Discover Security Projects News
Intel's Unaccepted Memory Support Updated For Substantially Faster Booting Of TDX VMs
Way back in August Intel posted a set of Linux kernel patches for supporting "unaccepted memory" by the Linux kernel in preparation for next-generation Xeon processors and speeding up the boot time for guest virtual machines making use of Intel's Trust Domain Extensions (TDX) security feature. Unaccepted memory support hasn't yet made it to the mainline kernel but now a second iteration of the patches have been posted.
UEFI 2.9 introduces the concept of memory acceptance and unaccepted memory. This makes it so guests need to "accept" memory before it can be allocated/used within the guest's environment while the actual acceptance handling is depending upon the VM hypervisor. This memory acceptance is important for Intel TDX and AMD SEV-SNP to avoid the expensive memory acceptance at boot time for new VMs and to instead make it on-demand / as-needed. It's also possible to be a security benefit in its own right by keeping the memory unaccepted until it's actually going to be used.