Intel Trusted Domain eXtension (TDX)
====================================

Intel Trusted Domain eXtensions (TDX) refers to an Intel technology that extends
Virtual Machine Extensions (VMX) and Multi-Key Total Memory Encryption (MKTME)
with a new kind of virtual machine guest called a Trust Domain (TD). A TD runs
in a CPU mode that is designed to protect the confidentiality of its memory
contents and its CPU state from any other software, including the hosting
Virtual Machine Monitor (VMM), unless explicitly shared by the TD itself.

Prerequisites
-------------

To run a TD, the physical machine needs to have the TDX module loaded and
initialized, while the KVM hypervisor has TDX support and has TDX enabled. If
those requirements are met, ``KVM_CAP_VM_TYPES`` will report support for
``KVM_X86_TDX_VM``.

Trust Domain Virtual Firmware (TDVF)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Trust Domain Virtual Firmware (TDVF) is required to provide TD services to boot
the TD Guest OS. TDVF needs to be copied to guest private memory and measured
before the TD boots.

The KVM vcpu ioctl ``KVM_TDX_INIT_MEM_REGION`` can be used to populate the TDVF
content into its private memory.

Since TDX doesn't support readonly memslots, TDVF cannot be mapped as a pflash
device and it actually works as RAM. The "-bios" option is chosen to load TDVF.

OVMF is the open-source firmware that implements TDVF support. Thus the
command line to specify and load TDVF is ``-bios OVMF.fd``.

Feature Configuration
---------------------

Unlike a non-TDX VM, the CPU features (enumerated by CPUID or MSR) of a TD are
not under full control of the VMM. The VMM can only configure part of the
features of a TD via the ``KVM_TDX_INIT_VM`` command of the VM scope
``MEMORY_ENCRYPT_OP`` ioctl.
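The attribute bits this document names (DEBUG bit 0 under Debugging, the
"sept-ve-disable" bit 28 under TD attributes, PKS bit 30 and PERFMON bit 63
below) can be composed into the raw ``attributes`` value of the ``tdx-guest``
object and decoded back before a launch. The following Python is an added
example and not QEMU's own code; the table, the function names and the
pre-launch check are this example's own, and it deliberately knows only the
bits described on this page, so any other set bit in a raw value is reported
as unrecognised rather than interpreted.

```python
"""Compose, decode and sanity-check the raw 64-bit TD ``attributes`` value
passed to QEMU's ``tdx-guest`` object (added example, not QEMU code)."""

# Attribute bits named in the QEMU TDX documentation. The TDX module defines
# more; they are left out on purpose so that unknown bits are flagged, never
# guessed at.
TD_ATTRIBUTES = {
    "debug": 0,             # off-TD debug mode: VCPU state and private memory
                            # become readable via SEAMCALLs
    "sept-ve-disable": 28,  # also exposed by QEMU as its own tdx-guest property
    "pks": 30,              # Supervisor Protection Keys exposed to the TD
    "perfmon": 63,          # PMU exposed to the TD
}

MASK64 = (1 << 64) - 1


def compose_attributes(*names: str) -> int:
    """Build the raw attributes value from attribute names; unknown names raise."""
    value = 0
    for name in names:
        if name not in TD_ATTRIBUTES:
            raise ValueError(f"unknown TD attribute {name!r}")
        value |= 1 << TD_ATTRIBUTES[name]
    return value


def decode_attributes(value: int) -> tuple[list[str], list[int]]:
    """Split a raw value into (known attribute names, unrecognised bit positions)."""
    if not 0 <= value <= MASK64:
        raise ValueError("attributes must fit in 64 bits")
    by_bit = {bit: name for name, bit in TD_ATTRIBUTES.items()}
    known, unknown = [], []
    for bit in range(64):
        if (value >> bit) & 1:
            if bit in by_bit:
                known.append(by_bit[bit])
            else:
                unknown.append(bit)
    return known, unknown


def tdx_guest_object(value: int, obj_id: str = "tdx0") -> str:
    """Render the -object argument that carries a raw attributes value."""
    return f"tdx-guest,id={obj_id},attributes={value:#x}"


def prelaunch_findings(value: int) -> list[str]:
    """What a deployer wants to know before launching a TD with this value."""
    known, unknown = decode_attributes(value)
    findings = []
    if "debug" in known:
        findings.append("DEBUG (bit 0) is set: the TD runs in off-TD debug mode "
                        "and its VCPU state and private memory are host-readable")
    if unknown:
        findings.append("bits not described by the QEMU TDX documentation are set: "
                        + ", ".join(str(b) for b in unknown))
    return findings


if __name__ == "__main__":
    attrs = compose_attributes("sept-ve-disable", "perfmon")
    print(tdx_guest_object(attrs))  # tdx-guest,id=tdx0,attributes=0x8000000010000000
    for finding in prelaunch_findings(attrs | (1 << 0)):
        print("warning:", finding)
```

``compose_attributes`` is the path for a value built from named bits;
``decode_attributes`` and ``prelaunch_findings`` are the path for a raw value
supplied by someone else, which is where the document's note that the user is
responsible for a valid value bites: a DEBUG bit or an unrecognised bit in a
value copied from elsewhere is exactly what this check surfaces.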

The configurable features have three types:

- Attributes:

  - PKS (bit 30) controls whether Supervisor Protection Keys are exposed to the
    TD, which determines the related CPUID bit and CR4 bit;
  - PERFMON (bit 63) controls whether the PMU is exposed to the TD.

- XSAVE related features (XFAM):
  XFAM is a 64-bit mask, which has the same format as XCR0 or the IA32_XSS MSR.
  It determines the set of extended features available for use by the guest TD.

- CPUID features:
  Only some bits of some CPUID leaves are directly configurable by the VMM.

What features can be configured is reported via TDX capabilities.

TDX capabilities
~~~~~~~~~~~~~~~~

The VM scope ``MEMORY_ENCRYPT_OP`` ioctl provides the command
``KVM_TDX_CAPABILITIES`` to get the TDX capabilities from KVM. It returns a
data structure, ``struct kvm_tdx_capabilities``, which tells the supported
configuration of attributes, XFAM and CPUIDs.

TD attributes
~~~~~~~~~~~~~

QEMU supports configuring raw 64-bit TD attributes directly via the
"attributes" property of the "tdx-guest" object. Note, it's the user's
responsibility to provide a valid value because some bits may not be supported
by current QEMU or KVM yet.

QEMU also supports the configuration of individual attribute bits that are
supported by it, via properties of the "tdx-guest" object,
e.g., "sept-ve-disable" (bit 28).

MSR based features
~~~~~~~~~~~~~~~~~~

Current KVM doesn't support MSR based feature (e.g., MSR_IA32_ARCH_CAPABILITIES)
configuration for TDX, and it's future work to enable it in QEMU when KVM adds
support for it.

Feature check
~~~~~~~~~~~~~

QEMU checks if the final (CPU) features, determined by the given CPU model and
explicit feature adjustments of "+featureA/-featureB", can be supported or not.
It can produce a feature-not-supported warning like

  "warning: host doesn't support requested feature: CPUID.07H:EBX.intel-pt [bit 25]"

It can also produce a warning like

  "warning: TDX forcibly sets the feature: CPUID.80000007H:EDX.invtsc [bit 8]"

if a fixed-1 feature is requested to be disabled explicitly. This is newly
added to QEMU for TDX because TDX has fixed-1 features that are forcibly enabled
by the TDX module and the VMM cannot disable them.

Launching a TD (TDX VM)
-----------------------

To launch a TD, the necessary command line options are the tdx-guest object and
a split kernel-irqchip, as below:

.. parsed-literal::

    |qemu_system_x86| \\
        -accel kvm \\
        -cpu host \\
        -object tdx-guest,id=tdx0 \\
        -machine ...,confidential-guest-support=tdx0 \\
        -bios OVMF.fd \\

Restrictions
------------

 - kernel-irqchip must be split;

   This is set by default for a TDX guest if kernel-irqchip is left on its
   default 'auto' setting.

 - No readonly support for private memory;

 - No SMM support: SMM support requires manipulating the guest register states,
   which is not allowed;

Debugging
---------

Bit 0 of the TD attributes is the DEBUG bit, which decides if the TD runs in
off-TD debug mode. When in off-TD debug mode, the TD's VCPU state and private
memory are accessible via given SEAMCALLs. This requires KVM to expose APIs to
invoke those SEAMCALLs and corresponding QEMU changes.

It's targeted as future work.

TD attestation
--------------

In a TD guest, the attestation process is used to verify the TDX guest's
trustworthiness to other entities before provisioning secrets to the guest.

TD attestation is initiated first by calling TDG.MR.REPORT inside the TD to get
the REPORT. Then the REPORT data needs to be converted into a remotely
verifiable Quote by the SGX Quoting Enclave (QE).

It's future work in QEMU to add support for TD attestation since it lacks
support in current KVM.

Live Migration
--------------

Future work.

References
----------

- `TDX Homepage <https://www.intel.com/content/www/us/en/developer/articles/technical/intel-trust-domain-extensions.html>`__

- `SGX QE <https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/QuoteGeneration>`__