Set up Intel® TDX on an ECS instance and verify it with remote attestation sample code.
Background
Intel® TDX is a hardware-based protection technology for ECS instances. In a TDX instance, CPU registers, memory data, interrupt handling, and other runtime states are confidentially protected by the CPU hardware. Neither cloud providers nor external attackers can monitor or tamper with the internal runtime state of a TDX instance, such as running processes and sensitive data during computation. See Intel® Trusted Domain Extension (Intel® TDX).
Intel® TDX secures instances and applications by default. Existing applications can migrate to TDX instances without redevelopment.
Prerequisites
Console
Creating a TDX instance is similar to creating a standard instance. Only TDX-specific configurations are described here. For general configurations, see Create an instance on a custom basis.
Go to ECS console - Instances.
In the upper-left corner of the page, select a region and resource group.
-
Click Create Instance and configure the following parameters.
Parameter
Description
Region and zone
Supported regions and zones vary by instance type. See Supported regions, instance types, and images.
This example uses China (Beijing) Zone I and ecs.g8i.xlarge.
Instance type
Image
Select the Confidential VM checkbox, and then select the Alibaba Cloud Linux 3.2104 LTS 64-bit image.

-
Complete the remaining configurations to create the instance.
CLI and API
Call the RunInstances operation or use Alibaba Cloud CLI to create a TDX-enabled ECS instance. Configure the following parameters.
|
Parameter |
Description |
Example |
|
RegionId |
China (Beijing) |
cn-beijing |
|
ZoneId |
Available only in specific zones. Instance types vary by zone. See Supported regions, instance types, and images. |
cn-beijing-i |
|
InstanceType |
ecs.g8i.2xlarge |
|
|
ImageId |
ID of a TDX-supported image. Only Alibaba Cloud Linux 3.2104 LTS 64-bit UEFI images with kernel 5.10.134-16.al8.x86_64 or later are supported. |
aliyun_3_x64_20G_alibase_20241218.vhd |
|
SecurityOptions.ConfidentialComputingMode |
The confidential computing mode. |
TDX |
CLI example
aliyun ecs RunInstances \
--SecurityOptions.ConfidentialComputingMode TDX \
--Region cn-beijing \
--ZoneId cn-beijing-i \
--SystemDisk.Category cloud_essd \
--ImageId 'aliyun_3_x64_20G_alibase_20241218.vhd' \
--InstanceType 'ecs.g8i.2xlarge' \
--SecurityGroupId 'sg-<YourSecurityGroupId>' \
--VSwitchId 'vsw-<YourVSwitchId>' \
--KeyPairName <YourKeyPairName> \
Procedure
Step 1: Verify that TDX is enabled
Verify that TDX is enabled on your instance before proceeding.
-
Check if TDX is enabled.
lscpu |grep -i tdx_guestIf the output contains
tdx_guest, TDX is enabled.
-
Check if the TDX drivers are installed.
ls -l /dev/tdx_guestIf the output contains /dev/tdx_guest, the TDX drivers are installed.

Step 2: Build the TDX environment
Most applications can migrate to TDX instances without redevelopment. To fully leverage TDX security, use the features described below.
A TDX Report is a CPU-generated data structure that represents the identity of a TDX instance. It contains key information, such as ATTRIBUTES, Runtime-extendable Measurement Registers (RTMRs), and Trusted Computing Base Security Version Numbers (TCB SVNs), and uses cryptographic methods to protect its integrity. See Intel TDX Module.
-
Add the Alibaba Cloud confidential computing yum repository.
-
Public endpoint format:
https://enclave-[Region-ID].oss-[Region-ID].aliyuncs.com/repo/alinux/enclave-expr.repo. -
VPC endpoint format:
https://enclave-[Region-ID].oss-[Region-ID]-internal.aliyuncs.com/repo/alinux/enclave-expr.repo.Replace [Region-ID] with the region ID of the TDX instance. The following example uses instance metadata to dynamically obtain the region ID:
token=$(curl -s -X PUT -H "X-aliyun-ecs-metadata-token-ttl-seconds: 5" "http://100.100.100.200/latest/api/token") region_id=$(curl -s -H "X-aliyun-ecs-metadata-token: $token" http://100.100.100.200/latest/meta-data/region-id) sudo yum install -y yum-utils sudo yum-config-manager --add-repo https://enclave-${region_id}.oss-${region_id}-internal.aliyuncs.com/repo/alinux/enclave-expr.repo
-
-
Install build tools and sample code.
sudo yum groupinstall -y "Development Tools" sudo yum install -y sgxsdk libtdx-attest-devel -
Build the TDXReportParse sample.
