Intel® hardware security and acceleration capabilities on Ubuntu

Project Discussion
1

This post outlines the availability and enablement status of key Intel® hardware security features, accelerators, and instruction sets on Ubuntu. These capabilities are designed to support confidential computing, high-throughput data movement, analytics acceleration, memory scalability, and vectorized compute, and are applicable across cloud, telco, edge, and enterprise deployments.

Intel® Software Guard Extensions (SGX)

Intel® Software Guard Extensions (SGX) is a hardware-based security technology that enables the creation of isolated, encrypted memory regions called enclaves. These enclaves protect sensitive code and data even if the operating system or hypervisor is compromised.

SGX enables a confidential computing model in which applications can execute securely while protecting secrets such as cryptographic keys and regulated data from the rest of the system software stack.

Benefits for the user

  • Zero-trust data protection: Sensitive data remains encrypted and isolated, even if the OS or hypervisor is compromised.

  • Regulatory compliance: Helps meet strict data-handling requirements in financial services, healthcare, and government environments.

  • Enhanced customer trust: Hardware-enforced isolation provides stronger security guarantees for tenants and end users.

Supported use cases

  • Secure telco workloads, including 5G Core and DU/CU functions

  • Cloud confidential computing workloads

  • Financial and regulatory data protection

Ubuntu support

Base SGX kernel functionality has been available in Ubuntu since the 22.04 release but some userspace capabilities are still missing. However, users can already use SGX on Ubuntu with several workarounds. The most common approach is using Intel’s official repos, where Intel maintains its own APT repository for the SGX SDK.

There is work-in-progress to add userspace required packages (#2129761) to Ubuntu to make SGX fully Ubuntu native.

Intel® Data Streaming Accelerator (DSA 2.0)

Intel® Data Streaming Accelerator (DSA 2.0) is a dedicated hardware engine that offloads high-volume data movement and transformation operations from the CPU. It accelerates common primitives such as memcpy, memcmp, memset, CRC, and data validation, improving throughput and reducing latency.

DSA is designed for workloads where memory bandwidth and data movement become performance bottlenecks.

Benefits for the user

  • Reduced system bottlenecks: Offloads memory-to-memory operations to dedicated hardware.

  • Predictable low latency: Improves pipeline consistency for data-intensive workloads.

  • Optimized CPU utilization: Frees CPU cores for application logic instead of housekeeping tasks.

Supported use cases

  • Packet processing in telco and cloud infrastructure

  • Storage acceleration for block and file storage

  • Data analytics pipelines

Ubuntu support

Intel DSA 2.0 support is available in Ubuntu 25.10 through newer upstream kernels in 6.14 that include the Intel accelerator framework and idxd driver support. This enables user space frameworks and applications to leverage DSA on supported Intel platforms.

Intel® Analytics Accelerator (IAA 2.0)

Intel® Analytics Accelerator (IAA 2.0) is a built-in hardware accelerator designed to speed up compression, decompression, and database analytic operations. It offloads compute-intensive tasks such as scanning, filtering, and data transformation from the CPU, improving throughput and reducing latency.

IAA is well suited for analytics-driven workloads where performance and efficiency are critical.

Benefits for the user

  • Faster real-time analytics: Accelerates compression, decompression, and pattern matching in database workloads.

  • Lower storage and memory costs: Efficient compression reduces memory footprint and infrastructure overhead.

  • Accelerated insight-to-action: Enables faster query responses for AI inference, fraud detection, and log analytics.

Supported use cases

  • Machine learning inference in cloud and edge environments

  • Database acceleration for analytics workloads

  • HPC workloads requiring vectorized data processing

Ubuntu support

IAA is supported by Ubuntu as of kernel version 5.18, but userspace still requires Intel Query Processing Library that is not available in Ubuntu.

Compute Express Link (CXL 2.0)

Compute Express Link (CXL) 2.0 is a high-speed, low-latency interconnect standard that enables memory expansion and memory pooling across servers. CXL allows CPUs, accelerators, and memory devices to share resources coherently, improving utilization and reducing memory-related bottlenecks.

CXL provides increased architectural flexibility for memory- and accelerator-intensive workloads.

Benefits for the user

  • Greater system flexibility: Add memory or accelerators without full platform upgrades.

  • Higher workload density: Support more VMs, containers, or analytics workloads per system.

  • Improved performance consistency: Reduce memory bottlenecks for large datasets and real-time applications.

Supported use cases

  • Memory pooling for cloud workloads

  • Accelerator offload using GPUs or FPGAs

  • Telco DU and CU workload optimization

Ubuntu support

Intel enabled CXL 2.0 support via upstream Linux kernel 6.9 including memory device discovery, hotplug, and resource management on supported Intel platforms. It will be available in Ubuntu releases with kernel version higher than 6.9, a category which includes Ubuntu 24.04 LTS HWE releases and Ubuntu 26.04 LTS release.

Intel® Advanced Vector Extensions (AVX2)

Intel® Advanced Vector Extensions (AVX2) is a CPU instruction set that accelerates math-intensive and data-parallel workloads using 256-bit vector operations. By processing more data per clock cycle, AVX2 delivers higher throughput and improved energy efficiency.

AVX2 is widely used across AI, analytics, signal processing, and media workloads.

Benefits for the user

  • Accelerated data and signal processing: Improves throughput for AI inference, RAN workloads, and media processing.

  • Higher application efficiency: Executes more work per CPU cycle, reducing processing time.

  • Improved energy efficiency: Fewer CPU cycles are required for the same workload.

