Intel TDX Guest Driver Ready Ahead Of Linux 6.2
Back in the Linux 5.19 kernel the host code around Intel TDX was merged, while for Linux 6.2 the guest driver is set for introduction. Intel Trust Domain Extensions provide hardware-isolated virtual machines that are protected from the VMM/hypervisor and other non-Trust Domain software on the platform. TDX provides a Secure-Arbitration Mode (SEAM), a multi-key total-memory encryption engine, remote attestation, and other security features.
More technical information on TDX is available from Intel.com.
For Linux 6.2 the Intel TDX guest driver is going into the kernel for use within virtual machines for confidential computing.
TDX guest driver exposes IOCTL interfaces to service TDX guest user-specific requests. Currently, it is only used to allow the user to get the TDREPORT to support TDX attestation.
Details about the TDX attestation process are documented in Documentation/x86/tdx.rst, and the IOCTL details are documented in Documentation/virt/coco/tdx-guest.rst.
Operations like getting TDREPORT involve sending a blob of data as input and getting another blob of data as output. It was considered to use a sysfs interface for this, but it doesn't fit well into the standard sysfs model for configuring values. It would be possible to do read/write on files, but it would need multiple file descriptors, which would be somewhat messy. IOCTLs seem to be the best fitting and simplest model for this use case. The AMD sev-guest driver also uses the IOCTL interface to support attestation.
Attestation is used to verify the TDX guest trustworthiness to other entities before provisioning secrets to the guest. For example, a key server may want to use attestation to verify that the guest is the desired one before releasing the encryption keys to mount the encrypted rootfs or a secondary drive.
The TDX module records the state of the TDX guest in various stages of the guest boot process using the build time measurement register (MRTD) and runtime measurement registers (RTMR). Measurements related to the guest initial configuration and firmware image are recorded in the MRTD register. Measurements related to initial state, kernel image, firmware image, command line options, initrd, ACPI tables, etc. are recorded in RTMR registers. For more details, as an example, please refer to TDX Virtual Firmware design specification, section titled "TD Measurement". At TDX guest runtime, the attestation process is used to attest to these measurements.
The attestation process consists of two steps: TDREPORT generation and Quote generation.
As of this past week the TDX guest driver was picked up in TIP's x86/tdx branch, so from there, barring any last-minute snags, it will be sent in for the Linux 6.2 merge window in December. See that branch for the documentation portion of the patch with more information on the TDX Guest API and the TDX Guest Attestation capability. Intel TDX-enabled processors are expected to premiere with the Xeon Scalable "Sapphire Rapids" CPUs being announced in January.
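The TDREPORT generation step described above, as an added example that is not from the article or the kernel patch: a C program that places a verifier-supplied nonce in REPORTDATA and requests the report from the guest driver. The device path /dev/tdx_guest and the TDX_CMD_GET_REPORT0 request follow the uapi header merged for Linux 6.2 and are reproduced locally; the nonce is constructed sample data and the helper names tdx_prepare_req and tdx_get_report are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Local copy of the definitions in <linux/tdx-guest.h> (Linux 6.2+), so
 * the example also builds against older kernel headers. */
#define TDX_REPORTDATA_LEN 64
#define TDX_REPORT_LEN 1024
struct tdx_report_req {
    uint8_t reportdata[TDX_REPORTDATA_LEN]; /* in: caller-chosen data */
    uint8_t tdreport[TDX_REPORT_LEN];       /* out: TDREPORT blob */
};
#define TDX_CMD_GET_REPORT0 _IOWR('T', 1, struct tdx_report_req)

/* Bind a verifier-supplied nonce into REPORTDATA; unused bytes stay zero. */
int tdx_prepare_req(struct tdx_report_req *req, const void *nonce, size_t len)
{
    if (!req || !nonce || len == 0 || len > TDX_REPORTDATA_LEN)
        return -EINVAL;
    memset(req, 0, sizeof(*req));
    memcpy(req->reportdata, nonce, len);
    return 0;
}

/* Request a TDREPORT from the driver. Returns 0 or a negative errno. */
int tdx_get_report(struct tdx_report_req *req)
{
    int fd = open("/dev/tdx_guest", O_RDWR);
    if (fd < 0)
        return -errno; /* e.g. -ENOENT when not running in a TDX guest */
    int ret = ioctl(fd, TDX_CMD_GET_REPORT0, req) ? -errno : 0;
    close(fd);
    return ret;
}

int main(void)
{
    /* Constructed nonce; a real verifier supplies a fresh random one. */
    static const uint8_t nonce[32] = "constructed-sample-nonce";
    struct tdx_report_req req;
    int ret = tdx_prepare_req(&req, nonce, sizeof(nonce));
    if (!ret)
        ret = tdx_get_report(&req);
    printf("TDREPORT request: %s\n", ret ? strerror(-ret) : "ok");
    return ret ? 1 : 0;
}
```

The returned TDREPORT is only the first of the two steps; it still has to be turned into a Quote before a remote key server can check the nonce and measurements.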