Linux 6.16 Revitalizes Confidential Computing with Major Trusted Security Manager (TSM) Enhancements

At the end of 2023, the long-anticipated feature for unified handling of attestation reports in confidential computing systems was introduced into the Linux 6.7 kernel—via the Trusted Security Manager (TSM). Following this, news surrounding TSM receded into the background, as no significant updates emerged in subsequent kernel versions. However, with the upcoming release of Linux 6.16, development in this domain has once again gained momentum.

Dan Williams of Intel announced new enhancements to the Trusted Security Manager and acknowledged that considerable time had passed since the last patch submission for Linux 6.7. In forthcoming releases, developers intend to place greater emphasis on evolving TSM, including expanded support for assigning PCI devices to guest virtual machines operating under confidential computing environments, made possible through the PCI Device Security mechanism.

Among the innovations in TSM for Linux 6.16 is the introduction of a sysfs interface for publishing measurement values, a restructured driver codebase, and the resolution of various issues. Notably, a unified scheme has been implemented for the publication of “measurements” generated by the kernel security manager. This includes RTMR values for Intel TDX, which may contain hashes of saved data (akin to PCR values in TPMs) or static data used by validating services to assess system integrity.

Additionally, the drivers/virt/coco/ directory was reorganized to better support shared infrastructure for both host and guest environments. A bug related to the deregistration of configfs-tsm-report was fixed, and configuration changes were made: the TSM Measurements component has now been merged with TSM Reports, paving the way for a more comprehensive infrastructure to support TSM. The advancement of virtualization security technologies remains a cornerstone priority in the modern IT landscape.

The accompanying entry has also been renamed to “Trusted Security Module (TSM) Infrastructure.” Further details about the Trusted Security Manager updates in Linux 6.16 can be found at the provided link.