As cyber threats keep evolving, businesses and organizations keep looking for new ways to protect themselves and their sensitive data from malicious attacks.
One solution that’s been making waves in the tech industry is Intel Trust Domain Extensions (TDX), which provides hardware-based isolation, confidentiality, and integrity at the virtual machine (VM) level.
Recently, Canonical, the company behind the Ubuntu Linux distribution, announced a technology preview of Intel TDX for Ubuntu 23.10. The preview ships a Linux 6.5 kernel patched with the necessary TDX bits, plus patched user-space components, a modified QEMU 8.0 and Libvirt 9.6, that know how to build and launch a VM as a trust domain.
What makes TDX distinctive is that it adds new architectural elements to create hardware-isolated virtual machines called trust domains (TDs). A TD is protected from a broad range of software threats, including the virtual machine monitor (VMM, i.e. the hypervisor) itself and any other non-TD software running on the platform.
TDX also hardens TDs against certain physical attacks on platform memory, such as offline analysis of dynamic random access memory (DRAM), including cold-boot attacks, and active attacks on the DRAM interface.
The primary goal of Intel TDX is to keep the data inside a TD out of reach of anything that could compromise it. Two mechanisms work together here: the TDX module, which runs in the new Secure Arbitration Mode (SEAM) and enforces the isolation of each TD's memory from the VMM and other TDs, and main-memory encryption, which protects the contents of that memory with a key private to the TD.
CPUs with these confidential computing capabilities include a hardware encryption engine in the memory controller that encrypts and decrypts memory pages on every read and write. The per-TD key is generated by the hardware and is never exposed to host software, so a workload's memory is stored as ciphertext rather than plaintext, and neither the hypervisor nor an attacker with access to the DRAM modules can simply read it.
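A practitioner's first question on a TDX-enabled system is whether the machine is actually a TDX host and whether a given VM is actually running as a TD. The following script is an added example, not part of the Canonical preview or of Intel's tooling; it classifies a Linux system from two kernel-exposed signals: the `tdx_guest` flag in `/proc/cpuinfo`, which a TD guest kernel sets, and the `tdx` module parameter of `kvm_intel`, which a host kernel exposes when TDX is enabled in KVM. The exact file paths and strings are the ones in the upstream kernel at the time of writing and are stated here as assumptions that may differ between patched kernels; the sample inputs are constructed so the script runs offline anywhere.

```shell
#!/bin/sh
# Added example (not Canonical's or Intel's code): decide whether a Linux
# system is a TDX host, a TDX guest (trust domain), or neither, from the
# same two signals a practitioner would check by hand.

# tdx_role CPUINFO KVM_TDX_PARAM
#   CPUINFO        path to a /proc/cpuinfo-style file
#   KVM_TDX_PARAM  path to kvm_intel's "tdx" module parameter
#                  (/sys/module/kvm_intel/parameters/tdx on a real host)
# Prints exactly one of: guest, host, none.  Returns 1 for none.
tdx_role() {
    cpuinfo=$1
    kvm_param=$2

    # A TD guest kernel reports the tdx_guest CPU feature flag
    # (X86_FEATURE_TDX_GUEST).  -w avoids matching longer tokens.
    if grep -qw 'tdx_guest' "$cpuinfo" 2>/dev/null; then
        echo guest
        return 0
    fi

    # A host has TDX enabled in KVM when the kvm_intel "tdx" parameter
    # reads Y (or 1); a missing file means the module lacks TDX support.
    if [ -r "$kvm_param" ]; then
        case "$(cat "$kvm_param")" in
            Y|y|1) echo host; return 0 ;;
        esac
    fi

    echo none
    return 1
}

# Constructed sample inputs (assumed flag layout, not captured from real hardware)
# so the script can be run and read on any machine.
tmp=$(mktemp -d)
printf 'flags\t\t: fpu vme de pse tsc msr sse sse2 ht tdx_guest\n' > "$tmp/guest_cpuinfo"
printf 'flags\t\t: fpu vme de pse tsc msr sse sse2 ht vmx\n'       > "$tmp/host_cpuinfo"
printf 'Y\n' > "$tmp/kvm_tdx_on"
printf 'N\n' > "$tmp/kvm_tdx_off"

echo "constructed guest: $(tdx_role "$tmp/guest_cpuinfo" /nonexistent)"
echo "constructed host:  $(tdx_role "$tmp/host_cpuinfo" "$tmp/kvm_tdx_on")"
echo "constructed none:  $(tdx_role "$tmp/host_cpuinfo" "$tmp/kvm_tdx_off")"
echo "this machine:      $(tdx_role /proc/cpuinfo /sys/module/kvm_intel/parameters/tdx)"
rm -rf "$tmp"
```

Inside a TD guest the kernel log is a second, independent signal: `dmesg | grep 'Memory Encryption Features active'` should show `Intel TDX`. Keep the caveat in mind, though: both signals are reported by the guest kernel, and a guest kernel booted by a hostile hypervisor as an ordinary VM is simply told the truth (no flag, no log line). Whether a workload is really inside a TD can only be proven to a remote party by TDX attestation, not by any local check.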
TDX first appeared with the 4th Gen Intel Xeon Scalable "Sapphire Rapids" processors, but there it was enabled only for select cloud service providers and hyperscalers. With the upcoming 5th Gen "Emerald Rapids" generation, broader TDX availability across the Xeon Scalable product stack is expected.
By Ubuntu 24.04 LTS, the TDX support is expected to be integrated into Ubuntu proper for that long-term support release. The threat this addresses is to data in use: data that must be decrypted in memory while a workload runs, where a compromised hypervisor, host operating system or co-tenant on the same machine can reach it.
With Intel TDX, organizations can operate within hardware-protected trusted execution environments, which are purpose-built to prevent unauthorized access or alterations to applications and data while they are actively in use.
By partnering with Intel to offer a custom build derived from Ubuntu 23.10, Canonical is empowering users to launch a confidential TDX virtual machine seamlessly, providing a valuable tool to help businesses and organizations protect their sensitive data from malicious attacks.