# 13. Debug and Profiling Architecture

The Intel TDX module debug architecture includes the following debug facilities:

On-TD Debug: Facilities for debugging a guest TD using software that runs inside the TD

Off-TD Debug: Facilities for debugging a guest TD, configured in debug mode, using software that runs outside the TD

## 13.1. On-TD Debug

### Intel SDM, Vol. 3, 17 Debug, Branch Profile, TSC and Intel Resource Director Technology (Intel RDT) Features

#### 13.1.1. Overview

On-TD debug is the normal mode used to debug guest TD software. A debug agent resides inside the guest TD, and it can interact with external entities (e.g., a debugger) via standard I/O interfaces. The Intel TDX module is designed to virtualize and isolate TD debug capabilities from the host VMM and other guest TDs or legacy VMs. On-TD debug can be used for production or debug TDs – i.e., regardless of the guest TD's ATTRIBUTES.DEBUG state.

Guest TDs are allowed to use almost all architectural debug features supported by the processor, e.g.:

- Single stepping
- Code, data and I/O breakpoints
- 15 INT

10

30

- Bus lock detection
- DR access detection
- TSX debug

However, the TDX architecture does not allow guest TDs to toggle IA32 DEBUGCTL uncore PMI enabling bit (13).

- 20 Guest TDs are allowed to use almost all architectural tracing features, e.g.:
  - LBR (if allowed by the TD's XFAM, see 9.3)
  - PT (if allowed by the TD's XFAM, see 9.3)
  - BTS

However, the TDX architecture does not allow guest TDs to use BTM.

### 5 13.1.2. Generic Debug Handling

### 13.1.2.1. Context Switch

By design, the Intel TDX module context-switches all debug/tracing state that the guest TD is allowed to use.

- DR0-3, DR6 and IA32\_DS\_AREA MSR are context-switched in TDH.VP.ENTER and TD exit flows.
- RFLAGS, IA32\_DEBUGCTL MSR and DR7 are saved and cleared on VM exits from the guest TD and restored on VM entry to the guest TD.
- Pending debug traps are natively saved on VM exits from the guest TD and reloaded on VM entries using the TD VMCS PDE field.

# 13.1.2.2. IA32\_DEBUGCTL MSR Virtualization

# Intel SDM, Vol. 3, 17.4.1 IA32\_DEBUGCTL MSR

- By design, IA32\_DEBUGCTL access by the guest TD is restricted as follows:
  - Guest TD attempts to set any of the architecturally-reserved bits 63:15 and 5:2 result in a #GP(0).
  - Guest TD attempts to set TDX-disallowed values result in a #VE. This includes the following cases:
    - o Enable Uncore PMI by setting bit 13 to 1 (see 13.4 below).
    - Enable BTM by setting bits 7:6 to 0x1 (see details in 13.1.3 below).
- Uncore PMI is virtualized as disabled; bit 13 is read as 0 (see 13.4 below).

September 2020 Page 97 of 285

# 13.1.3. Debug Feature-Specific Handling

The following table discusses how specific debug features are handled.

