Intel TDX

Intel Trust Domain Extensions (TDX) is a hardware-based confidential computing technology developed by Intel Corporation that isolates virtual machines (called Trust Domains) from the hypervisor

Intel Trusted Domains isolate virtualized workload against the hypervisor.

Prerequisites

Before enabling TDX, ensure the following requirements are met.

CPU Support

Feature

Minimum EPYC Generation

Intel TDX 1.0

5th Gen Intel Xeon Scalable (Emerald Rapids)

Intel TDX 1.5

6th Gen Intel Xeon Scalable (Granite Rapids)

Check your CPU:

lscpu

Look for:

Model name: Intel(R) Xeon(R) ...

Then verify TDX capability in BIOS or via Intel documentation.

Firmware Requirements

You must update to:

Latest BIOS/UEFI firmware
Latest Intel ME firmware
Latest microcode
Latest BMC firmware (recommended)

TDX requires modern platform firmware support.

Memory Requirements

TDX requires:

All memory banks filled
Sufficient RAM reserved for TDX memory
BIOS configuration of a TDX memory region

Step-by-Step: Enable Intel TDX in BIOS

Menu names differ slightly by vendor (Dell, HPE, Lenovo, Supermicro, etc.).

Step 1 — Enter BIOS

Reboot the server
Press:
- F2
- DEL
- F10
- ESC

(depending on vendor)

Step 2 — Enable Intel Virtualization

Navigate to:

Advanced
  → Processor Configuration

Enable:

Intel Virtualization Technology (VT-x) → Enabled
Intel VT-d → Enabled

These are mandatory.

Step 3 — Enable Total Memory Encryption (TME)

TDX depends on Total Memory Encryption (TME).

Navigate to:

Advanced
  → Memory Configuration

Set:

Total Memory Encryption (TME) → Enabled

Step 4 — Enable TDX

Navigate to:

Advanced
  → Processor Configuration
      → Intel TDX

Set:

Intel TDX → Enabled

Some BIOS versions list it under:

Trust Domain Extensions
Confidential Compute
Security → TDX

Step 5 — Configure TDX Memory Region

Some systems require configuring:

TDX Memory Reserved Size → (e.g., 64GB or more)

This reserves secure memory for Trust Domains.

If not configured, TDX may not initialize.

Additional Required BIOS Settings

Enable the following if present:

SGX → Disabled (TDX replaces SGX on some systems)
Above 4G Decoding → Enabled
Secure Boot → Enabled (recommended)
NUMA → Enabled
Memory Integrity → Enabled

Verify TDX in Linux

After booting Linux:

Check CPU flags

lscpu | grep tdx

Check dmesg

dmesg | grep -i tdx

Expected output should indicate:

TDX module initialized
TDX enabled

Check kernel support

TDX requires:

Recent Linux kernel (6.11 recommended)
KVM with TDX support
Intel TDX module loaded

Troubleshooting

Problem

Possible Cause

Solution

TDX option not visible

Old BIOS

Update firmware

TDX fails to initialize

TME disabled

Enable TME

No TDX memory region

Memory not reserved

Configure TDX memory

VM fails to start

Kernel lacks TDX support

Upgrade kernel

PreviousAMD SEV NextNVIDIA CC

Last updated 4 days ago

Was this helpful?

hashtagPrerequisites

hashtagCPU Support

hashtagFirmware Requirements

hashtagMemory Requirements

hashtagStep-by-Step: Enable Intel TDX in BIOS

hashtagStep 1 — Enter BIOS

hashtagStep 2 — Enable Intel Virtualization

hashtagStep 3 — Enable Total Memory Encryption (TME)

hashtagStep 4 — Enable TDX

hashtagStep 5 — Configure TDX Memory Region

hashtagAdditional Required BIOS Settings

hashtagVerify TDX in Linux

hashtagCheck CPU flags

hashtagCheck dmesg

hashtagCheck kernel support

hashtagTroubleshooting

Prerequisites

CPU Support

Firmware Requirements

Memory Requirements

Step-by-Step: Enable Intel TDX in BIOS

Step 1 — Enter BIOS

Step 2 — Enable Intel Virtualization

Step 3 — Enable Total Memory Encryption (TME)

Step 4 — Enable TDX

Step 5 — Configure TDX Memory Region

Additional Required BIOS Settings

Verify TDX in Linux

Check CPU flags

Check dmesg

Check kernel support

Troubleshooting