On Thu, 2023-03-23 at 18:02 +0100, David Hildenbrand wrote: > On 16.03.23 23:37, Huang, Kai wrote: > > On Thu, 2023-03-16 at 13:48 +0100, David Hildenbrand wrote: > > > On 06.03.23 15:13, Kai Huang wrote: > > > > Intel Trust Domain Extensions (TDX) protects guest VMs from malicious > > > > host and certain physical attacks. A CPU-attested software module > > > > called 'the TDX module' runs inside a new isolated memory range as a > > > > trusted hypervisor to manage and run protected VMs. > > > > > > > > Pre-TDX Intel hardware has support for a memory encryption architecture > > > > called MKTME. The memory encryption hardware underpinning MKTME is also > > > > used for Intel TDX. TDX ends up "stealing" some of the physical address > > > > space from the MKTME architecture for crypto-protection to VMs. The > > > > BIOS is responsible for partitioning the "KeyID" space between legacy > > > > MKTME and TDX. The KeyIDs reserved for TDX are called 'TDX private > > > > KeyIDs' or 'TDX KeyIDs' for short. > > > > > > > > TDX doesn't trust the BIOS. During machine boot, TDX verifies the TDX > > > > private KeyIDs are consistently and correctly programmed by the BIOS > > > > across all CPU packages before it enables TDX on any CPU core. A valid > > > > TDX private KeyID range on BSP indicates TDX has been enabled by the > > > > BIOS, otherwise the BIOS is buggy. > > > > > Sorry for the late reply! Not late for me :) Thanks! [...] > > > > > > > > +config INTEL_TDX_HOST > > > > + bool "Intel Trust Domain Extensions (TDX) host support" > > > > + depends on CPU_SUP_INTEL > > > > + depends on X86_64 > > > > + depends on KVM_INTEL > > > > + help > > > > + Intel Trust Domain Extensions (TDX) protects guest VMs from malicious > > > > + host and certain physical attacks. This option enables necessary TDX > > > > + support in host kernel to run protected VMs. > > > > > > s/in host/in the host/ ? > > > > Sure. > > > > > > > > Also, is "protected VMs" the right term to use here? "Encrypted VMs", > > > "Confidential VMs" ... ? > > > > "Encrypted VM" perhaps is not a good choice, because there are more things than > > encryption. I am also OK with "Confidential VMs", but "protected VMs" is also > > used in the KVM series (not upstreamed yet), and also used by s390 by looking at > > the git log. > > > > So both "protected VM" and "confidential VM" work for me. > > > > Not sure anyone else wants to comment? > > I'm fine as long as it's used consistently. "Protected VM" would have > been the one out of the 3 alternatives that I have heard least frequently. > > Yes I'll make sure it is used consistently. Thanks! I am also glad to change to "Confidential VMs" if anyone else believes it is better.
