Skip to content

Latest commit

 

History

History
91 lines (68 loc) · 5.41 KB

README.md

File metadata and controls

91 lines (68 loc) · 5.41 KB

Linux Stack for Intel® TDX (Trust Domain Extensions)

CI Check Shell CI Check Python CI Check License CI Check Document

1. Overview

1.1 Intel® Trust Domain Extensions(TDX)

Intel® Trust Domain Extensions(TDX) refers to an Intel technology that extends Virtual Machine Extensions(VMX) and Multi-Key Total Memory Encryption(MK-TME) with a new kind of virtual machine guest called a Trust Domain(TD). A TD runs in a CPU mode that protects the confidentiality of its memory contents and its CPU state from any other software, including the hosting Virtual Machine Monitor (VMM). Please get more details from TDX White Papers and Specifications

NOTE: tdx-tools keeps evolving along with kernel version. Please refer to corresponding tag for different kernel version support. Please make sure to use the corresponding tag aligned with kernel version.

Tag Kernel version Description
2022ww44 5.15 TDX 1.0
2023ww01 5.19 TDX 1.0
2023ww15 6.2 TDX 1.5
2023ww22 5.19.17 TDX 1.0 update with Full disk encryption(FDE) reference solution, Amber client and IMA support

1.2 Hardware Availability

1.3 API and Specifications

Please see details at here:

2. Linux Stack for Intel TDX

Linux Stack for Intel® TDX is an end-to-end hypervisor cloud stack including the Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) components.

2.1 Use Cases

It produce the following minimal use cases:

  • Launch Intel® TDX guest VM to run general computing workloads
  • Do launch-time measurement within the Intel® TDX guest VM
  • Do runtime attestation with the quote generated by Intel® Software Guard Extensions (Intel® SGX)-based quote generation service (QGS) on the IaaS host

It provides the below tools for developer:

  • Build individual component's package or install pre-build binaries on IaaS host or create PaaS guest image for quick evaluation
  • Generate the patch set for deep dive in source code level
  • Test, hack and debug the TDX technology based on PyCloudStack framework
  • Dump guest VM measurement and generate TD quote report for TDX E2E attestation
  • Measured boot and Secure boot for TDX guest VM

2.2 Components

Linux Stack for Intel® TDX includes the components in below diagram:

TDX Stack Architecture

Name Stack Description
TDX Kernel Host + Guest Linux kernel for TDX
TDX Qemu-KVM Host Qemu VMM for TDX
TDX SEAM Module Host TDX Secure Arbitration Module
TDX Migration Host Migration TD for live migration
TDX Libvirt Host The modified libvirt to create TDX guest domain via Qemu
TDVF Host The modified OVMF(Open Source Virtual Firmware) to support TDX guest boot like page accept, TDX measurement
TDX Grub2 Guest The modified grub for guest VM to support TDX measurement
TDX shim Guest The modified shim for guest VM to support TDX measurement

3. How to Use

Please refer the white paper: Linux*Stacks for Intel® Trust Domain Extension 1.0 (only cover TDX 1.0) and wiki for additional informational about TDX 1.5 or developer specific.

Type Content
BKM Check Memory Encryption
BKM Enable IMA with TDX RTMR
Developer Developer Guide
Developer Off TD GDB Debug
1.5 TD Migration