Re:error：virt/tdx: module not loaded

cyyyc · ‎12-17-2025

Hello everyone, I am encountering an issue where the Intel TDX (Trusted Domain Extensions) kernel module fails to initialize on my server. I'm seeking guidance to resolve this. 1. Problem Description During system boot, dmesg shows the following relevant messages: text [ 0.918133] virt/tdx: BIOS enabled: private KeyID range [32, 64) [ 0.918136] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3. [ 7.389007] virt/tdx: module not loaded The BIOS seems to partially enable TDX (key range assigned), but the kernel module itself does not load successfully. 2. What I Have Checked & System Configuration CPU: Intel Xeon Silver 4510 (Sapphire Rapids platform). Hardware Support: lscpu confirms the CPU flags include tdx_host_platform, sgx, and tme. Kernel Configuration: CONFIG_INTEL_TDX_HOST=y is set in my kernel. KVM Module: The kvm_intel module loads by default, but TDX does not activate. Explicitly running sudo modprobe kvm_intel enable_tdx=1 does not produce new, specific TDX errors in the kernel log (the generic "module not loaded" persists). BIOS: TDX is enabled in the BIOS, and it reports a private KeyID range. I am currently in the process of double-checking the specific sub-settings. 3. Key Suspicions & Information Request Based on my research, the root cause for this specific symptom often lies in the BIOS/UEFI configuration or firmware compatibility. My primary suspects are: Incomplete BIOS Settings: I am verifying all required settings, but I suspect the "TME-MT / TDX Key Split" value might be critical. Is a non-zero value (e.g., 1) mandatory here? Are there other easily missed settings besides the main TDX switch? Firmware Version: I am checking my server's BIOS version. Could this be a known issue resolved in a later firmware update for Sapphire Rapids? 4. My Specific Questions For a Sapphire Rapids system passing the basic hardware check but failing on module load, what are the most likely specific BIOS settings to verify? What is the definitive method to get a more detailed error log from the TDX initialization? The current module not loaded message is not verbose. Are there any known kernel boot parameters (e.g., memmap reservations) commonly required for TDX on this platform? Any detailed pointers or similar case experiences would be greatly appreciated. I am ready to provide additional logs or system information as needed. Thank you for your time and expertise.

VonM_Intel · ‎12-17-2025

Hi cyyyc,

Thank you for posting in our Community. Based on the information you provided, your assessment is reasonable: the system does appear to partially recognize Intel TDX at the firmware level, but the kernel module is not completing initialization. As you correctly noted, this behavior is most commonly related to BIOS/UEFI configuration completeness or firmware compatibility, particularly on Sapphire Rapids platforms where TDX enablement is highly sensitive to specific settings. To help me narrow this down further, may I kindly ask you to confirm or provide the following details:

Could you please confirm the exact BIOS/UEFI version currently installed on the system?
In the BIOS, is TME-MT explicitly enabled, and what is the configured value for the TME-MT / TDX Key Split? A non-zero value is typically required for TDX functionality.
Is ACPI S3 explicitly disabled in the BIOS, as TDX is incompatible with S3?
Which Linux distribution and kernel version are you currently running?
Are you using an Intel-provided kernel, a distribution kernel, or a custom-compiled kernel?
Could you confirm whether the system is booted in UEFI mode (not Legacy/CSM)?
Is Secure Boot enabled, and if so, have you verified that it is not preventing the TDX-related components from loading?
Have you tested with a newer BIOS or firmware release, if available, as several Sapphire Rapids TDX issues have been resolved through firmware updates?

Your suspicion regarding BIOS completeness, particularly the TME-MT / TDX key split, is well-founded, and confirming those values will be an important next step. Once I have the additional details above, I can better determine whether this is a firmware limitation, a missing configuration dependency, or a kernel-side initialization constraint.

Have a nice day!

Best regards,

Von M.
Intel Customer Support Technician

cyyyc · ‎12-21-2025

Dear Expert,

Thank you for your guidance. I have gathered the following details as requested:

BIOS/UEFI Version: 2.4 (Release Date: 08/28/2024, Vendor: American Megatrends International, LLC.)

Boot Mode: UEFI (Confirmed via /sys/firmware/efi)

Secure Boot Status: Disabled (Platform is in Setup Mode)

Linux Distribution & Kernel:

Distribution: Ubuntu 24.04.3 LTS

Kernel Version: 6.8.0-1028-intel

Kernel Type: Intel-provided kernel (linux-image-intel package is installed and running).

BIOS Settings (Manually Verified):

TME-MT: Enabled

TME-MT / TDX Key Split: 1

Intel TDX: Enabled

ACPI S3: I have entered the BIOS setup but could not locate an explicit option to disable ACPI S3 in the power management or ACPI settings menus.

Core Questions & Request for Help:

BIOS Update Guidance: As you suggested, a firmware update might resolve TDX issues on Sapphire Rapids. Given my BIOS vendor is AMI, could you advise on the general steps or precautions for locating and applying a BIOS update on such a platform? How can I safely identify the correct update for my server?

ACPI S3 Clarification: Since I cannot find the ACPI S3 toggle in BIOS, is it possible the firmware manages this state automatically when TDX is enabled? Could its configuration still be a factor?

Next Diagnostic Steps: With all the key BIOS settings (TME-MT, Key Split=1) correctly configured, what should be the next focus? Are there specific kernel boot parameters (e.g., memmap reservations) or detailed logs I can enable to see why the tdx.ko module fails to initialize?

Any further direction would be greatly appreciated.

Best regards,
cyyyc

cyyyc · ‎12-18-2025

Dear Expert,

Thank you for your guidance. I have gathered the following details as requested:

BIOS/UEFI Version: 2.4 (Release Date: 08/28/2024, Vendor: American Megatrends International, LLC.)

