Stacks and Solutions for Intel® TDX (Trust Domain Extensions)

1. Overview

This project provides the modified components to setup TDX stacks and additional components/tools/services for optimized/full-capabilities Intel® TDX based confidential computing solutions.

NOTE:

1. Please refer the white paper: Linux*Stacks for Intel® Trust Domain Extension 1.0 (only cover TDX 1.0) and wiki for additional informational about TDX 1.5 or developer specific information.
2. The modified components like Kernel, Qemu, Libvirt etc includes pre-upstream patches are for reference only.
3. The modified components like Grub, Shim's were already upstream-ed. Please install from the corresponding OS distribution.
4. The component TDVF uses the configuration of IntelTdxX64.dsc from edk2 upstream.
5. The component DCAP refers to SGXDataCenterAttestationPrimitives
6. The components, tools, services are not only for function evaluation, but also are full optimized for performance, please see Performance Considerations of Intel® Trust Domain Extensions on 4th Generation Intel® Xeon® Scalable Processors
7. The use case based services/solutions strictly follows the Kernel Hardening Strategy without compromising security.
8. The kernel is keeping to evolving. Please refer to corresponding tags for different kernel version used.

1.1 Intel® Trust Domain Extensions(TDX)

Intel® Trust Domain Extensions(TDX) refers to an Intel technology that extends Virtual Machine Extensions(VMX) and Multi-Key Total Memory Encryption(MK-TME) with a new kind of virtual machine guest called a Trust Domain(TD). A TD runs in a CPU mode that protects the confidentiality of its memory contents and its CPU state from any other software, including the hosting Virtual Machine Monitor (VMM). Please get more details from TDX White Papers and Specifications

1.2 Hardware Availability

• As of July 2023, Intel TDX is available through custom 4th Gen Intel Xeon Scalable processors (formerly code-named “Sapphire Rapids”) delivered to certain major Cloud Service Providers, including Alibaba, Azure, Google Cloud and IBM Cloud. Today, Alibaba and Azure are already in preview, with Google and IBM expected in the coming months.
• Intel’s Developer Cloud will be equipped with TDX-capable Intel Xeon Scalable processors in the coming months for software testing and solution development. Stay tuned to our GitHub for news on availability.
• Intel TDX will be generally available in the upcoming 5th Gen Intel Xeon Scalable processors (code-named “Emerald Rapids”).

NOTE:

• Please run check-tdx-host.sh to check your TDX bare metal host environment.
• Please run check-tdx-guest.sh to check your TDX guest VM environment.

1.3 API and Specifications

Please see details at here:

2. Stacks and Solutions for Intel® TDX

2.1 Use Cases

It produces the following minimal use cases:

• Launch Intel® TDX guest VM to run general computing workloads
• Do launch-time measurement within the Intel® TDX guest VM
• Do runtime attestation with the quote generated by Intel® Software Guard Extensions (Intel® SGX)-based quote generation service (QGS) on the IaaS host
• vTPM stack for TD works with tpm2-tools, IMA and Keylime.

It provides the below tools for developer:

• Build individual component's package or install pre-build binaries on IaaS host or create PaaS guest image for quick evaluation
• Generate the patch set for deep dive in source code level
• Test, hack and debug the TDX technology based on PyCloudStack framework
• Dump guest VM measurement and generate TD quote report for TDX E2E attestation
• Measured boot and Secure boot for TDX guest VM
• Deployment tool for Linux TDX SW stack deployment on TDX enabled host
• Guest image tool to generate TD guest image

2.2 Components

Linux Stack for Intel® TDX includes the components in below diagram:

3. Further Reading