Intel Posts Latest 113 Patches For Linux KVM TDX Support

One of the new features of Intel Xeon Scalable 4th Gen "Sapphire Rapids" server processors is support for Trust Domain Extensions (TDX) but for this generation is only being activated for CPUs going to select cloud providers. Intel TDX allows better isolating virtual machines from the VMM/hypervisor and other non-TD software on the platform. This limited roll-out of Intel TDX has worked out okay with the Linux support for this security feature still being in flux. Sent out today was the 14th spin of the 113 patches needed for getting KVM TDX support wired up within the Linux kernel.

Intel provided technical details around TDX going back to 2020. For years they've been working on the Linux kernel support for this VM security feature and in Linux 6.2 Intel landed the TDX guest driver that followed the initial Intel TDX support in Linux 5.19. But still missing has been the Intel TDX KVM integration.

The set of 113 patches for the v14 series provide basic feature enablement for KVM virtual machines with Intel TDX on capable hardware. The new patches re-base against the current upstream Linux 6.4 state, switch to using KVM GMEM, and a number of other internal changes around the TDX handling in the scope of the Kernel-based Virtual Machine.

We'll see now if the v14 patches are good enough for upstreaming or it will drag on longer before all the Intel TDX support is fully mainlined in the Linux kernel. In any event I'm suspecting Intel isn't going to make Intel TDX support widespread until the Granite Rapids generation next year, so there is still time for rolling out the software support upstream to complement the few cloud service providers using TDX via out-of-tree patches. Even if TDX support will be found more widespread with Emerald Rapids later this year, at least by then is also decent changes we'll see mainline support prior to that launch.