Add support for Intel Trust Domain Extensions (TDX) #228
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Temporarily pushing a mess of commits so that it can get cleaned up... |
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
In `memory_init` we need to use `kvm_userspace_memory_region2`, `kvm_create_guest_memfd`, and `kvm_memory_attributes` for the TDX architecture, otherwise it will fail. Signed-off-by: Jake Correnti <[email protected]>
TDX does not use the `KVM_CREATE_IRQCHIP` ioctl, rather it enables the `KVM_SPLIT_IRQCHIP` capability, which is handled by virtee/tdx. Signed-off-by: Jake Correnti <[email protected]>
Registers are confidential for TDX, so configuring them through the KVM API is not allowed. Signed-off-by: Jake Correnti <[email protected]>
Adds a new `inteltdx` module and implements a feature-flagged `new` method for `VM to create a VM with the TDX architecure. Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Implements the `tdx_secure_virt_prepare` method which in turn calls the `KVM_TDX_INIT_VM` TDX ioctl which does VM specific initialization. Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
…rt the memory page accordingly Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
Signed-off-by: Jake Correnti <[email protected]>
jakecorrenti
force-pushed
the
intel-tdx
branch
from
56547f1 to
f8b3c5d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for the Intel Trust Domain Extensions (TDX) Confidential Computing architecture.
This is currently a draft as the following issues are present:
Before merging there are some commits that will be squashed and/or re-ordered.
There is also additional functionality that I would like to add such as:
KVM_TDX_CAPABILITIESKVM_TDX_CAPABILITIESAny early reviews are welcome.