From 842dcb62215256d319b934ebaad913463c97e5b7 Mon Sep 17 00:00:00 2001
From: Alex James
Date: Tue, 24 Sep 2024 13:59:37 -0500
Subject: [PATCH] linux/common-config: enable Intel TDX guest support

Intel Trust Domain Extensions (TDX) is a VM-based trusted execution environment which attempts to isolate confidential guest VMs from the host, similar to AMD SEV-SNP. Like AMD SEV-SNP it requires guest modifications (also referred to as "enlightenments") to operate in the TEE.

Initial support for running Linux in a TDX guest environment was merged [in 5.19][1]. The guest driver used for generating attestation reports was merged [in 6.2][2]. Enable both of these options on supported kernel versions. This matches other distros such as [Arch Linux][3], [Debian][4], [Fedora][5], [openSUSE][6], and [Ubuntu][7].

[1]: https://lore.kernel.org/lkml/Yot1IAqHoRBlwe0w@zn.tnic/
[2]: https://lore.kernel.org/lkml/20221212191525.553266-1-dave.hansen@linux.intel.com/
[3]: https://gitlab.archlinux.org/archlinux/packaging/packages/linux/-/blob/ac5ceec882898aa46353794a7c8b645b9ec5ae19/config#L409
[4]: https://salsa.debian.org/kernel-team/linux/-/blob/3fdc0bdcafb4e49c232dcea1144dbdfab21eef20/debian/config/amd64/config#L13
[5]: https://src.fedoraproject.org/rpms/kernel/blob/28b3da71f8a3bbd4947adeeba223527776e01927/f/kernel-x86_64-fedora.config#_3170
[6]: https://github.com/SUSE/kernel-source/blob/994cc2d44d4db48977fa33715fd833105fa23555/config/x86_64/default#L403
[7]: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/noble/tree/debian.master/config/annotations#n6660

(cherry picked from commit 41a390a2a28e590a11a87f81081683f5ac4be3e4)
---
 pkgs/os-specific/linux/kernel/common-config.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 54a9753b5fa1..0676294533a8 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -769,6 +769,10 @@ let
 # Shadow stacks
 X86_USER_SHADOW_STACK = whenAtLeast "6.6" yes;
 
+# Enable support for Intel Trust Domain Extensions (TDX)
+INTEL_TDX_GUEST = whenAtLeast "5.19" yes;
+TDX_GUEST_DRIVER = whenAtLeast "6.2" module;
+
 # Mitigate straight line speculation at the cost of some file size
 SLS = whenBetween "5.17" "6.9" yes;
 MITIGATION_SLS = whenAtLeast "6.9" yes;
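Review bot: The added comment says only that TDX is enabled, but the two options do different things and the second one is the security-relevant part: INTEL_TDX_GUEST makes the kernel able to boot inside a TDX trust domain (it is x86_64-only and, to my knowledge, depends on X86_X2APIC), while TDX_GUEST_DRIVER exposes the attestation-report interface to userspace as a module, which is what a relying party uses to verify the guest. I would replace the one-line comment with something like `# Intel TDX guest support (x86_64 only): INTEL_TDX_GUEST lets the kernel run as a TDX guest; TDX_GUEST_DRIVER provides the userspace attestation-report interface (depends on INTEL_TDX_GUEST).` so the next reader knows why the driver is a module and why both must agree on minimum versions. Both options are a hard `yes`/`module` rather than `option`, like X86_USER_SHADOW_STACK directly above, so presumably this attribute set is already restricted to x86_64; the enclosing set's header is outside the hunk, so that is worth confirming before merging.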