TDX architecture aims to provide resiliency against confidentiality and
integrity attacks. Towards this goal, the TDX architecture helps enforce
the enabling of memory integrity for all TD-private memory.
The CPU memory controller computes the integrity check value (MAC) for
the data (cache line) during writes, and it stores the MAC with the
memory as meta-data. A 28-bit MAC is stored in the ECC bits.
Checking of memory integrity is performed during memory reads. If the
integrity check fails, the CPU poisons the cache line.
On a subsequent consumption (read) of the poisoned data by software,
there are two possible scenarios:
- Core determines that the execution can continue and it treats
  poison with exception semantics signaled as a #MCE
- Core determines execution cannot continue, and it does an unbreakable
  shutdown
For more details, see Chapter 14 of Intel TDX Module EAS [1].
As some of the integrity check failures may lead to system shutdown, the
host kernel must not allow any writes to TD-private memory. This requirement
clashes with KVM design: KVM expects the guest memory to be mapped into
host userspace (e.g. QEMU).