LP: #1844245 - Integrate Intel SGX driver into linux-azure

Marcelo Henrique Cerri marcelo.cerri at canonical.com
Wed Dec 4 16:24:37 UTC 2019


Microsoft will offer a new confidential compute VM on Azure[1] and
this new instance type will basically rely on Intel's SGX technology
that wasn't integrated upstream yet.

In order to provide the best user experience we will integrate Intel's
out of tree module into the linux-azure kernel. However due to
maintenance and security concerns the module will not be loaded by

For that we are blacklisting the module and also adding a systemd
service to the linux-cloud-tools-common package in order to provide an
easy way for users to load the module by default if they desire so.

The version that Microsoft recommended us to integrate is currently
available at GitHub[2].

Patches for Trusty were intentionally left outside of the scope of this
RFC because it doesn't rely on systemd and it's not clear yet if
Trusty will be available for this new instance type.

I'm also suppressing any kind of automation to pick up new changes
directly from Intel's GitHub repository (as I had included on a
previous patchset I had submitted), because we are still discussing
how updates will be handled.

[1] https://azuremarketplace.microsoft.com/en-us/marketplace/apps/microsoft-azure-compute.confidentialcompute
[2] https://github.com/haimc-intel/SGXDataCenterAttestationPrimitives