Table 13.1: Debug Feature-Specific Handling

| Debug Feature                                  | How the Feature is Controlled                                                                               | Handling                                                                                                                                                                                                                                                           |
|------------------------------------------------|-------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Hardware<br>Breakpoints                        | DR7, DR0-3 and DR6                                                                                          | No special handling: DRs are context-switched.                                                                                                                                                                                                                     |
| General Detect                                 | • DR7 bit 13 (GD)                                                                                           | No special handling: DR7 is context-switched.                                                                                                                                                                                                                      |
| TSX Debug                                      | <ul><li>DR7 bit 11 (RTM)</li><li>IA32_DEBUGCTL bit 15 (RTM)</li></ul>                                       | No special handling: DR7 and IA32_DEBUGCTL are context-switched.                                                                                                                                                                                                   |
| Single Stepping                                | <ul> <li>RFLAGS bits 18 (Trap Flag) and<br/>16 (Resume Flag)</li> <li>IA32_DEBUGCTL bit 1 (BTF)</li> </ul>  | No special handling: RFLAGS and IA32_DEBUGCTL are context-switched.                                                                                                                                                                                                |
| Bus-Lock<br>Detection                          | IA32_DEBUGCTL bit 2     (BUS_LOCK_DETECT)                                                                   | No special handling: IA32_DEBUGCTL is context-switched.                                                                                                                                                                                                            |
| Software<br>Breakpoints (INT1,<br>INT3)        | None                                                                                                        | No special handling: software breakpoints are stateless.                                                                                                                                                                                                           |
| Branch Trace<br>Message (BTM)                  | IA32_DEBUGCTL bits 6 (TR) and 7 (BTS)                                                                       | Not allowed: when a guest TD attempts to set IA32_DEBUGCTL[7:6] to 0x1, the Intel TDX module injects a #VE (see 13.1.2 above).                                                                                                                                     |
|                                                |                                                                                                             | In debug mode (ATTRIBUTES.DEBUG == 1), the host VMM is allowed to activate BTM by setting the above bits to 0x1.                                                                                                                                                   |
| Branch Trace Store<br>(BTS)                    | IA32_DEBUGCTL bits 6 (TR), 7 (BTS), 8 (BTINT), 9 (BTS_OFF_OS) and 10 (BTS_OFF_USR)                          | No special handling: IA32_DEBUGCTL and IA32_DS_AREA are context-switched.                                                                                                                                                                                          |
|                                                |                                                                                                             | Note: The guest TD can configure BTS to raise PMI on buffer overflow (by setting BTINT = 1). However, since PMIs are virtualized by the host VMM, the guest TD should be ready to handle spurious, delayed and dropped PMIs. See Perfmon discussion in 13.2 below. |
| Processor Trace<br>(PT)                        | IA32_RTIT_CONTROL     Requires VMM's consent on     TD initialization by setting     TD_PARAMS.XFAM[8] to 1 | PT state handling as part of the extended feature set state is discussed in 9.3.                                                                                                                                                                                   |
| Architectural Last<br>Branch Records<br>(LBRs) | IA32_LBR_CONTROL Requires VMM's consent on TD initialization by setting TD_PARAMS.XFAM[15] to 1             | LBR state handling as part of the extended feature set state is discussed in 9.3.                                                                                                                                                                                  |
| Non-Architectural<br>LBRs                      | IA32_DEBUGCTL bit 0 (LBR)                                                                                   | Not allowed: a guest TD attempt to set IA32_DEBUGCTL[0] results in a #VE (see 13.1.2 above).                                                                                                                                                                       |

September 2020 . Page 98 of 285

# 13.2. On-TD Performance Monitoring

Intel SDM, Vol. 3, 18 Performance Monitoring

#### 13.2.1. Overview

10

15

20

25

The host VMM controls whether a guest TD can use the performance monitoring ISA using the TD's ATTRIBUTES.PERFMON bit – part of the TD\_PARAMS input to TDH.MNG.INIT (see 18.2.1).

By design, if a guest TD is allowed to use performance monitoring:

- The guest TD enumerates native Perfmon capabilities via CPUID leaf 0x0A.
- The guest TD is allowed to use all Perfmon ISA. This includes CR4.PCE, the RDPMC instruction and the Perfmon MSRs (see 13.2.2 below).
- Perfmon state is context-switched by the Intel TDX module across TD entry and exit transitions.

Context-switching the Perfmon state has a performance impact. TD entry and exit latencies are longer than when a guest TD is not allowed to use Perfmon.

By design, if a guest TD is not allowed to use performance monitoring:

- The guest TD enumerates no Perfmon capabilities. CPUID leaf 0x0A returns all 0s.
- The guest TD is not allowed to use Perfmon ISA.
- Perfmon state is not context-switched across TD entry and exit transitions.

Regardless of Perfmon enabling, per the design:

- IA32\_DS\_AREA MSR is context-switched across TD entry and exit transitions.
- Counter freeze control (IA32\_DEBUGCTL bit 12) is context-switched across TD entry and exit transitions.
- The uncore PMI enable bit (IA32\_DEBUGCTL bit 13) is preserved during SEAM mode execution, including Intel TDX module and guest TD execution. This bit is virtualized to the guest TD as 0, and the TD is prevented from setting it. See 13.4 below for details.

See also 13.1 above.

