The official overview: Intel® Trust Domain Extensions (Intel® TDX)
Intel Trust Domain Extensions (TDX) is an architectural extension introduced with the 4th Generation Intel Xeon Scalable Processors that provides Trusted Execution Environment (TEE) capabilities. TDX introduces Secure Arbitration Mode (SEAM), which provides cryptographic isolation and protection for confidential Virtual Machines (cVMs), called Trust Domains (TDs) in TDX terminology. TDX's design starts from the assumption that privileged software, such as the hypervisor or the host operating system, may be untrusted or actively adversarial.
With traditional virtualization, VMs share resources, and trust is placed in the hypervisor to ensure isolation between them. However, there is always a potential risk of vulnerabilities or attacks that could compromise the hypervisor and allow unauthorized access to other VMs.
Intel TDX addresses this concern with a hardware-based approach to isolation and protection. It establishes a new trust boundary, the "trust domain", enforced by the processor. Each VM is assigned its own trust domain, isolating it from other VMs and from the hypervisor. As a result, even if the hypervisor is compromised, the confidentiality and integrity of each VM's data are maintained.
Key features and benefits of Intel TDX include:
TDX's primary goal is to protect the confidentiality and integrity of a Trust Domain's CPU state and memory. It also lets Trust Domain owners securely authenticate remote platforms. TDX is built from a combination of existing and new components: Virtualization Technology (VT), Multi-Key Total Memory Encryption (MKTME), and the TDX Module. For remote attestation, TDX additionally leverages Software Guard Extensions (SGX) and the Data Center Attestation Primitives (DCAP).
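Before a workload can rely on the attestation described above, an operator usually wants a quick check that the guest is actually running as a Trust Domain rather than an ordinary VM. The following shell script is an added example, not part of the Intel overview: it assumes a Linux guest whose kernel exposes the tdx_guest CPU feature flag in /proc/cpuinfo and, with the TDX guest driver loaded, the /dev/tdx_guest device used to request attestation reports. The function names and the sample cpuinfo text are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Intel overview): check whether a Linux guest
# reports itself as a TDX Trust Domain. The kernel lists "tdx_guest" among
# the CPU flags in /proc/cpuinfo for a TD guest, and the TDX guest driver
# creates /dev/tdx_guest for attestation-report requests.

# is_tdx_guest_from_cpuinfo FILE
# Returns 0 if FILE (text in /proc/cpuinfo format) lists the tdx_guest flag.
# The flag is matched as a whole word so that unrelated flags cannot match.
is_tdx_guest_from_cpuinfo() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]tdx_guest([[:space:]]|$)' "$1"
}

# tdx_guest_device_present [DEV]
# Returns 0 if the TDX guest character device exists (default /dev/tdx_guest).
tdx_guest_device_present() {
    [ -c "${1:-/dev/tdx_guest}" ]
}

# tdx_guest_status [CPUINFO] [DEV]
# Hypothetical helper: prints a short status string suitable for logging.
tdx_guest_status() {
    cpuinfo="${1:-/proc/cpuinfo}"
    dev="${2:-/dev/tdx_guest}"
    if is_tdx_guest_from_cpuinfo "$cpuinfo"; then
        if tdx_guest_device_present "$dev"; then
            echo "td-guest-with-driver"
        else
            echo "td-guest-no-driver"
        fi
    else
        echo "not-td-guest"
    fi
}

# Constructed sample inputs standing in for /proc/cpuinfo on a TD guest and
# on an ordinary VM (flag lists shortened; values are not from a real host).
SAMPLE_TD="$(mktemp)"
SAMPLE_PLAIN="$(mktemp)"
trap 'rm -f "$SAMPLE_TD" "$SAMPLE_PLAIN"' EXIT
cat > "$SAMPLE_TD" <<'EOF'
processor   : 0
vendor_id   : GenuineIntel
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov tdx_guest sse sse2
EOF
cat > "$SAMPLE_PLAIN" <<'EOF'
processor   : 0
vendor_id   : GenuineIntel
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov sse sse2
EOF

# /nonexistent is passed as the device path so the sample runs do not
# depend on whether the machine executing this script has the driver.
echo "constructed TD sample:    $(tdx_guest_status "$SAMPLE_TD" /nonexistent)"
echo "constructed plain sample: $(tdx_guest_status "$SAMPLE_PLAIN" /nonexistent)"
echo "this host:                $(tdx_guest_status)"
```

The cpuinfo flag only tells you the guest kernel believes it is running under TDX; the real guarantee comes from a TD report or quote obtained through /dev/tdx_guest and verified by a relying party with DCAP, so treat this check as a prerequisite, not a substitute, for attestation.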