Secure encrypted virtualization
US-2018165224-A1 · Jun 14, 2018 · US
US11687654B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11687654-B2 |
| Application number | US-201715705562-A |
| Country | US |
| Kind code | B2 |
| Filing date | Sep 15, 2017 |
| Priority date | Sep 15, 2017 |
| Publication date | Jun 27, 2023 |
| Grant date | Jun 27, 2023 |
Official abstract text for this publication.
Implementations describe providing isolation in virtualized systems using trust domains. In one implementation, a processing device includes a memory ownership table (MOT) that is access-controlled against software access. The processing device further includes a processing core to execute a trust domain resource manager (TDRM) to manage a trust domain (TD), maintain a trust domain control structure (TDCS) for managing global metadata for each TD, maintain an execution state of the TD in at least one trust domain thread control structure (TD-TCS) that is access-controlled against software accesses, and reference the MOT to obtain at least one key identifier (key ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key.
Opening claim text (preview).
What is claimed is:

1. A processing device comprising: a memory ownership table (MOT) to store security attributes for a host physical memory page; and a processing core that is to: execute a trust domain resource manager (TDRM) to manage a trust domain (TD); maintain a trust domain control structure (TDCS) for managing metadata of the TD, wherein the TDRM is to cause creation of the TD using an instruction, wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction, and wherein execution of the instruction generates an encryption key assigned to the TD and a key identifier (ID) and initializes a hash for a TD measurement in the TDCS, the key ID to be stored in the TDCS; maintain an execution state of the TD in a trust domain thread control structure (TD-TCS) that is referenced by the TDCS and is access-controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or the other TDs; and reference the MOT to obtain the key identifier (ID) corresponding to the encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key; wherein the MOT security attributes comprise: a TD identifier assigning the host physical memory page to the TD, and an expected guest physical address used in the TD for the TDRM to perform memory mapping of the host physical memory page.
2. The processing device of claim 1, wherein the VMM comprises a TDRM component to provide memory management for at least one of the TD, the other TDs, or one or more virtual machines (VMs) via Extended Page Tables (EPTs).
3. The processing device of claim 1, wherein the TD-TCS references the TDCS, wherein the TDCS is to maintain a count of one or more TD-TCSs corresponding to a logical processor of the TD, and wherein the TD-TCS to store a supervisor execution state and a user execution state of the TD.
4. The processing device of claim 1, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device.
5. The processing device of claim 4, wherein the MK-TME engine generates a plurality of encryption keys accessed via key IDs assigned to the TD for use in encrypting and decrypting the memory pages of the TD, and encrypting and decrypting memory pages corresponding to persistent memory assigned to the TD, and wherein the MOT to track the plurality of key IDs via one key ID associated with each entry in the MOT.
6. The processing device of claim 2, wherein the processing core to reference the MOT for host physical memory pages accessed as part of page walk operations to access a guest physical memory page mapped by the EPTs.
7. The processing device of claim 1, wherein the TD comprises at least one of an operating system (OS) to manage one or more applications or the VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation to transition an operating context of the processing core from at least one of the VMM to the OS of the TD or from the TDRM to the VMM of the TD.
8. The processing device of claim 1, wherein the TDRM is not comprised in a trusted computing base (TCB) of the TD.
9. The processing device of claim 1, wherein the TDCS comprises a signature structure that captures a cryptographic measurement of the TD, the cryptographic measurement signed by a hardware root of trust of the processing device, and wherein the signature structure is provided to an attestation party for verification of the cryptographic measurement.
10. The processing device of claim 1, wherein the processing core is further to maintain measurement state of the TD in the TDCS that is access-controlled against software accesses from software comprising at least the TDRM, the VMM, or the other TDs executed by the processing device.
11. The processing device of claim 1, wherein the TDRM manages the TD and the other TDs.
12. A system comprising: a memory device to store one or more instructions; and a processing device operably coupled to the memory device, the processing device to execute the one or more instructions to: execute a trust domain resource manager (TDRM) to manage a trust domain (TD), wherein the TDRM is not comprised in a trusted computing base (TCB) of the TD; maintain a user execution state and a supervisor execution state of the TD in a trust domain thread control structure (TD-TCS) that is access-controlled against software accesses from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device; and reference a memory ownership table (MOT) to obtain at least one key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key identified via the key ID, wherein the MOT is to store security attributes for a host physical memory page assigned to the TD, wherein a trust domain control structure (TDCS) is to manage metadata of the TD, wherein the TDRM is to cause creation of the TD using an instruction, wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction, and wherein execution of the instruction generates the encryption key assigned to the TD and the key ID and initializes a hash for a TD measurement in the TDCS, the key ID to be stored in the TDCS; wherein the MOT security attributes comprise: a TD identifier assigning the host physical memory page to the TD, and an expected guest physical address used in the TD for the TDRM to perform memory mapping of the host physical memory page.
13. The system of claim 12, wherein the VMM comprises a TDRM component to provide memory management for one or more of the TD, the other TDs, or one or more virtual machines (VMs) via Extended Page Tables (EPTs).
14. The system of claim 12, wherein the TD-TCS corresponds to a logical processor of the TD, the TD-TCS to store the user execution state and the supervisor execution state of the TD on a TD exit operation and load user and supervisor execution state of the TD on a TD enter operation, wherein the TD-TCS is access-controlled against software accesses from at least one of the TDRM, the VMM, or the other TDs executed by the processing device.
15. The system of claim 12, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device, and wherein the MK-TME engine generates a plurality of encryption keys assigned to the TD via key IDs for use in encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT to track the plurality of encryption key IDs via one key ID associated with each entry in the MOT.
16. The system of claim 12, wherein the VMM comprises the TDRM to manage the TD, wherein the TD comprises an operating system (OS) or a non-root VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transitions an operating context of the processing device from the TDRM to the non-root VMM of the TD.
17. A method comprising: executing, by a processing device, a trust domain resource manager (TDRM) to manage a trust domain (TD), wherein the TDRM is not comprised in a trusted computing base (TCB) of the TD; maintaining a us
CPC classification titles:

- Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- Hypervisor-specific management and integration aspects
- Protecting personal data, e.g. for financial or medical purposes
- Restricted operating environment
- File encryption