PROJECT NOT UNDER ACTIVE MANAGEMENT
This project will no longer be maintained by Intel.
Intel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project.
Intel no longer accepts patches to this project.
If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project.
Contact: webadmin@linux.intel.com
NOTE: The project is end of life. See more information of TDX Early Preview in Software Availability.
For solutions of Intel TDX Full Disk Encryption and building Trusted Chain for Cloud Native in Confidential Computing Envrionment, please see Unified API for Trusted Execution Environment.
Intel® Trust Domain Extensions(TDX) refers to an Intel technology that extends Virtual Machine Extensions(VMX) and Multi-Key Total Memory Encryption(MK-TME) with a new kind of virtual machine guest called a Trust Domain(TD). A TD runs in a CPU mode that protects the confidentiality of its memory contents and its CPU state from any other software, including the hosting Virtual Machine Monitor (VMM). Please see details at here.
- Azure already launched the
TDX based confidential computing at zone of
DCesv5andECesv5series. - Google published Intel Trust Domain Extensions (TDX) Security Review
- Please contact Intel sales representative for on-premise bare metal server or processor.
NOTE: The project "Linux TDX SW Stack" is end of life. This branch only sustains tools for TDX early preview.
Please refer to Red Hat blog Enabling hardware-backed confidential computing with a CentOS SIG or Ubuntu blog Intel® TDX 1.0 technology preview available on Ubuntu 23.10 or SUSE blog Intel® TDX Support Coming to SUSE Linux Enterprise Server for more information of TDX Early Preview.
The corresponding git repositories are as below.
Use the script start-qemu.sh to start a TD via QEMU.
A simple usage of the script to launch TD would be as follows:
./start-qemu.sh -i <guest image file> -k <guest kernel file>
Or to use the guest's grub bootloader:
./start-qemu.sh -i <guest image file> -b grub
For more advanced configurations, please check the help menu:
./start-qemu.sh -h
Once the TD guest VM is launched, you can verify it is truly TD VM by querying cpuinfo. It's supposed to have tdx_guest flag.
cat /proc/cpuinfo | grep tdx_guest