Describe the support request
Intel's TDX image was hardened in multiple ways. The hardening is described in the Intel® Trust Domain Extension Guest Linux Kernel Hardening Strategy document. We found out that Canonical's tdx kernel code differs from Intel's in regards to IO ports filtering (calls to tdx_allowed_port are missing):
Is the IO port filtering not enabled in Canonical's versions of TDX kernel? Should users implement the filtering themselves?
And more importantly: are there any other security hardening measures described in Intel's "Guest Linux Kernel Hardening Strategy" document missing from Canonical's TDX kernels? Are there any steps users should take to harden their enclaves that Canonical can recommend?
System report
Questions are based purely on the source code available.
Describe the support request
Intel's TDX image was hardened in multiple ways. The hardening is described in the Intel® Trust Domain Extension Guest Linux Kernel Hardening Strategy document. We found out that Canonical's tdx kernel code differs from Intel's in regards to IO ports filtering (calls to
tdx_allowed_portare missing):Is the IO port filtering not enabled in Canonical's versions of TDX kernel? Should users implement the filtering themselves?
And more importantly: are there any other security hardening measures described in Intel's "Guest Linux Kernel Hardening Strategy" document missing from Canonical's TDX kernels? Are there any steps users should take to harden their enclaves that Canonical can recommend?
System report
Questions are based purely on the source code available.