Inferensys

Glossary

Intel TDX

Intel Trust Domain Extensions (TDX) is a hardware-based Trusted Execution Environment that provides confidentiality and integrity for entire virtual machines, isolating them from the hypervisor and other platform software.
Operations team reviewing AI vendor onboarding platform on laptop, forms and contracts visible, casual office workspace.
TRUSTED EXECUTION ENVIRONMENT

What is Intel TDX?

Intel Trust Domain Extensions (TDX) is a hardware-based trusted execution environment that provides confidentiality and integrity for entire virtual machines, isolating them from the hypervisor and other platform software.

Intel TDX is a hardware-isolated, encrypted Trusted Execution Environment (TEE) that protects the confidentiality and integrity of an entire virtual machine (VM). Unlike process-based enclaves, TDX creates a cryptographically isolated "trust domain" where the guest OS and applications run, rendering them inaccessible to the cloud host, hypervisor, and other VMs on the same physical processor.

TDX achieves this through multi-key, total memory encryption managed by an on-die TDX Module, a small, auditable firmware layer that acts as the root of trust. It provides remote attestation to verify the trust domain's identity and security posture to a relying party before releasing secrets, ensuring data-in-use protection for sensitive AI training and inference workloads.

HARDWARE-ASSISTED VM ISOLATION

Key Features of Intel TDX

Intel Trust Domain Extensions (TDX) introduces architectural innovations that extend confidential computing from application-specific enclaves to entire virtual machines, fundamentally reducing the Trusted Computing Base while maintaining operational compatibility.

01

Full VM Confidentiality and Integrity

Intel TDX encrypts the entire virtual machine memory using a hardware-managed encryption key that is inaccessible to the hypervisor, host OS, and other VMs. Unlike process-based enclaves, TDX protects a complete, unmodified guest OS and its workloads. The CPU enforces cryptographic integrity on memory pages, preventing replay, relocation, and tampering attacks. This creates a Trust Domain—a hardware-isolated execution environment where even a compromised hypervisor cannot read or alter VM state.

1-Key/VM
Encryption Granularity
MKTME
Underlying Engine
02

Reduced Trusted Computing Base

TDX dramatically shrinks the Trusted Computing Base (TCB) by removing the hypervisor from the security boundary. In traditional virtualization, the VMM has unrestricted access to VM memory. With TDX, the CPU itself enforces isolation, meaning the only trusted components are the Intel TDX Module (a small, formally verified firmware layer) and the CPU package. This eliminates entire classes of attacks originating from hypervisor vulnerabilities, misconfigurations, or malicious insiders with cloud administrator privileges.

~100KB
TDX Module Size
VMM Excluded
From TCB
03

Cryptographic Attestation

Before a workload is deployed or secrets are released, TDX provides hardware-rooted attestation. The CPU generates a cryptographically signed TD Report containing measurements of the Trust Domain's initial state, including the guest firmware and OS image. A remote party can verify this quote against Intel's provisioning service to confirm:

  • The VM is running on genuine Intel hardware with TDX enabled
  • The exact software stack loaded matches a known-good configuration
  • No tampering has occurred during boot This enables zero-trust deployment where workloads only execute on verified platforms.
SGX DCAP
Attestation Backend
ECDSA
Signature Algorithm
04

Secure Interrupt and Exception Handling

TDX introduces Secure EPT (Extended Page Tables) to manage memory virtualization within the Trust Domain. Critically, it also defines a secure mechanism for injecting interrupts and exceptions. When an external interrupt occurs, the CPU transitions through the TDX module, which scrubs register state to prevent information leakage before delivering the interrupt to the guest. This prevents the hypervisor from mounting side-channel attacks by manipulating interrupt timing or injecting malicious exception vectors to probe Trust Domain state.

05

Shared Memory with Confidentiality Controls

While Trust Domain memory is private by default, VMs need to communicate with the outside world for I/O. TDX provides explicit shared memory regions that the guest OS designates as accessible to the hypervisor. The guest maintains full control over which pages are shared, and the CPU enforces that only designated pages lose their confidentiality protections. This allows standard virtio drivers for network and storage to function with minimal modification, while the guest's sensitive data structures remain encrypted and integrity-protected.

06

Live Migration with Security Guarantees

TDX supports live migration of Confidential VMs between physical hosts without exposing memory contents. The migration process uses a Migration TD—a special-purpose Trust Domain that securely transfers encrypted memory pages and VM state. The source and destination platforms perform mutual attestation, and the migration agent negotiates a transport encryption key. This ensures that even during migration, the hypervisor and network intermediaries never access plaintext VM data, enabling cloud operators to perform maintenance without violating confidentiality.

TEE COMPARISON

Intel TDX vs. Intel SGX

Comparing Intel's two primary hardware-based Trusted Execution Environment technologies for isolating sensitive workloads.

FeatureIntel TDXIntel SGX

Abstraction Level

Full Virtual Machine (VM)

Application-level Enclave

Protected Memory Size

Entire VM memory (up to terabytes)

Up to 512 MB per enclave (EPC limit)

Code Modification Required

Legacy Application Support

Trusted Computing Base (TCB)

VM firmware + TDX module

Application + SGX SDK + untrusted runtime

Hypervisor Isolation

Side-Channel Resistance

Hardware-enforced via MKTME engine

Software mitigations required

Attestation Model

TDREPORT + DCAP for VMs

EPID or DCAP for enclaves

INTEL TDX EXPLAINED

Frequently Asked Questions

Get clear, technically precise answers to the most common questions about Intel Trust Domain Extensions, the hardware-based confidential computing technology that isolates entire virtual machines from the hypervisor and cloud provider.

Intel Trust Domain Extensions (TDX) is a hardware-based Trusted Execution Environment (TEE) introduced in 4th Gen Intel Xeon Scalable processors (Sapphire Rapids) that provides confidentiality and integrity for entire virtual machines. Unlike Intel SGX, which isolates individual application enclaves, TDX creates a Trust Domain (TD) —a hardware-isolated VM whose memory is encrypted with a key inaccessible to the hypervisor, host OS, or cloud provider. The CPU enforces this isolation through a new TDX Module (a digitally signed, Intel-provided software component) that acts as a security intermediary between the Trust Domain and the Virtual Machine Manager (VMM). When a TD executes, all memory pages are encrypted using AES-128-XTS with a key generated at TD creation. The CPU's Memory Encryption Engine (MKE) handles encryption and integrity verification transparently, ensuring that even a compromised hypervisor cannot read or modify the TD's memory. TDX also introduces secure interrupt and exception delivery, preventing the VMM from injecting malicious interrupts to extract secrets. Attestation is performed via the TDX attestation flow, where the CPU generates a cryptographically signed TDREPORT containing the TD's measurements, which can be verified by a remote party using Intel's quoting infrastructure.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.