-
Go to the TDXReportParse directory.
cd /opt/alibaba/teesdk/intel/sgxsdk/SampleCode/TDXReportParse -
Build TDXReportParse.
sudo make
-
-
Run the compiled executable file.
sudo ./tdx_report_parseNO_DEBUGin theattributesfield indicates non-debug mode (secure mode).
Verify TDX remote attestation
In an Alibaba Cloud TDX environment, remote attestation verifies the platform's trustworthiness and the integrity and confidentiality of the code that runs on it. See Remote attestation service.
-
Platform: the hardware and virtualization stack that Alibaba Cloud uses.
-
Code that runs on the platform: the operating system (such as Alibaba Cloud Linux) and applications (such as Nginx and Java) in the TDX environment.
-
Install TDX remote attestation dependencies.
sudo yum install -y gcc gcc-c++ make openssl-devel git jq sudo yum install -y tdx-quote-generation-sample tee-appraisal-tool libsgx-dcap-ql-devel libsgx-dcap-quote-verify-devel libsgx-dcap-default-qpl-devel tdx-quote-verification-sample -
Configure the Alibaba Cloud TDX remote attestation service.
Set
PCCS_URLin/etc/sgx_default_qcnl.conf. The following example uses instance metadata to dynamically obtain the region ID and configure the DCAP service:token=$(curl -s -X PUT -H "X-aliyun-ecs-metadata-token-ttl-seconds: 5" "http://100.100.100.200/latest/api/token") region_id=$(curl -s -H "X-aliyun-ecs-metadata-token: $token" http://100.100.100.200/latest/meta-data/region-id) sudo sed -i.$(date "+%m%d%y") 's|PCCS_URL=.*|PCCS_URL=https://sgx-dcap-server.${region_id}.aliyuncs.com/sgx/certification/v4/|' /etc/sgx_default_qcnl.conf -
Go to the tdx-quote-generation-sample directory and build the application.
cd /opt/alibaba/tdx-quote-generation-sample sudo make -
Generate a quote.
-
Randomly generate
report_dataand issue a quote:sudo ./app -
Specify
report_dataand issue a quote:sudo ./app -d <report_data_in_hex>-
<report_data_in_hex>is a 64-byte hexadecimal string. -
Custom data in
report_data_in_hexis included in the generated quote. -
Due to its limited length,
report_data_in_hexis typically a hash value, such as a public key hash for key agreement.
NoteFor example:
sudo ./app -d 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef sudo ./app -d $(cat data.dat | xxd -p) -
If similar output is returned, the quote is generated.

-
-
Verify the quote.
-
Configure and sign an appraisal policy.
ImportantPerform this operation in a trusted, secure environment, not in a production environment.
Define your security appraisal policy in JSON format.
-
For example, the following policy verifies that your TDX ECS instance runs in an encrypted, non-debuggable state (secure mode).
-
You can also add parameters to verify OS and application integrity. See Intel DCAP Appraisal Engine Developer Guide.
{ "policy_array":[ { "environment":{ "class_id":"45b734fc-aa4e-4c3d-ad28-e43d08880e68", "description":"Application TD TCB 1.5" }, "reference":{ "tdx_attributes":"0000000010000000", "#NOTE": "0000000010000000 means for NO_DEBUG and SPTE_VE_DISABLE" } } ] }
Use the default policy (at
/opt/alibaba/tdx-quote-verification-sample/Policies/tenant_td_policy.json) or write a custom policy to generate a Policy Token for verification. This token can be transferred to any environment where remote attestation is needed.cd /opt/alibaba/tdx-quote-verification-sample sudo make Policies/tenant_td_policy.jwtIf similar output is returned, a Policy Token is generated.

-
-
Build the remaining components for TDX remote attestation.
cd /opt/alibaba/tdx-quote-verification-sample sudo make allIf similar output is returned, the components are built.

-
Verify the quote.
ImportantReplace
<path_to_quote>with the actual quote path, such as/opt/alibaba/tdx-quote-generation-sample/quote.dat.-
Verify the quote against the policy in
Policies/tenant_td_policy.json. The result is output to stdout as a JWT../verifier -quote <path_to_quote>Sample output:

-
Use RelyingParty to verify the JWT signature.
