Intel TDX is a hardware-isolated, encrypted Trusted Execution Environment (TEE) that protects the confidentiality and integrity of an entire virtual machine (VM). Unlike process-based enclaves, TDX creates a cryptographically isolated "trust domain" where the guest OS and applications run, rendering them inaccessible to the cloud host, hypervisor, and other VMs on the same physical processor.
Glossary
Intel TDX

What is Intel TDX?
Intel Trust Domain Extensions (TDX) is a hardware-based trusted execution environment that provides confidentiality and integrity for entire virtual machines, isolating them from the hypervisor and other platform software.
TDX achieves this through multi-key, total memory encryption managed by an on-die TDX Module, a small, auditable firmware layer that acts as the root of trust. It provides remote attestation to verify the trust domain's identity and security posture to a relying party before releasing secrets, ensuring data-in-use protection for sensitive AI training and inference workloads.
Key Features of Intel TDX
Intel Trust Domain Extensions (TDX) introduces architectural innovations that extend confidential computing from application-specific enclaves to entire virtual machines, fundamentally reducing the Trusted Computing Base while maintaining operational compatibility.
Full VM Confidentiality and Integrity
Intel TDX encrypts the entire virtual machine memory using a hardware-managed encryption key that is inaccessible to the hypervisor, host OS, and other VMs. Unlike process-based enclaves, TDX protects a complete, unmodified guest OS and its workloads. The CPU enforces cryptographic integrity on memory pages, preventing replay, relocation, and tampering attacks. This creates a Trust Domain—a hardware-isolated execution environment where even a compromised hypervisor cannot read or alter VM state.
Reduced Trusted Computing Base
TDX dramatically shrinks the Trusted Computing Base (TCB) by removing the hypervisor from the security boundary. In traditional virtualization, the VMM has unrestricted access to VM memory. With TDX, the CPU itself enforces isolation, meaning the only trusted components are the Intel TDX Module (a small, formally verified firmware layer) and the CPU package. This eliminates entire classes of attacks originating from hypervisor vulnerabilities, misconfigurations, or malicious insiders with cloud administrator privileges.
Cryptographic Attestation
Before a workload is deployed or secrets are released, TDX provides hardware-rooted attestation. The CPU generates a cryptographically signed TD Report containing measurements of the Trust Domain's initial state, including the guest firmware and OS image. A remote party can verify this quote against Intel's provisioning service to confirm:
- The VM is running on genuine Intel hardware with TDX enabled
- The exact software stack loaded matches a known-good configuration
- No tampering has occurred during boot This enables zero-trust deployment where workloads only execute on verified platforms.
Secure Interrupt and Exception Handling
TDX introduces Secure EPT (Extended Page Tables) to manage memory virtualization within the Trust Domain. Critically, it also defines a secure mechanism for injecting interrupts and exceptions. When an external interrupt occurs, the CPU transitions through the TDX module, which scrubs register state to prevent information leakage before delivering the interrupt to the guest. This prevents the hypervisor from mounting side-channel attacks by manipulating interrupt timing or injecting malicious exception vectors to probe Trust Domain state.
Shared Memory with Confidentiality Controls
While Trust Domain memory is private by default, VMs need to communicate with the outside world for I/O. TDX provides explicit shared memory regions that the guest OS designates as accessible to the hypervisor. The guest maintains full control over which pages are shared, and the CPU enforces that only designated pages lose their confidentiality protections. This allows standard virtio drivers for network and storage to function with minimal modification, while the guest's sensitive data structures remain encrypted and integrity-protected.
Live Migration with Security Guarantees
TDX supports live migration of Confidential VMs between physical hosts without exposing memory contents. The migration process uses a Migration TD—a special-purpose Trust Domain that securely transfers encrypted memory pages and VM state. The source and destination platforms perform mutual attestation, and the migration agent negotiates a transport encryption key. This ensures that even during migration, the hypervisor and network intermediaries never access plaintext VM data, enabling cloud operators to perform maintenance without violating confidentiality.
