Intel Engineers Begin Landing Open-Source Support For TDX, Intel Key Locker
Last month Intel published a whitepaper on TDX (Trust Domain Extensions) as a means of better securing virtual machines. TDX allows for isolating VMs from the hypervisor and other non-VMM system software. Intel TDX builds on other recent work around MKTME memory encryption and other features. We are now beginning to see that software-side support roll out, along with the also-new Key Locker instructions.
TDX instruction support landed in LLVM 12 Git last night. The new instructions are SEAMCALL for calling the SEAM VMX-root operation module, SEAMRET to return to the legacy VMX-root operation, SEAMOPS for SEAM operations, and TDCALL to call the SEAM module functions.
Similarly, the TDX instructions were also added to the GNU Assembler code-base overnight. Neither the patches nor the comments yet reveal in which CPU generation we might see these TDX instructions supported, but given Intel's usual Linux/open-source patch timing, it wouldn't be until Sapphire Rapids at the very earliest; as much of the Sapphire Rapids enablement has already happened, I am guessing TDX might not debut until Granite Rapids.
Also new this week in assembler land is Intel landing Key Locker instructions within the GNU repository.
Last week Intel published a white paper on Key Locker. Key Locker allows encrypting/decrypting data with an AES key without having access to the raw key. This is done by converting AES keys into handles that work only on that system and only until they are revoked. With Key Locker, Intel aims to prevent hackers from obtaining actual AES keys by ensuring they are off-limits after the AES handles are created. Key Locker brings the AESENC128KL, AESENCWIDE128KL, AESDEC128KL, AESDECWIDE128KL, AESENC256KL, AESENCWIDE256KL, AESDEC256KL, and AESDECWIDE256KL instructions for encrypting/decrypting with various key sizes and block configurations.