Intel® Trust Domain Extensions (Intel® TDX)

Overview

Intel® Trust Domain Extensions (Intel® TDX) introduces new architectural elements to help deploy hardware-isolated virtual machines (VMs) called trust domains (TDs). Intel TDX is designed to isolate VMs from the virtual-machine manager (VMM)/hypervisor and from any other non-TD software on the platform, protecting TDs from a broad range of software-based threats. The architectural elements behind these hardware-isolated TDs include:

  • Secure-Arbitration Mode (SEAM): a new CPU mode designed to host an Intel-provided, digitally signed security-services module called the Intel TDX module.
  • A shared bit in the guest physical address (GPA) that lets a TD access memory shared with the VMM.
  • Secure EPT, which translates private GPAs to provide address-translation integrity and to prevent TD code fetches from shared memory. The goal is encryption and integrity protection of private-memory accesses using a TD-private key.
  • Physical-address-metadata table (PAMT), which tracks page allocation, page initialization, and TLB consistency.
  • Multi-key total-memory-encryption (MKTME) engine designed to provide memory encryption using AES-128-XTS and integrity using a 28-bit MAC and a TD-ownership bit.
  • Remote attestation designed to provide evidence that a TD is executing on a genuine Intel TDX system, together with the TCB version of that system.
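The shared-bit and Secure EPT bullets above describe a software-visible convention: a TD's guest physical address space is split into a private half and a shared half by a single bit, and the hardware refuses instruction fetches from the shared half. The following C program is an added illustration, not code from Intel or from the TDX module; it models that convention in user space. It assumes the TDX specification's rule that the shared bit is GPA bit (GPAW - 1) for a guest physical address width (GPAW) of 48 or 52, and the GPAW value, the sample GPA and the helper names (`tdx_shared_mask`, `tdx_access_allowed`, and so on) are constructed for the example; a real TD learns its GPAW from the TDX module rather than from a constant.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a TD with a 48-bit guest physical address width.
 * A real guest obtains this value from the TDX module at run time. */
#define SAMPLE_GPAW 48u

/* The shared bit sits at the top of the guest physical address space,
 * i.e. bit (GPAW - 1): bit 47 for a 48-bit GPAW, bit 51 for a 52-bit GPAW. */
static inline uint64_t tdx_shared_mask(unsigned gpaw) {
    return 1ULL << (gpaw - 1);
}

/* A GPA with the shared bit set refers to memory the VMM may also access;
 * with the bit clear it is private memory translated through the Secure EPT. */
static inline bool tdx_gpa_is_shared(uint64_t gpa, unsigned gpaw) {
    return (gpa & tdx_shared_mask(gpaw)) != 0;
}

/* Convert a private GPA to its shared alias (e.g. for a buffer the TD hands
 * to a paravirtualised device) and back again. */
static inline uint64_t tdx_gpa_to_shared(uint64_t gpa, unsigned gpaw) {
    return gpa | tdx_shared_mask(gpaw);
}

static inline uint64_t tdx_gpa_to_private(uint64_t gpa, unsigned gpaw) {
    return gpa & ~tdx_shared_mask(gpaw);
}

enum tdx_access { TDX_ACCESS_DATA, TDX_ACCESS_FETCH };

/* Model of the Secure EPT rule stated in the overview: data accesses may
 * target either half, but a code fetch from shared memory is refused.
 * Returns true when the access is permitted. */
static bool tdx_access_allowed(uint64_t gpa, enum tdx_access kind, unsigned gpaw) {
    if (kind == TDX_ACCESS_FETCH && tdx_gpa_is_shared(gpa, gpaw))
        return false;
    return true;
}

int main(void) {
    uint64_t buf = 0x10000000ULL; /* constructed private GPA */
    uint64_t shared = tdx_gpa_to_shared(buf, SAMPLE_GPAW);

    printf("shared-bit mask for GPAW %u: 0x%" PRIx64 "\n",
           SAMPLE_GPAW, tdx_shared_mask(SAMPLE_GPAW));
    printf("private GPA 0x%" PRIx64 " -> shared alias 0x%" PRIx64 "\n", buf, shared);
    printf("data read from shared alias allowed:  %s\n",
           tdx_access_allowed(shared, TDX_ACCESS_DATA, SAMPLE_GPAW) ? "yes" : "no");
    printf("code fetch from shared alias allowed: %s\n",
           tdx_access_allowed(shared, TDX_ACCESS_FETCH, SAMPLE_GPAW) ? "yes" : "no");
    printf("code fetch from private GPA allowed:  %s\n",
           tdx_access_allowed(buf, TDX_ACCESS_FETCH, SAMPLE_GPAW) ? "yes" : "no");
    return 0;
}
```

The point of the model is the asymmetry it makes visible: flipping one address bit is all that distinguishes memory the VMM can read from memory it cannot, so guest code that shares a buffer must deliberately choose the shared alias, and nothing that lives in the shared half can ever be executed by the TD.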

White Papers and Specifications

| Document | Description | Date |
| --- | --- | --- |
| Intel® Trust Domain Extensions (Intel® TDX) | An introductory overview of the Intel® TDX technology. | August 2020 |
| Intel® CPU Architectural Extensions Specification | A specification to Intel's architecture instruction set that describes the CPU architectural support for Intel TDX. | September 2020 |
| Intel® TDX Module 1.0 EAS | SW interfaces specification that describes the overall Intel TDX system architecture and the Intel TDX programming interfaces needed by a virtual machine manager (VMM) and by a guest operating system (OS) to utilize Intel TDX. | September 2020 |
| Intel® TDX Loader Interface Specification | A specification of how a VMM loads Intel TDX on a platform. | September 2020 |
| Intel® TDX Guest-Hypervisor Communication Interface | A specification of the new software interfaces between a VMM and a guest OS that are required for enabling Intel TDX. | September 2020 |
| Intel® TDX Virtual Firmware Design Guide | A design guide on how to design and implement a virtual firmware for a trust domain. | October 2020 |


Product and Performance Information

1. Intel's compilers may or may not optimize to the same degree for non-Intel microprocessors for optimizations that are not unique to Intel microprocessors. These optimizations include SSE2, SSE3, and SSSE3 instruction sets and other optimizations. Intel does not guarantee the availability, functionality, or effectiveness of any optimization on microprocessors not manufactured by Intel. Microprocessor-dependent optimizations in this product are intended for use with Intel microprocessors. Certain optimizations not specific to Intel microarchitecture are reserved for Intel microprocessors. Please refer to the applicable product User and Reference Guides for more information regarding the specific instruction sets covered by this notice.

Notice revision #20110804