TDX Architecture Introduction
This slide provides an overview of Intel TDX, which I presented to my colleagues. It delves into the general architecture of Intel TDX and highlights its capability to ensure confidentiality and ...
Basic idea to implement private pages Because the shared EPT is the same as the existing EPT, the existing logic can be reused for it. The secure EPT, on the other hand, requires additional operations inst...
EPT violation exit and handle KVM's page-fault handling path is as follows: __vmx_handle_exit -> handle_ept_violation -> __vmx_handle_ept_violation -> kvm_mmu_page_fault ->...
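The two excerpts above describe the same mechanism from two sides: a TD has a shared EPT that KVM manages like any ordinary EPT, and a secure EPT that KVM cannot write directly but must change through the TDX module, with an EPT violation exit being the point where a missing mapping gets populated. The following C model is an added example written for this page; it is not KVM or TDX-module code. The structures (`td_vm`, `ept`), the flat one-level "page table", the toy page allocator and the function `tdx_module_add_private_page` (standing in for the SEAMCALL that adds a private page) are all constructed for illustration. The only TDX fact it relies on is that the top GPA bit (bit 47 with a 48-bit GPA width) selects shared versus private.

```c
/* Added example: toy model of EPT violation handling for a TD with a
 * shared EPT and a secure EPT. Not KVM or TDX-module code; all names
 * and structures here are constructed for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SHIFT      12
#define PAGE_SIZE       (1ULL << PAGE_SHIFT)
#define NR_PAGES        16                 /* toy guest: 16 pages of GPA space */
#define GPA_SHARED_BIT  47                 /* TDX shared bit with 48-bit GPA width */
#define GPA_SHARED_MASK (1ULL << GPA_SHARED_BIT)

/* Flat one-level "EPT": index = guest page frame, value = host PFN, 0 = unmapped */
struct ept { uint64_t pte[NR_PAGES]; };

struct td_vm {
    struct ept shared_ept;   /* VMM writes entries directly, like a normal EPT */
    struct ept secure_ept;   /* VMM may only change this through the TDX module */
    uint64_t next_hpfn;      /* toy host page allocator (constructed) */
    unsigned seamcalls;      /* how many times the module path was taken */
};

static bool gpa_is_shared(uint64_t gpa) { return (gpa & GPA_SHARED_MASK) != 0; }
static uint64_t gpa_to_gfn(uint64_t gpa) { return (gpa & ~GPA_SHARED_MASK) >> PAGE_SHIFT; }

/* Stand-in for the SEAMCALL that adds a private page to the secure EPT.
 * In this model it is the only function allowed to write secure_ept. */
static int tdx_module_add_private_page(struct td_vm *vm, uint64_t gfn, uint64_t hpfn)
{
    if (gfn >= NR_PAGES) return -1;
    if (vm->secure_ept.pte[gfn] != 0) return -1;   /* refuse to map a present entry twice */
    vm->secure_ept.pte[gfn] = hpfn;
    vm->seamcalls++;
    return 0;
}

/* GPA -> HPA through the EPT selected by the shared bit; 0 means EPT violation */
uint64_t ept_translate(const struct td_vm *vm, uint64_t gpa)
{
    uint64_t gfn = gpa_to_gfn(gpa);
    if (gfn >= NR_PAGES) return 0;
    const struct ept *t = gpa_is_shared(gpa) ? &vm->shared_ept : &vm->secure_ept;
    uint64_t hpfn = t->pte[gfn];
    return hpfn ? ((hpfn << PAGE_SHIFT) | (gpa & (PAGE_SIZE - 1))) : 0;
}

/* The violation handler: lazily back the faulting page.
 * Shared GPA: reuse the ordinary EPT logic (write the entry ourselves).
 * Private GPA: go through the module, since the VMM cannot touch the secure EPT. */
int handle_ept_violation(struct td_vm *vm, uint64_t gpa)
{
    uint64_t gfn = gpa_to_gfn(gpa);
    if (gfn >= NR_PAGES) return -1;
    uint64_t hpfn = vm->next_hpfn++;
    if (gpa_is_shared(gpa)) {
        vm->shared_ept.pte[gfn] = hpfn;
        return 0;
    }
    return tdx_module_add_private_page(vm, gfn, hpfn);
}

/* Guest access model: translate, handle a violation if needed, retry once */
uint64_t guest_access(struct td_vm *vm, uint64_t gpa)
{
    uint64_t hpa = ept_translate(vm, gpa);
    if (hpa == 0) {
        if (handle_ept_violation(vm, gpa) != 0) return 0;
        hpa = ept_translate(vm, gpa);
    }
    return hpa;
}

void td_vm_init(struct td_vm *vm)
{
    memset(vm, 0, sizeof *vm);
    vm->next_hpfn = 0x100;   /* start above 0 so "0" can mean unmapped */
}

int main(void)
{
    struct td_vm vm;
    td_vm_init(&vm);
    uint64_t priv = 0x3000, shared = GPA_SHARED_MASK | 0x3000;
    printf("private  gpa %#llx -> hpa %#llx (seamcalls=%u)\n",
           (unsigned long long)priv, (unsigned long long)guest_access(&vm, priv), vm.seamcalls);
    printf("shared   gpa %#llx -> hpa %#llx (seamcalls=%u)\n",
           (unsigned long long)shared, (unsigned long long)guest_access(&vm, shared), vm.seamcalls);
    return 0;
}
```

Note that the private and shared aliases of the same guest frame resolve to different host pages: they live in different tables and are populated by different paths, which is exactly why the shared side can keep the existing KVM logic while the private side cannot.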
QEMU side memory management The MemoryRegion is the link between guest physical address space and the RAMBlocks containing the memory. Each MemoryRegion has the ram_addr_t offset of the RAMBlo...
Shadow Page Table (SPT) Before TDP was introduced, shadow paging was used to translate GPA to HPA. The KVM module uses a unified concept to abstract the structure managing this tr...
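To make the idea behind shadow paging concrete, here is an added C example (written for this page, not KVM code): the hypervisor walks the guest's own page table (GVA to GPA) and the host's GPA-to-HPA map, and composes them into a shadow table that maps GVA directly to HPA, which is what the hardware is actually pointed at. The flat one-level tables and the names `guest_pt`, `host_map`, `shadow_build` and `shadow_translate` are constructed for illustration; the point is the composition and the fact that any guest page-table change invalidates the shadow and forces a resync.

```c
/* Added example: toy shadow page table built by composing the guest's
 * GVA->GPA table with the host's GPA->HPA map. Not KVM code; all names
 * and the flat one-level layout are constructed for illustration. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define NR_GVPAGES 8    /* toy guest virtual space: 8 pages */
#define NR_GPAGES  8    /* toy guest physical space: 8 pages */

/* Guest-owned table: guest virtual frame -> guest frame (0 = not present) */
struct guest_pt { uint64_t gfn_of[NR_GVPAGES]; };
/* Host-owned map: guest frame -> host frame (0 = not backed) */
struct host_map { uint64_t hpfn_of[NR_GPAGES]; };
/* Shadow table: guest virtual frame -> host frame, what the CPU would walk */
struct shadow_pt { uint64_t hpfn_of[NR_GVPAGES]; unsigned generation; };

/* Rebuild the shadow from scratch; returns how many entries are present.
 * A guest entry that points at a GPA the host has not backed is left
 * unmapped, so the guest takes a fault the hypervisor can then resolve. */
unsigned shadow_build(struct shadow_pt *sh, const struct guest_pt *gpt, const struct host_map *hm)
{
    unsigned present = 0;
    memset(sh->hpfn_of, 0, sizeof sh->hpfn_of);
    for (unsigned gvfn = 0; gvfn < NR_GVPAGES; gvfn++) {
        uint64_t gfn = gpt->gfn_of[gvfn];
        if (gfn == 0 || gfn >= NR_GPAGES) continue;       /* guest says not present */
        uint64_t hpfn = hm->hpfn_of[gfn];
        if (hpfn == 0) continue;                           /* host has not backed it */
        sh->hpfn_of[gvfn] = hpfn;
        present++;
    }
    sh->generation++;
    return present;
}

/* Single-level lookup the way the CPU would do it: GVA -> HPA, 0 = fault */
uint64_t shadow_translate(const struct shadow_pt *sh, uint64_t gva)
{
    uint64_t gvfn = gva >> PAGE_SHIFT;
    if (gvfn >= NR_GVPAGES) return 0;
    uint64_t hpfn = sh->hpfn_of[gvfn];
    return hpfn ? ((hpfn << PAGE_SHIFT) | (gva & (PAGE_SIZE - 1))) : 0;
}

/* The guest updates its own page table. Under shadow paging the hypervisor
 * must notice this (write-protecting the guest tables is the usual way) and
 * resync; here the caller does so explicitly with shadow_build. */
void guest_map(struct guest_pt *gpt, unsigned gvfn, uint64_t gfn)
{
    if (gvfn < NR_GVPAGES) gpt->gfn_of[gvfn] = gfn;
}

int main(void)
{
    struct guest_pt gpt = {0};
    struct host_map hm = {0};
    struct shadow_pt sh = {0};

    hm.hpfn_of[5] = 0x200;          /* host backs guest frame 5 */
    guest_map(&gpt, 2, 5);          /* guest maps virtual page 2 -> guest frame 5 */
    printf("present=%u gva 0x2010 -> hpa %#llx\n", shadow_build(&sh, &gpt, &hm),
           (unsigned long long)shadow_translate(&sh, 0x2010));

    guest_map(&gpt, 2, 6);          /* guest remaps page 2 -> frame 6, which host has not backed */
    printf("present=%u gva 0x2010 -> hpa %#llx\n", shadow_build(&sh, &gpt, &hm),
           (unsigned long long)shadow_translate(&sh, 0x2010));
    return 0;
}
```

The cost that motivated TDP is visible in `shadow_build`: every guest page-table write potentially invalidates shadow entries, so the hypervisor has to intercept those writes and resync, whereas with EPT the hardware walks the two tables itself.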
TD Boot Memory Setup (TDH.MEM.SEPT.ADD-TDH.MR.EXTEND) In the previous postings, we built the metadata required for launching a TD VM, such as the TDR, the TDCS and the VMCS of each VCPU. However, to actually run cod...
Deep dive into TD VCPU creation (TDH_VP_CREATE-TDH_VP_INIT) Instantiating TD VCPU Once the VM has been initialized (but not yet finalized), it can create VCPUs assigned to the ...
Deep dive into TD-VM creation (TDH_MNG_CREATE SEAMCALL-TDH_MNG_INIT) This article follows the steps described in this figure. Refer back to it when you want to see which part...
In previous posts, I discussed the initialization of the TDX module using TDH_SYS_INIT SEAMCALL. As depicted in the image below, several additional configuration steps are necessary for the TDX m...
Initialize TDX module The TDX module requires a few initialization steps before it can start serving as the intermediary between TDs and the VMM. To this end, multiple SEAMCALLs must be invoked, as shown i...