The Intel TDX module is designed to support performance monitoring as implemented on the GLC core:

- Architectural performance monitoring version 5, described in [Intel SDM, Vol. 3, 18.2.5)
- Exactly 8 performance monitoring counters (IA32 PMC0 through IA32 PMC7)
- Exactly 4 fixed counters (IA32 FIXED CTR0 through IA32 FIXED CTR3)
- Some non-architectural MSRs (see 13.2.2 below)

## 13.2.2. Performance Monitoring MSRs

30 Perfmon uses the following MSRs:

**Table 13.2: Performance Monitoring MSRs** 

| MSR               | Comments                   | Enumeration                                                                                                                                                         | Reference                           |
|-------------------|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------|
| IA32_PMCx         | multiple MSRs              | CPUID(0x0A).EAX[15:8] The Intel TDX module requires the CPU to support 8 counters.                                                                                  |                                     |
| IA32_PERFEVTSELx  | multiple MSRs              | CPUID(0x0A).EAX[15:8]                                                                                                                                               |                                     |
| MSR_OFFCORE_RSPx  | 2 MSRs, model-<br>specific |                                                                                                                                                                     |                                     |
| IA32_FIXED_CTRx   | multiple MSRs              | IA32_FIXED_CTRx is supported if (x < CPUID(0x0A).EDX[4:0]) or if (CPUID(0x0A).ECX[x] == 1).  The Intel TDX module requires the CPU to support counters 0 through 3. | [Intel SDM,<br>Vol. 3,<br>18.2.5.2] |
| IA32_PERF_METRICS |                            |                                                                                                                                                                     |                                     |

September 2020 . Page 99 of 285

| MSR                           | Comments       | Enumeration                                                                                                    | Reference                         |
|-------------------------------|----------------|----------------------------------------------------------------------------------------------------------------|-----------------------------------|
| IA32_PERF_CAPABILITIES        |                |                                                                                                                |                                   |
| IA32_FIXED_CTR_CTRL           |                |                                                                                                                |                                   |
| IA32_PERF_GLOBAL_STATUS       |                |                                                                                                                |                                   |
| IA32_PERF_GLOBAL_CTRL         |                |                                                                                                                |                                   |
| IA32_PERF_GLOBAL_STATUS_RESET |                |                                                                                                                |                                   |
| IA32_PERF_GLOBAL_STATUS_SET   |                |                                                                                                                |                                   |
| IA32_PERF_GLOBAL_INUSE        |                |                                                                                                                |                                   |
| IA32_PEBS_ENABLE              | model-specific |                                                                                                                |                                   |
| MSR_PEBS_DATA_CFG             | model-specific |                                                                                                                |                                   |
| MSR_PEBS_LD_LAT               | model-specific |                                                                                                                |                                   |
| MSR_PEBS_FRONTEND             | model-specific |                                                                                                                |                                   |
| IA32_A_PMCx                   | multiple MSRs  | CPUID(0x0A).EAX[15:8], IA32_PERF_CAPABILITIES[13] The Intel TDX module requires the CPU to support 8 counters. | [Intel SDM,<br>Vol. 3,<br>18.2.6] |

MSR virtualization is described in 9.5.

#### 13.2.3. Performance Monitoring Interrupts (PMIs)

By design, when a guest TD is allowed to use Perfmon, it can also configure the counters to raise PMI on overflow. When such a TD counter overflows, the physical interrupt or an NMI configured by the host VMM into the local APIC is delivered. This interrupt or NMI causes a VM exit, and it is delivered as a TD exit to the host VMM. The host VMM is then expected to inject the PMI into the guest TD, either as a virtual interrupt using the posted interrupt mechanism (see 9.7.3), or as virtual NMI using the NMI injection interface (see 9.7.4).

Since the host VMM is not trusted, the guest TD must be ready to handle spurious, delayed or dropped PMIs. Thus, it is recommended for the guest TD to use PEBS instead of PMIs in order to record TD state at counter overflows.

Uncore PMIs are discussed in 13.4 below.

# 13.3. Off-TD Debug

10

20

A guest TD is defined as **debuggable** if its ATTRIBUTES.DEBUG bit is 1. In this mode, the host VMM can use Intel TDX functions to access secret TD state that is not accessible for non-debuggable TDs.

A debuggable TD is, by nature, untrusted. Since the TD's ATTRIBUTES are included in the TDG.MR.REPORT, the TD's debuggability state can be known to any third party to which the TD attests.

