Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1514 Discussions

Can SGX enclaves run inside a TDX trust domain?

zxwang
Beginner
‎10-19-2021 05:24 AM
2,431 Views
Solved Jump to solution

Last year Intel introduced a new ISA extension, TDX, which aims to provide a confidential execution environment for virtual machines. So I'm wondering if SGX virtualization is feasible in TDX.

0 Kudos
1 Solution
JesusG_Intel
Moderator
‎10-19-2021 09:47 AM
2,394 Views
Solved Jump to solution

Hi zxwang,


According to the Intel Trust Domain Extensions (Intel TDX) Module Base Architecture Specification v1.5, Chapter 2.7 Overview Measurement and Attestation: "Running Intel SGX enclaves within a guest TD is not supported."

 

However, Intel TDX uses Intel SGX quoting enclaves and certificate infrastructure to perform Trusted Domain (TD) attestation, which is described in detail in Chapter 12: Measurement and Attestation.

 

Section12.3.1 Intel SGX-Based Attestation states:

 

"The Intel SGX attestation architecture is designed to provide facilities for multiple Quoting Enclaves from multiple providers. This is intended to allow the host to instantiate a Quoting Enclave for Intel SGX attestations and another Quoting Enclave for TD attestation without interference -- i.e., each provider can supply its own quoting enclave, and the quoting enclave for Intel SGX and for Intel TDX may be separate, the design does not require the quoting enclave to run inside the TD."


Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

Copy link

Link Copied

4 Replies
zxwang
Beginner
‎10-19-2021 05:27 AM
2,430 Views
Solved Jump to solution

Is it not feasible at all in hardware aspects? Or we just have to support it in TDX-aware VMM (e.g. KVM).

0 Kudos
Copy link
JesusG_Intel
Moderator
‎10-19-2021 09:47 AM
2,395 Views
Solved Jump to solution

Hi zxwang,


According to the Intel Trust Domain Extensions (Intel TDX) Module Base Architecture Specification v1.5, Chapter 2.7 Overview Measurement and Attestation: "Running Intel SGX enclaves within a guest TD is not supported."

 

However, Intel TDX uses Intel SGX quoting enclaves and certificate infrastructure to perform Trusted Domain (TD) attestation, which is described in detail in Chapter 12: Measurement and Attestation.

 

Section12.3.1 Intel SGX-Based Attestation states:

 

"The Intel SGX attestation architecture is designed to provide facilities for multiple Quoting Enclaves from multiple providers. This is intended to allow the host to instantiate a Quoting Enclave for Intel SGX attestations and another Quoting Enclave for TD attestation without interference -- i.e., each provider can supply its own quoting enclave, and the quoting enclave for Intel SGX and for Intel TDX may be separate, the design does not require the quoting enclave to run inside the TD."


Sincerely,

Jesus G.

Intel Customer Support


Copy link
zxwang
Beginner
‎10-19-2021 11:24 PM
2,370 Views
Solved Jump to solution
In response to JesusG_Intel

Thanks. That makes sense to me.

In response to JesusG_Intel
0 Kudos
Copy link
JesusG_Intel
Moderator
‎10-29-2021 01:53 PM
2,273 Views
Solved Jump to solution

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Copy link
Reply

Community support is provided Monday to Friday. Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.