TD Partitioning
A common problem with virtual machines for Confidential Computing is that they need to support the new hardware-based extensions. Support for these extensions often takes a while to land upstream and to be included in stable distributions. Customers who run older kernels without support for these new hardware instructions therefore cannot benefit from the security guarantees. Another common problem is the use of emulated devices, since under normal circumstances these devices are emulated by the hypervisor. In a scenario where the hypervisor is not trusted, device emulation by the hypervisor is considered critical.
Intel addresses these problems in TDX 1.5 by introducing TD Partitioning, which is essentially nested virtualization. For this, the kernel of the L1 VM was extended: it needs to route requests from the L2 VM to the TDX Module, handle interrupts in a secure manner, and handle VM exits and the other functionality required for virtualization. To support TDX-enabled L2 VMs, the L1 VMM is also able to partition its memory space and map the aliased memory pages into the L2 SEPT (Secure EPT).
The base TD, which supplies the L1 VMM extended with nested-virtualization support, is able to host 3 nested VMs (L2).
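The memory-partitioning step described above (the L1 VMM carving its private memory into per-L2 partitions and aliasing pages into each L2's SEPT) can be illustrated with a small model. The following is an added example, not code from Intel or the TDX Module; it is a toy in-memory model and does not call any real TDX interface. The names `L1Vmm`, `PartitionError`, the 4 KiB page size, the exclusive-ownership rule between partitions, and the `demo` layout are assumptions chosen for illustration; only the limit of three L2 VMs comes from the text. The invariant it enforces is the one a reviewer would look for: an L2 can only ever be handed pages from its own partition, never another L2's or unowned memory.

```python
"""Toy model of TD Partitioning memory partitioning (added example, not TDX code)."""
from dataclasses import dataclass, field

MAX_L2_VMS = 3      # the text states the base TD can host three L2 VMs
PAGE_SIZE = 4096    # assumption: 4 KiB page frames


class PartitionError(Exception):
    """Raised when a mapping would escape an L2's partition."""


@dataclass
class L1Vmm:
    """Model of the L1 VMM's private memory and its L2 partitions.

    owned      - L1 guest-physical frame numbers the TD owns
    partitions - L2 id -> frames carved out for that L2 (disjoint per L2)
    l2_sept    - L2 id -> {L2 GPA frame: L1 GPA frame}, the aliased mapping
    """
    owned: set[int]
    partitions: dict[int, set[int]] = field(default_factory=dict)
    l2_sept: dict[int, dict[int, int]] = field(default_factory=dict)

    def create_partition(self, l2_id: int, frames: set[int]) -> None:
        """Reserve a disjoint set of owned frames for a new L2 VM."""
        if l2_id in self.partitions:
            raise PartitionError(f"L2 {l2_id} already exists")
        if len(self.partitions) >= MAX_L2_VMS:
            raise PartitionError("L2 VM limit reached")
        if not frames <= self.owned:
            raise PartitionError("frames are not owned by the L1 TD")
        for other, taken in self.partitions.items():
            if frames & taken:
                raise PartitionError(f"frames already assigned to L2 {other}")
        self.partitions[l2_id] = set(frames)
        self.l2_sept[l2_id] = {}

    def map_page(self, l2_id: int, l2_frame: int, l1_frame: int) -> None:
        """Alias one L1 page into the L2's SEPT; refuse anything outside its partition."""
        if l2_id not in self.partitions:
            raise PartitionError(f"unknown L2 {l2_id}")
        if l1_frame not in self.partitions[l2_id]:
            raise PartitionError(f"frame {l1_frame:#x} is outside L2 {l2_id}'s partition")
        sept = self.l2_sept[l2_id]
        if l2_frame in sept:
            raise PartitionError(f"L2 frame {l2_frame:#x} already mapped")
        sept[l2_frame] = l1_frame

    def translate(self, l2_id: int, l2_gpa: int) -> int:
        """Translate an L2 GPA to the aliased L1 GPA through the L2's SEPT."""
        frame, off = divmod(l2_gpa, PAGE_SIZE)
        try:
            return self.l2_sept[l2_id][frame] * PAGE_SIZE + off
        except KeyError:
            raise PartitionError(f"L2 {l2_id} GPA {l2_gpa:#x} is unmapped") from None


def demo() -> dict:
    """Two L2 VMs with disjoint partitions; a cross-partition alias is refused."""
    l1 = L1Vmm(owned=set(range(0x100, 0x200)))          # constructed sample layout
    l1.create_partition(1, set(range(0x100, 0x140)))
    l1.create_partition(2, set(range(0x140, 0x180)))
    l1.map_page(1, l2_frame=0x0, l1_frame=0x100)
    l1.map_page(2, l2_frame=0x0, l1_frame=0x140)
    results = {"l2_1": l1.translate(1, 0x10), "l2_2": l1.translate(2, 0x10)}
    try:
        l1.map_page(1, l2_frame=0x1, l1_frame=0x140)     # L2 2's page, must fail
        results["cross_partition"] = "allowed"
    except PartitionError:
        results["cross_partition"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

Both L2 VMs see their first page at L2 GPA 0 while it is backed by different L1 frames, which is the aliasing the text refers to; the refused mapping shows the check the L1 VMM has to make before touching an L2 SEPT.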