Confidential Computing 101
Keys and Key Management

Last updated 1 year ago

In order to provide the security guarantees Intel TDX promises, cryptographic algorithms are used to secure the data and to attest the TD. These algorithms require keys that the CPU must keep strictly confidential. The keys are needed by the attestation process and by memory encryption and integrity protection.

Memory encryption and integrity protection use a total of three different key types. The first is the encryption key. This key is unique to each Trust Domain (TD) and is used to encrypt the TD's private memory pages. To identify which key must be used for which page, the encryption engine on the memory controller holds the Key Encryption Table (KET). This table maps each key to a Host Key Identifier (HKID), which identifies the TD. The key is generated by the CPU using a Hardware Digital Random Number Generator (HW-DRNG) and is lost once the CPU resets. It is stored within the CPU and is accessible only to the CPU.

During encryption a second key is used to generate the encryption tweak. The tweak is the encrypted physical address, produced with an ephemeral AES-XTS key that is unique to each HKID. The tweak key is also generated by the HW-DRNG.

Integrity protection uses an HMAC based on SHA3-256. The key needed for this is again generated by the HW-DRNG and is also ephemeral. The key is derived by the MCHECK firmware during initialization, and the HW-DRNG is accessed through the RDRAND instruction.
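The three-key scheme described above, as an added software model that is not Intel's implementation and not code from this guide: a KET row per HKID holding the AES-XTS data key, the AES-XTS tweak key that encrypts the physical address, and an HMAC-SHA3-256 integrity key. It assumes the `cryptography` package; `os.urandom` stands in for the HW-DRNG, and the 64-byte line size, 2-byte HKID and 8-byte address encodings are constructed simplifications.

```python
import os, hmac, hashlib
from dataclasses import dataclass
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

LINE = 64  # constructed: one 64-byte memory line is the unit of encryption here


@dataclass
class KetEntry:
    """One Key Encryption Table row: the three ephemeral keys tied to an HKID."""
    enc_key: bytes    # AES-XTS data key (key1), unique per TD
    tweak_key: bytes  # AES-XTS tweak key (key2), encrypts the physical address
    mac_key: bytes    # HMAC-SHA3-256 integrity key


class KeyEncryptionTable:
    """Model of the memory controller's KET: HKID -> keys, all from the DRNG."""

    def __init__(self) -> None:
        self._rows: dict[int, KetEntry] = {}

    def create_td(self, hkid: int) -> None:
        # os.urandom stands in for the HW-DRNG; the keys never leave this object
        self._rows[hkid] = KetEntry(os.urandom(32), os.urandom(32), os.urandom(32))

    def reset(self) -> None:
        # CPU reset: the ephemeral keys are gone, so ciphertext left in DRAM is dead
        self._rows.clear()

    def _xts(self, row: KetEntry, phys_addr: int) -> Cipher:
        # XTS tweak input is the line's physical address; XTS encrypts it under key2
        tweak = phys_addr.to_bytes(16, "little")
        return Cipher(algorithms.AES(row.enc_key + row.tweak_key), modes.XTS(tweak))

    def _tag(self, row: KetEntry, hkid: int, phys_addr: int, ct: bytes) -> bytes:
        # Integrity tag binds the ciphertext to its HKID and address (constructed encoding)
        msg = hkid.to_bytes(2, "little") + phys_addr.to_bytes(8, "little") + ct
        return hmac.new(row.mac_key, msg, hashlib.sha3_256).digest()

    def write_line(self, hkid: int, phys_addr: int, pt: bytes) -> tuple[bytes, bytes]:
        assert len(pt) == LINE
        row = self._rows[hkid]
        enc = self._xts(row, phys_addr).encryptor()
        ct = enc.update(pt) + enc.finalize()
        return ct, self._tag(row, hkid, phys_addr, ct)

    def read_line(self, hkid: int, phys_addr: int, ct: bytes, tag: bytes,
                  check_integrity: bool = True):
        row = self._rows[hkid]
        if check_integrity and not hmac.compare_digest(tag, self._tag(row, hkid, phys_addr, ct)):
            return None  # integrity failure: the line must not be handed to the TD
        dec = self._xts(row, phys_addr).decryptor()
        return dec.update(ct) + dec.finalize()
```

Writing the same plaintext to two addresses yields different ciphertext because of the address-derived tweak, and a line relocated, bit-flipped or read under another HKID fails the integrity check.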

As the attestation process of Intel TDX uses the already established Intel SGX process with a few minor adjustments to the exchanged data, the keys remain the same. Information regarding these keys can be found in the Intel SGX subsection about Memory Encryption.