022 at 09:00 AM EDT. Add A Comment
INTEL
Sent in this morning for Linux 5.19 is AMD SEV-SNP support for that hardware feature introduced last year with AMD EPYC Milan 7003 series processors. Meanwhile Intel's alternative technology, Trust Domain Extensions (TDX) is coming with Xeon Scalable "Sapphire Rapids" and also with Linux 5.19 that functionality is being readied on the software side.

As another example of how Intel is generally ready to go with Linux support for new CPU features ahead of launch (granted, depending upon when you call Sapphire Rapids as launched already or ramping up later this year...), Intel TDX is ready to go in Linux 5.19 alongside many other Sapphire Rapids features already enabled with the mainline kernel.


Intel diagram on the Trust Domain Extensions stack.


Intel Trust Domain Extensions are for hardware-isolated, virtual machines in providing protection from the VMM/hypervisor and other non-Trust Domain software on the platform. TDX provides a Secure-Arbitration Mode (SEAM), a multi-key total-memory encryption engine, remote attestation, and other security features. See Intel.com for more background information on Trust Domain Extensions being introduced with Sapphire Rapids processors.

As expected since last month, the Linux 5.19 merge window is landing Intel TDX support. This Intel confidential computing solution was submitted this morning as the "x86/tdx" pull request.
Intel Trust Domain Extensions

This is the Intel version of a confidential computing solution called Trust Domain Extensions (TDX). This series adds support to run the kernel as part of a TDX guest. It provides similar guest protections to AMD's SEV-SNP like guest memory and register state encryption, memory integrity protection and a lot more.

Design-wise, it differs from AMD's solution considerably: it uses a software module which runs in a special CPU mode called (Secure Arbitration Mode) SEAM. As the name suggests, this module serves as sort of an arbiter which the confidential guest calls for services it needs during its lifetime.

Just like AMD's SNP set, this series reworks and streamlines certain parts of x86 arch code so that this feature can be properly accommodated.

In addition to a TDX-supported kernel, Trust Domain Extensions also requires alterations to QEMU, libvirt, Open-Source Virtual Firmware, GRUB2, and Shim code.
Add A Comment
Related News
Fedora 41 Aims For Out-Of-The-Box Webcam Support For Newer Intel Laptops
Intel Graphics Compiler 1.0.17193.4 Released With Initial Battlemage Support
Intel OSPRay 3.2 Further Advances This Open-Source Ray-Tracing Engine
Intel's Mesa Driver Upstreaming For Xe2 Support Appears Mostly Done
Performance Event Changes For Linux 6.11 Bring Several Additions For Intel Hardware
Intel oneAPI VPL 2024Q2 GPU Runtime Prepares For VVC Decode
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
EXT4 Has A Very Nice Performance Optimization For Linux 6.11
Microsoft's WSL 2.3.11 Brings "Hundreds Of New Kernel Modules" & New Features
systemd Talks Up Automatic Boot Assessment In Light Of The Crowdstrike-Microsoft Outage
XZ Patches For The Linux Kernel Updated, Drops "Jia Tan" As A Maintainer
New Linux Patches Enable The Snapdragon X1 Elite Powered Lenovo ThinkPad T14s Gen 6
KDE Developers Tackle The Five Most Common Plasma Crashes
USB & Thunderbolt Improvements Land In Linux 6.11
NVIDIA 560 Linux Driver Beta Released - Defaults To Open GPU Kernel Modules