What Is Intel® Trust Domain Extensions (Intel® TDX)


000097227

07/31/2024

What is Intel® TDX?

Intel® Trust Domain Extensions (Intel® TDX) is Intel's newest confidential computing technology. This hardware-based trusted execution environment (TEE) facilitates the deployment of trust domains (TD), which are hardware-isolated virtual machines (VM) designed to protect sensitive data and applications from unauthorized access.

A CPU-measured Intel® TDX module enables Intel® TDX. This software module runs in a new CPU Secure Arbitration Mode (SEAM) as a peer virtual machine manager (VMM) and supports TD entry and exit using the existing virtualization infrastructure. The module is hosted in a reserved memory space identified by the SEAM Range Register (SEAMRR).

Intel® TDX uses hardware extensions for managing and encrypting memory and protects both the confidentiality and integrity of the TD CPU state from non-SEAM mode.

Intel® TDX uses architectural elements such as SEAM, a shared bit in the Guest Physical Address (GPA) that separates TD-private memory from memory shared with the VMM, secure Extended Page Tables (EPT), the Physical Address Metadata Table (PAMT), Intel® Total Memory Encryption – Multi-Key (Intel® TME-MK), and remote attestation.

Intel® TDX ensures data integrity, confidentiality, and authenticity, empowering engineers and tech professionals to create and maintain secure systems and enhancing trust in virtualized environments.


Key Benefits

  • Isolation: Hardware-level VM isolation for robust data protection against unauthorized access ensures confidentiality and integrity of your data.
  • Confidentiality: Unauthorized or altered software is prevented from loading and from accessing confidential data. Data in memory is opaque to cloud service providers (CSPs) and operators, and to other applications sharing the host.
  • Integrity: Attestation confirms that hardware and software configurations and policies are as expected and provides assurance to the workload owner that the server is trustworthy.

