Initial Intel TDX Enablement Positioned For Linux 5.19

It looks like the initial Linux kernel enablement code around Trust Domain Extensions (TDX) will be mainlined for the Linux 5.19 cycle this summer.

Intel began talking about Trust Domain Extensions (TDX) back in 2020 for better protecting virtual machines with new hardware features akin to Secure Encrypted Virtualization (SEV) with AMD EPYC CPUs.

Since 2020 there has been work on the compiler support for new TDX instructions along with began work on TDX changes for Linux kernel support. In some areas this also means code sharing between AMD SEV and Intel TDX.

Now with the Linux 5.19 cycle with its merge window opening up around the end of May, it looks like at that point the Intel TDX support will be merged. The news this week was TIP's x86/tdx branch created with the various Intel-led changes to the kernel around TDX support.

With the patches now part of a tip/tip.git branch, it pretty much means barring any last minute snafus that the code will be submitted for the next kernel cycle (Linux 5.19). The big batch of x86/tdx patches include detection for Trust Domain Extensions, MSR and HLT support for TDX guests, handling in-kernel MMIO, supporting the KVM hypercalls, support for TDX shared memory, and a variety of other kernel changes needed for supporting this Intel security feature.

Intel's TDX documentation sums up the new security functionality as: "Intel Trust Domain Extensions (Intel TDX) is introducing new, architectural elements to help deploy hardware-isolated, virtual machines (VMs) called trust domains (TDs). Intel TDX is designed to isolate VMs from the virtual-machine manager (VMM)/hypervisor and any other non-TD software on the platform to protect TDs from a broad range of software."

As part of TIP's x86/tdx patch queue, there is this documentation that outlines the kernel architecture for TDX.

There are other Linux patches still pending around TDX such as the recently posted TDX guest attestation patches for verifying trustworthiness from third party servers. Those patches may make it as well for Linux 5.19 but aren't part of this Git branch.

Intel Trust Domain Extensions is expected to debut with Xeon Scalable "Sapphire Rapids", so the timing should work out fine considering broad availability of SPR seems to still be some months out. At least Intel has been working on this code in the open for a while now and getting it upstreamed shortly before launch. Meanwhile this week TIP also positioned AMD SEV-SNP for upstreaming in Linux 5.19 too. The difference there is AMD SEV-SNP "Secure Nested Paging" upgrade to Secure Encrypted Virtualization debuted last year with EPYC 7003 "Milan" processors after which AMD began posting the Linux SEV-SNP patches publicly and after a year of work post-launch is now ready for going mainline at the same time as Intel TDX for the blue company's future CPUs. So once again Intel scores an extra point for their open-source/Linux punctuality of new hardware support, beyond all the other Sapphire Rapids patches they've been pushing to the Linux kernel over the past two years as well as having the Sapphire Rapids compiler support introduced since 2020.