1.0 Introduction
This document describes how to enroll a compute node on a bare-metal Intel TDX platform in Fortanix Confidential Computing Manager (CCM).
2.0 Enroll a Compute Node (Bare Metal) – Intel TDX
2.1 Prerequisites
Ensure that you have completed all required CPU, GPU, and system configuration prerequisites as outlined in the NVIDIA Deployment Guide for Confidential Computing.
Check the "Secure AI Compatibility Matrix" to view the supported combinations of NVIDIA GPUs, VBIOS versions, CUDA driver versions, and Confidential Computing modes.
Ensure Simultaneous Multithreading (SMT) is disabled in the BIOS when using Intel TDX. If enabled, the Confidential Virtual Machine (CVM) launch may fail with the fw_error=7 'Policy is not allowed' error.
Before enrolling an Intel TDX compute node, ensure that the Intel SGX Registration Agent service is installed and the platform is registered with Intel. For detailed instructions, refer to the following sections:
2.2 Install Intel SGX Registration Agent Service
The Intel SGX Registration Agent service is required to register the platform with Intel. Perform the following steps:
Run the following command to configure the Intel SGX package repository:
wget -q https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key -O /tmp/intel-sgx.key
sudo gpg --dearmor -o /usr/share/keyrings/intel-sgx-keyring.gpg /tmp/intel-sgx.key
echo "deb [signed-by=/usr/share/keyrings/intel-sgx-keyring.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main" | sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
Run the following command to install the Intel SGX Registration Agent service:
sudo apt-get install -y sgx-ra-service
Run the following command to verify that the package is installed:
dpkg -l | grep sgx-ra-service
2.3 Automatic Platform Registration
Use this procedure if the system BIOS supports Intel SGX Auto Multi-Package (MP) Registration.
Verify that SGX Auto MP Registration is enabled in the system BIOS.
This setting allows the Intel Multi-Package Registration Agent (MPA) to automatically register the platform with Intel during system startup. By default, SGX Auto MP Registration is disabled, and the MPA does not automatically run at boot.
Reboot the system if you changed the BIOS setting.
Run the following command to verify that platform registration completed successfully by reviewing the MPA registration log:
cat /var/log/mpa_registration.log
Confirm that the log indicates successful registration.
If the registration is unsuccessful, perform manual platform registration as described in 2.4: Manual Platform Registration.
2.4 Manual Platform Registration
Use this procedure if SGX Auto MP Registration is disabled.
Run the following command to generate a platform manifest:
/opt/intel/sgx-ra-service/mpa_manage -get_platform_manifest platform_manifest
This command creates a file named platform_manifest.
Run the following command to register the platform with Intel:
curl -H "Content-Type: application/octet-stream" \
  -v \
  --data-binary @platform_manifest \
  -X POST "https://api.trustedservices.intel.com/sgx/registration/v1/platform"
Verify that the request succeeds.
A successful registration returns HTTP status code 201 Created and displays the platform PPID.
Run the following command to verify that platform registration completed successfully:
cat /var/log/mpa_registration.log
Confirm that the log indicates successful registration.
After completing either the Automatic Platform Registration or Manual Platform Registration procedure, continue with the Intel TDX node enrollment steps described in Section 2.5: Ubuntu 25.10 Node Agent.
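The SMT prerequisite from Section 2.1 and the manual registration steps from Section 2.4 can be scripted so that a failed registration stops the enrollment instead of scrolling past in verbose curl output. This is an added example, not part of the Fortanix or Intel documentation; the function names, the --register switch and the SMT_SYSFS override are assumptions of this sketch, and the SMT check reads the Linux kernel's /sys/devices/system/cpu/smt/active file.

```shell
#!/bin/sh
# Added example (not vendor code). The mpa_manage path and the registration URL
# are the ones given on this page; everything else is an assumption of the sketch.

MPA_MANAGE=/opt/intel/sgx-ra-service/mpa_manage
REG_URL="https://api.trustedservices.intel.com/sgx/registration/v1/platform"
SMT_SYSFS="${SMT_SYSFS:-/sys/devices/system/cpu/smt}"   # overridable for testing

# Return 0 only when the kernel reports no active sibling threads,
# 1 when SMT is active, 2 when the state cannot be read.
smt_is_off() {
    [ -r "$SMT_SYSFS/active" ] || { echo "cannot read $SMT_SYSFS/active" >&2; return 2; }
    [ "$(cat "$SMT_SYSFS/active")" = "0" ]
}

# POST the manifest and succeed only on HTTP 201 Created.
# On success the response body (where the PPID is returned) goes to stdout.
register_platform() {
    manifest="$1"
    [ -s "$manifest" ] || { echo "manifest '$manifest' missing or empty" >&2; return 2; }
    body="$(mktemp)" || return 2
    code="$(curl -sS -o "$body" -w '%{http_code}' \
        -H "Content-Type: application/octet-stream" \
        --data-binary @"$manifest" -X POST "$REG_URL")" || code="000"
    if [ "$code" = "201" ]; then
        cat "$body"; rm -f "$body"
        return 0
    fi
    echo "registration failed: HTTP $code" >&2
    cat "$body" >&2; rm -f "$body"
    return 1
}

# Run the full sequence only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--register" ]; then
    smt_is_off || { echo "SMT is active or unknown; disable it in the BIOS first" >&2; exit 1; }
    "$MPA_MANAGE" -get_platform_manifest platform_manifest || exit 1
    register_platform platform_manifest || exit 1
fi
```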
2.5 Ubuntu 25.10 Node Agent
Download the Ubuntu Node Agent installer from here.
Perform the following steps to enroll the Ubuntu 25.10 compute node:
Run the following commands to extract the contents of the Node-Agent-installer.tar.gz package and open the folder:
tar -zxvf Node-Agent-Installer.tar.gz
cd em-agent-installer-tdx
Open the INSTALLER_README.md file containing the steps to enroll the compute node in Fortanix CCM.

Figure 1: Readme.txt
Run the following command to execute the installer.sh script:
sudo bash installer.sh <join-token>
Where, <join-token> is the token copied from Fortanix CCM. For more information, refer to Section 3.0: Generate a Join Token.
3.0 Generate a Join Token
Perform the following steps to generate a join token in Fortanix CCM:
Log in to https://ccm.fortanix.com/.
Click Infrastructure → Compute Nodes in the left navigation bar of the CCM UI, and then click + ADD NODE on the Compute Nodes page.
In the ENROLL COMPUTE NODE window, a Join Token will be generated in the text box for "Generate Join Token". This Join Token is used by the compute node to authenticate itself.
Figure 2: Add node
In the Enroll Compute Node window, click COPY to copy the Join Token. This Join Token is used by the compute node to authenticate itself.
4.0 Validate the Enrolled Compute Node
After the compute node is successfully enrolled, it appears in the COMPUTE NODES overview table in Fortanix CCM.
Perform the following steps to debug the em-agent service:
Run the following command to view the logs:
journalctl -xe | grep em-agent
Run the following command to view the status of the em-agent service or check the system logs directly:
systemctl status em-agent