Inferensys

Glossary

Intel TDX

Intel Trusted Domain Extensions (TDX) is a hardware-isolated, virtual machine-level Trusted Execution Environment that extends Confidential Computing to entire VMs, enabling lift-and-shift migration of legacy workloads without code modification.
Stylish WeWork-like workspace with hot desks and document wall, professional searching through enterprise knowledge base on a mounted ultrawide display, warm industrial pendants overhead.
CONFIDENTIAL COMPUTING

What is Intel TDX?

Intel Trust Domain Extensions (TDX) is a hardware-isolated, virtual machine-level Trusted Execution Environment that extends Confidential Computing to entire VMs, enabling lift-and-shift migration of legacy workloads without code modification.

Intel TDX is a set of hardware extensions that creates a Confidential VM by encrypting the entire memory space of a virtual machine and isolating it from the host hypervisor, cloud operator, and other VMs. Unlike process-level enclaves such as Intel SGX, TDX protects a complete, unmodified operating system and its applications, removing the need to refactor legacy software into trusted and untrusted components.

TDX introduces a secure arbitration mode via the TDX Module, which acts as a peer to the hypervisor and manages the lifecycle of Trust Domains. The architecture provides remote attestation to cryptographically verify the integrity of the TDX environment before provisioning secrets, ensuring that data and models remain encrypted during active processing—a critical capability for Confidential AI and regulated enterprise workloads.

CONFIDENTIAL COMPUTING

Key Features of Intel TDX

Intel Trust Domain Extensions (TDX) introduces architectural innovations that extend Confidential Computing to entire virtual machines, enabling legacy workload migration without code modification.

01

Hardware-Isolated Trust Domains

Intel TDX creates a hardware-enforced cryptographic isolation boundary around each Trust Domain (TD) virtual machine. The CPU manages an encrypted memory region inaccessible to the hypervisor, host OS, or other VMs. This isolation is rooted in a Hardware Root of Trust baked into the silicon, ensuring that even a compromised cloud administrator cannot inspect memory contents. Unlike process-level enclaves, TDX protects the entire guest OS and application stack, enabling lift-and-shift migration of unmodified workloads into a secure execution environment.

Full VM
Isolation Granularity
02

Multi-Key Total Memory Encryption (MKTME)

TDX leverages Intel's Multi-Key Total Memory Encryption engine to encrypt each Trust Domain's memory with a unique, hardware-generated key. The memory controller transparently encrypts and decrypts data as it moves between the CPU and RAM, ensuring data-in-use remains protected. Key architectural properties include:

  • Per-TD key isolation: Each VM gets its own encryption key
  • Hardware-managed keys: Keys never exposed to software, including the hypervisor
  • Integrity protection: Cryptographic mechanisms detect replay and tampering attacks
  • Zero performance tuning: Encryption operates at memory bus speed with minimal latency overhead
Per-VM
Key Isolation
04

Secure Interrupt and Exception Handling

TDX introduces a Secure Arbitration Mode (SEAM) — a new CPU mode that sits between the hypervisor and the Trust Domain to mediate all transitions. Key security properties:

  • Interrupt injection filtering: The SEAM module validates and sanitizes interrupts before delivery to the TD
  • Exception confidentiality: Register states are scrubbed during VM exits to prevent information leakage
  • Restricted injection: The hypervisor cannot inject arbitrary interrupts; only SEAM-authorized vectors are permitted
  • Side-channel hardening: Architectural mitigations against cache-timing and page-fault side-channel attacks

This design eliminates a class of attacks where malicious hypervisors exploit interrupt handling to extract secrets.

06

Shared Memory and I/O Virtualization

TDX supports TDX Connect Shared Memory for high-performance communication between Trust Domains and accelerators without compromising security. The architecture provides:

  • Direct memory access: Accelerators can read/write encrypted TD memory through authenticated channels
  • IOMMU enforcement: The I/O Memory Management Unit enforces access controls, preventing DMA attacks
  • Scalable I/O virtualization: Support for SR-IOV and Scalable IOV to maintain near-native networking and storage performance
  • Zero-copy data paths: Eliminates costly memory copies between the TD and devices

This enables confidential computing for I/O-intensive workloads like databases and real-time analytics without sacrificing throughput.

CONFIDENTIAL COMPUTING COMPARISON

Intel TDX vs. Intel SGX vs. AMD SEV-SNP

A technical comparison of three hardware-based Trusted Execution Environment architectures for protecting data in use within cloud and enterprise environments.

FeatureIntel TDXIntel SGXAMD SEV-SNP

Abstraction Level

Full Virtual Machine

User-space Application

Full Virtual Machine

Trusted Computing Base

CPU + TDX Module

CPU + Enclave Code

CPU + PSP Firmware

Code Modification Required

Memory Integrity Protection

Hypervisor Exclusion from TCB

Enclave Memory Limit

Entire VM RAM

Up to 512 MB (EPC)

Entire VM RAM

I/O Protection

Shared memory with attestation

No native I/O

Encrypted I/O paths

Attestation Infrastructure

Intel DCAP

Intel DCAP

AMD KDS + SEV-SNP API

INTEL TDX EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about Intel Trust Domain Extensions, covering architecture, security properties, and operational considerations for deploying confidential virtual machines.

Intel Trust Domain Extensions (TDX) is a hardware-isolated, virtual machine (VM)-level Trusted Execution Environment (TEE) that extends Confidential Computing to entire virtual machines. It works by introducing a new architectural element called the Intel TDX Module—a digitally signed, security-audited software component that runs in a new CPU Secure Arbitration Mode (SEAM) root mode. This module manages Trust Domains (TDs) , which are hardware-encrypted VMs isolated from the Virtual Machine Manager (VMM)/hypervisor and other non-TD software. The CPU enforces memory encryption via the Total Memory Encryption-Multi-Key (TME-MK) engine, assigning each TD a unique, ephemeral encryption key. This hardware-enforced isolation means the host OS, hypervisor, and cloud administrator are removed from the Trusted Computing Base (TCB) for the guest VM's confidentiality and integrity. Unlike process-based enclaves (like Intel SGX), TDX enables a 'lift-and-shift' migration of existing, unmodified applications into a secure enclave, protecting the entire guest OS and workload without code changes.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.