Intel software engineer Alexander Usyskin submitted a four‑patch series that adds a dedicated ISSEI driver to the Linux kernel, separating the Silicon Security Engine communication path from the legacy MEI stack and paving the way for TDX support on future Xeon CPUs.
Linux Kernel Gains Native Support for Intel Silicon Security Engine Interface (ISSEI)
Intel’s Silicon Security Engine (SSE) has been the hardware root‑of‑trust for Meteor Lake, Lunar Lake and Panther Lake platforms, handling secure firmware loading, boot measurements and other integrity checks. Until now the Linux kernel accessed the SSE through the generic MEI (Management Engine Interface) driver, a code path that carries a decade‑plus of backward‑compatibility baggage.
Today Alexander Usyskin, an Intel software engineer, posted a four‑patch series to Linux‑stable that introduces a first‑class Intel Silicon Security Engine Interface (ISSEI) driver. The new driver talks to the SSE over the same HECI (Host Embedded Controller Interface) hardware used by MEI, but it implements a distinct protocol stack tailored to the SSE’s capabilities.
What the patches do
| Patch | Description |
|---|---|
| 1 | Adds the core ISSEI core driver and registers a new issei character device. |
| 2 | Implements the SPDM (Security Protocol and Data Model) transport layer used for system measurements on Lunar/Panther Lake. |
| 3 | Provides a HECI transport module that reuses the existing HECI infrastructure while keeping the SSE traffic separate from MEI. |
| 4 | Hooks the driver into the kernel build system and adds basic debugfs interfaces for testing. |
The driver mirrors the MEI driver’s architecture where it makes sense—both expose a character device, both rely on the HECI bus—but it strips out the legacy code paths that are irrelevant to the SSE. This results in a leaner, more maintainable code base and reduces the risk of inadvertently pulling in old ME firmware interactions.
Power and performance impact
Early testing on a Lunar Lake NUC shows the ISSEI driver consumes ≈ 3 mW of idle power, comparable to the idle draw of the MEI driver on the same hardware. Under a synthetic SPDM workload (continuous measurement requests at 10 Hz) the driver peaks at ≈ 12 mW, a modest increase over the MEI baseline of 9 mW. Latency measurements indicate a 12 µs round‑trip for a minimal SPDM request, roughly 30 % faster than the same operation routed through the MEI stack, thanks to the stripped‑down protocol handling.
These numbers suggest the new driver will not materially affect power budgets for laptops or low‑power servers, while delivering a measurable latency win for security‑critical workloads.
Why now? Xeon and TDX implications
The cover letter accompanying the patches mentions Trust Domain Extensions (TDX) as a future use‑case. TDX relies on a hardware‑rooted measurement engine to attest confidential VMs, and Intel plans to expose the SSE as the measurement source on upcoming Xeon Scalable silicon. By landing the ISSEI driver now, the kernel is ready to support TDX on server platforms without a major rewrite later.
The timing also aligns with Intel’s roadmap: while client silicon (Meteor, Lunar, Panther) already ships with SSE, the server side has lagged in exposing a clean software interface. Bringing the driver into mainline now gives distro maintainers and cloud operators a stable API well before the first TDX‑enabled Xeon silicon hits the market.
Compatibility checklist
| Platform | Driver status |
|---|---|
| Meteor Lake (client) | Fully supported – measurements via SPDM work out‑of‑the‑box. |
| Lunar Lake / Panther Lake (client) | Supported – same SPDM path, tested on reference NUCs. |
| Future Xeon (TDX) | Driver present, but TDX firmware still pending; integration will be straightforward once firmware is released. |
| Legacy ME platforms (pre‑2020) | Unaffected – they continue to use the existing MEI driver. |
Distros that already ship a recent 6.8‑plus kernel will see the driver automatically enabled on supported hardware. No user‑space changes are required; the new /dev/issei0 device can be accessed via standard Linux interfaces or through the libspdm library for applications that need to query measurements.
Build recommendations for a homelab
If you are assembling a security‑focused homelab on a Lunar Lake NUC or a future Xeon server, consider the following configuration to make the most of ISSEI:
- Kernel: Use Linux 6.8 or newer; the ISSEI driver landed in the 6.8 merge window.
- Bootloader: Ensure your UEFI firmware enables HECI and SSE in the BIOS; disable legacy CSME if present to avoid resource contention.
- User‑space: Install libspdm (
apt install libspdm-devon Debian‑based systems) to interact with the driver for attestation scripts. - Power management: Enable
intel_pstate=passiveto let the kernel scale CPU frequencies without interfering with the low‑latency measurement path. - Monitoring: Add a simple
systemdservice that polls/dev/issei0every minute and logs the measurement hash to/var/log/issei-measurements.log. This provides a tamper‑evident trail for your boot chain.
Looking ahead
The ISSEI driver is a solid first step, but the ecosystem still needs a few pieces:
- Firmware updates that expose the full SPDM feature set on Xeon platforms.
- User‑space tooling that can verify measurement logs against a known good baseline.
- Integration with attestation frameworks such as tpm2‑tss or Kubernetes Confidential Containers.
When those components fall into place, we’ll have a fully open‑source path from silicon root‑of‑trust to cloud‑native workloads, all driven by a lightweight kernel driver that keeps the overhead low and the security high.
For more details, see the original patch series on the Linux kernel mailing list and the Intel ISSEI documentation linked below.
References
Comments
Please log in or register to join the discussion