Linux 6.13 brings some improvements to the Intel TDX (Trust Domain Extensions) code, which provides hardware-based security protections for virtual machines on recent Xeon processors.
The Intel TDX updates for Linux 6.13 refine interactions between TDX guests and the hypervisor / virtual machine monitor (VMM). There are two nice improvements to the Intel TDX code, now expressed via new infrastructure for handling TDX metadata. Unfortunately, the changes can’t be exposed by default due to the behavior of some “pesky other OSes”, which presumably refers to Microsoft Windows, and thus need to be communicated via metadata.
The x86/tdx pull request explains:
“These essentially refine some interactions between TDX guests and VMMs.
The first leverages a new TDX module feature to runtime disable the ability for a VM to inject #VE exceptions. Before this feature, there was only a static on/off switch and the guest had to panic if it was configured in a bad state.
The second lets the guest opt in to be able to access the topology CPUID leaves. Before this, accesses to those leaves would #VE.
For both of these, it would have been nicest to just change the default behavior, but some pesky “other” OSes evidently need to retain the legacy behavior.”
Look for these Intel TDX improvements in Linux 6.13.