One of the improvements that Intel software engineers have been working on for the Linux kernel around their Trust Domain Extensions (TDX) functionality for confidential computing VMs is reducing the memory use. That work is under the Dynamic PAMT umbrella and this week brought the latest iteration of patches to help lower RAM use when engaging TDX for confidential VMs.
For those not familiar with the memory waste of using Intel TDX, it was summed up in the patch series for Dynamic PAMT as:
“PAMT Background
===============
The TDX module needs to keep data about each physical page it uses. It requires the kernel to give it memory to use for this purpose, called PAMT. Internally it wants space for metadata for each page *and* each page size. That is, if a page is mapped at 2MB in a TD, it doesn’t spread this tracking across the allocations it uses for 4KB page size usage of the same physical memory. It is designed to use a separate allocation for this. So each memory region that the TDX module could use (aka TDMRs) has three of these PAMT allocations. They are all allocated during the global TDX initialization, regardless of if the memory is actually getting used for a TD. It uses up approximately 0.4% of system memory.
Dynamic PAMT (DPAMT)
====================
Fortunately, only using physical memory for areas of an address space that are actually in use is a familiar problem in system engineering, with a well trodden solution: page tables. It would be great if TDX could do something like that for PAMT. This is basically the idea for Dynamic PAMT.”
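To make the static-versus-dynamic trade-off concrete, here is a small accounting model written for this article; it is not code from the Dynamic PAMT patch series or the TDX module. It assumes the three TDX page sizes (4KB, 2MB, 1GB), a constructed 16-byte PAMT entry per page (chosen because it reproduces the roughly 0.4% figure quoted above, not because it is the real entry size), and a simplified on-demand scheme in which the coarse 2MB and 1GB PAMT levels stay static while the large 4KB level is allocated one chunk per 2MB region only when a TD actually touches that region. The TDMR layout, the chunk granularity and the `touch`/`release` operations are all assumptions of the model.

```python
from dataclasses import dataclass

# The three page sizes the TDX module tracks metadata for.
PAGE_4K = 4096
PAGE_2M = 2 << 20
PAGE_1G = 1 << 30
PAGE_SIZES = (PAGE_4K, PAGE_2M, PAGE_1G)

# Constructed assumption: bytes of PAMT metadata per tracked page.
# 16 / 4096 = 0.39%, which matches the "approximately 0.4%" quoted above.
PAMT_ENTRY_BYTES = 16


@dataclass(frozen=True)
class Tdmr:
    """One TDX memory region (TDMR); modeled as 1GB-aligned for simplicity."""
    base: int
    size: int

    def __post_init__(self):
        assert self.base % PAGE_1G == 0 and self.size % PAGE_1G == 0, "model assumes 1GB-aligned TDMRs"

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


def static_pamt_bytes(tdmrs, entry_bytes=PAMT_ENTRY_BYTES):
    """Classic PAMT: three allocations per TDMR, sized for every page at every
    page size, all reserved at TDX init whether or not a TD ever uses them."""
    return sum((t.size // ps) * entry_bytes for t in tdmrs for ps in PAGE_SIZES)


def overhead_fraction(pamt_bytes, tdmrs):
    """PAMT bytes as a fraction of the memory the TDMRs cover."""
    return pamt_bytes / sum(t.size for t in tdmrs)


class DynamicPamt:
    """Page-table-style PAMT model: the small 2MB/1GB levels stay static,
    the large 4KB level is allocated per 2MB region on first use."""

    def __init__(self, tdmrs, entry_bytes=PAMT_ENTRY_BYTES):
        self.tdmrs = list(tdmrs)
        self.entry_bytes = entry_bytes
        self.static_bytes = sum(
            (t.size // ps) * entry_bytes for t in self.tdmrs for ps in (PAGE_2M, PAGE_1G)
        )
        # 4KB-level chunks keyed by the 2MB-aligned region they describe.
        self.leaf_chunks = {}

    def _check_in_tdmr(self, addr):
        if not any(t.contains(addr) for t in self.tdmrs):
            raise ValueError(f"address {addr:#x} is outside every TDMR")

    def _regions(self, addr, length):
        first = addr & ~(PAGE_2M - 1)
        last = (addr + length - 1) & ~(PAGE_2M - 1)
        return range(first, last + 1, PAGE_2M)

    def touch(self, addr, length):
        """A TD maps [addr, addr+length); allocate 4KB-level PAMT for every
        2MB region it covers that has none yet. Returns chunks newly allocated."""
        self._check_in_tdmr(addr)
        self._check_in_tdmr(addr + length - 1)
        chunk_bytes = (PAGE_2M // PAGE_4K) * self.entry_bytes
        added = 0
        for region in self._regions(addr, length):
            if region not in self.leaf_chunks:
                self.leaf_chunks[region] = chunk_bytes
                added += 1
        return added

    def release(self, addr, length):
        """The TD that used [addr, addr+length) is torn down; give the
        4KB-level chunks for those regions back. Returns chunks freed."""
        freed = 0
        for region in self._regions(addr, length):
            if self.leaf_chunks.pop(region, None) is not None:
                freed += 1
        return freed

    def total_bytes(self):
        return self.static_bytes + sum(self.leaf_chunks.values())


if __name__ == "__main__":
    # Constructed example: a single 4GB TDMR at physical address 0.
    tdmrs = [Tdmr(base=0, size=4 << 30)]
    static = static_pamt_bytes(tdmrs)
    print(f"static PAMT: {static} bytes ({overhead_fraction(static, tdmrs):.2%} of memory)")
    dyn = DynamicPamt(tdmrs)
    dyn.touch(0x10000000, 4 << 20)  # one small TD touches 4MB
    print(f"dynamic PAMT after one 4MB TD: {dyn.total_bytes()} bytes")
```

Running the script shows the point of the series: the static model reserves about 16MB of PAMT for a 4GB TDMR at init, while the dynamic model starts at a few tens of kilobytes for the coarse levels and grows only by one 8KB chunk per 2MB region a TD actually uses, shrinking again when that TD is torn down.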
While that is currently less than 1% memory overhead, modern Intel Xeon servers typically have hundreds of gigabytes of memory or even more than a terabyte, so it adds up, especially with today’s RAM costs and shortages.
Sent out on Thursday were the v4 patches for Dynamic PAMT. The cover letter was upfront in acknowledging that the patches likely aren’t quite ready for merging yet, but that another round of review would be appreciated.
Those with modern Intel Xeon processors supporting and using TDX for confidential computing with VMs can try out the latest work via the patch series.