Boot Mode: UEFI (Confirmed via /sys/firmware/efi)

Secure Boot Status: Disabled (Platform is in Setup Mode)

Linux Distribution & Kernel:

Distribution: Ubuntu 24.04.3 LTS

Kernel Version: 6.8.0-1028-intel

Kernel Type: Intel-provided kernel (linux-image-intel package is installed and running).

BIOS Settings (Manually Verified):

TME-MT: Enabled

TME-MT / TDX Key Split: 1

Intel TDX: Enabled

ACPI S3: I have entered the BIOS setup but could not locate an explicit option to disable ACPI S3 in the power management or ACPI settings menus.

Core Questions & Request for Help:

BIOS Update Guidance: As you suggested, a firmware update might resolve TDX issues on Sapphire Rapids. Given my BIOS vendor is AMI, could you advise on the general steps or precautions for locating and applying a BIOS update on such a platform? How can I safely identify the correct update for my server?

ACPI S3 Clarification: Since I cannot find the ACPI S3 toggle in BIOS, is it possible the firmware manages this state automatically when TDX is enabled? Could its configuration still be a factor?

Next Diagnostic Steps: With all the key BIOS settings (TME-MT, Key Split=1) correctly configured, what should be the next focus? Are there specific kernel boot parameters (e.g., memmap reservations) or detailed logs I can enable to see why the tdx.ko module fails to initialize?

Any further direction would be greatly appreciated.

Best regards,
cyyyc

RandyT_Intel · ‎12-23-2025

Hi cyyyc,

Thank you for providing this information. Your concern will be routed to our server specialists, as they are best equipped to address this matter. I will move this thread to the appropriate forum for continued assistance. Thank you for your patience and understanding, you can expect a response from the respective team as soon as possible.

Best regards,

Randy T.

Intel Customer Support Technician

Vik3 · ‎12-23-2025

Hello cyyyc,

Thank you for posting on Intel Community. To assist you further, please provide the additional details below.

Provide the complete system details
Error screenshot
Please confirm if the processor was purchased separately or pre-installed.

Thank you for using Intel products and services.

Regards,

Vikas_Intel

cyyyc · ‎12-23-2025

Hello Vikas,

Thank you for your response. Here are the additional details you requested:

1. Complete System Details:

Processor: Intel Xeon Silver 4510 (Sapphire Rapids)
BIOS/UEFI Version: 2.8 (Updated from previous 2.4, Vendor: American Megatrends International, LLC.)
Boot Mode: UEFI (Confirmed via /sys/firmware/efi)
Operating System: Ubuntu 24.04.3 LTS
Kernel Version: 6.8.0-1028-intel (Intel-provided kernel, CONFIG_INTEL_TDX_HOST=y)
BIOS Settings for TDX (Manually Verified & Enabled):
- Intel Trusted Domain Extensions (TDX): Enabled
- TME-MT: Enabled
- TME-MT / TDX Key Split: 1
- ACPI S3: Disabled (via kernel command as per log, BIOS option not found)
Error Status: The kernel detects TDX hardware (virt/tdx: BIOS enabled: private KeyID range [32, 64)), but fails to initialize (virt/tdx: module not loaded). After updating BIOS to version 2.8, the error persists unchanged.
Additional Hardware Info: I will provide the exact server or motherboard model once confirmed from the physical label. (sudo dmidecode -s system-product-name output is: To be filled by O.E.M.)

2. Error Information :
Since the error is in the kernel log, the complete relevant dmesg output is more useful than a screenshot:

[ 0.924774] virt/tdx: BIOS enabled: private KeyID range [32, 64)
[ 0.924776] virt/tdx: Disable ACPI S3. Turn off TDX in the BIOS to use ACPI S3.

[ 7.698328] virt/tdx: module not loaded

3. Processor Installation Confirmation:
The Intel Xeon Silver 4510 processor was pre-installed in the server/system by the OEM or system integrator when I purchased it. I did not purchase or install the CPU separately.

My Core Question Remains:
Given that all basic BIOS settings are correct, the BIOS is updated to the latest version, and the kernel has TDX support compiled in, what could be the root cause for the persistent module not loaded error? Are there specific advanced BIOS configurations (e.g., TDX Memory Region, Node Interleaving) or kernel command-line parameters required for Sapphire Rapids platforms that I should check?

Thank you for your further assistance.

New Finding:

After updating BIOS to version 2.8, I attempted to force TDX initialization as suggested. When reloading the kvm_intel module with enable_tdx=1 parameter, the kernel logged:

[68427.924519] kvm_intel: unknown parameter 'enable_tdx' ignored

This suggests that the kvm_intel module in my current 6.8.0-1028-intel kernel build does not have TDX support compiled in, despite CONFIG_INTEL_TDX_HOST=y being set in the kernel configuration.

New Questions:

Is this a known packaging issue with the linux-image-intel kernel for Ubuntu 24.04?
Should I be using a different kernel (e.g., the mainline linux-image-generic) that includes proper TDX support for Sapphire Rapids?
If TDX host support is compiled into the kernel (=y), is there an alternative way to enable it (e.g., via kernel boot parameter tdx.host=1)?

Best regards,
cyyyc

Poojitha · ‎12-24-2025

Hi cyyyc,

Thank you for your response. We would like to inform you that the Intel Xeon Silver 4510 is pre-installed on the motherboard.

Therefore, we recommend reaching out to the Original Equipment Manufacturer (OEM) or the board manufacturer/OS vendor. Additionally, the query is related to Linux and BIOS TDX configuration, and their expertise and resources will be crucial in resolving the issue. They will be the appropriate point of contact to help resolve the matter.

As a result, we will be proceeding with case closure.

Best regards,

Poojitha N

Intel Customer Support Technician