Keys and Key Management

In order to provide the security guarantees Intel TDX promises cryptographic algorithms are used to secure the data and attest the TD. These algorithms require keys which the CPU needs to keep strictly confidential. The keys are required by the attestation process and the memory encryption/integrity.

The memory encryption and integrity process uses a total of 3 different key types. The first key is the encryption key. This key is unique for each Trust Domain (TD) and is used to encrypt the private memory pages of the TD. In order to identify which key needs to be used for which page the encryption engine on the memory controller holds the Key Encryption Table (KET). This table matches the key with a Host Key Identifier (HKID), which identifies the TD. This key is generated by the CPU through the usage of a Hardware Digital Random Number Generator (HW-DRNG) and is lost once the CPU resets. In addition this key is stored within the CPU and is only accessible by the CPU.

During the encryption process a second key is used to generate the encryption tweak. The encryption tweak is the encrypted physical address and uses an ephemeral AES-XTS key which is unique for each HKID. The tweak key is also generated through the HW-DRNG.

The integrity protection uses HMAC with SHA3-256 as a base. The key that is needed for this procedure is again generated by the HW-DRNG and is also ephemeral. The key is derived by the MCHECK firmware during the initialization process and the HW-DRNG is being accessed through the RDRAN instruction.

As the attestation process of Intel TDX uses the already established process of with a few minor adjustments to the exchanged data the keys remained the same. Information regarding these keys can be found in the Intel SGX subsection about Memory Encryption.