Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Verify secure time stamp counter (TSC) from within TDX

HeyBearSoftware

Is there a way to verify from the userspace of a VM running within Intel TDX that the Trusted Domain and VM have been configured with a secure Time Stamp Counter (TSC)? Or is the TSC secured by default in the Trusted Domain?

Page 3 of the Intel TDX Whitepaper states:

The Intel-TDX module helps ensure that the execution controls active for a TD do not allow the VMM or other untrusted entities to intercept TD accesses to TD-assigned resources like control registers, model-specific registers (MSRs), debug registers, performance-monitoring counters, Time-Stamp Counter, etc.

The TDX GitHub Docs also confirm that TDX has a secure TSC, but make it sound like the kvmclock might be the default:

TDX has a limited secure time with the TSC timer. The TSC inside a TD is guaranteed to be synchronized and monotonous, but not necessarily matching real time.... By default, for the KVM hypervisor, kvmclock would have priority, which is not secure anymore because it uses untrusted input from the host. To avoid this the kvmclock must be disabled by using ‘no-kvmclock’ cmdline option (command line is measured and can be attested). Additionally, the TSC watchdog is also disabled (by forcing the X86_FEATURE_TSC_RELIABLE bit) to avoid the possible fallback to jiffy time, which could be influenced by the host by changing the frequency of the timer interrupts.

In fact, that section in the docs describes the solution I am trying to implement (a secure real time wall clock source), but I need to know whether the TSC is secure by default, how to check, and how to enable if needed.

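Added example (not from the post, the whitepaper or the TDX docs): a POSIX shell check that reads, from the guest's userspace, the three things the quoted doc text points at: the kernel's current clocksource, whether no-kvmclock is on the kernel command line, and whether the tsc_reliable CPU flag is set. It assumes a Linux guest with the standard procfs/sysfs paths and the hypothetical script name check_tsc.sh; it reports the running configuration only, and since the docs say the command line is measured, the attested measurement is what proves the setting rather than this check.

```shell
#!/bin/sh
# Added example: check, from a TD guest's userspace, whether the running kernel
# is configured the way the quoted TDX docs describe (TSC clocksource,
# kvmclock disabled, TSC watchdog off). Assumes a Linux guest with the usual
# procfs/sysfs paths; this inspects live state, it is not an attestation.

CLOCKSOURCE_DIR=/sys/devices/system/clocksource/clocksource0

# tsc_config_status CURRENT_CLOCKSOURCE KERNEL_CMDLINE CPU_FLAGS
# Evaluates the three checks on the strings passed in (so they can be fed from
# files or from constructed test input), prints one line per check and
# returns 0 only when every check passes.
tsc_config_status() {
    cur=$1 cmdline=$2 flags=$3 rc=0
    if [ "$cur" = "tsc" ]; then
        echo "ok   current clocksource is tsc"
    else
        echo "FAIL current clocksource is '$cur', not tsc"; rc=1
    fi
    # The docs say kvmclock must be disabled via this (measured) cmdline option.
    case " $cmdline " in
        *" no-kvmclock "*) echo "ok   no-kvmclock present on kernel command line" ;;
        *) echo "FAIL no-kvmclock missing from kernel command line"; rc=1 ;;
    esac
    # X86_FEATURE_TSC_RELIABLE is shown in /proc/cpuinfo as the tsc_reliable
    # flag; without it the TSC watchdog may demote the clocksource.
    case " $flags " in
        *" tsc_reliable "*) echo "ok   tsc_reliable flag set (TSC watchdog disabled)" ;;
        *) echo "FAIL tsc_reliable flag not set"; rc=1 ;;
    esac
    return "$rc"
}

# check_guest_tsc: gather the live values from the guest kernel and evaluate them.
check_guest_tsc() {
    cur=$(cat "$CLOCKSOURCE_DIR/current_clocksource" 2>/dev/null || echo unknown)
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    flags=$(grep '^flags' /proc/cpuinfo 2>/dev/null | head -n 1 | cut -d: -f2)
    tsc_config_status "$cur" "$cmdline" "$flags"
}

# Only run the live check when invoked as: sh check_tsc.sh --run
if [ "${1-}" = "--run" ]; then
    check_guest_tsc
fi
```

The exit status of the live run is 0 only when all three checks pass, so it can be used as a gate before trusting TSC-derived time in the guest.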