Intel TDX For Confidential VMs Causing Concern Among Fedora & Open-Source Advocates
One of the capabilities of newer Intel Xeon Scalable processors is support for Trust Domain Extensions (TDX) as a way of providing confidential virtual machines.

Intel TDX allows for "isolation, confidentiality, and integrity at the VM level", which is good from a security perspective, but its dependence on signed binaries is causing mixed feelings within the Fedora camp and the broader open-source community.

Daniel Berrange of Red Hat's Virtualization Engineering Team opened a FESCo ticket seeking an exception to be allowed to ship pre-built, signed SGX enclave binaries within Fedora Linux. What the Red Hat engineer is proposing, and seeking approval for from the Fedora Engineering and Steering Committee (FESCo), is:

"Pre-built binaries for the standard / fundamental SGX enclaves, signed and distributed by Intel, can be packaged in Fedora, with the pre-condition that their payload is verified to be byte-for-byte identical to unsigned binaries fully packaged and built from source in koji using the designated SGX toolchain and runtime for reproducible builds."
Or read this on Phoronix