Intel TDX

2022-02-17 · 2 min read

Intel TDX is designed to isolate virtual machines from the VMM/hypervisor and other non-VMM system software on the platform. TDX is also able to protect the VMs from some forms of hardware attacks.

Intel Trust Domain Extensions (Intel TDX) is introducing new, architectural elements to help deploy hardware-isolated, virtual machines (VMs) called trust domains (TDs). Intel TDX is designed to isolate VMs from the virtual-machine manager (VMM)/hypervisor and any other non-TD software on the platform to protect TDs from a broad range of software. (source)

  • Secure-Arbitration Mode (SEAM) – a new mode of the CPU designed to host an Intel-provided, digitally-signed, security-services module called the Intel TDX module.

  • Shared bit in GPA to help allow TD to access shared memory.

  • Secure EPT to help translate private GPA to provide address-translation integrity and to prevent TD-code fetches from shared memory. Encryption and integrity protection of private-memory access using a TD-private key is the goal.

  • Physical-address-metadata table (PAMT) to help track page allocation, page initialization, and TLB consistency.

  • Multi-key, total-memory-encryption (MKTME) engine designed to provide memory encryption using AES-128-XTS and integrity using 28-bit MAC and a TD-ownership bit.

  • Remote attestation designed to provide evidence of TD executing on a genuine, Intel TDX system and its TCB version.

  • It looks like you basically run a Linux kernel on the host machine, then Linux (which now supports TDX) can run these VM isolates (just like containers I guess, but with privacy and isolation).
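
As an added illustration of the "shared bit in GPA" element above (example code written for this page, not from the post or from Intel's or Linux's own code): inside a TD the shared bit is the top bit of the guest-physical address width, bit 47 for a 48-bit GPAW and bit 51 for a 52-bit GPAW, which is also how the Linux TDX guest derives its shared mask from TDG.VP.INFO. The td_* helper names and the buffer policy check are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Shared bit of a TD guest-physical address (GPA): bit gpaw-1, where
 * gpaw is the guest-physical address width reported to the TD (48 or
 * 52). Bit set: the page is shared with the VMM (not covered by the
 * TD key). Bit clear: the page is TD-private, encrypted with the TD
 * key and translated through the Secure EPT. */
static uint64_t td_shared_mask(unsigned gpaw)
{
    if (gpaw != 48 && gpaw != 52) /* only architectural widths */
        return 0;
    return 1ULL << (gpaw - 1);
}

static bool td_gpa_is_shared(uint64_t gpa, unsigned gpaw)
{
    return (gpa & td_shared_mask(gpaw)) != 0;
}

/* Same GPA with the shared bit cleared (private form). */
static uint64_t td_gpa_to_private(uint64_t gpa, unsigned gpaw)
{
    return gpa & ~td_shared_mask(gpaw);
}

/* Same GPA with the shared bit set (shared form). */
static uint64_t td_gpa_to_shared(uint64_t gpa, unsigned gpaw)
{
    return gpa | td_shared_mask(gpaw);
}

/* Hypothetical guest-side policy check before handing a buffer to the
 * host (e.g. a virtio ring): only addresses already in shared form may
 * be exposed, and never code pages (Secure EPT forbids TD code fetches
 * from shared memory anyway). */
static bool td_buffer_ok_for_host(uint64_t gpa, unsigned gpaw, bool is_code)
{
    if (is_code)
        return false;
    return td_gpa_is_shared(gpa, gpaw);
}

int main(void)
{
    uint64_t dma = td_gpa_to_shared(0x1000, 48); /* constructed sample GPA */
    printf("shared form of 0x1000: 0x%llx\n", (unsigned long long)dma);
    return 0;
}
```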

Roadmap Status (2021/09/24)

Component               Status
linux firmware loader   WIP
KVM TD                  Under Review
KVM MMU                 Under Review
KVM unmapping           Under discussion
QEMU guest BIOS         Under Review
QEMU guest attestation  WIP
QEMU unmapping          Under discussion