Intel introduced Total Memory Encryption (TME) with its 11th Generation Core vPro mobile processor, aiming to safeguard against attackers who gain physical access to a computer's memory to steal data. TME secures the entire computer's memory using a single transient key generated during the boot process through a combination of hardware-based random number generators and security measures integrated into the system's chipset. The memory encryption is executed by dedicated encryption engines on each memory controller, utilizing the NIST standard AES-XTS algorithm with 128-bit or 256-bit keys.
Multi-key Total Memory Encryption (MKTME)
MKTME is an extension of TME that supports multiple keys and memory encryption at the granularity of pages. During each memory transaction, MKTME selects an encryption key based on the Host Key Identifier (HKID), which occupies a configurable number of bits from the top of the physical address. The range of HKIDs is determined during system boot by the BIOS. MKTME allows for software-provided keys and introduces a new instruction, PCONFIG, to program the key and encryption mode associated with a specific HKID. These HKID-key tuples are stored in the Key Encryption Table (KET), securely held by each MKTME encryption engine. The cryptographic keys in the KET remain within the processor and are never exposed to software.
MKTME is applicable in both native and virtualized environments. In virtualized setups, hypervisors manage memory encryption for different virtual machines (VMs) by associating HKIDs with the physical addresses of the VMs through Extended Page Table (EPT) mechanisms.
With TDX
In confidential computing, trusting the hypervisor to control memory encryption in virtualized environments is no longer acceptable due to the new threat model. As a result, the responsibility for controlling memory encryption for Trusted Domains (TDs) in TDX falls to the TDX Module. The HKID space is partitioned into private HKIDs and shared HKIDs. The private HKIDs are exclusively used for encrypting the private memory of TDs. Despite this shift in responsibility, TDX still leverages MKTME to protect the memory of TDs.
TDX utilizes MKTME for encrypting the private memory and metadata of TDs. MKTME performs transparent memory encryption and decryption for data flowing through the memory controller. The TDX Module programs the cryptographic keys MKTME uses to encrypt specific cache lines when written to memory. These keys are associated with HKIDs embedded in the physical addresses. MKTME decodes the HKIDs and employs the corresponding cryptographic keys to execute the encryption operations. The cryptographic keys are securely stored in MKTME's internal memory, ensuring they remain isolated from external access. Only their respective HKIDs can reference these keys.
When constructing a new TD, the hypervisor selects an unused private HKID, and the TDX Module requests the processor to generate a new cryptographic key associated with this HKID. This key is then bound to the TD, ensuring that each TD's memory is encrypted with a unique cryptographic key. MKTME encrypts memory at the granularity of cache lines using AES-128 XTS cryptography. Each cache line in the main memory is associated with metadata that encodes its affiliation with secure memory (indicated by the TD Owner bit) and, optionally, a Message Authentication Code (MAC) for integrity and authentication verification. This encryption capability helps protect against specific physical attacks, such as cold boot attacks.
TDX incorporates two distinct mechanisms for ensuring memory integrity: Logical Integrity (Li) and Cryptographic Integrity (Ci). Li primarily guards against software-level attacks by preventing unauthorized encryption and reads of secure memory. It restricts the use of private HKIDs and access to secure memory, ensuring that only processes running in SEAM mode can perform encryption with private HKIDs and read cache lines with the TD Owner bit set to 1. However, Li does not prevent adversaries with direct access to the main memory from tampering with the content of cache lines and TD Owner bits, thereby creating a potential for rollbacks of individual cache lines. In contrast, Ci serves as an advanced mechanism addressing the limitations of Li by detecting malicious direct memory writes or bit flips, preventing adversaries with physical access to the main memory from tampering with the memory content.