Intel TDX vs. Intel SGX
Comparing Intel's two primary hardware-based Trusted Execution Environment technologies for isolating sensitive workloads.
| Feature | Intel TDX | Intel SGX |
|---|---|---|
Abstraction Level | Full Virtual Machine (VM) | Application-level Enclave |
Protected Memory Size | Entire VM memory (up to terabytes) | Up to 512 MB per enclave (EPC limit) |
Code Modification Required | ||
Legacy Application Support | ||
Trusted Computing Base (TCB) | VM firmware + TDX module | Application + SGX SDK + untrusted runtime |
Hypervisor Isolation | ||
Side-Channel Resistance | Hardware-enforced via MKTME engine | Software mitigations required |
Attestation Model | TDREPORT + DCAP for VMs | EPID or DCAP for enclaves |
Frequently Asked Questions
Get clear, technically precise answers to the most common questions about Intel Trust Domain Extensions, the hardware-based confidential computing technology that isolates entire virtual machines from the hypervisor and cloud provider.
Intel Trust Domain Extensions (TDX) is a hardware-based Trusted Execution Environment (TEE) introduced in 4th Gen Intel Xeon Scalable processors (Sapphire Rapids) that provides confidentiality and integrity for entire virtual machines. Unlike Intel SGX, which isolates individual application enclaves, TDX creates a Trust Domain (TD) —a hardware-isolated VM whose memory is encrypted with a key inaccessible to the hypervisor, host OS, or cloud provider. The CPU enforces this isolation through a new TDX Module (a digitally signed, Intel-provided software component) that acts as a security intermediary between the Trust Domain and the Virtual Machine Manager (VMM). When a TD executes, all memory pages are encrypted using AES-128-XTS with a key generated at TD creation. The CPU's Memory Encryption Engine (MKE) handles encryption and integrity verification transparently, ensuring that even a compromised hypervisor cannot read or modify the TD's memory. TDX also introduces secure interrupt and exception delivery, preventing the VMM from injecting malicious interrupts to extract secrets. Attestation is performed via the TDX attestation flow, where the CPU generates a cryptographically signed TDREPORT containing the TD's measurements, which can be verified by a remote party using Intel's quoting infrastructure.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Intel TDX operates within a broader ecosystem of hardware security technologies, attestation protocols, and confidential computing primitives. These related concepts form the foundation for building verifiably secure AI infrastructure.
Attestation
The cryptographic process of verifying the identity and integrity of a Trusted Execution Environment before trusting it with sensitive data. Attestation produces a signed report containing enclave measurements that a remote party can validate against known-good values. Intel TDX uses a hardware-rooted attestation flow through the Intel SGX quoting infrastructure.
- Verifies hardware, firmware, and software integrity
- Produces cryptographically signed evidence
- Prerequisite for releasing secrets to a TEE
AMD SEV-SNP
AMD's Secure Encrypted Virtualization with Secure Nested Paging adds memory integrity protection to encrypted VMs. It prevents hypervisor-based attacks like data replay, memory remapping, and page table manipulation. SEV-SNP is the primary competitor to Intel TDX, offering similar confidential VM capabilities on AMD EPYC processors.
- Memory encryption with integrity protection
- Prevents malicious hypervisor attacks
- Comparable to Intel TDX on AMD platforms
Confidential VM (CVM)
A virtual machine instance backed by hardware-based memory encryption, ensuring data remains encrypted while in use. The hypervisor cannot access VM memory, protecting workloads from cloud provider insiders and compromised infrastructure. Intel TDX enables CVMs by encrypting the full VM state with a hardware-generated key inaccessible to the VMM.
- Full VM memory encryption at runtime
- Isolated from cloud provider hypervisor
- No application modification required
Trusted Computing Base (TCB)
The set of all hardware, firmware, and software components critical to a system's security. A smaller TCB reduces the attack surface and simplifies formal verification. Intel TDX dramatically shrinks the TCB for virtualized workloads by removing the hypervisor from the trust boundary, leaving only the CPU package and TDX module.
- Minimizes components that must be trusted
- Smaller TCB = fewer potential vulnerabilities
- TDX excludes the VMM from the TCB
Confidential AI SDK
A software development kit providing APIs and tools for building AI applications that run within a TEE. It ensures model weights and inference data remain encrypted during computation. When combined with Intel TDX, the SDK enables confidential inference services where proprietary models process sensitive queries without exposing either to the infrastructure operator.
- APIs for enclave-aware AI workloads
- Protects model IP and user data simultaneously
- Enables confidential model serving pipelines

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us