The applicable Intel TDX functions are listed in Table 13.3 below. Note that some of the functions can access non-secret guest TD state regardless of the DEBUG attribute. The lists of state information that can be read and/or written in non-DEBUG and in DEBUG modes are detailed in the referenced sections.

Table 13.3: Off-TD Debug Interface

| Intel TDX Function                  | ATTRIBUTES.DEBUG = 0    | ATTRIBUTES.DEBUG = 1                                         | References                |
|-------------------------------------|-------------------------|--------------------------------------------------------------|---------------------------|
| TDH.MNG.RD/<br>TDH.MNG.WR           | N/A                     | Access secret and non-secret TD-scope state in TDR and TDCS. | 19.1, 20.2.20,<br>20.2.21 |
| TDH.MEM.SEPT.RD/<br>TDH.MEM.SEPT.WR | Access Secure EPT entry | Access Secure EPT entry, see note below.                     | 20.2.10,<br>20.2.12       |

September 2020 . Page 100 of 285

| Intel TDX Function                        | ATTRIBUTES.DEBUG = 0                                         | ATTRIBUTES.DEBUG = 1                                                     | References          |
|-------------------------------------------|--------------------------------------------------------------|--------------------------------------------------------------------------|---------------------|
| TDH.VP.RD/<br>TDH.VP.WR                   | Access non-secret TD VCPU state in TDVPS (including TD VMCS) | Access secret and non-secret TD VCPU state in TDVPS (including TD VMCS). | 19.2                |
| TDH.PHYMEM.PAGE.WR/<br>TDH.PHYMEM.PAGE.RD | N/A                                                          | Access TD-private memory.                                                | 20.2.23,<br>20.2.23 |
| TDH.PHYMEM.PAGE.RDMD                      | Read page metadata (PAMT information)                        | Read page metadata (PAMT information).                                   | 20.2.27             |

#### 13.3.1. Note on TDH.VP.WR in Debug Mode

In some debug mode cases, the host VMM can write architecturally illegal values to fields. This means that later VM entry checks by the CPU will fail, and the Intel TDX module is designed to handle these as fatal errors leading to its shutdown. In any case, the security of other guest TDs running in production mode should not be impacted.

In other debug mode cases, TDH.VP.WR allows setting of TDVPS fields to values that may impact the correct operation of the TD under debug. It is the responsibility of the host VMM to take this into consideration. Following are the intended applicable cases:

- TDH.VP.WR is allowed to enable BTM by setting guest IA32\_DEBUGCTL[7:6] to 0x1 (see 13.1.3).
- TDH.VP.WR is allowed to enable VM exit on exceptions other than MCE by setting the TD VMCS exception bitmap
  execution control. The Intel TDX module does not take this into account when handling VM exits that occur during
  event delivery.

### 13.3.2. Preventing Guest TD Corruption of DRs

10

15

20

25

The host-side debugger may need to have full control over guest DRs to help prevent their corruption by the guest TD. To do so, the debugger can do the following:

- Use TDH.VP.WR to set the TD VMCS GUEST\_DR7 field's Global Detect bit.
- Set the TD VMCS exception bitmap execution control to intercept debug exceptions.

# 13.4. Uncore Performance Monitoring Interrupts (Uncore PMIs)

By design, neither the Intel TDX module itself not its guest TDs are allowed to use Uncore PMIs. The state of IA32\_DEBUGCTL MSR bit 13 (ENABLE\_UNCORE\_PMI) is preserved across SEAMCALL, SEAM root and non-root mode and SEAMRET, except for very short time periods immediately after SEAMCALL and VM exit.

# 13.5. System Profiling Mode

The Intel TDX module may be initialized in a system profiling mode by specifying the SYSPROF module attribute input to TDH.SYS.INIT (see 20.2.33). In this mode, the Intel TDX module and all guest TDs operation may be monitored by the host VMM using Perfmon counters.

When system profiling mode is on, guest TDs cannot be trusted. This fact is reflected to all guest TDs as part of their ATTRIBUTES (see 18.2.1). ATTRIBUTES is reflected in the TD attestation as part of TDINFO\_STRUCT (see 18.5.5). In addition, guest TDs cannot use on-TD performance monitoring (see 13.2 above).

September 2020 . Page 101 of 285