Intel® Trust Domain Extensions (Intel® TDX)
Published: 08/11/2020
Overview
Intel® Trust Domain Extensions (Intel® TDX) is introducing new, architectural elements to help deploy hardware-isolated, virtual machines (VMs) called trust domains (TDs). Intel TDX is designed to isolate VMs from the virtual-machine manager (VMM)/hypervisor and any other non-TD software on the platform to protect TDs from a broad range of software. These hardware-isolated TDs include:
- Secure-Arbitration Mode (SEAM) – a new mode of the CPU designed to host an Intel-provided, digitally-signed, security-services module called the Intel TDX module.
- Shared bit in GPA to help allow TD to access shared memory.
- Secure EPT to help translate private GPA to provide address-translation integrity and to prevent TD-code fetches from shared memory. Encryption and integrity protection of private-memory access using a TD-private key is the goal.
- Physical-address-metadata table (PAMT) to help track page allocation, page initialization, and TLB consistency.
- Multi-key, total-memory-encryption (MKTME) engine designed to provide memory encryption using AES-128- XTS and integrity using 28-bit MAC and a TD-ownership bit.
- Remote attestation designed to provide evidence of TD executing on a genuine, Intel TDX system and its TCB version.
Intel TDX 1.0 White Papers and Specifications
| Document | Description | Date |
|---|---|---|
| Intel® TDX Module 1.0 Specification | Architecture and Application Binary Interface (ABI) Specification of the Intel TDX Module. | August 2021 |
| Intel® TDX Guest-Hypervisor Communication Interface | Specification of the software interface between the Guest OS (Tenant and Service TD VMs) and the VMM required for enabling Intel® TDX 1.0 | February 2022 |
Intel TDX 1.5 White Papers and Specifications
Intel® TDX Version 1.5 extends TDX to introduce Live Migration for TD VMs and related support for Service TDs.
| Document | Description | Date |
|---|---|---|
| Intel® TDX Module v1.5 Base Architecture Specification | Overview and base architecture specification of the Intel TDX Module version 1.5 | September 2021 |
| Intel® TDX Module v1.5 TD Migration Architecture Specification | Overview and architecture specification of the TD Migration feature of the Intel TDX Module version 1.5 | September 2021 |
| Intel® TDX Module v1.5 ABI Specification | Application Binary Interface (ABI) specification of the Intel TDX Module version 1.5 | September 2021 |
| Intel® TDX Guest-Hypervisor Communication Interface v1.5 | Specification of the software interface between the Guest OS (Tenant and Service TD VMs) and the VMM required for enabling Intel TDX version 1.5 | February 2022 |
| Intel® TDX Migration TD Design Guide | A design guide on how to design and implement a Migration TD for TDX 1.5 Live migration. | October 2021 |
Intel TDX White Papers and Specifications – Common
| Document | Description | Date |
|---|---|---|
| Intel® Trust Domain Extensions (Intel® TDX) | An introductory overview of the Intel TDX technology. | August 2021 |
| Intel® CPU Architectural Extensions Specification | A specification of Intel CPU architectural support for Intel TDX. | May 2021 |
| Intel® TDX Loader Interface Specification | A specification of how a VMM loads the Intel TDX Module on a platform. | March 2022 |
| Intel® TDX Virtual Firmware Design Guide | A design guide on how to design and implement a virtual firmware for a trust domain. | October 2021 |
Product and Performance Information
Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.