
Intel TDX (Trust Domain Extensions)

What it is

Intel Trust Domain Extensions (TDX) is Intel's VM-granularity trusted execution environment: the protected-boundary unit is an entire virtual machine (a Trust Domain, or TD), not an enclave inside a process. It is built from a new CPU mode (SEAM) that hosts an Intel-signed TDX module, multi-key total memory encryption (MKTME) for per-TD memory keys, and the SGX Quoting Enclave for attestation. It is available on Intel Xeon Scalable processors from 2023 onward (4th gen Sapphire Rapids and later).

Per Intel's developer documentation, TDX provides:

  • Memory encryption plus integrity protection for guest-VM memory, transparent to the guest OS.
  • Isolation of the guest from the host hypervisor: the hypervisor cannot read or modify guest memory or register state.
  • Attestation: a hardware-rooted measurement of the TD's initial contents (MRTD) and of what the guest later extends into its runtime measurement registers (RTMR0-3), which a remote verifier can check.
  • Confidential I/O: extensions for trusted-IO paths to devices such as accelerators (TDX Connect, based on the TDISP standard; later generations only).

TDX is one of the two production VM-granularity TEE substrates on x86 servers, the other being AMD SEV-SNP; both are confidential-VM (CVM) implementations with different vendor lineages.

Architectural role

In a TEE-using application stack, TDX is the substrate the TEE-resident code runs on. The application's threat model treats the host OS, hypervisor, and operator as untrusted; TDX enforces that boundary.

┌─────────────────────────────────┐
│  Application binary (attested)  │   ← runs inside the TD
├─────────────────────────────────┤
│  Guest OS (also inside the TD)  │
├─────────────────────────────────┤
│  TDX module (CPU firmware)      │   ← enforces isolation
├─────────────────────────────────┤
│  Host hypervisor (untrusted)    │
├─────────────────────────────────┤
│  Host OS (untrusted)            │
├─────────────────────────────────┤
│  Hardware (Intel CPU + memory)  │
└─────────────────────────────────┘

The hypervisor schedules the TD but cannot inspect its memory or register state.

VM-granularity vs enclave-granularity

Property              Intel SGX (enclave)                         Intel TDX (VM)
Protected unit        Memory region inside a process              Entire virtual machine
Programming model     App ported to the enclave SDK (or a LibOS)  Lift-and-shift of existing VM workloads
Memory size           Limited by EPC (hundreds of MB on early     Full VM memory
                      parts, hundreds of GB on Ice Lake and later)
OS inside boundary    None; bare enclave                          Full guest OS
Attestation           Per-enclave (MRENCLAVE / MRSIGNER)          Per-VM (MRTD plus RTMR0-3)
Side-channel surface  Many published attacks                      Fewer published so far; research (e.g. TDXray) ongoing

TDX is the production-friendly substrate for confidential-computing workloads — most existing software runs without modification because the TD is just "a VM whose memory the host can't see."

Side-channel research

The 2026-05-27 Google post explicitly cites TDXray as a recent side-channel research result against TDX:

"Researchers regularly discover side-channel vulnerabilities that can be leveraged by an attacker to either invalidate TEE guarantees, or application-level specific guarantees ([SNPeek][AMD SEV-SNP], [TDXray][TDX])."

TDXray is itself Google Research output: a microarchitectural side-channel analysis of Intel TDX for real-world workloads. The implication is that even the organisations deploying TDX at scale treat the side-channel risk class as ongoing, which motivates defense-in-depth composition with cryptographic privacy layers rather than relying on the TEE boundary alone.

Use in production privacy architectures

System                                           Role
systems/google-confidential-federated-analytics  TDX (or SEV-SNP) hosts the secure-aggregation binary
systems/whatsapp-private-processing              Comparable TEE VM hosts the LLM inference (the specific TEE is an implementation detail)
Google Cloud Confidential VMs                    First-party offering; TDX-backed on Intel-based instance types, with SEV/SEV-SNP on the AMD-based ones
AWS Nitro Enclaves                               Different vendor stack and a conceptually similar boundary, but isolation is enforced by the Nitro hypervisor rather than CPU memory encryption, and attestation documents are signed by the Nitro Security Module, not a CPU vendor

Attestation flow

TDX produces a hardware-signed quote that wraps a TDREPORT and includes:

  • TDREPORT: generated inside the TD via TDCALL[TDG.MR.REPORT]; it carries the TD's measurements, attributes (including the DEBUG bit) and XFAM, plus a 64-byte REPORTDATA field the TD fills in (typically a verifier nonce or a hash binding a session key).
  • MRTD: measurement of the TD's initial memory contents (normally the virtual firmware). RTMR0-3: runtime measurement registers extended by firmware, boot loader, kernel and application, which is where the guest OS and application binary are reflected. MRCONFIGID / MROWNER / MROWNERCONFIG: owner-defined configuration values. MRSEAM: measurement of the TDX module itself.
  • TEE TCB SVN and CPUSVN: security version numbers of the TDX module and platform microcode, compared against Intel's published TCB information to detect platforms still running known-vulnerable firmware.
  • Quote signature: an ECDSA-P256 signature by the Quoting Enclave's attestation key, certified by the Provisioning Certification Key (PCK) certificate chain that terminates at the Intel SGX Root CA.

A remote verifier checks the quote against:

  1. Signature validity: the quote signature, then the PCK certificate chain to the Intel SGX Root CA, including revocation status.
  2. Measurement match: MRTD and the pinned RTMRs equal the reference values for the approved firmware, OS image and application (reference values are often published in a transparency log).
  3. TCB freshness: TEE TCB SVN / CPUSVN at or above Intel's current TCB level for that platform, so no known-unpatched microcode or TDX-module issue is present.
  4. Nonce match: REPORTDATA carries the verifier's fresh challenge, defeating replay of an old quote.
  5. Attribute sanity: reject TDs with ATTRIBUTES.DEBUG set (the host can read a debug TD's memory) and unexpected XFAM values.
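The relying-party side of the steps above, as an added example that is not Intel's DCAP Quote Verification Library (QVL) nor any product's verifier. It assumes the DCAP quote v4 layout for TEE type 0x81 (a 48-byte header, a 584-byte TD report body with the TDX 1.0 TDREPORT fields, then a u32-length-prefixed signature blob); it leaves the ECDSA/PCK-chain check to an external verifier whose verdict is passed in as signature_ok; it uses SHA-512(nonce) as the REPORTDATA binding convention; and the policy field names, reference measurements and the constructed quotes with placeholder signatures are illustrative test vectors, not real platform data.

```python
"""Relying-party appraisal of an Intel TDX quote (added example, not Intel QVL code).
Assumed: DCAP quote v4 layout for TEE type 0x81; signature/PCK chain already checked
externally (result passed in as signature_ok); REPORTDATA = SHA-512(nonce) by convention."""
import hashlib
import struct

QUOTE_VERSION_V4 = 4
ATT_KEY_ECDSA_P256 = 2
TEE_TYPE_TDX = 0x81
TD_ATTR_DEBUG = 1 << 0   # ATTRIBUTES bit 0: debuggable TD, the host may read its memory

HEADER = struct.Struct("<HHIHH16s20s")   # version, key type, tee type, 2x reserved, QE vendor id, user data
BODY = struct.Struct("<16s48s48sQQQ48s48s48s48s48s48s48s48s64s")   # TDX 1.0 TD report body, 584 bytes
BODY_FIELDS = ("tee_tcb_svn", "mr_seam", "mr_signer_seam", "seam_attributes",
               "td_attributes", "xfam", "mr_td", "mr_config_id", "mr_owner",
               "mr_owner_config", "rtmr0", "rtmr1", "rtmr2", "rtmr3", "report_data")


def parse_quote(quote: bytes) -> dict:
    """Split a v4 TDX quote into its TD report body fields; reject other quote kinds."""
    version, key_type, tee_type, _, _, qe_vendor_id, _ = HEADER.unpack_from(quote, 0)
    if (version, key_type, tee_type) != (QUOTE_VERSION_V4, ATT_KEY_ECDSA_P256, TEE_TYPE_TDX):
        raise ValueError("not a v4 ECDSA-P256 TDX quote")
    body = dict(zip(BODY_FIELDS, BODY.unpack_from(quote, HEADER.size)))
    off = HEADER.size + BODY.size
    (sig_len,) = struct.unpack_from("<I", quote, off)
    sig = quote[off + 4:off + 4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated signature blob")
    return {"qe_vendor_id": qe_vendor_id, "body": body, "signature": sig}


def expected_report_data(nonce: bytes) -> bytes:
    """Assumed binding convention: the TD puts SHA-512(verifier nonce) into REPORTDATA."""
    return hashlib.sha512(nonce).digest()


def appraise(quote: bytes, policy: dict, nonce: bytes, signature_ok: bool) -> list:
    """Return the list of policy failures; an empty list means accept the TD."""
    failures = []
    if not signature_ok:                      # verdict of the external ECDSA/PCK-chain check
        failures.append("signature or PCK chain rejected")
    body = parse_quote(quote)["body"]
    if body["td_attributes"] & TD_ATTR_DEBUG:
        failures.append("debug TD")
    if body["mr_seam"] not in policy["allowed_mr_seam"]:
        failures.append("unknown TDX module (MRSEAM)")
    if body["mr_td"] not in policy["allowed_mr_td"]:
        failures.append("MRTD not in allow-list")
    for i, ref in policy["rtmr"].items():     # only the RTMRs the policy pins
        if body[f"rtmr{i}"] != ref:
            failures.append(f"RTMR{i} mismatch")
    # TCB freshness: every SVN component must be at or above the minimum; a lower
    # component anywhere means an unpatched module or microcode level is still present.
    if any(have < need for have, need in zip(body["tee_tcb_svn"], policy["min_tee_tcb_svn"])):
        failures.append("TEE TCB SVN below policy minimum")
    if body["report_data"] != expected_report_data(nonce):
        failures.append("REPORTDATA does not carry our nonce (replay?)")
    return failures


def build_quote(mr_td, rtmrs, tee_tcb_svn, report_data, td_attributes=0, mr_seam=b"\x11" * 48) -> bytes:
    """Constructed test vector: a well-formed v4 quote with a placeholder (not real) signature."""
    header = HEADER.pack(QUOTE_VERSION_V4, ATT_KEY_ECDSA_P256, TEE_TYPE_TDX, 0, 0, b"\0" * 16, b"\0" * 20)
    body = BODY.pack(tee_tcb_svn, mr_seam, b"\0" * 48, 0, td_attributes, 0x3, mr_td,   # XFAM 0x3 = x87+SSE
                     b"\0" * 48, b"\0" * 48, b"\0" * 48,
                     rtmrs[0], rtmrs[1], rtmrs[2], rtmrs[3], report_data)
    sig = b"\xaa" * 64
    return header + body + struct.pack("<I", len(sig)) + sig


# Illustrative reference values (constructed), standing in for digests of approved images.
REF_MR_TD = hashlib.sha384(b"constructed TDVF image").digest()
REF_RTMR = [hashlib.sha384(f"constructed rtmr{i}".encode()).digest() for i in range(4)]
MIN_SVN = bytes([3, 0, 2, 0] + [0] * 12)
POLICY = {
    "allowed_mr_seam": {b"\x11" * 48},
    "allowed_mr_td": {REF_MR_TD},
    "rtmr": {0: REF_RTMR[0], 1: REF_RTMR[1], 2: REF_RTMR[2]},   # RTMR3 left unpinned (app-defined)
    "min_tee_tcb_svn": MIN_SVN,
}
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def demo() -> dict:
    """Appraise one good quote and four that each violate a single policy rule."""
    rd = expected_report_data(NONCE)
    good = build_quote(REF_MR_TD, REF_RTMR, MIN_SVN, rd)
    debug = build_quote(REF_MR_TD, REF_RTMR, MIN_SVN, rd, td_attributes=TD_ATTR_DEBUG)
    stale = build_quote(REF_MR_TD, REF_RTMR, bytes([3, 0, 1, 0] + [0] * 12), rd)
    replay = build_quote(REF_MR_TD, REF_RTMR, MIN_SVN, expected_report_data(b"old nonce"))
    return {"good": appraise(good, POLICY, NONCE, True),
            "debug": appraise(debug, POLICY, NONCE, True),
            "stale": appraise(stale, POLICY, NONCE, True),
            "replay": appraise(replay, POLICY, NONCE, True),
            "badsig": appraise(good, POLICY, NONCE, False)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:7s} -> {'ACCEPT' if not result else 'REJECT: ' + '; '.join(result)}")
```

The order of checks matters less than their completeness: a verifier that skips the DEBUG bit accepts a TD whose memory the host can read, one that pins only MRTD accepts any kernel and application the firmware happens to boot, and one that compares the SVN as a whole number instead of component-wise can be fooled by a platform that is newer in one component and older in another. RTMR3 is left unpinned here because it is conventionally extended by the application itself; a real policy would pin it once the application's own extensions are known.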

Caveats

  • Side-channel attacks are an ongoing risk class. TDXray and similar research continue to surface new microarchitectural leaks; Intel ships microcode and TDX-module updates, but the discovery cadence does not approach zero, which is why TCB SVN checks at attestation time matter.
  • Vendor-rooted trust. Attestation is signed under Intel's PCK certificate chain; an attacker who compromises Intel's signing infrastructure, or the Quoting Enclave's attestation key on a platform, breaks the trust chain for the affected TDs.
  • Boundary-breaking vulnerabilities have happened for prior Intel TEE generations (e.g. Foreshadow and SGAxe, which extracted SGX sealing and attestation keys); TDX is not categorically different in this regard, just newer.
  • Performance overhead. Memory encryption plus attestation cost is measurable, not free. The page's figure of usually under 10% applies to compute-bound workloads; I/O-heavy guests pay more because DMA goes through bounce buffers and every device interaction costs a TD exit.
  • Confidential-IO support is generation-dependent. Earlier TDX generations don't securely attest peripheral access, so a GPU or NIC attached to a TD is outside the trust boundary; later generations add this (TDX Connect / TDISP) for accelerator workloads.
