Activity log for bug #1988120

Date Who What changed Old value New value Message
2022-08-30 06:42:34 Andrea Righi bug added bug
2022-08-30 06:44:52 Andrea Righi nominated for series Ubuntu Kinetic
2022-08-30 06:44:52 Andrea Righi bug task added linux (Ubuntu Kinetic)
2022-08-30 07:00:13 Ubuntu Kernel Bot linux (Ubuntu): status New Incomplete
2022-09-01 07:58:54 Kleber Sacilotto de Souza linux (Ubuntu Kinetic): status Incomplete In Progress
2022-09-01 07:58:57 Kleber Sacilotto de Souza linux (Ubuntu Kinetic): status In Progress Fix Committed
2022-09-01 08:09:30 Kleber Sacilotto de Souza description
Old value:
[Impact] Intel has requested to support the TDX (trust domain extension) guest attestation driver interface. In a TDX guest "attestation" is used to verify the trustworthiness of a TD (trusted domain) before provisioning secrets to the TD (i.e., encrypted keys to mount an encrypted rootfs, etc.). During the TD boot the initial contents and configurations are recorded by the Intel TDX module in the build time measurement register (MRTD). At TD runtime, the Intel TDX module reuses the Intel SGX attestation infrastructure to provide support for attesting to this information. This driver is targeting 6.x upstream, so we need to backport the upstream patches as SAUCE patches to properly support this feature in 5.19.
[Fix] Backport upstream TDX attestation driver.
[Test case] Tests have been performed by IBM, a test-case is included in the patch set as a kernel selftest (called 'tdx'). TODO: consider integrating this test in our testing infrastructure once this feature has been merged.
[Regression potential] This feature is self-contained, it's only available on amd64 and it doesn't affect any other amd64 code. So we could only experience regressions on amd64 systems that are using the TDX feature.
New value:
[Impact] Intel has requested to support the TDX (trust domain extension) guest attestation driver interface. In a TDX guest "attestation" is used to verify the trustworthiness of a TD (trusted domain) before provisioning secrets to the TD (i.e., encrypted keys to mount an encrypted rootfs, etc.). During the TD boot the initial contents and configurations are recorded by the Intel TDX module in the build time measurement register (MRTD). At TD runtime, the Intel TDX module reuses the Intel SGX attestation infrastructure to provide support for attesting to this information. This driver is targeting 6.x upstream, so we need to backport the upstream patches as SAUCE patches to properly support this feature in 5.19.
[Fix] Backport upstream TDX attestation driver.
[Test case] Tests have been performed by Intel, a test-case is included in the patch set as a kernel selftest (called 'tdx'). TODO: consider integrating this test in our testing infrastructure once this feature has been merged.
[Regression potential] This feature is self-contained, it's only available on amd64 and it doesn't affect any other amd64 code. So we could only experience regressions on amd64 systems that are using the TDX feature.
2022-09-02 07:18:53 Andrew Cloke bug added subscriber Andrew Cloke
2022-10-04 09:44:59 Launchpad Janitor linux (Ubuntu Kinetic): status Fix Committed Fix Released
2022-10-04 09:44:59 Launchpad Janitor cve linked 2022-2978