Supported use cases

  • HPC and AI workloads

  • Video encoding and scientific simulations

  • Database compression and analytics

Ubuntu support

Ubuntu supports AVX2 on several Intel platforms starting with processors based on the Intel Haswell microarchitecture. Applications can take advantage of AVX2 through modern compilers and optimized libraries available in the Ubuntu ecosystem.

Intel® Trusted Domain Extensions (TDX)

Intel® Trusted Domain Extensions (TDX) is a hardware-based confidential computing technology that isolates virtual machines into secure Trusted Domains (TDs). TDX protects guest workloads from the hypervisor, host OS, and other VMs by encrypting memory and enforcing strong, hardware-level isolation.

TDX is designed for cloud and virtualized environments where workload confidentiality must be preserved in shared, multi-tenant infrastructure.

Benefits for the user

  • Isolated multi-tenant compute: Ensures VM memory and data remain confidential even in shared cloud environments.

  • Secure cloud migration: Enables customers to move sensitive workloads from on-premises environments to the cloud with confidence.

  • Reduced data-breach risk: Hardware-based isolation significantly limits attack surface exposure.

Supported use cases

  • Confidential cloud workloads

  • Secure telco and enterprise virtual machines

  • Financial and healthcare secure workloads

Ubuntu support

Intel TDX will be enabled in Ubuntu 26.04 LTS, including with KVM and QEMU support on Intel platforms that expose TDX capabilities. Meanwhile Ubuntu 25.10 interim release also provides full support.

Integrated Ethernet with SyncE (DPLL Support)

The Digital Phase-Locked Loop (DPLL) driver is a Linux kernel framework that manages hardware timing devices responsible for generating precise, synchronized clock signals. It provides a unified interface for configuring, monitoring, and controlling frequency and phase synchronization across network and telecom hardware.

DPLL support is critical for meeting the stringent timing and synchronization requirements of modern telecom and edge networks.

Benefits for the user

  • Accurate and stable timing: Delivers highly precise timing required for 5G, Open RAN, SyncE, PTP, and other time-sensitive applications.

  • Simplified network management: Provides a unified Linux interface for configuring and monitoring timing hardware across platforms.

  • Improved vendor interoperability: Reduces integration complexity and ensures predictable timing behavior in multi-vendor environments.

Supported use cases

  • 5G and Open RAN timing synchronization

  • Time-Sensitive Networking (TSN)

  • High-precision edge and telecom infrastructure

Ubuntu support

DPLL framework support will be available in Ubuntu 26.04 LTS.

Intel® QuickAssist Technology (QAT) Gen 4

Intel® QuickAssist Technology (QAT) Gen 4 is a hardware accelerator that offloads cryptography, compression, and decompression workloads from the CPU. It delivers high-throughput, low-latency acceleration for TLS, IPsec VPNs, storage compression, and cloud-native security services while reducing CPU utilization.

QAT Gen 4 enables scalable security and data services without consuming valuable CPU cycles.

Benefits for the user

  • Higher service throughput: Accelerates encryption and compression to handle more traffic on the same hardware.

  • Lower total cost of ownership (TCO): Reduces the need for additional servers by offloading CPU-intensive crypto workloads.

  • Improved user experience: Enables faster VPN, SSL/TLS, and secure storage operations.

Supported use cases

  • Secure network tunnels (IPsec VPN, SSL/TLS)

  • High-throughput data compression for storage or cloud services

  • Telco User Plane Function (UPF) packet processing

Ubuntu support

Intel QAT Gen 4 is supported on Ubuntu 24.04 LTS through upstream kernel 6.8 drivers and user space libraries, enabling cryptographic and compression offload on supported Intel platforms.

Intel® QuickAssist Technology (QAT) Gen 5

Intel® QuickAssist Technology (QAT) Gen 5 is the next-generation accelerator for high-throughput cryptography, compression, and decompression offload. It delivers significantly higher performance, lower latency, and improved power efficiency for secure networking, storage, and cloud-native workloads.

QAT Gen 5 provides scalable, hardware-accelerated security for 5G, encrypted traffic processing, and microservices architectures.

Benefits for the user

  • Higher service throughput: Accelerates encrypted traffic without requiring additional CPU cores.

  • Efficient CPU utilization: Frees compute resources for application workloads by offloading crypto and compression.

  • Improved sustainability and power efficiency: Enables more efficient secure infrastructure with fewer servers and lower energy consumption.

Supported use cases

  • Secure network tunnels (IPsec VPN, SSL/TLS)

  • High-throughput data compression for storage or cloud services

  • Telco UPF packet processing

Ubuntu support

Intel QAT Gen 5 support is available in Ubuntu 24.04 LTS via upstream kernel 6.8 enablement and updated user space acceleration frameworks on platforms that expose QAT Gen 5 hardware.

Summary

Ubuntu provides broad, upstream-aligned support for various Intel platforms, hardware security technologies, accelerators, and instruction sets. Together, these capabilities enable secure, scalable, and high-performance platforms for cloud, telco, edge, and enterprise workloads.

Ubuntu empowers operators to harness the full power of the Intel platform by integrating key architectural features:

  • Security: Confidential computing via SGX and TDX.

  • Performance: Data acceleration (DSA/IAA), vectorized compute (AVX2), and crypto-offloading (QAT).

  • Connectivity: High-precision timing (DPLL/SyncE) and scalable memory (CXL).

While these features are enabled in Ubuntu, their performance in a system is not guaranteed. It is recommended that production workloads run in Ubuntu certified systems, which are constantly updated here.

Canonical’s Hardware Certification program provides a rigorous set of certification tests and continuous regression testing on a certified device throughout the Ubuntu release life cycle. This ensures that every user of Intel’s solution gets the best Ubuntu experience. For more information contact Canonical or ask your OEMs about their Ubuntu certification plans.

3 Likes