MCP server confidential computing: Intel TDX, AMD SEV-SNP, and TEE attestation for agentic workloads
A compromised hypervisor or a malicious cloud operator can read any virtual machine's memory on traditional infrastructure. Confidential computing eliminates this threat by encrypting VM memory in hardware — the cloud provider's own management plane cannot read the contents of a confidential VM. For MCP servers that process regulated data, this changes the threat model in a fundamental way.
What confidential computing provides
Confidential computing is a hardware-enforced isolation model built on two primitives: encrypted memory and remote attestation.
Encrypted memory means the VM's physical DRAM pages are encrypted with a key held in the CPU. The hypervisor, BIOS, and other VMs on the same physical host cannot read the contents even with DMA attacks or cold-boot access. The encryption is transparent to the guest OS and the MCP server process — they see and use plaintext, but the bytes on the memory bus are ciphertext.
Remote attestation means the TEE (Trusted Execution Environment) can produce a cryptographic measurement of its exact state — the loaded code, configuration, and initial memory — signed by a CPU-held attestation key that chains to the CPU vendor's root certificate. A remote party (an HSM, a secrets manager, or another service) verifies both the signature chain and the measurement before releasing sensitive data. This allows an architecture where credentials are never stored in the VM image and are only injected into a verified, running TEE at startup.
Intel TDX for MCP servers
Intel Trust Domain Extensions (TDX) is a VM-level confidentiality technology available on 4th and 5th generation Xeon processors. A TDX Trust Domain (TD) is a hardened VM with encrypted memory managed by the CPU's Multi-Key Total Memory Encryption (MKTME) engine. The TD is isolated from the VMM (Virtual Machine Manager) — the hypervisor cannot directly introspect the TD's memory or registers.
Running an MCP server in a TDX TD means the tool call arguments, in-flight PHI, API credentials, and JWT signing keys in memory are inaccessible to the cloud provider's infrastructure. This addresses the supply-chain trust boundary where multi-tenant cloud workloads can theoretically be inspected by the provider.
Azure Confidential VMs (the DCasv5 / ECasv5 series) and Google Confidential VMs (C3 instances with TDX) support TDX today. MCP server deployments on these VM types get memory encryption with no application changes required — the only difference is the VM SKU selection.
AMD SEV-SNP for MCP servers
AMD Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP) is the AMD equivalent, available on EPYC processors from the Milan generation forward. SEV-SNP adds integrity protection on top of AMD SEV-ES's register encryption: the CPU detects and halts execution if the hypervisor attempts to remap guest memory pages. This prevents the "replay attack" class of hypervisor memory tampering that earlier AMD SEV generations were vulnerable to.
AWS Nitro Enclaves use a different model but achieve similar goals — they carve out isolated enclave environments within an EC2 instance that the host OS cannot access, with an attestation mechanism via the Nitro Attestation Document. For MCP servers with sensitive key material, Nitro Enclaves can serve as an HSM alternative: the enclave holds signing keys and processes signing requests from the main MCP server process through a secure local channel.
Remote attestation in agentic pipelines
The most powerful application of confidential computing for MCP deployments is attestation-gated credential release. The pattern:
- The MCP server boots in a TDX or SEV-SNP VM with no credentials in the image or environment variables.
- At startup, the MCP server calls its secrets manager (Vault, AWS Secrets Manager) with a TEE attestation quote as the authentication credential.
- The secrets manager policy verifies the attestation — it checks that the measurement matches the expected MCP server code hash, that the TEE is running on a genuine Intel/AMD processor (verified by the vendor certificate chain), and that the policy conditions are met (e.g., the build hash matches the approved deployment).
- If attestation passes, the secrets manager releases the EHR API key, JWT signing key, or database credential — which is injected into the running process and never written to disk.
- If attestation fails (because the image was modified, the VM is not a genuine TEE, or the measurement doesn't match), no credentials are released and the MCP server cannot serve tool calls.
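A minimal simulation of the secrets-manager side of this pattern, added here as an example (not code from the original page or from any vendor SDK). An HMAC with a constructed key stands in for the vendor signature chain; the measurement, nonce, debug flag and secret values are all constructed placeholders.

```python
import hashlib
import hmac
import json
# Constructed stand-in for the vendor attestation key: real TDX quotes / SEV-SNP
# reports are signed by per-CPU keys chaining to the Intel/AMD root certificate.
VENDOR_KEY = b"constructed-vendor-attestation-key"
# Approved build measurement (constructed value) pinned in policy; the secrets
# below exist only in the secrets manager, never in the VM image.
APPROVED_MEASUREMENT = hashlib.sha384(b"mcp-server-image:1.4.2").hexdigest()
SECRETS = {"ehr_api_key": "EHR-KEY-PLACEHOLDER", "jwt_signing_key": "JWT-KEY-PLACEHOLDER"}

def sign_quote(report: dict, key: bytes) -> dict:
    """Stand-in for the TEE hardware emitting a signed attestation quote."""
    body = json.dumps(report, sort_keys=True).encode()
    return {"report": report, "signature": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_quote(quote: dict, nonce: str) -> tuple:
    """Secrets-manager policy: signature, TEE type, debug state, freshness, measurement."""
    body = json.dumps(quote["report"], sort_keys=True).encode()
    expected_sig = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, quote["signature"]):
        return False, "signature does not chain to vendor root"
    r = quote["report"]
    if r.get("tee_type") not in ("TDX", "SEV-SNP"):
        return False, "not a genuine TEE"
    if r.get("debug_enabled"):
        return False, "debug mode allows host introspection"
    if r.get("nonce") != nonce:  # nonce binds the quote to this request
        return False, "stale or replayed quote"
    if not hmac.compare_digest(r.get("measurement", ""), APPROVED_MEASUREMENT):
        return False, "measurement does not match approved build"
    return True, "ok"

def release_credentials(quote: dict, nonce: str) -> tuple:
    """Release secrets only when policy passes; otherwise return None and the reason."""
    ok, reason = verify_quote(quote, nonce)
    return (dict(SECRETS) if ok else None), reason

def demo() -> dict:
    """Constructed quotes: genuine TD, modified image, non-TEE impostor, replayed quote."""
    nonce = "secrets-manager-nonce-7f3a"  # fresh per request in a real deployment
    good = {"tee_type": "TDX", "measurement": APPROVED_MEASUREMENT,
            "debug_enabled": False, "nonce": nonce}
    modified = dict(good, measurement=hashlib.sha384(b"tampered-image").hexdigest())
    return {
        "genuine": release_credentials(sign_quote(good, VENDOR_KEY), nonce),
        "modified_image": release_credentials(sign_quote(modified, VENDOR_KEY), nonce),
        "fake_tee": release_credentials(sign_quote(good, b"not-the-vendor-key"), nonce),
        "replayed": release_credentials(sign_quote(good, VENDOR_KEY), "a-later-nonce"),
    }
```

Only the genuine, fresh quote from the approved build receives credentials; each failure path returns the reason a policy engine would log.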
This architecture means that even a complete compromise of the cloud infrastructure management plane cannot cause credential disclosure — the credentials are only released to a cryptographically verified TEE running the exact expected code. The guarantee is only as strong as the verifier: the secrets manager must validate the vendor certificate chain and bind each quote to a fresh challenge, not merely compare the measurement hash.
Limitations and what confidential computing does not protect
Confidential computing protects against infrastructure-level attackers. It does not protect against application-level vulnerabilities. An MCP server with prompt injection vulnerabilities, SQL injection, or SSRF is still exploitable by an attacker who can influence the tool call arguments — the TEE just means the exploitable code runs in an encrypted environment. A successful prompt injection that exfiltrates PHI still works inside a TEE, because the data leaves through the MCP server's legitimate network interfaces.
SkillAudit's application-level scan is complementary to confidential computing: TEEs protect the infrastructure layer, while SkillAudit findings protect the application layer. Both are needed for a complete defense-in-depth posture.
Application-layer security first. A confidential VM with application vulnerabilities is still exploitable. Run a SkillAudit scan to validate the MCP server's application security posture before investing in TEE infrastructure.