Securing data at run-time has long been an open security challenge. Whether it is malicious insiders exploiting elevated privileges or attackers exploiting vulnerabilities within the platform's privileged system software, your data's confidentiality and integrity is at risk while it is being processed.
Intel® Trust Domain Extensions (Intel TDX) addresses this critical issue by establishing a solution that runs your workloads within secure, hardware-rooted execution environments. These isolated spaces are purpose-built to safeguard applications and data from unauthorized access or modifications while in use, fortifying security for organizations handling sensitive information.
To leverage these security measures effectively, we rely on Intel's silicon-level features, which are available on specific SKUs of the 4th Gen Intel Xeon processors and on all forthcoming 5th Gen Intel Xeon processors. However, end users can only benefit from these silicon security features if the software stack running on top of the hardware is aware of them.
In the Linux space, this means upstreaming patches before customers can integrate them into their preferred distributions, a process that demands time and effort. Acknowledging the urgency of addressing runtime security vulnerabilities, Ubuntu has partnered with Intel. We now offer Ubuntu users a tailored build derived from Ubuntu 23.10 that includes all the components needed to configure TDX confidential workloads. These Ubuntu builds cover both the host and guest sides, so users can launch a confidential TDX virtual machine with minimal effort.
Intel® TDX introduces new architectural elements to create secure, isolated virtual machines known as trust domains (TDs). The primary goal of Intel® TDX is to safeguard TDs from various potential software threats, including the virtual-machine manager and other non-TD software on the platform. Intel® TDX also enhances TD defence against specific physical access attacks on platform memory, including offline dynamic random access memory (DRAM) analysis such as cold-boot attacks and active attacks on DRAM interfaces.
To achieve this high level of security, Intel® TDX incorporates new CPU security extensions that provide three essential security features:
Memory Isolation through Main Memory Encryption: CPUs equipped with confidential computing capabilities include an AES-128 hardware encryption engine within their memory controller. This engine encrypts and decrypts memory pages whenever there is a memory read or write operation. Instead of storing workload code and data in plain text in system memory, they are encrypted using a hardware-managed encryption key. This encryption and decryption process happens seamlessly within the CPU, ensuring strong memory isolation for confidential workloads.
Additional CPU-Based Hardware Access Control Mechanisms: CPUs with confidential computing capabilities introduce new instructions and data structures that allow auditing of security-sensitive tasks typically carried out by privileged system software. These tasks encompass memory management and access to platform devices. For example, when reading memory pages mapped to confidential workloads, these new instructions also provide information about the last value written into the page. This feature helps prevent data corruption and replay attacks by detecting unauthorised modifications to memory pages.
Remote Attestation: Enables a relying party, whether it is the owner of the workload or a user of the services provided by the workload, to confirm that the workload is running inside a TD on an Intel® TDX-enabled platform before sharing data with it. Remote attestation allows both workload owners and consumers to digitally verify the version of the Trusted Computing Base (TCB) they are relying on to secure their data.
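To show what "verify before sharing data" means in practice, here is an added, simplified model of the relying-party check; it is illustrative code written for this post, not Intel's or Canonical's attestation code. A real Intel TDX flow verifies a hardware-signed quote, whereas this example stands in an HMAC under a constructed shared key for that hardware-rooted signature so it runs offline; the report field names, the policy values and the secret are all assumptions.

```python
"""Simplified remote-attestation check performed by a relying party.

Added illustration, not Intel or Canonical code. An HMAC with a constructed
shared key stands in for the hardware-signed TDX quote; field names are assumed.
"""
import hashlib
import hmac
import json
import os

# Constructed stand-in for the platform's attestation signing key (not a real key).
PLATFORM_KEY = b"constructed-platform-key-not-real"

# Relying-party policy: workload measurements it trusts and the minimum TCB
# version it will accept. Both values are constructed for this example.
TRUSTED_MEASUREMENTS = {hashlib.sha256(b"approved-workload-image-v1").hexdigest()}
MIN_TCB_VERSION = 3


def issue_report(measurement, tcb_version, nonce, key=PLATFORM_KEY):
    """Prover side: build a report bound to the verifier's nonce and sign it."""
    body = {"measurement": measurement, "tcb_version": tcb_version, "nonce": nonce}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_report(report, expected_nonce, key=PLATFORM_KEY):
    """Relying-party side: returns (ok, reason). Data is released only when ok is True."""
    body = report.get("body", {})
    payload = json.dumps(body, sort_keys=True).encode()
    expected_sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # 1. The report must be signed by the platform; reject any tampered body.
    if not hmac.compare_digest(expected_sig, report.get("sig", "")):
        return False, "signature invalid"
    # 2. The report must answer this session's challenge, not an older one.
    if body.get("nonce") != expected_nonce:
        return False, "nonce mismatch (possible replay)"
    # 3. The TCB the workload relies on must meet the relying party's policy.
    if body.get("tcb_version", 0) < MIN_TCB_VERSION:
        return False, "TCB version below policy minimum"
    # 4. The workload itself must be one the relying party recognises.
    if body.get("measurement") not in TRUSTED_MEASUREMENTS:
        return False, "unexpected workload measurement"
    return True, "attested"


def release_secret(report, expected_nonce, secret=b"constructed-secret"):
    """Gate the data release on a successful verification; None means refused."""
    ok, _reason = verify_report(report, expected_nonce)
    return secret if ok else None


if __name__ == "__main__":
    measurement = next(iter(TRUSTED_MEASUREMENTS))
    nonce = os.urandom(16).hex()          # fresh challenge from the relying party
    print(verify_report(issue_report(measurement, 3, nonce), nonce))
    print(verify_report(issue_report(measurement, 2, nonce), nonce))
```

The order of the checks matters: the signature is verified first so that nothing in an unauthenticated report influences the later decisions, and the nonce check is what turns a one-time report into proof about the workload the relying party is talking to right now rather than a replay of an earlier one.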
When you have TDX-capable hardware at your disposal, you are ready to set up the host side using the customised Ubuntu 23.10 build. This specialised build incorporates a 6.5 kernel derived from the 23.10 generic kernel. It also includes the essential user space components, available through PPAs, such as Libvirt 9.6 and QEMU 8.0.
On the guest side, the 23.10 build provides a comprehensive package featuring a 6.5 kernel, Shim, Grub, and TDVF, which serves as the in-guest VM firmware.
Figure 1. End-2-End TDX software stack with Ubuntu
To facilitate building with Ubuntu for Intel® TDX, Canonical offers a set of user-friendly scripts for the customers of its 23.10 TDX custom build. These scripts streamline the process of enabling TDX on both the host and guest sides and simplify the creation of confidential environments with just a few commands. The capability to remotely attest the security of the TDX trusted execution environment is expected to be available in December 2023.
We have made all the setup assets publicly available in our GitHub repository. We encourage everyone to refer to the README file within the repository for straightforward instructions on how to get started.
We are eagerly looking forward to your deployment of the Ubuntu Intel® TDX build and are here to welcome your invaluable feedback and any queries you may have. Get in touch with us to embark on your journey into confidential computing. Your input is crucial as we work together to drive innovation and fortify data security for the future ahead.