Linux 6.8 Upstreams More Intel TDX Bits For Protecting KVM Guests

Written by Michael Larabel in Intel on 12 January 2024 at 06:01 AM EST.
Intel has prepared additional Trust Domain Extensions enablement code for the ongoing Linux 6.8 kernel merge window.

TDX is now broadly available with new 5th Gen Xeon "Emerald Rapids" processors while the mainline Linux kernel support for these encrypted/secured VMs is still preparing to cross the finish line. TDX was first introduced last year with Intel Sapphire Rapids processors but the feature availability was limited to major cloud service providers / hyperscalers.

Intel Emerald Rapids CPUs


This latest pull request carries the TDX-side (host) work needed so that KVM can run TDX-protected guests, but the KVM-side changes are still pending. Longtime Intel Linux engineer Dave Hansen explained:
"Please pull some x86/tdx changes for 6.8. This contains the initial support for host-side TDX support so that KVM can run TDX-protected guests. This does not include the actual KVM-side support which will come from the KVM folks. The TDX host interactions with kexec also need to be ironed out before this is ready for prime time, so this code is currently Kconfig'd off when kexec is on.

The majority of the code here is the kernel telling the TDX module which memory to protect and handing some additional memory over to it to use to store TDX module metadata. That sounds pretty simple, but the TDX architecture is rather flexible and it takes quite a bit of back-and-forth to say, "just protect all memory, please."

There is also some code tacked on near the end of the series to handle a hardware erratum. The erratum can make software bugs such as a kernel write to TDX-protected memory cause a machine check and masquerade as a real hardware failure. The erratum handling watches out for these and tries to provide nicer user errors."

More details on the Intel TDX code prepped for Linux 6.8 via this pull request.