Intel Trust Domain Extensions (TDX), the hardware-backed isolation and confidential computing support for virtual machines (VMs) on modern Xeon processors, is about to become more reliable under Linux and potentially faster for some workloads.
Intel TDX guest support has been in the mainline Linux kernel for a while, although improvements continue to arrive via new patch series. Submitted for the current Linux 6.15 kernel but marked for back-porting to the current Linux stable series is a significant bug-fix improvement to the Trust Domain Extensions guest code.
This “bug fix” stops TDX-protected guest VMs from executing the HLT instruction in their halt routines. In a TDX guest, HLT triggers a virtualization exception (#VE) that the kernel then has to handle; the fix avoids that “slow and buggy” code path by routing halts through the kernel’s existing paravirt infrastructure instead, and in doing so is reported to provide a “major performance improvement” for some workloads such as the Java SPECjbb2015 benchmark.
In yesterday’s x86/tdx pull request, Intel Linux engineer Dave Hansen explained:
“Please pull some x86/tdx changes for 6.15-rc1. This is coming during the merge window, but it is really a bug fix.
TDX guests aren’t expected to use the HLT instruction directly. It causes a virtualization exception (#VE). While the #VE _can_ be handled, the current handling is slow and buggy and the easiest thing is just to avoid HLT in the first place. Plus, the kernel already has paravirt infrastructure that makes it relatively painless.
Make TDX guests require paravirt and add some TDX-specific paravirt handlers which avoid HLT in the normal halt routines. Also add a warning in case another HLT sneaks in.
There was a report that this leads to a “major performance improvement” on specjbb2015, probably because of the extra #VE overhead or missed wakeups from the buggy HLT handling.”
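As an added illustration, and not code from the kernel or from the pull request, here is a user-space C model of the paravirt halt dispatch the fix relies on. The pv_ops table and the native_halt, tdx_safe_halt and #VE-handler names mirror the kernel's naming, but every body here is a simulation that only records which path a halt took; the warning counter stands in for the check Hansen mentions for a HLT that sneaks past the hooks. The model assumes, as the pull request states, that HLT raises #VE in a TDX guest and that a TDVMCALL is the supported way to request a halt.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Simulation only (added example, not Linux kernel code). It models how
 * the paravirt indirection in the x86 halt routines lets a TDX guest
 * avoid executing HLT. Nothing here touches hardware; each "halt"
 * just records which path was taken.
 */
enum halt_path {
    HALT_NATIVE,      /* plain HLT, no hypervisor involvement */
    HALT_VE_EMULATED, /* HLT trapped via #VE, then emulated with a TDVMCALL */
    HALT_TDVMCALL,    /* halt requested directly with a TDVMCALL, no #VE */
};

struct halt_stats {
    unsigned long hlt_executed; /* times the raw HLT instruction ran */
    unsigned long ve_taken;     /* #VE exceptions raised by HLT */
    unsigned long tdvmcall;     /* halt hypercalls issued to the host */
    unsigned long warnings;     /* HLT that reached #VE despite the hooks */
};

static struct halt_stats stats;
static bool tdx_guest;          /* stands in for X86_FEATURE_TDX_GUEST */
static bool pv_hooks_installed; /* stands in for the fix being applied */

/* Paravirt hooks that the generic halt routines dispatch through. */
struct pv_irq_ops {
    enum halt_path (*safe_halt)(void); /* STI; HLT */
    enum halt_path (*halt)(void);      /* HLT with interrupts as they are */
};
static struct pv_irq_ops pv_ops;

/* Simulated TDVMCALL: ask the host to halt this vCPU. */
static void tdx_hlt_hypercall(bool irq_disabled)
{
    (void)irq_disabled; /* the real call passes this state to the host */
    stats.tdvmcall++;
}

/* Simulated #VE handler for HLT: the slow path (exception + emulation). */
static enum halt_path ve_handle_halt(bool irq_disabled)
{
    stats.ve_taken++;
    if (pv_hooks_installed) /* after the fix, a HLT landing here is a bug */
        stats.warnings++;
    tdx_hlt_hypercall(irq_disabled);
    return HALT_VE_EMULATED;
}

/* Simulated raw HLT: inside a TDX guest the instruction raises #VE. */
static enum halt_path execute_hlt(bool irq_disabled)
{
    stats.hlt_executed++;
    return tdx_guest ? ve_handle_halt(irq_disabled) : HALT_NATIVE;
}

static enum halt_path native_safe_halt(void) { return execute_hlt(false); }
static enum halt_path native_halt(void)      { return execute_hlt(true); }

/* TDX-specific handlers: skip HLT entirely and use the hypercall. */
static enum halt_path tdx_safe_halt(void) { tdx_hlt_hypercall(false); return HALT_TDVMCALL; }
static enum halt_path tdx_halt(void)      { tdx_hlt_hypercall(true);  return HALT_TDVMCALL; }

/* Generic entry points: they never name HLT themselves. */
static enum halt_path arch_safe_halt(void) { return pv_ops.safe_halt(); }
static enum halt_path arch_halt(void)      { return pv_ops.halt(); }

/* Models guest bring-up, with or without the HLT-avoidance fix. */
void tdx_guest_init(bool with_fix)
{
    stats = (struct halt_stats){0};
    tdx_guest = true;
    pv_hooks_installed = with_fix;
    pv_ops.safe_halt = with_fix ? tdx_safe_halt : native_safe_halt;
    pv_ops.halt      = with_fix ? tdx_halt      : native_halt;
}

/* Runs n idle halts (alternating the two routines) and returns the last path. */
enum halt_path run_idle_loop(bool with_fix, unsigned n)
{
    enum halt_path last = HALT_NATIVE;
    tdx_guest_init(with_fix);
    for (unsigned i = 0; i < n; i++)
        last = (i & 1) ? arch_halt() : arch_safe_halt();
    return last;
}

/* A HLT that bypasses the hooks (say, inline asm); it should trip the warning. */
enum halt_path stray_hlt(void) { return execute_hlt(true); }

struct halt_stats get_halt_stats(void) { return stats; }

int main(void)
{
    run_idle_loop(false, 1000);
    printf("before fix: #VE=%lu tdvmcall=%lu\n", stats.ve_taken, stats.tdvmcall);
    run_idle_loop(true, 1000);
    stray_hlt();
    printf("after fix:  #VE=%lu tdvmcall=%lu warnings=%lu\n",
           stats.ve_taken, stats.tdvmcall, stats.warnings);
    return 0;
}
```

Before the fix every idle halt costs an exception plus the same hypercall; after it the hypercall is issued directly and the only way to reach the #VE path is a HLT that slipped past the hooks, which is exactly the case the added warning is meant to catch.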
Sadly, the pull request only references a “major performance improvement” on SPECjbb without any numbers to quantify the gain, and the patches carry no commentary on other workloads that may have been evaluated.
This Intel TDX improvement, keeping protected guest VMs from executing the HLT instruction in their halt routines, is now pending for Linux 6.15 Git this week and will presumably then appear in the next round of Linux stable point releases shortly thereafter. On the hardware side, TDX was a preview feature with 4th Gen Xeon Scalable “Sapphire Rapids”, reached broad availability with Emerald Rapids, and continues to be a big focus for the latest Xeon 6 processors.