Intel TDX With Linux 6.3 Updated To Avoid "Total Insanity" Scenario

Intel Trust Domain Extensions (TDX) is one of the new features with 4th Gen Xeon Scalable "Sapphire Rapids" processors but is limited this generation to deployment by a few select cloud partners. For Linux 6.3 this feature for hardware-isolated virtual machines is continuing to be further refined.

The Intel TDX support for Linux on both the host and guest side has been coming together over the past number of kernel cycles. With Linux 6.3 the focus of the TDX changes is on preventing unexpected virtualization exceptions from hosts removing guest mappings and excessive #VE notifications.

The x86/tdx pull request of Linux 6.3 changes sums up the work as:

"Other than a minor fixup, the content here is to ensure that TDX guests never see virtualization exceptions (#VE's) that might be induced by the untrusted VMM.

This is a highly desirable property. Without it, #VE exception handling would fall somewhere between NMIs, machine checks and total insanity. With it, #VE handling remains pretty mundane."

The Intel TDX patch that is part of this pull request to disable NOTIFY_ENABLES goes on to explain:

"There is a class of side-channel attacks against SGX enclaves called "SGX Step". These attacks create lots of exceptions inside of enclaves. Basically, run an in-enclave instruction, cause an exception. Over and over.

There is a concern that a VMM could attack a TDX guest in the same way by causing lots of #VE's. The TDX architecture includes new countermeasures for these attacks. It basically counts the number of exceptions and can send another *special* exception once the number of VMM-induced #VE's hits a critical threshold.

But, these special exceptions are independent of any action that the guest takes. They can occur anywhere that the guest executes. This includes sensitive areas like the entry code. The (non-paranoid) #VE handler is incapable of handling exceptions in these areas.

Fortunately, the special exceptions can be disabled by the guest via write to NOTIFY_ENABLES TDCS field. NOTIFY_ENABLES is disabled by default, but might be enabled by a bootloader, firmware or an earlier kernel before the current kernel runs.

Disable NOTIFY_ENABLES feature explicitly and unconditionally. Any NOTIFY_ENABLES-based #VE's that occur before this point will end up in the early #VE exception handler and die due to unexpected exit reason."

So that clean-up around the virtualization exceptions (#VE) is good to go now for Linux 6.3. It will likely be with next-generation Emerald Rapids processors where TDX support becomes widely available.