Intel TDX is a set of hardware extensions that creates a Confidential VM by encrypting the entire memory space of a virtual machine and isolating it from the host hypervisor, cloud operator, and other VMs. Unlike process-level enclaves such as Intel SGX, TDX protects a complete, unmodified operating system and its applications, removing the need to refactor legacy software into trusted and untrusted components.
Glossary
Intel TDX

What is Intel TDX?
Intel Trust Domain Extensions (TDX) is a hardware-isolated, virtual machine-level Trusted Execution Environment that extends Confidential Computing to entire VMs, enabling lift-and-shift migration of legacy workloads without code modification.
TDX introduces a secure arbitration mode via the TDX Module, which acts as a peer to the hypervisor and manages the lifecycle of Trust Domains. The architecture provides remote attestation to cryptographically verify the integrity of the TDX environment before provisioning secrets, ensuring that data and models remain encrypted during active processing—a critical capability for Confidential AI and regulated enterprise workloads.
Key Features of Intel TDX
Intel Trust Domain Extensions (TDX) introduces architectural innovations that extend Confidential Computing to entire virtual machines, enabling legacy workload migration without code modification.
Hardware-Isolated Trust Domains
Intel TDX creates a hardware-enforced cryptographic isolation boundary around each Trust Domain (TD) virtual machine. The CPU manages an encrypted memory region inaccessible to the hypervisor, host OS, or other VMs. This isolation is rooted in a Hardware Root of Trust baked into the silicon, ensuring that even a compromised cloud administrator cannot inspect memory contents. Unlike process-level enclaves, TDX protects the entire guest OS and application stack, enabling lift-and-shift migration of unmodified workloads into a secure execution environment.
Multi-Key Total Memory Encryption (MKTME)
TDX leverages Intel's Multi-Key Total Memory Encryption engine to encrypt each Trust Domain's memory with a unique, hardware-generated key. The memory controller transparently encrypts and decrypts data as it moves between the CPU and RAM, ensuring data-in-use remains protected. Key architectural properties include:
- Per-TD key isolation: Each VM gets its own encryption key
- Hardware-managed keys: Keys never exposed to software, including the hypervisor
- Integrity protection: Cryptographic mechanisms detect replay and tampering attacks
- Zero performance tuning: Encryption operates at memory bus speed with minimal latency overhead
Secure Interrupt and Exception Handling
TDX introduces a Secure Arbitration Mode (SEAM) — a new CPU mode that sits between the hypervisor and the Trust Domain to mediate all transitions. Key security properties:
- Interrupt injection filtering: The SEAM module validates and sanitizes interrupts before delivery to the TD
- Exception confidentiality: Register states are scrubbed during VM exits to prevent information leakage
- Restricted injection: The hypervisor cannot inject arbitrary interrupts; only SEAM-authorized vectors are permitted
- Side-channel hardening: Architectural mitigations against cache-timing and page-fault side-channel attacks
This design eliminates a class of attacks where malicious hypervisors exploit interrupt handling to extract secrets.
Shared Memory and I/O Virtualization
TDX supports TDX Connect Shared Memory for high-performance communication between Trust Domains and accelerators without compromising security. The architecture provides:
- Direct memory access: Accelerators can read/write encrypted TD memory through authenticated channels
- IOMMU enforcement: The I/O Memory Management Unit enforces access controls, preventing DMA attacks
- Scalable I/O virtualization: Support for SR-IOV and Scalable IOV to maintain near-native networking and storage performance
- Zero-copy data paths: Eliminates costly memory copies between the TD and devices
This enables confidential computing for I/O-intensive workloads like databases and real-time analytics without sacrificing throughput.
Intel TDX vs. Intel SGX vs. AMD SEV-SNP
A technical comparison of three hardware-based Trusted Execution Environment architectures for protecting data in use within cloud and enterprise environments.
| Feature | Intel TDX | Intel SGX | AMD SEV-SNP |
|---|---|---|---|
Abstraction Level | Full Virtual Machine | User-space Application | Full Virtual Machine |
Trusted Computing Base | CPU + TDX Module | CPU + Enclave Code | CPU + PSP Firmware |
Code Modification Required | |||
Memory Integrity Protection | |||
Hypervisor Exclusion from TCB | |||
Enclave Memory Limit | Entire VM RAM | Up to 512 MB (EPC) | Entire VM RAM |
I/O Protection | Shared memory with attestation | No native I/O | Encrypted I/O paths |
Attestation Infrastructure | Intel DCAP | Intel DCAP | AMD KDS + SEV-SNP API |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about Intel Trust Domain Extensions, covering architecture, security properties, and operational considerations for deploying confidential virtual machines.
