Threat Model

TDX operates on the assumption that adversaries may have physical or remote access to a computer, allowing them to gain control over critical components such as boot firmware, System Management Mode, host operating system, hypervisor, and peripheral devices. This includes access to the main memory, which could be exploited through physical and hardware attacks like probing buses or accessing main memory using malicious Direct Memory Access (DMA).

To counter these threats, TDX Virtual Machines (VMs) extend the security perimeter beyond the Trusted Domain, protecting against attacks like rootkits, return-oriented programming, Meltdown, Rowhammer, cold boot memory attacks, and DRAM probing. The primary trust assumption is that the CPU, specifically the Intel platform, is trustworthy along with the TDX module, which extends the hypervisor's capabilities to support confidential VMs (also known as Trusted Domains). The Trusted Computing Base includes the firmware, guest operating system, and applications within the Trusted Domain.

Drawing
Intel TDX Trust Model

The primary goal of the security architecture is to protect the TDX Linux guest OS from attacks originating from the hypervisor through communication interfaces. Additionally, the goal is to avoid introducing new attack vectors that could compromise the TDX Linux guest kernel (ring 0) from the TDX guest userspace (ring 3). The threat model does not directly cover threats arising from the TDX guest userspace utilizing the mentioned interfaces exposed to an untrusted host/VMM. For instance, if the TDX guest userspace enables debug or test tools that perform MMIO or PCI config space reading without properly validating untrusted host/VMM input, it may introduce additional attack opportunities.

The threat model assumes the hypervisor running the protected TDX guest, thus excluding other hypervisors and their hardening measures from its scope. Also, the threat model doesn't address potential abuses of kernel printout and debug routines that may accept parameters directly from an untrusted host/VMM.

It's important to note that while the TDX module and the Intel platform contribute to the protection of TDX guest memory and registers, they cannot defend the TDX guest from host/VMM attacks that leverage existing communication interfaces between them. These include TDVMCALL hyper calls through the TDX module and shared memory for I/O. To ensure complete security, extra measures, such as end-to-end communication security, must be implemented to prevent the injection of malicious code into the confidential VM.

Last updated