Intel Posts New TDX Guest Attestation Patches To Verify Trustworthiness From 3rd Party Servers

Written by Michael Larabel in Intel on 23 February 2022 at 06:09 AM EST. 7 Comments
INTEL
Intel's open-source Linux engineers have been working a lot recently on the kernel's support for Trust Domain Extensions (TDX). Intel TDX has similarities to AMD's Secure Encrypted Virtualization (SEV) and is ultimately about better protecting virtual machines. The latest patch series published for Linux is the Intel TDX Guest Attestation support for being able to verify a TDX VM's trustworthiness via a third-party server.

Intel TDX aims to provide hardware-isolated, secure virtual machines for protecting against the host system / hypervisor and other non Trust Domain software. Intel engineers have been busy preparing the Linux kernel for supporting the various TDX features like hardware memory encryption and other security services.


TDX also supports the notion of remote attestation, which is being worked on with the newest patch series on the Linux kernel mailing list. TDX Remote Attestation provides increased confidence around ensuring software is running inside a genuine, Trusted Domain.


Learn more about Trust Domain Extensions capabilities via the Intel.com documentation.


There has been some TDX attestation Linux patches posted previously while now has been summed up in the form of v1 Add TDX Guest Attestation support.

The kernel patches are preparing the TD Guest support for being able to handle attestation against third-party servers for verifying the trustworthiness. Also with the patches is an example user-space implementation as a tool for interfacing with /dev/tdx-attest for acquiring a TD Report from the TDX module and requesting a quote from the VMM. "In TD Guest, the attestation process is used to verify the trustworthiness of TD guest to the 3rd party servers. Such attestation process is required by 3rd party servers before sending sensitive information to TD guests. One usage example is to get encryption keys from the key server for mounting the encrypted rootfs or secondary drive. Following patches add the attestation support to TDX guest which includes attestation user interface driver, user agent example, and related hypercall support."

See this patch series for more details on the TDX attestation support now under review.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week