Intel Publishes Latest TDX Support Patches For Linux

Last year Intel detailed Trust Domain Extensions (TDX) as a new means of better protecting virtual machines with hardware-assisted isolation between VMs as well as from the VMM/hypervisor. Shortly after that Intel began posting TDX enablement patches and that work has continued while is still ongoing.

Intel landed the new TDX instructions within the open-source code compilers and then still ongoing is the Linux kernel enablement. Intel already had sent out their initial Trust Domain Extensions enablement and various other related patch series. Now though they have posted their latest patches around shared memory management support. With all of these published patch series, at this point it is then enough to get a fully-functional TDX guest when running on unrelated Intel Xeon processors.

The shared memory management patches sent out last week is supporting a means to securely share guest memory with the VMM (hypervisor) when needed by the guest. The VMM is considered an untrusted entity by TDX and thus does not allow it by default to access VMM memory so special changes are needed for the Trust Domain Extensions handling.

Given the timing and not much apparent rush around the Linux TDX enablement, it's not clear that all of these patches will be ready in time for the upcoming 5.14 cycle and thus may get dragged into a later kernel release. I also haven't seen Intel confirm whether TDX will be found in Sapphire Rapids this year or a generation later with Granite Rapids, so the kernel timing may still end up working out fine.