VT

Intel Virtualization Technology (VT)

Intel introduced VT-x in 2005 with two Pentium 4 models (662 and 672), the first processors to support it. VT-x is a set of hardware-assisted virtualization features in Intel processors that improve the performance, isolation, and security of virtual machines compared with purely software-based virtualization. The VT portfolio covers CPU, memory, and I/O virtualization.

Processors with VT-x add an instruction set called Virtual Machine Extensions (VMX) for controlling virtualization. The hypervisor runs in VMX root mode and guest VMs in VMX non-root mode; two new transitions, VM entry and VM exit, move control between them. The Virtual Machine Control Structure (VMCS) is the data structure that holds the guest-state and host-state areas plus the execution controls that decide which guest events cause a VM exit; the processor saves and loads state from it on each transition. VT-x also provides Extended Page Tables (EPT) to implement Second Level Address Translation (SLAT): each guest kernel maintains its own page tables, translating Guest Virtual Addresses (GVA) to Guest Physical Addresses (GPA), while the hypervisor manages the EPT, which maps GPA to Host Physical Address (HPA). An access that the guest's page tables permit but the EPT does not causes an EPT violation, which is itself a VM exit, so the hypervisor keeps the final say over what physical memory a guest can touch.
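As an added illustration (not code from the original page or from Intel), the following C program models the two-stage walk just described with single-level tables: the guest's page table decides GVA to GPA and raises a guest page fault on failure, the EPT decides GPA to HPA and raises an EPT violation that would exit to the hypervisor. The page numbers, permissions and the single-level simplification are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of two-stage (SLAT) translation.  Each stage is a single-level
 * table of NPAGES entries: stage 1 is the guest kernel's page table
 * (GVA -> GPA), stage 2 the EPT owned by the hypervisor (GPA -> HPA).  Real
 * hardware walks multi-level trees and also translates the guest's own
 * page-table pages through the EPT; both details are omitted here. */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     16

#define PERM_R  1u
#define PERM_W  2u
#define PERM_X  4u
#define PRESENT 8u

typedef struct {
    uint64_t frame;   /* page frame number in the next address space */
    unsigned perms;   /* PRESENT | PERM_* */
} pte_t;

enum walk_status {
    WALK_OK,            /* translation produced an HPA */
    GUEST_PAGE_FAULT,   /* stage 1 failed: #PF delivered to the guest, no VM exit */
    EPT_VIOLATION       /* stage 2 failed: VM exit to the hypervisor */
};

static int entry_allows(const pte_t *e, unsigned access)
{
    return (e->perms & PRESENT) && (e->perms & access) == access;
}

/* Translate one access; on WALK_OK the host physical address is stored in
 * *hpa_out.  `access` is the mask of PERM_* bits the access requires. */
enum walk_status translate(const pte_t *guest_pt, const pte_t *ept,
                           uint64_t gva, unsigned access, uint64_t *hpa_out)
{
    uint64_t off = gva & (PAGE_SIZE - 1);
    uint64_t vpn = gva >> PAGE_SHIFT;
    uint64_t gpa, gpn;

    /* Stage 1: guest-controlled, checked against the guest's own permissions */
    if (vpn >= NPAGES || !entry_allows(&guest_pt[vpn], access))
        return GUEST_PAGE_FAULT;
    gpa = (guest_pt[vpn].frame << PAGE_SHIFT) | off;

    /* Stage 2: hypervisor-controlled; the guest can neither see nor bypass it */
    gpn = gpa >> PAGE_SHIFT;
    if (gpn >= NPAGES || !entry_allows(&ept[gpn], access))
        return EPT_VIOLATION;
    *hpa_out = (ept[gpn].frame << PAGE_SHIFT) | off;
    return WALK_OK;
}

/* Constructed sample tables; the mappings are invented for this example. */
pte_t sample_guest_pt[NPAGES];
pte_t sample_ept[NPAGES];

void setup_sample_tables(void)
{
    memset(sample_guest_pt, 0, sizeof sample_guest_pt);
    memset(sample_ept, 0, sizeof sample_ept);

    /* Guest kernel: GVA pages 3 and 4 -> GPA pages 5 and 7, RWX from its view */
    sample_guest_pt[3].frame = 5;
    sample_guest_pt[3].perms = PRESENT | PERM_R | PERM_W | PERM_X;
    sample_guest_pt[4].frame = 7;
    sample_guest_pt[4].perms = PRESENT | PERM_R | PERM_W | PERM_X;

    /* Hypervisor: GPA page 5 -> HPA page 9, write-protected (as for dirty
     * tracking or copy-on-write); GPA page 7 not backed yet (lazy allocation). */
    sample_ept[5].frame = 9;
    sample_ept[5].perms = PRESENT | PERM_R | PERM_X;
}

int main(void)
{
    static const char *names[] = { "OK", "guest #PF", "EPT violation" };
    uint64_t hpa = 0;
    enum walk_status s;

    setup_sample_tables();
    s = translate(sample_guest_pt, sample_ept, 0x3040, PERM_R, &hpa);
    printf("read  GVA 0x3040: %s, HPA 0x%llx\n", names[s], (unsigned long long)hpa);
    s = translate(sample_guest_pt, sample_ept, 0x3040, PERM_W, &hpa);
    printf("write GVA 0x3040: %s (guest allows W, EPT does not)\n", names[s]);
    s = translate(sample_guest_pt, sample_ept, 0x4010, PERM_R, &hpa);
    printf("read  GVA 0x4010: %s (GPA page 7 not in EPT)\n", names[s]);
    s = translate(sample_guest_pt, sample_ept, 0x5000, PERM_R, &hpa);
    printf("read  GVA 0x5000: %s (not in guest page table)\n", names[s]);
    return 0;
}
```

The point to notice is the second case: the guest kernel believes it has write access to GVA 0x3040, yet the write never reaches memory because the hypervisor's EPT entry lacks the write bit, and the resulting EPT violation hands control to the hypervisor rather than to the guest's own fault handler.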

For I/O, a VM can use software-based or hardware-based device models. Software-based models are emulated devices and para-virtualized devices; hardware-based models are direct device assignment, Single Root I/O Virtualization (SR-IOV) devices, and Scalable I/O Virtualization (S-IOV) devices. Intel VT for Directed I/O (VT-d) provides the isolation and access control that the hardware-based models need: it supports I/O device assignment, DMA remapping, interrupt remapping, and interrupt posting. DMA remapping confines a device's DMA to the memory of the VM it is assigned to, so neither a compromised guest driver nor a misbehaving device can use DMA to reach other VMs or the hypervisor; this is what makes direct device access both fast and safe in a virtualized environment.

With TDX

TDX, a VM-based Trusted Execution Environment (TEE), uses VT to isolate Trust Domains (TDs) from each other. Because the hypervisor is no longer trusted in this threat model, TD management is moved into the TDX Module, which runs in a new processor mode, Secure Arbitration Mode (SEAM), that protects the TDX Module and the TDs from the hypervisor. TDX still uses EPT for GPA-to-HPA translation, but each TD has two EPTs: a Secure EPT, managed by the TDX Module, for private memory, and a shared EPT, managed by the untrusted hypervisor, for shared memory that is not protected by the TD's private key. A bit in the GPA (the shared bit) selects which of the two is used for a given access.

When TDX is enabled, physical memory is divided into two parts: normal and secure. Sensitive TD data, including private memory, virtual CPU state, and associated metadata, must live in secure memory. A TD can also designate memory regions as shared memory for I/O; these are normal memory and fall outside TDX protection. Software running outside SEAM mode, whatever its privilege level, is confined to normal memory and is prohibited from accessing secure memory. The memory controller, an architectural component of the processor, enforces these access checks.

A physical page is brought into secure memory by setting its TD Owner bits. Each TD Owner bit covers one cache line and is stored in the Error Correction Code (ECC) metadata of that line. The TDX Module converts a physical page to secure memory by addressing it with a private HKID (Host Key ID) in the upper bits of its physical address; TDX controls the private HKIDs, which may be used only by TDs and the TDX Module. When the memory controller services a write to a physical address carrying a private HKID, it sets the TD Owner bit of that cache line to 1; a write to an address without a private HKID clears it.

Access control is enforced on cache-line reads. Only a read issued from SEAM mode can return the contents of a cache line whose TD Owner bit is 1; a read of such a line from outside SEAM mode returns all zeros. During TD construction, the untrusted hypervisor chooses which pages of normal memory become secure memory. The TDX Module converts them one page at a time and uses them for TD metadata and for each TD's private memory. Before a page can be used as a TD's private memory, the TD must explicitly accept it, so the hypervisor cannot silently add or substitute pages in the TD's address space. To keep the secure-memory setup consistent, the TDX Module records the type, state and owning TD of every physical page in the Physical Address Metadata Table (PAMT) and checks this table on each page-management operation.
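The following C model, added here and not taken from the page or from Intel documentation, shows the TD Owner bit and HKID rules of the previous paragraphs acting on one DRAM cache line: a write with a private HKID from SEAM mode sets the bit, a non-SEAM read of that line gets zeros, a different TD's key yields garbage rather than plaintext, and a write without a private HKID clears the bit. The 4-bit HKID field, the split of HKIDs 0..7 shared and 8..15 private, the XOR stand-in for memory encryption, and refusing any non-SEAM access that names a private HKID are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the memory-controller checks behind the TD Owner bit.
 * A physical address is 24 bits: bits 23..20 carry the HKID and bits 19..0
 * index a 1 MiB memory.  HKIDs 0..7 are shared (usable by the VMM),
 * 8..15 are private and reserved for TDs and the TDX Module.  Memory
 * encryption is stood in for by XOR with a per-HKID byte; this is NOT
 * MKTME/AES-XTS and only shows that data written under one key does not
 * read back as plaintext under another.  The 4-bit HKID, the 8/8 split
 * and refusing a non-SEAM access that names a private HKID are choices
 * made for this example. */
#define LINE_SIZE  64
#define PA_BITS    20
#define MEM_SIZE   (1u << PA_BITS)
#define NLINES     (MEM_SIZE / LINE_SIZE)
#define HKID_SHIFT PA_BITS
#define HKID_MASK  0xFu
#define FIRST_PRIVATE_HKID 8u

enum cpu_mode  { MODE_VMX, MODE_SEAM };   /* VMX root/non-root vs SEAM */
enum mc_status { MC_OK, MC_PRIVATE_KEY_DENIED, MC_ZEROED };

struct cache_line {
    uint8_t data[LINE_SIZE];   /* ciphertext as it sits in DRAM */
    uint8_t td_owner;          /* TD Owner bit, kept in the ECC metadata */
};

struct cache_line dram[NLINES];

static unsigned hkid_of(uint32_t pa)      { return (pa >> HKID_SHIFT) & HKID_MASK; }
static int      is_private(unsigned hkid) { return hkid >= FIRST_PRIVATE_HKID; }
static uint32_t line_of(uint32_t pa)      { return (pa & (MEM_SIZE - 1)) / LINE_SIZE; }
static uint8_t  keystream(unsigned hkid)  { return (uint8_t)(0x5A ^ (hkid * 0x1F)); }

/* Write one full cache line under the HKID carried in pa. */
enum mc_status mc_write_line(enum cpu_mode mode, uint32_t pa, const uint8_t *src)
{
    unsigned hkid = hkid_of(pa);
    struct cache_line *l = &dram[line_of(pa)];
    int i;

    if (is_private(hkid) && mode != MODE_SEAM)
        return MC_PRIVATE_KEY_DENIED;        /* private keys belong to TDX */
    for (i = 0; i < LINE_SIZE; i++)
        l->data[i] = src[i] ^ keystream(hkid);
    /* A private-HKID write sets the TD Owner bit; any other write clears it */
    l->td_owner = is_private(hkid) ? 1 : 0;
    return MC_OK;
}

/* Read one full cache line under the HKID carried in pa. */
enum mc_status mc_read_line(enum cpu_mode mode, uint32_t pa, uint8_t *dst)
{
    unsigned hkid = hkid_of(pa);
    struct cache_line *l = &dram[line_of(pa)];
    int i;

    if (is_private(hkid) && mode != MODE_SEAM)
        return MC_PRIVATE_KEY_DENIED;
    if (l->td_owner && mode != MODE_SEAM) {
        memset(dst, 0, LINE_SIZE);           /* TD-owned line, non-SEAM reader */
        return MC_ZEROED;
    }
    for (i = 0; i < LINE_SIZE; i++)
        dst[i] = l->data[i] ^ keystream(hkid); /* wrong key gives garbage, not plaintext */
    return MC_OK;
}

int main(void)
{
    uint8_t secret[LINE_SIZE], out[LINE_SIZE];
    uint32_t off  = 0x1000u;                     /* same DRAM line throughout */
    uint32_t td_a = (9u << HKID_SHIFT) | off;    /* TD A, private HKID 9 */
    uint32_t td_b = (10u << HKID_SHIFT) | off;   /* TD B, private HKID 10 */
    uint32_t vmm  = (0u << HKID_SHIFT) | off;    /* VMM, shared HKID 0 */

    memset(secret, 0x41, LINE_SIZE);             /* constructed TD secret */
    mc_write_line(MODE_SEAM, td_a, secret);
    mc_read_line(MODE_SEAM, td_a, out);
    printf("TD A reads own line : %s\n", memcmp(out, secret, LINE_SIZE) ? "garbage" : "plaintext");
    printf("VMM reads TD line   : %s\n", mc_read_line(MODE_VMX, vmm, out) == MC_ZEROED ? "all zeros" : "data");
    mc_read_line(MODE_SEAM, td_b, out);
    printf("TD B reads A's line : %s\n", memcmp(out, secret, LINE_SIZE) ? "garbage" : "plaintext");
    mc_write_line(MODE_VMX, vmm, secret);        /* VMM overwrite clears the TD Owner bit */
    printf("TD Owner bit after VMM write: %u\n", dram[line_of(off)].td_owner);
    return 0;
}
```

The last step is worth dwelling on: the hypervisor can always overwrite a physical line with a shared HKID, which clears the TD Owner bit and destroys the TD's data. TDX does not try to stop that destructive write; it guarantees confidentiality (the VMM never sees plaintext) and, through the TD's explicit page acceptance and the PAMT bookkeeping, detection that the page is no longer what the TD put there, rather than preventing denial of service.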
