Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Can SGX enclaves run inside a TDX trust domain?

zxwang
Beginner

Last year Intel introduced a new ISA extension, TDX, which aims to provide a confidential execution environment for virtual machines. So I'm wondering if SGX virtualization is feasible in TDX.

4 Replies
zxwang
Beginner

Is it not feasible at all in hardware aspects? Or do we just have to support it in a TDX-aware VMM (e.g. KVM)?

JesusG_Intel
Moderator

Hi zxwang,

According to the Intel Trust Domain Extensions (Intel TDX) Module Base Architecture Specification v1.5, Chapter 2.7 Overview Measurement and Attestation: "Running Intel SGX enclaves within a guest TD is not supported."

However, Intel TDX uses Intel SGX quoting enclaves and certificate infrastructure to perform Trusted Domain (TD) attestation, which is described in detail in Chapter 12: Measurement and Attestation.

Section 12.3.1 Intel SGX-Based Attestation states:

"The Intel SGX attestation architecture is designed to provide facilities for multiple Quoting Enclaves from multiple providers. This is intended to allow the host to instantiate a Quoting Enclave for Intel SGX attestations and another Quoting Enclave for TD attestation without interference -- i.e., each provider can supply its own quoting enclave, and the quoting enclave for Intel SGX and for Intel TDX may be separate, the design does not require the quoting enclave to run inside the TD."

Sincerely,

Jesus G.

Intel Customer Support


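As an added example (not from this thread or from Intel's own code): a C probe that classifies the execution environment from CPUID and, following the spec text quoted above, treats a TD guest as having no enclave support, so attestation code can pick the TD report path instead of trying to launch an SGX enclave. It assumes GCC/Clang's <cpuid.h>; the leaf 0x21 "IntelTDX    " vendor string and the leaf 7 SGX bit are public CPUID definitions, while the enum and function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang helper for the CPUID instruction */
#endif

/* Which attestation path a workload can realistically use. */
enum attest_env { ENV_NONE = 0, ENV_SGX_NATIVE = 1, ENV_TD_GUEST = 2 };

/* Pure classifier over captured CPUID values so it can be unit-tested off-hardware.
 * - A TD guest reports the vendor string "IntelTDX    " in leaf 0x21 (EBX, EDX, ECX).
 * - SGX support is CPUID.(EAX=7,ECX=0):EBX bit 2.
 * The TD check wins: per the TDX module spec, SGX enclaves cannot run inside a
 * guest TD, so attestation there goes through the TD report path, with the
 * quoting enclave living on the host rather than inside the TD. */
enum attest_env classify_env(uint32_t leaf7_ebx, int have_leaf21,
                             uint32_t l21_ebx, uint32_t l21_ecx, uint32_t l21_edx)
{
    char sig[12];
    memcpy(sig,     &l21_ebx, 4);
    memcpy(sig + 4, &l21_edx, 4);
    memcpy(sig + 8, &l21_ecx, 4);
    if (have_leaf21 && memcmp(sig, "IntelTDX    ", 12) == 0)
        return ENV_TD_GUEST;
    if (leaf7_ebx & (1u << 2))
        return ENV_SGX_NATIVE;
    return ENV_NONE;
}

/* Probe the running machine; __get_cpuid_count returns 0 if a leaf is out of range. */
enum attest_env detect_env(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a = 0, b = 0, c = 0, d = 0;
    uint32_t leaf7_ebx = 0;
    if (__get_cpuid_count(7, 0, &a, &b, &c, &d))
        leaf7_ebx = b;
    a = b = c = d = 0;
    int have21 = __get_cpuid_count(0x21, 0, &a, &b, &c, &d);
    return classify_env(leaf7_ebx, have21, b, c, d);
#else
    return ENV_NONE;   /* non-x86 build: neither SGX nor TDX applies */
#endif
}

int main(void)
{
    static const char *names[] = { "no SGX, not a TD", "SGX-capable host/VM",
                                   "TDX guest (no enclaves; use TD report)" };
    printf("%s\n", names[detect_env()]);
    return 0;
}
```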
JesusG_Intel
Moderator

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.

