Intel® TDX Support Coming to SUSE Linux Enterprise Server
Reliable data protection is a long-standing goal in computing and a requirement often set by end users and legislation. Two data protection technologies have been with us for a while, protecting data at different stages. These are:
- Data protection in Transit. When data is transferred over the network it is protected with network encryption and authentication mechanisms. Popular protocols used today include Transport Layer Security (TLS) and Secure Shell (SSH).
- Data protection at Rest. When data is stored on disk it is protected using the disk encryption facilities of the various operating systems. On Linux the tools of choice are dm-crypt for encryption and dm-integrity for integrity protection. There is also dm-verity available for data verification.
What was missing so far is a set of technologies for protecting data while it is in use by applications. To be used, data has to be decrypted and loaded into main memory. Unencrypted data is a much easier target for malicious actors.
In recent years technologies for protecting data-in-use were added to modern processors to close this data protection gap. One of the first technologies was Intel® SGX, which provides a secure Trusted Execution Environment (TEE) within an existing application.
SGX is a great way of protecting data in use, but it requires changes in the application layer. Newer Intel® processors add another data protection facility: Trusted Domain Extensions (TDX). TDX is based on hardware virtualization and allows the execution of whole operating systems within a TEE. With TDX no changes at the application layer are needed, so it can provide data-in-use protection to a much broader set of workloads.
The Intel® Trusted Domain Extensions allow running a virtual machine inside a Trusted Execution Environment. Several protections are implemented from the hardware side. The protected virtual machine is also called a Trusted Domain (TD). TDX provides:
- Memory Encryption. All memory used by the TD is encrypted by the hardware in a way that does not allow access from software running outside of the TEE, e.g. the host hypervisor. The memory controller implements strong AES-128 encryption and the CPU only allows unencrypted data access to software running in the TEE. The operating system in the TD can decide to make some memory visible to the host. This is required for communication between the TD and the hypervisor.
- Register encryption. In addition to the memory of the TD, its register state is also encrypted and protected from access or modification by the hypervisor. This prevents access to secrets stored in the TD registers and attacks against its execution flow.
- Memory integrity. The hardware also protects the TD from attacks against its encrypted memory contents, namely replay and remapping attacks. With these attacks the hypervisor could replay old encrypted data or map encrypted data at a different address. These attacks could hijack the execution flow of the TD and trick it into revealing secrets. Intel® TDX protects against these attacks from the hardware side by making them detectable from within the TD.
Intel® TDX allows workloads to run with data-in-use protection without changes to the application layer. But setting up and running an operating system inside the TD requires several changes to the host virtualization stack and the guest operating system.
Present:
The upstream Linux kernel supports running in an Intel® Trusted Domain since version 5.19. SUSE engineers have backported the code to SUSE Linux Enterprise 15-SP5 and openSUSE Leap 15.5.
From these versions on, SUSE distributions can be used as a guest operating system in a Trusted Domain.
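A guest-side check for the above, added here as an example and not taken from SUSE's documentation: because the guest support was backported, the kernel version number alone does not tell you whether a system is running as a TD, so the script looks for the `tdx_guest` CPU flag that kernels with TD guest support report in /proc/cpuinfo. The function names, status strings and sample flag lists are constructed for illustration.

```shell
#!/bin/sh
# Classify a system from the CPU flags the kernel reports.
# Usage: tdx_guest_status [cpuinfo-file]   (defaults to /proc/cpuinfo)
tdx_guest_status() {
    cpuinfo=${1:-/proc/cpuinfo}
    if [ ! -r "$cpuinfo" ]; then
        echo "unknown"
        return 0
    fi
    # Use the first "flags" line only; "vmx flags" lines do not match ^flags.
    flags=$(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$cpuinfo" | head -n 1)
    # Pad with spaces so that only whole flag names match.
    case " $flags " in
        *" tdx_guest "*)  echo "td-guest" ;;        # running inside a TD
        *" hypervisor "*) echo "vm-without-tdx" ;;  # ordinary, unprotected VM
        *)                echo "no-hypervisor" ;;   # bare metal or non-x86
    esac
}

# Write a minimal cpuinfo-style file with the given flag list.
make_sample() {
    printf 'processor\t: 0\nflags\t\t: %s\n' "$1"
}

# Constructed sample inputs (shortened flag lists, not captured from hardware).
# "tdx_guest_like" is a made-up name that must NOT match as a substring.
sample_dir=$(mktemp -d)
make_sample "fpu vme sse2 hypervisor tdx_guest" > "$sample_dir/td"
make_sample "fpu vme sse2 hypervisor"           > "$sample_dir/vm"
make_sample "fpu vme sse2 tdx_guest_like"       > "$sample_dir/host"

for f in td vm host; do
    printf '%-6s %s\n' "$f" "$(tdx_guest_status "$sample_dir/$f")"
done
printf '%-6s %s\n' "local" "$(tdx_guest_status)"
rm -rf "$sample_dir"
```

The flag is reported by the guest kernel itself, so it confirms how the guest was booted but is not a substitute for remote attestation of the TD.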
Future:
While running as a TD guest has been supported for quite a while now, support for using Linux as a host operating system running Trusted Domains is not yet merged into the mainline Linux kernel or the upper parts of the virtualization stack.
These patches are still under discussion and will probably be merged into their upstream projects within the next year. Nevertheless, since the patches are not upstream, they cannot be included in a SUSE Enterprise distribution yet.
Testing Intel® TDX with SUSE Linux Enterprise Server
For users and customers with access to TDX capable hardware we at SUSE provide demo packages of the key components required to set up a TDX hypervisor environment. The packages are built for SUSE Linux Enterprise Server 15-SP5 and openSUSE Leap 15.5 and include the Linux kernel, QEMU and the virtual firmware for trusted domains (TDVF). With these packages installed on a TDX capable machine our users and customers can try out the protection provided by a TD and experiment with this new technology.
There is additional documentation available which explains in detail how to set up the host and guest image to run a Trusted Domain with SUSE Linux Enterprise Server or openSUSE Leap. The documentation can be found in our tdx-demo repository on GitHub: https://github.com/SUSE/tdx-demo/blob/main/INSTALL-SLES-15-SP5.md.
Intel® TDX Support in Future SUSE Distributions
Today we provide experimental demo packages for TDX host setups for SUSE Linux Enterprise Server 15-SP5 and openSUSE Leap 15.5. These packages are only for experimentation and testing, as they are provided without any support.
But this is not the end of the road. With the TDX patches being merged into their respective upstream repositories, SUSE engineers will integrate them into our distributions and remove the need to install additional packages.
The current plan is to provide Intel® TDX host support with Technology Preview status in SUSE Linux Enterprise Server 15-SP6 and full enterprise support in SUSE Linux Enterprise Server 15-SP7 and other future products.