linux-drivers/
drivers/virt/coco/tdx-guest

Intel TDX confidential VM guest driver

Guest-side support for Intel Trust Domain Extensions, the confidential-computing feature on 5th Generation Xeon Scalable and Xeon 6 server CPUs that lets a virtual machine run encrypted and isolated from its hypervisor. It exposes attestation reports and runtime measurements to software inside the protected VM so cloud workloads can prove what they are running.

keep conf=0.82 deploy=medium replacement=none subsystem=virt category=virtualization
82%

recommendation

It should stay because Intel TDX is a current, actively marketed feature on 5th Gen Xeon and Xeon 6 processors that major cloud providers are rolling out, and the kernel code is still receiving both bug fixes and new functionality (such as added measurement and sysfs interfaces) into 2025 and 2026. There is no alternative implementation, since this is the canonical guest-side glue for the TDX/TSM confidential-computing stack.

repository signals

3 files
451 source lines
11 commits, 5y
+559 / −94 lines added / removed, 5y
7 authors, 5y
monthly commits · 2021-04-21 → 2026-04-21 · 11 total · active in 8/61 months
2021 2022 2023 2024 2025 2026 2021-04: 0 commits · +0 −0 2021-05: 0 commits · +0 −0 2021-06: 0 commits · +0 −0 2021-07: 0 commits · +0 −0 2021-08: 0 commits · +0 −0 2021-09: 0 commits · +0 −0 2021-10: 0 commits · +0 −0 2021-11: 0 commits · +0 −0 2021-12: 0 commits · +0 −0 2022-01: 0 commits · +0 −0 2022-02: 0 commits · +0 −0 2022-03: 0 commits · +0 −0 2022-04: 0 commits · +0 −0 2022-05: 0 commits · +0 −0 2022-06: 0 commits · +0 −0 2022-07: 0 commits · +0 −0 2022-08: 0 commits · +0 −0 2022-09: 0 commits · +0 −0 2022-10: 0 commits · +0 −0 2022-11: 1 commit · +114 −0 2022-12: 0 commits · +0 −0 2023-01: 0 commits · +0 −0 2023-02: 0 commits · +0 −0 2023-03: 0 commits · +0 −0 2023-04: 0 commits · +0 −0 2023-05: 0 commits · +0 −0 2023-06: 0 commits · +0 −0 2023-07: 0 commits · +0 −0 2023-08: 0 commits · +0 −0 2023-09: 1 commit · +229 −1 2023-10: 0 commits · +0 −0 2023-11: 0 commits · +0 −0 2023-12: 0 commits · +0 −0 2024-01: 0 commits · +0 −0 2024-02: 0 commits · +0 −0 2024-03: 0 commits · +0 −0 2024-04: 0 commits · +0 −0 2024-05: 0 commits · +0 −0 2024-06: 2 commits · +26 −4 2024-07: 0 commits · +0 −0 2024-08: 0 commits · +0 −0 2024-09: 1 commit · +0 −1 2024-10: 0 commits · +0 −0 2024-11: 0 commits · +0 −0 2024-12: 0 commits · +0 −0 2025-01: 0 commits · +0 −0 2025-02: 0 commits · +0 −0 2025-03: 1 commit · +4 −4 2025-04: 0 commits · +0 −0 2025-05: 3 commits · +173 −81 2025-06: 0 commits · +0 −0 2025-07: 0 commits · +0 −0 2025-08: 0 commits · +0 −0 2025-09: 0 commits · +0 −0 2025-10: 0 commits · +0 −0 2025-11: 0 commits · +0 −0 2025-12: 0 commits · +0 −0 2026-01: 0 commits · +0 −0 2026-02: 1 commit · +3 −1 2026-03: 1 commit · +10 −2 2026-04: 0 commits · +0 −0

sources

  1. git.kernel.org

    Upstream kernel Kconfig describes this as the TDX Guest driver and shows it depends on INTEL_TDX_GUEST, so this is an active kernel-facing guest driver for Intel TDX rather than legacy helper code.

  2. git.kernel.org

    The driver received a substantive fix on 2026-03-20/21, indicating current upstream maintenance rather than abandonment.

  3. git.kernel.org

    The driver gained new measurement/sysfs functionality in 2025, showing feature work in addition to bug fixes.

  4. intel.com

    Intel states Intel TDX is supported on 5th Generation Intel Xeon Scalable Processors and Intel Xeon 6, which are current server products beyond 2025.

  5. intel.com

    Intel markets TDX as currently available via cloud providers and says it is widely available with 5th Gen Xeon, supporting ongoing new deployments rather than legacy-only use.

codex reasoning notes (technical)

Kept because local upstream history shows sustained 2024-2026 maintenance and feature work for a young confidential-VM guest driver; there is no natural replacement beyond the same TDX/TSM stack. Source acquisition: Kconfig and commit evidence came from local tree inspection plus `git log` via shell, with canonical kernel.org URLs attached by stable recall; deployment evidence came from web search results on Intel support/product pages. Lore-first fallback was attempted via `lei`, but `lei` was unavailable in this environment, so removal-talk confidence is indirect rather than from lore query output.