TDX Module

In preparation for the loading process of the Intel TDX Module it needs to be ensured that the platform has been configured correctly. As the platform configuration is the job of the BIOS/UEFI, which is untrusted in TDX and SGX Intel developed a piece of firmware named MCHECK which checks these parameters during the initialization process. The parameters which are checked by MCHECK are for example the configuration of the Convertible Memory Ranges, the configuration of memory encryption or the configuration of the ECC memory. The MCHECK routine is embedded into the microcode of the CPU and therefore signed and encrypted by Intel.

The loading process commences with the execution of the Intel Non-Persistent SEAM Loader (NP-SEAM Loader), an Intel Authenticated Code Module (ACM). ACMs are Intel-signed modules that operate within the processor's internal RAM. The NP-SEAM Loader is authenticated and loaded by the Intel Trusted Execution Technology (TXT) via the GETSEC[ENTERACCS] function.

Inside the NP-SEAM Loader resides the image of the Intel Persistent SEAM Loader (P-SEAM Loader), which is verified and loaded by the NP-SEAM Loader itself. The responsibility of installing or updating the TDX Module lies with the P-SEAM Loader. I want to emphasize that the P-SEAM Loader and the TDX Module are loaded into the SEAM RANGE, a dedicated portion of system memory reserved through UEFI/BIOS. The IA32_SEAMRR_PHYS_BASE and IA32_SEAMRR_PHYS_MASK MSRs specify this range's base address and size. The SEAM RANGE is divided into Module_Range for the TDX Module and P_SEAMLDR_Range for the P-SEAM Loader. Both modules operate in the SEAM VMX root mode and utilize SEAMCALL / SEAMRET instructions to interact with external software.

The NP-SEAM Loader, P-SEAM Loader, and TDX Module are all provided and signed by Intel, establishing a chain of trust to bootstrap the TDX Module. The P-SEAM Loader offers a SEAMCALL interface function named seamldr_install for loading the TDX Module. The TDX Module's image is pre-loaded into a memory buffer (located outside the SEAM RANGE). The buffer's physical addresses and a seam_sigstruct (signature of the TDX Module) are passed as parameters to seamldr_install. The seam_sigstruct contains the hash value and the Security Version Number (SVN) of the TDX Module, as well as the counts of per-Logical Processor (LP) stack pages, per-LP data pages, and global data pages. These values are used by seamldr_install to determine the physical/linear addresses and sizes of various memory regions in the TDX Module.

seamldr_install must be called on all Logical Processors (LPs) serially. When seamldr_install is invoked on the first LP, an installation session commences. On each subsequent LP, seamldr_install checks that the LP is not already in an installation session (initiated by another LP) and clears the LP's VMCS (Virtual Machine Control Structure) cache. Upon calling seamldr_install on the last LP, the following actions are performed:

1. Check the parameters provided to seamldr_install.

2. Verify the signature of the TDX Module.

3. Check the SVN of the to-be-loaded image and compare it with the resident TDX Module.

4. Determine the physical and linear addresses and sizes of various memory regions within the SEAM RANGE, including code, data, stack, page table, sysinfo_table, keyhole, and keyhole-edit.

5. Map the physical addresses of these regions to their corresponding linear addresses.

6. Load the binary image of the TDX Module into the SEAM RANGE, measuring the image and computing/verifying the TDX Module's hash value.

7. Set up the TDX Module's sysinfo_table.

8. Establish SEAM Transfer VMCS on each LP.

9. Record the TDX Module's hash and SVN in the P-SEAM Loader's data region.

In addition to the SEAMCALL used for installing the TDX Module, the P-SEAM Loader provides other interface functions to shut itself down and retrieve the loader's system information.