./verifier -quote <path_to_quote> |./relying_party -v |grep "json payload" |awk -F 'payload:' '{print $2}'|jqNote-
Check the
overall_appraisal_resultfield inappraisal_resultto confirm whether the attester meets your appraisal policy../verifier -quote <path_to_quote> |./relying_party -v |grep "json payload" |awk -F 'payload:' '{print $2}'|jq '.[0].result.overall_appraisal_result' -
The
report_dataspecified during quote generation also appears in the verification result (in the tdx_reportdata field). Use this value for business logic such as key exchange../verifier -quote <path_to_quote> |./relying_party -v -a|grep "json payload" |awk -F 'payload:' '{print $2}'|jq '.. | .tdx_reportdata? | select(. != null)'
Sample output (some fields omitted):
[ { "result": { "appraisal_check_date": 1710400829000000000, "nonce": 502551065253582, "certification_data": [ { "certification_data": { "qe_identity_issuer_chain": "LS0t...", "root_ca_crl": "MzA4...", "pck_crl": "LS0t...", "pck_crl_issuer_chain": "LS0t...", "tcb_info": "eyJ0...", "qe_identity": "eyJl...", "tcb_info_issuer_chain": "LS0t..." } } ], "overall_appraisal_result": 1, "appraised_reports": [ { "appraisal_result": 1, "detailed_result": [ { "td_mrownerconfig_check": true, "td_xfam_check": true, "td_mrservicetd_check": true, "td_attributes_check": true, "td_rtmr3_check": true, "td_mrtd_check": true, "td_mrowner_check": true, "td_rtmr0_check": true, "td_mrconfigid_check": true, "td_rtmr1_check": true, "td_rtmr2_check": true } ], "policy": { "environment": { "description": "Application TD TCB 1.5", "class_id": "45b734fc-aa4e-4c3d-ad28-e43d08880e68" }, "signature": "-6C0-...", "reference": { ... }, "signing_key": { "kty": "EC", "crv": "P-384", "alg": "ES384", "y": "CeW8...", "x": "NmSa..." } }, "report": { "environment": { "Description": "Application TD TCB", "class_id": "45b734fc-aa4e-4c3d-ad28-e43d08880e68" }, "measurement": { "tdx_mrownerconfig": "0000...", "tdx_mrservicetd": "3D03...", "tdx_xfam": "00000000000642E7", "tdx_mrtd": "0A40...", "tdx_mrowner": "0000...", "tdx_attributes": "0000000010000000", "tdx_mrconfigid": "0000...", "tdx_reportdata": "D98B...", "tdx_rtmr3": "0000...", "tdx_rtmr2": "0000...", "tdx_rtmr1": "6368...", "tdx_rtmr0": "D0FD..." } } }, { "appraisal_result": 1, "detailed_result": [ { "platform_provider_id_check": true, "sgx_types_check": true, "cached_keys_check": true, "smt_enabled_check": true, "accepted_tcb_level_date_tag_check": true, "advisory_ids_check": true, "expiration_date_check": true, "tcb_eval_num_check": true, "earliest_accepted_tcb_level_date_tag_check": true, "tcb_status_check": true, "dynamic_platform_check": true } ], "policy": { "environment": { "description": "Alibaba Cloud Evaluation Num Policy for TDX Platform", "class_id": "f708b97f-0fb2-4e6b-8b03-8a5bcd1221d3" }, "signature": "l00p...", "reference": { "accepted_tcb_status": [ "UpToDate" ], "allow_dynamic_plaform": true, "min_eval_num": 16 }, "signing_key": { "kty": "EC", "crv": "P-384", "alg": "ES384", "y": "7hlr...", "x": "OSbD..." } }, "report": { "environment": { "description": "TDX Platform TCB", "class_id": "f708b97f-0fb2-4e6b-8b03-8a5bcd1221d3" }, "measurement": { "earliest_issue_date": "2018-05-21T10:45:10Z", "is_cached_keys_policy": true, "fmspc": "90C06F000000", "is_smt_enabled": true, "earliest_expiration_date": "2024-04-02T10:22:51Z", "root_ca_crl_num": 1, "root_key_id": "9309...", "pck_crl_num": 1, "tcb_eval_num": 16, "latest_issue_date": "2024-03-13T15:45:02Z", "tcb_status": [ "UpToDate" ], "tcb_level_date_tag": "2023-08-09T00:00:00Z", "is_dynamic_platform": true, "sgx_types": 1 } } }, { "appraisal_result": 1, "detailed_result": [ { "td_qe_expiration_date_check": true, "td_qe_tcb_eval_num_check": true, "td_qe_earliest_accepted_tcb_level_date_tag_check": true, "td_qe_tcb_status_check": true, "td_qe_accepted_tcb_level_date_tag_check": true } ], "policy": { "environment": { "description": "Alibaba Cloud Num Policy for Verified TDQE", "class_id": "3769258c-75e6-4bc7-8d72-d2b0e224cad2" }, "signature": "l00p...", "reference": { "accepted_tcb_status": [ "UpToDate" ], "min_eval_num": 16 }, "signing_key": { "kty": "EC", "crv": "P-384", "alg": "ES384", "y": "7hlr...", "x": "OSbD..." } }, "report": { "environment": { "Description": "RAW TDX QE Report", "class_id": "3769258c-75e6-4bc7-8d72-d2b0e224cad2" }, "measurement": { "earliest_expiration_date": "2025-05-21T10:50:10Z", "earliest_issue_date": "2018-05-21T10:45:10Z", "root_key_id": "9309...", "tcb_eval_num": 16, "latest_issue_date": "2018-05-21T10:50:10Z", "tcb_status": [ "UpToDate" ], "tcb_level_date_tag": "2023-08-09T00:00:00Z" } } } ] } } ] -
-
-
Supported regions, instance types, and images
Region and instance type limitations
Confidential computing is available only in specific zones. Supported instance types vary by zone.
|
Region and zone |
Instance types |
|
China (Beijing) Zone L |
ecs.g8i.xlarge and larger |
|
China (Beijing) Zone I |
|
|
China (Hangzhou) Zone J |
ecs.r9i.xlarge and larger |
|
China (Hong Kong) Zone B |
ecs.g8i.xlarge and larger |
|
China (Hong Kong) Zone C |
ecs.g8i.xlarge and larger |
|
China (Hong Kong) Zone D |
ecs.g8i.xlarge and larger |
|
Singapore Zone B |
ecs.g8i.xlarge and larger |
Images
We recommend that you use Alibaba Cloud Linux 3.
-
Debian13.1or later: Debian 13.1, Debian 13.2, Debian 13.3. -
Rocky9.5or later: Rocky 9.5, Rocky 9.6, Rocky 9.7, Rocky 10.0, Rocky 10.1. -
Ubuntu24.04or later: Ubuntu 24.04. -
Alibaba Cloud Linux3or later: Alibaba Cloud Linux 3, Alibaba Cloud Linux 4.
Limitations
-
TDX instances may have lower performance than regular instances because CPU registers and memory data are encrypted by CPU hardware.
-
Due to RTMR resets, interrupt protection, and register state recovery, TDX instances do not support in-OS reboots. You cannot run the
rebootcommand inside the OS. -
VNC logon is not supported. Use SSH via Workbench or a third-party client instead. For runtime logs, see View instance system logs and screenshots or GetInstanceConsoleOutput.
-
Image limitations:
-
Only UEFI images are supported.
-
Windows is not supported.
-
Images with outdated kernels are not supported. Kernel version must be 5.10.134-16.al8.x86_64 or later.
-
-
eRDMA and various types of accelerators are not supported.
-
Known issues with the Linux guest kernel SWIOTLB buffer:
-
Less memory is visible to the OS compared to a regular instance. A TDX instance reserves unencrypted memory (SWIOTLB) for peripheral communication. By default, this area is 6% of available memory, up to 1 GiB.
-
Attaching multiple elastic network interfaces (ENIs) to a large instance may cause a crash due to insufficient SWIOTLB memory in multi-queue network card scenarios. Stop the instance on the console and detach ENIs to recover.
-
High-I/O workloads may experience performance degradation from insufficient SWIOTLB. Check with:
dmesg| grep 'swiotlb buffer is full'ImportantIncorrect SWIOTLB settings may cause boot failure. Create a snapshot before proceeding so you can roll back if errors occur.
If this issue occurs, increase the SWIOTLB size:
-
Set the SWIOTLB size to 1 GiB.
grubby --update-kernel=ALL --args=swiotlb=524288 -
For kernel versions later than
5.10.134-18.al8.x86_64, add theanyparameter to support larger SWIOTLB sizes:grubby --update-kernel=ALL --args=swiotlb=2097152,any # Sets SWIOTLB to 4 GiB.NoteCalculate the SWIOTLB parameter value: Target size (in MiB) × 512. See The kernel's command-line parameters.
-
-




