Intel’s Linux team has completed ten code‑review cycles for a runtime update path for Trusted Domain Extensions (TDX). The patch set, now in the tip/x86/tdx branch, is slated for the Linux 7.2 merge window, allowing Xeon‑based confidential‑computing servers to receive TDX firmware upgrades without a reboot.
Announcement
Intel’s kernel engineers have announced that the runtime update mechanism for Trusted Domain Extensions (TDX) is poised to land in the upcoming Linux 7.2 release. After ten rounds of review, the changes have been merged into the public tip/x86/tdx branch and are expected to enter the mainline tree during the next merge window.
Technical specifications
- Current loading model – The TDX firmware module is loaded by the system BIOS during the early boot phase. Any change to the module—whether a security patch or a feature addition—requires a full system reboot because the BIOS does not expose a hot‑swap interface.
- P‑SEAMLDR – Intel’s Protected SEAM Loader (P‑SEAMLDR) provides a secure entry point for the TDX runtime. The new code adds a runtime‑update entry point that can be invoked from the kernel while the system is up. The loader validates the new binary’s signature, checks version compatibility, and atomically swaps the old module with the new one.
- Kernel integration – The patch set introduces:
  - A new sysfs interface at /sys/devices/tdx/update for delivering the signed firmware blob.
  - A kernel thread that performs the verification and hand‑off to P‑SEAMLDR.
  - Compatibility checks that reject updates if the running VM workload uses features not present in the target firmware.
- Performance impact – The update path runs in a dedicated thread and pauses only the TDX enclave for a few milliseconds while the swap completes. Benchmarks on a Xeon Scalable 4 GHz platform show a latency spike of less than 0.5 % for a typical 2 MiB firmware image.
- Security posture – By eliminating the need for a reboot, operators can apply critical patches within the same maintenance window, reducing exposure time for known TDX vulnerabilities. The update process is signed with the same RSA‑4096 keys used for BIOS‑level provisioning, preserving the chain of trust.
Market implications
- Reduced downtime for confidential‑computing workloads – Cloud providers that offer TDX‑enabled VMs can now roll out firmware fixes without disrupting tenant workloads. For large‑scale hyperscale operators, a single reboot can affect thousands of VMs; the new runtime path cuts that risk dramatically.
- Accelerated adoption of hardware‑based isolation – One of the main objections to TDX has been the operational overhead of firmware updates. By removing the reboot requirement, Intel lowers the total cost of ownership for enterprises that need strong VM isolation for regulated data.
- Supply‑chain resilience – The ability to patch TDX firmware in‑field helps mitigate the impact of discovered supply‑chain bugs. Operators can react to a vulnerability disclosure within hours rather than waiting for a scheduled maintenance window.
- Competitive pressure on AMD SEV‑SNP – AMD’s Secure Encrypted Virtualization with Secure Nested Paging (SEV‑SNP) already supports runtime updates via a hypervisor‑mediated API. Intel’s move brings the two confidential‑computing stacks onto a more even footing, potentially influencing customers’ silicon choices in upcoming server refresh cycles.
The code is now queued in the tip/x86/tdx branch and will be submitted for inclusion in Linux 7.2 unless a critical regression is discovered during the final pre‑merge testing. If accepted, the feature will be documented in the upcoming kernel release notes and in Intel’s TDX developer guide.
For operators planning a migration to TDX, the new runtime update path means that firmware hygiene can be maintained with standard patch‑management tools, aligning TDX maintenance with the rest of the Linux stack.
