During VMware Explore 2024 in Las Vegas, VMware introduced the new VMware Cloud Foundation 9 and described some of its features.
One of them was Confidential Computing with Intel TDX: a way to isolate and encrypt workloads so that a VM's data and its state are protected from everything outside it, including the hypervisor that hosts it.
But what is TDX?
Intel® Trust Domain Extensions (Intel® TDX) is Intel's newest confidential computing technology. This hardware-based trusted execution environment (TEE) supports the deployment of trust domains (TDs), hardware-isolated virtual machines (VMs) designed to protect sensitive data and applications from unauthorized access, including access by the host hypervisor itself.
Intel TDX is enabled by a CPU-measured Intel TDX module. This software module runs in a new CPU mode, Secure Arbitration Mode (SEAM), as a peer of the virtual machine manager (VMM), and supports TD entry and exit using the existing virtualization infrastructure. The module is hosted in a reserved memory range identified by the SEAM Range Register (SEAMRR).
Intel TDX uses hardware extensions for managing and encrypting memory, and protects both the confidentiality and integrity of the TD's CPU state from non-SEAM mode, that is, from the VMM and any other software that is not the TDX module.
Intel TDX builds on several architectural elements: SEAM; a shared bit in the guest physical address (GPA) that distinguishes TD-private memory from memory shared with the VMM; a secure Extended Page Table (EPT) for private memory; the physical-address-metadata table (PAMT), which tracks the owner and state of each physical page; Intel® Total Memory Encryption – Multi-Key (Intel® TME-MK), which encrypts each TD's private memory under its own key; and remote attestation, which lets a relying party verify the measurements of the TD before trusting it.
Together these give a TD data confidentiality, integrity and authenticity, which is what allows engineers to extend trust to a VM running on infrastructure they do not fully control.
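The remote attestation element above is the one a practitioner ends up touching directly, so here is an added example (not code from the original post, VMware or Intel) of what an attestation client inside a Linux TD guest does: request a TDREPORT bound to a fresh nonce, parse the measurements out of it, and apply a simple verifier policy. It assumes a Linux guest with the `tdx_guest` driver, which exposes `/dev/tdx_guest` and the `TDX_CMD_GET_REPORT0` ioctl (request struct: 64-byte REPORTDATA followed by the 1024-byte TDREPORT); the TDREPORT field offsets follow the Intel TDX module specification. The sample report at the bottom is constructed for the offline run and is not a report from a real machine.

```python
"""Added example, not code from the original post, VMware or Intel: request a
TDREPORT inside a Linux TD guest and check it the way a verifier would.

Assumptions (all labelled): Linux guest with the tdx_guest driver exposing
/dev/tdx_guest and TDX_CMD_GET_REPORT0 (struct tdx_report_req = 64-byte
REPORTDATA + 1024-byte TDREPORT); TDREPORT offsets per the Intel TDX module
specification; the sample report below is constructed for the offline demo.
"""
import fcntl
import hashlib
import hmac
import os
import secrets
import struct
from dataclasses import dataclass

TDX_CMD_GET_REPORT0 = 0xC4405401  # _IOWR('T', 1, struct tdx_report_req), 1088-byte struct
REPORTDATA_LEN, TDREPORT_LEN, SHA384_LEN = 64, 1024, 48

# TDREPORT layout: REPORTMACSTRUCT (256) | TEE_TCB_INFO (239) | reserved (17) | TDINFO (512)
OFF_REPORTTYPE = 0              # REPORTMACSTRUCT.REPORTTYPE.TYPE, 0x81 for a TD report
OFF_REPORTDATA = 128            # the 64 caller-supplied bytes, echoed back: our nonce
OFF_TDINFO = 512
OFF_ATTRIBUTES = OFF_TDINFO + 0     # 8 bytes; bit 0 = DEBUG (TD can be inspected by the host)
OFF_XFAM = OFF_TDINFO + 8           # 8 bytes; extended features allowed in the TD
OFF_MRTD = OFF_TDINFO + 16          # SHA-384 measurement of the initial TD contents
OFF_MRCONFIGID = OFF_TDINFO + 64
OFF_MROWNER = OFF_TDINFO + 112
OFF_MROWNERCONFIG = OFF_TDINFO + 160
OFF_RTMR0 = OFF_TDINFO + 208        # RTMR0..3, 48 bytes each, extended at runtime like TPM PCRs
REPORTTYPE_TDX = 0x81
ATTR_DEBUG = 1 << 0


def is_tdx_guest(cpuinfo_path="/proc/cpuinfo"):
    """True when the Linux kernel advertises the tdx_guest CPU flag (Linux-only check)."""
    try:
        with open(cpuinfo_path) as f:
            return any("tdx_guest" in line.split() for line in f if line.startswith("flags"))
    except OSError:
        return False


def get_tdreport(reportdata, dev="/dev/tdx_guest"):
    """Ask the TDX module (via the guest driver) for a TDREPORT carrying our REPORTDATA."""
    if len(reportdata) != REPORTDATA_LEN:
        raise ValueError("REPORTDATA must be exactly 64 bytes")
    buf = bytearray(reportdata + bytes(TDREPORT_LEN))  # struct tdx_report_req, in/out
    fd = os.open(dev, os.O_RDWR)
    try:
        fcntl.ioctl(fd, TDX_CMD_GET_REPORT0, buf, True)
    finally:
        os.close(fd)
    return bytes(buf[REPORTDATA_LEN:])


@dataclass
class TdReport:
    report_type: int
    reportdata: bytes
    attributes: int
    xfam: int
    mrtd: bytes
    mrconfigid: bytes
    mrowner: bytes
    mrownerconfig: bytes
    rtmr: tuple


def parse_tdreport(rep):
    """Slice the fields a verifier cares about out of a raw 1024-byte TDREPORT."""
    if len(rep) != TDREPORT_LEN:
        raise ValueError("TDREPORT must be exactly 1024 bytes")
    h = lambda off: bytes(rep[off:off + SHA384_LEN])
    return TdReport(
        report_type=rep[OFF_REPORTTYPE],
        reportdata=bytes(rep[OFF_REPORTDATA:OFF_REPORTDATA + REPORTDATA_LEN]),
        attributes=struct.unpack_from("<Q", rep, OFF_ATTRIBUTES)[0],
        xfam=struct.unpack_from("<Q", rep, OFF_XFAM)[0],
        mrtd=h(OFF_MRTD), mrconfigid=h(OFF_MRCONFIGID),
        mrowner=h(OFF_MROWNER), mrownerconfig=h(OFF_MROWNERCONFIG),
        rtmr=tuple(h(OFF_RTMR0 + SHA384_LEN * i) for i in range(4)),
    )


def check_report(rep, nonce, expected_mrtd):
    """Verifier policy: return the list of failures (empty list = report accepted)."""
    r = parse_tdreport(rep)
    failures = []
    if r.report_type != REPORTTYPE_TDX:
        failures.append("not a TD report")
    if not hmac.compare_digest(r.reportdata, nonce):  # binds the report to this request
        failures.append("REPORTDATA does not match nonce (stale or replayed report)")
    if not hmac.compare_digest(r.mrtd, expected_mrtd):  # is this the TD image we approved?
        failures.append("MRTD mismatch")
    if r.attributes & ATTR_DEBUG:  # a debuggable TD offers no confidentiality against the host
        failures.append("TD is in debug mode")
    return failures


# Constructed sample for the offline run (no MAC, so the TDX module itself would reject it).
SAMPLE_NONCE = hashlib.sha512(b"constructed nonce for the offline demo").digest()  # 64 bytes
SAMPLE_MRTD = hashlib.sha384(b"constructed TD image measurement").digest()         # 48 bytes


def build_sample_report(nonce, mrtd, debug=False):
    rep = bytearray(TDREPORT_LEN)
    rep[OFF_REPORTTYPE] = REPORTTYPE_TDX
    rep[OFF_REPORTDATA:OFF_REPORTDATA + REPORTDATA_LEN] = nonce
    struct.pack_into("<Q", rep, OFF_ATTRIBUTES, ATTR_DEBUG if debug else 0)
    rep[OFF_MRTD:OFF_MRTD + SHA384_LEN] = mrtd
    for i in range(4):  # distinct RTMR values so the slicing is visible in the output
        rep[OFF_RTMR0 + 48 * i:OFF_RTMR0 + 48 * (i + 1)] = hashlib.sha384(b"rtmr%d" % i).digest()
    return bytes(rep)


SAMPLE_REPORT = build_sample_report(SAMPLE_NONCE, SAMPLE_MRTD)

if __name__ == "__main__":
    if is_tdx_guest():
        nonce = secrets.token_bytes(REPORTDATA_LEN)
        report = get_tdreport(nonce)
    else:  # not inside a TD: fall back to the constructed sample
        nonce, report = SAMPLE_NONCE, SAMPLE_REPORT
    r = parse_tdreport(report)
    print("MRTD :", r.mrtd.hex())
    for i, v in enumerate(r.rtmr):
        print(f"RTMR{i}:", v.hex())
    print("policy failures:", check_report(report, nonce, SAMPLE_MRTD) or "none")
```

Two caveats the code cannot show. A TDREPORT is MACed with a key known only to the CPU, so it is verifiable only on the platform that produced it; for remote attestation the guest has the report converted into a TD Quote, which the TD Quoting Enclave signs with an ECDSA attestation key chained to Intel, and the relying party validates that signature and its collateral before it trusts MRTD and the RTMRs at all. And because the hypervisor is outside the TD's trust boundary, the nonce must be generated by the relying party and the checks above run inside the guest or at the relying party, never on the host.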
Intel® TDX is planned for general market availability on 5th Gen Intel® Xeon Scalable and Intel® Xeon® 6 processors.
For a complete list of processors compatible with Intel® TDX, visit:
Note that TDX is not the first CPU feature Intel has introduced to strengthen virtual machine security: Intel Software Guard Extensions (SGX) has been supported in vSphere since version 7.
While Intel SGX focuses on creating isolated enclaves in memory where parts of an application run securely, Intel TDX takes a broader approach. It provides isolation, confidentiality, and integrity at the VM level, so that not only the data but also the whole VM's state (memory and CPU registers, including the guest OS) remains confidential and untampered.
Both Intel SGX and TDX are confidential computing technologies, yet they differ in several fundamental ways:
- Nature of the environment: SGX is process-based (an enclave inside an application's address space), while TDX is rooted in virtualization, so the confidential environment is an entire VM.
- Legacy application deployment: SGX's programming model usually requires an application to be split into a trusted enclave and an untrusted host part. With TDX, an existing guest OS and its applications can run unmodified inside a TD. The trade-off is that the guest OS then becomes part of the trusted computing base, whereas SGX keeps the OS untrusted.
- Isolation mechanism: TDX relies on the TDX module running in the new SEAM processor mode, which SGX does not use; SGX enclaves are isolated by the CPU within an ordinary process, with the OS and hypervisor still scheduling them.