Description
Describe the support request
Intel's TDX image was hardened in multiple ways. The hardening is described in the Intel® Trust Domain Extension Guest Linux Kernel Hardening Strategy document. We found out that Canonical's TDX kernel code differs from Intel's with regard to IO port filtering (calls to `tdx_allowed_port` are missing):
- https://github.com/intel/tdx/blob/3949a919d892d026d7e13817a2b602e768e7d8a8/arch/x86/coco/tdx/tdx.c#L546
- https://git.launchpad.net/~canonical-kernel/ubuntu/+source/linux-intel/+git/noble/tree/arch/x86/coco/tdx/tdx.c#n509
Is IO port filtering not enabled in Canonical's versions of the TDX kernel? Should users implement the filtering themselves?
And more importantly: are there any other security hardening measures described in Intel's "Guest Linux Kernel Hardening Strategy" document missing from Canonical's TDX kernels? Are there any steps users should take to harden their enclaves that Canonical can recommend?
System report
Questions are based purely on the source code available.