Intel Trust Domain Extensions (TDX) is a hardware-isolated, virtual machine (VM)-level Trusted Execution Environment (TEE) that extends Confidential Computing to entire virtual machines. It works by introducing a new architectural element called the Intel TDX Module—a digitally signed, security-audited software component that runs in a new CPU Secure Arbitration Mode (SEAM) root mode. This module manages Trust Domains (TDs) , which are hardware-encrypted VMs isolated from the Virtual Machine Manager (VMM)/hypervisor and other non-TD software. The CPU enforces memory encryption via the Total Memory Encryption-Multi-Key (TME-MK) engine, assigning each TD a unique, ephemeral encryption key. This hardware-enforced isolation means the host OS, hypervisor, and cloud administrator are removed from the Trusted Computing Base (TCB) for the guest VM's confidentiality and integrity. Unlike process-based enclaves (like Intel SGX), TDX enables a 'lift-and-shift' migration of existing, unmodified applications into a secure enclave, protecting the entire guest OS and workload without code changes.
Related Terms
Intel TDX operates within a broader ecosystem of hardware security technologies. These related concepts define the mechanisms, protocols, and complementary architectures that enable end-to-end confidential computing.
Confidential Computing
The overarching hardware-based security paradigm that protects data in use by performing computation within a hardware-enforced Trusted Execution Environment. Intel TDX is a specific implementation of this paradigm at the virtual machine level, shielding entire workloads from the cloud provider, hypervisor, and other tenants. This contrasts with protecting only data at rest (encrypted storage) or data in transit (TLS).
Attestation
The cryptographic process by which an Intel TDX-enabled platform proves its identity, integrity, and security posture to a remote relying party. Before a client provisions secrets or trusts a TDX-protected VM, the platform generates a verifiable attestation report. This report includes:
- TDX Module measurements: Verifying the trusted firmware version.
- Guest VM measurements: Confirming the exact OS and software stack loaded.
- Platform TCB status: Ensuring all microcode and firmware are up-to-date and not revoked.
Trusted Computing Base (TCB)
The set of all hardware, firmware, and software components critical to a system's security. A vulnerability in any TCB component compromises the entire system. Intel TDX dramatically reduces the TCB by removing the hypervisor and host OS from the trust boundary. The TDX TCB includes:
- The Intel CPU package and microcode.
- The Intel TDX Module (a small, verified firmware layer).
- The guest VM's own operating system and applications. This minimal TCB drastically reduces the attack surface compared to traditional virtualization.
Intel SGX
A related Intel TEE technology that operates at the application level rather than the VM level. SGX creates small, isolated memory regions called enclaves for specific code segments, requiring developers to modify applications using a software development kit. In contrast, Intel TDX protects an entire virtual machine, enabling lift-and-shift migration of legacy workloads without code changes. SGX offers finer-grained protection, while TDX prioritizes operational simplicity and broader workload compatibility.
AMD SEV-SNP
AMD's competing VM-level TEE technology that provides similar protections to Intel TDX. Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) encrypts VM memory and adds strong integrity protection to prevent malicious hypervisor attacks like data replay and memory remapping. Both technologies aim to protect entire VMs from the host, but they differ in their hardware roots of trust, attestation protocols, and specific side-channel mitigations. Multi-cloud strategies often require supporting both.
Confidential AI
The application of Confidential Computing hardware—including Intel TDX—to protect the confidentiality and integrity of machine learning models, training data, and inference inputs during active computation. In a TDX-protected VM:
- Model weights remain encrypted in memory, preventing intellectual property theft by the cloud operator.
- Inference requests containing sensitive user data are processed in complete isolation.
- Training pipelines can combine sensitive datasets from multiple parties without exposing raw data to any single entity.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us