Intel® Trust Domain Extensions(TDX) refers to an Intel technology that extends Virtual Machine Extensions(VMX) and Multi-Key Total Memory Encryption(MK-TME) with a new kind of virtual machine guest called a Trust Domain(TD). A TD runs in a CPU mode that protects the confidentiality of its memory contents and its CPU state from any other software, including the hosting Virtual Machine Monitor (VMM). Please see details at here.
- Azure already launched the
TDX based confidential computing at zone of
DCesv5andECesv5series. - Google published Intel Trust Domain Extensions (TDX) Security Review
- Please contact Intel sales representative for on-premise bare metal server or processor.
Use the script start-qemu.sh to start a TD via QEMU.
A simple usage of the script to launch TD would be as follows:
./start-qemu.sh -i <guest image file> -k <guest kernel file>
Or to use the guest's grub bootloader:
./start-qemu.sh -i <guest image file> -b grub
For more advanced configurations, please check the help menu:
./start-qemu.sh -h
Once the TD guest VM is launched, you can verify it is truly TD VM by querying cpuinfo. It's supposed to have tdx_guest flag.
cat /proc/cpuinfo | grep tdx_guest