Intel has been a pioneer in Confidential Computing by introducing Software Guard Extensions – better known as SGX – as early as 2013. It continues this trend with the upcoming Trusted Domain Extensions or TDX. But when it comes to Intel SGX vs Intel TDX, what is the difference?

We first briefly explain Intel SGX – the technology, state of progress, support and outlook. Next, we move on to TDX to introduce it too. Finally, we will conclude with a comparison of the two technologies. Reading this article will help you understand when you should use TDX or SGX, and how the two are related.

Intel SGX

SGX was first publicly presented in a brief, 6-page workshop article called “Innovative instructions and software model for isolated execution”. The was accompanied by a complement article describing Intel’s approach to CPU-based attestation and sealing used in the SGX implementation. Despite important firmware upgrades and a significant overhaul in SGX II, the fundamental architecture of SGX remained the same. SGX is a process-based confidential computing environment. A core premise of SGX is that the security of the code and data deployed in an enclave relies on the security of the firmware and microcode implementing the SGX features. The rest remains untrusted – including the entire underlying operating system and other enclaves.

Once SGX became available in the wild, academic researchers and practitioners managed to find dozens of vulnerabilities. Another aspect that slows down adoption is that SGX has important memory limitations and its own, peculiar programming model. This makes porting legacy software slow and error-prone. The future of SGX remains unclear – while it is still available on many server platforms, Intel has already announced that it will stop supporting SGX on consumer platforms.

Intel TDX

TDX – or Trusted Domain Extensions – is a more recent implementation of a confidential computing environment. Its approach builds on lessons learned from SGX and the understanding that memory limitations and peculiar programming models do not bode well with legacy, general-purpose computing applications that require additional isolation in the cloud. Instead, Intel TDX is a virtualisation-based confidential computing environment. In a nutshell, with TDX the entire virtual machine is an isolated, confidential computing environment, equivalent to an enclave in the SGX model. In this case, the security of code and data deployed in a TDX virtual machine depends on the virtualised operating system’s security, its correct configuration and the security of the underlying firmware. The rest remains untrusted – including the virtualisation layer and its configuration.

Intel TDX reuses some elements of Intel SGX to perform the security attestation of virtual machine images launched in the TDX domain. To strengthen isolation, TDX virtual machines execute is a new processor mode, called SEAM. Now that the entire virtual machine is a confidential computing environment, users can deploy legacy applications and run them without notable performance or memory limitations. The TDX architecture replicates some of the AMD SEV-SNP and IBM PEF features introduced earlier. Recently, we compared four leading confidential computing architectures for enterprise platforms and published our findings. You can reach out to us for guidance in choosing the right confidential computing hardware to support your use case.

At the time of writing (July 2022), there is no publicly available hardware the TDX support. However, Intel engineers are already in the last stages of adding support for TDX features in the Linux kernel. Mainline Linux kernel support is expected in Linux v5.19 later this year. There is, however, no clear indication of upcoming hardware availability.

Conclusion: Intel SGX vs TDX

Both SGX and TDX fit into the paradigm of confidential computing. However, Intel TDX is very different from SGX in several core ways. First, it is a virtualisation-based confidential computing environment, with less performance and memory. Second, TDX allows trivial deployment of legacy applications and does not require adapting them to a different programming model (as does SGX). Third, it features a better isolation thanks to executing in a new processor mode.


Standardising Confidential Computing

Trusted Execution Environments have been around for a while now and keep evolving. As support for confidential computing is included in more commodity platform, standardising this approach is becoming increasingly important to accelerate updake. This is part one of a...

Enhancing the circularity of electric vehicle batteries

REmanufacture, REcycle, REuse and REduce: Mälardalen University is addressing these four main aspects of Circular Economy in a new research project in close collaboration with the Swedish industry. The Circul8 (Smart batteries circularity) project enables circularity...

CanaryBit supports Mobility industry leaders

CanaryBit is one of the eight startups selected for batch 10 of the MobilityXlab programme. The programme aims to co-create solutions with seven mobility industry leaders: CEVT, Ericsson, Polestar, Veoneer, Volvo Cars, Volvo Group, and Zenseact. The competition was...

2022: still growing, still independent, still us!

Still growing. In our 2021 end-of-the-year message, we highlighted that growth will be the theme of 2022. And so it was. Both founders started working 100% on CanaryBit in January. It was a challenging year in many respects, but our ideas and solutions were validated...