Enroll a Compute Node (bare metal) - Intel TDX


1.0 Introduction

This document describes how to enroll a compute node on a bare-metal Intel TDX platform in Fortanix Confidential Computing Manager (CCM).

2.0 Enroll a Compute Node (Bare Metal) – Intel TDX

2.1 Prerequisites

  • Ensure Simultaneous Multithreading (SMT) is disabled in the BIOS when using Intel TDX. If SMT is enabled, the Confidential Virtual Machine (CVM) launch may fail with the error fw_error=7 'Policy is not allowed'.

  • Ensure that you have completed all required CPU, GPU, and system configuration prerequisites as outlined in the NVIDIA Confidential Computing Deployment Guide (TDX), including enabling TEE support (Intel TDX / AMD SEV-SNP), configuring BIOS settings, and using supported NVIDIA GPUs.
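
A preflight check for the prerequisites above, written for this page as an added example; it is not part of the Fortanix installer or documentation. It reads the Linux kernel's sysfs attributes for SMT and for the kvm_intel `tdx` parameter, and it assumes that a BIOS-level SMT disable shows up as `notsupported` while `off`/`forceoff` mean only the kernel disabled it; `SYSFS_ROOT` and the file name `preflight.sh` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-enrollment checks for a bare-metal Intel TDX host.
# SYSFS_ROOT is a hypothetical override so the checks can be run against a
# constructed directory tree; it defaults to the real /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print the first line of a sysfs attribute, or "unknown" if unreadable.
read_attr() {
    _attr=unknown
    if [ -r "$1" ]; then IFS= read -r _attr < "$1" || true; fi
    printf '%s\n' "${_attr:-unknown}"
}

# Classify SMT: 0 = no sibling threads exposed (disabled in firmware),
# 1 = SMT on, 2 = disabled by the kernel only, 3 = cannot tell.
smt_check() {
    case "$(read_attr "$SYSFS_ROOT/devices/system/cpu/smt/control")" in
        notsupported) return 0 ;;
        on)           return 1 ;;
        off|forceoff) return 2 ;;
        *)            return 3 ;;
    esac
}

# Succeed when KVM reports TDX enabled (assumes a host kernel that exposes
# the kvm_intel "tdx" module parameter).
tdx_enabled() {
    [ "$(read_attr "$SYSFS_ROOT/module/kvm_intel/parameters/tdx")" = "Y" ]
}

# Run both checks; return non-zero if the host is not ready for installer.sh.
preflight() {
    _rc=0; _smt=0
    smt_check || _smt=$?
    case $_smt in
        0) echo "PASS: SMT is disabled in firmware" ;;
        1) echo "FAIL: SMT is on; disable it in BIOS"; _rc=1 ;;
        2) echo "FAIL: SMT is off in the kernel only; disable it in BIOS"; _rc=1 ;;
        *) echo "FAIL: cannot determine SMT state"; _rc=1 ;;
    esac
    if tdx_enabled; then
        echo "PASS: kvm_intel reports TDX enabled"
    else
        echo "FAIL: kvm_intel does not report TDX enabled"; _rc=1
    fi
    return "$_rc"
}

# Run the checks only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Running it before `installer.sh` catches the SMT misconfiguration up front instead of at the first CVM launch.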

2.2 Ubuntu 25.10 Node Agent

Download the Ubuntu Node Agent installer from here.

Perform the following steps to enroll the Ubuntu 25.10 compute node:

  1. Extract the content of the Node-Agent-installer.tar.gz package and open the folder:

    tar -zxvf Node-Agent-Installer.tar.gz
    cd em-agent-installer-tdx

  2. Open the INSTALLER_README.md file containing the steps to enroll the compute node in Fortanix CCM.

    Figure 1: Readme.txt

    The INSTALLER_README.md has the steps to enroll a compute node in Fortanix CCM.

  3. Run the installer.sh using the command:

    sudo bash installer.sh <join-token>

    Where <join-token> is the token copied from Fortanix CCM. For more information, refer to Section 3.0: Generate a Join Token.

3.0 Generate a Join Token

Perform the following steps to generate a join token in Fortanix CCM:

  1. Log in to https://ccm.fortanix.com/.

  2. Click Infrastructure → Compute Nodes in the left navigation bar of the CCM UI, then click + ADD NODE on the Compute Nodes page.

  3. In the ENROLL COMPUTE NODE window, a Join Token is generated in the "Generate Join Token" text box. The compute node uses this Join Token to authenticate itself.

    Figure 2: Copy Join Token

  4. Click COPY to copy the Join Token.

4.0 Validating the Enrolled Compute Node

After the compute node is enrolled in Fortanix CCM, it appears in the Compute Nodes overview table.

Figure 3: Enrolled Node

Debug:

  1. To view the logs, run the following command:

    journalctl -xe | grep em-agent

  2. To view the status, run the following command or directly check the syslog:

    systemctl status em-agent
