
Intel SGX (Software Guard Extensions) and Intel TDX (Trust Domain Extensions) are confidential-computing features available on modern Intel Xeon processors. OpenMetal’s v4 bare metal servers (Medium, Large, XL, and XXL v4) use 5th Gen Intel Xeon Scalable CPUs, and the v5 line (Medium, Large, and XL v5) uses Intel Xeon 6 (Granite Rapids, Intel 3 process). All of them support SGX and TDX at the silicon level. What differs, and what this guide is about, is the hardware configuration each feature actually needs.
The single most important thing to get right is that SGX and TDX have different requirements:
- Intel SGX is enabled by default on OpenMetal v4 and v5 servers, including base memory configurations. It does not require a full-channel memory population or a 1 TB upgrade.
- Intel TDX is gated by the memory subsystem. It requires every memory channel populated (at least 8 identical DIMMs per CPU socket, symmetric across both sockets) and, as OpenMetal’s production spec, 1 TB of total RAM. TDX is also bare-metal-only; SGX works on both bare metal and the Hosted Private Cloud.
This guide focuses on the hardware requirements only, especially memory layout and total memory size. It compares the typical memory configurations of each v4 and v5 model with the configuration needed for TDX, outlines the upgrades involved, and provides a cost comparison.
CPU and Memory Prerequisites
CPU Support
Every OpenMetal v4 and v5 server is equipped with dual Intel Xeon processors that are both SGX-capable and TDX-capable, so no CPU change is ever required to use these features:
- v5 (Intel Xeon 6, Granite Rapids, Intel 3): Xeon 6505P (Medium v5), Xeon 6517P (Large v5), Xeon 6530P (XL v5).
- v4 (5th Gen Intel Xeon Scalable): Silver 4510 (Medium v4), Gold 6526Y (Large v4), Gold 6530 (XL v4 and XXL v4).
The processor requirement is already met on every model. What determines whether TDX can be turned on is the memory.
Intel SGX: enabled by default, no upgrade required
Intel SGX isolates an enclave inside an application. On OpenMetal it is enabled by default on every v4 and v5 server, at the shipped memory configuration. There is no need to fully populate the memory channels or reach 1 TB to use SGX.
What varies by CPU is the size of the SGX Enclave Page Cache (EPC), the protected memory an enclave runs in:
| Server | CPU | SGX EPC (per CPU) |
|---|---|---|
| Medium v4 | Xeon Silver 4510 | 64 GB |
| Large v4 / XL v4 / XXL v4 | Xeon Gold 6526Y / 6530 | 128 GB |
| Medium v5 | Xeon 6505P | 128 GB |
| XL v5 | Xeon 6530P | 128 GB |
| Large v5 | Xeon 6517P | 512 GB |
The Large v5 is the standout: its Xeon 6517P exposes a 512 GB SGX EPC, four times the 128 GB on the other tiers. When an enclave’s working set exceeds the EPC the platform pages encrypted memory in and out, which is expensive, so the 512 GB EPC makes the Large v5 the natural choice for SGX workloads with large protected datasets (confidential databases, large key-management services, secure analytics). This capacity is a property of the CPU and is available at the base configuration, independent of any TDX memory upgrade.
Intel TDX: the memory-channel gate
Intel TDX protects an entire virtual machine (a Trust Domain). Unlike SGX, the platform will not expose the TDX activation path until the memory is populated correctly. The requirement, enforced in BIOS on these platforms, is:
- One DIMM in the first slot of every memory channel, which means at least 8 identical DIMMs per CPU socket (these are 8-channel CPUs).
- Symmetric population across both CPU sockets.
If even one channel is empty on a socket, TDX stays disabled in firmware. Partial memory configurations (fewer than 8 DIMMs per CPU) are not compatible with TDX.
On the v5 line there is a bonus to filling every channel: the same full-channel population that satisfies the TDX gate is also what brings the node to its full DDR5-6400 memory bandwidth. A half-populated v5 node runs at roughly half its memory bandwidth, so the TDX memory upgrade and the path to full bandwidth are the same single change.
Total Memory Requirement for TDX: 1 TB
OpenMetal’s production spec for TDX is 1 TB of total RAM. On these 8-channel platforms with 64 GB DIMMs, the full-channel gate and the 1 TB spec are satisfied by the same physical fill (16 x 64 GB across both sockets), by design rather than coincidence.
The 1 TB figure exists because TDX carries real memory overhead. The TDX module reserves per-page metadata before any Trust Domain launches (roughly 1/256 of system RAM, about 4 GB on a 1 TB node), each confidential VM carries its own encryption and integrity-tracking overhead, and cross-socket memory access is encrypted over the inter-socket link. At 1 TB on a dual-socket node you have 512 GB local per socket and enough headroom to run several Trust Domains. Below 1 TB those overheads consume a larger share of a smaller envelope, and you fall below the configuration Intel used for its published TDX overhead figures.
| Total RAM | SGX | TDX | Notes |
|---|---|---|---|
| 256 GB | Enabled by default | Not eligible | SGX works; channels half-populated, so TDX is unavailable |
| 512 GB | Enabled by default | Entry-level only | SGX works; TDX tight for multiple Trust Domains, below production spec |
| 1 TB | Enabled by default | Production spec | Full-channel population; headroom for reservations, encryption, and workloads |
To summarize: SGX needs nothing beyond the shipped configuration. TDX needs full-channel population and 1 TB total.
Figure: SGX is enabled by default on every tier; only TDX depends on filling all memory channels, which also reaches 1 TB and, on v5, full DDR5-6400 bandwidth.
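A pre-flight check for the memory gate and the 1 TB spec described above, as an added example (not OpenMetal's or Intel's tooling): it parses text in the shape of `dmidecode -t 17` output and reports why a node would fail. The locator naming `CPU<n>_DIMM_<channel><slot>`, the function names and the sample data are assumptions constructed for illustration; adjust the pattern to your board's locator strings.

```python
import re
from collections import defaultdict

LOCATOR = re.compile(r"CPU(\d+)_DIMM_([A-H])(\d)")  # assumed naming; vendors differ
UNITS_GB = {"MB": 1 / 1024, "GB": 1, "TB": 1024}

def make_sample(filled_channels, size_gb):
    """Constructed text in the shape of `dmidecode -t 17` for a dual-socket, 8-channel node."""
    blocks = []
    for cpu in (0, 1):
        for i, ch in enumerate("ABCDEFGH"):
            size = f"{size_gb} GB" if i < filled_channels else "No Module Installed"
            blocks.append(f"Memory Device\n\tSize: {size}\n\tLocator: CPU{cpu}_DIMM_{ch}1\n"
                          f"\tPart Number: SAMPLE-{size_gb}G\n")
    return "\n".join(blocks)

def parse_dimms(text):
    """Return {socket: [(channel, slot, size_gb, part), ...]} for populated slots only."""
    sockets = defaultdict(list)
    for block in text.split("Memory Device")[1:]:
        fields = dict(re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", block, re.M))
        loc = LOCATOR.search(fields.get("Locator", ""))
        size = re.match(r"(\d+) (MB|GB|TB)", fields.get("Size", ""))
        if loc and size:  # "No Module Installed" does not match, so empty slots are skipped
            gb = int(size.group(1)) * UNITS_GB[size.group(2)]
            sockets[int(loc.group(1))].append(
                (loc.group(2), int(loc.group(3)), gb, fields.get("Part Number", "").strip()))
    return sockets

def check_tdx_memory(text, channels=8, min_total_gb=1024):
    """Apply the page's TDX gate (slot 1 of every channel, identical, symmetric) and 1 TB spec."""
    sockets = parse_dimms(text)
    reasons = []
    for s in (0, 1):  # the servers on this page are dual-socket
        first = {ch for ch, slot, _, _ in sockets.get(s, []) if slot == 1}
        if len(first) < channels:
            reasons.append(f"socket {s}: {len(first)}/{channels} channels have a DIMM in slot 1")
    dimms = [d for s in sockets.values() for d in s]
    if len({(gb, part) for _, _, gb, part in dimms}) > 1:
        reasons.append("DIMMs are not identical")
    if sorted(sockets.get(0, [])) != sorted(sockets.get(1, [])):
        reasons.append("sockets are not populated symmetrically")
    total = sum(gb for _, _, gb, _ in dimms)
    if total < min_total_gb:
        reasons.append(f"total {total:g} GB is below the {min_total_gb} GB spec")
    return not reasons, reasons
```

On a real host, pass the captured output of `dmidecode -t 17` to `check_tdx_memory`; a node with 16 x 32 GB passes the channel gate but is still reported as below the 1 TB spec.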
Memory Configurations on OpenMetal Servers
Each model differs in total memory and how that memory is populated. Below is each model’s typical setup and what is needed to meet the 8-DIMM-per-CPU TDX requirement. SGX is enabled by default on all of them, so the “needs an upgrade” discussion applies to TDX only.
v5 servers
Medium v5 (default 256 GB). Dual Xeon 6505P, shipped at 8 of 16 slots (4 of 8 channels per socket, 32 GB modules). Not TDX-eligible as shipped, and running roughly half its DDR5-6400 bandwidth. To enable TDX, move to 64 GB DIMMs across all 16 slots (1 TB total), which both activates TDX and reaches full memory bandwidth. SGX (128 GB EPC) is enabled by default now.
Large v5 (default 512 GB). Dual Xeon 6517P, shipped at 8 of 16 slots (4 of 8 channels per socket). Not TDX-eligible as shipped. To enable TDX, fill the 8 open slots with 64 GB DIMMs to reach a symmetric 1 TB, which also unlocks full bandwidth. SGX is enabled by default with a 512 GB EPC, the largest in the lineup, so even a base Large v5 is well suited to large SGX enclaves before any TDX upgrade.
XL v5 (default 1 TB). Dual Xeon 6530P, shipped at one DIMM per channel across both sockets (16 x 64 GB, 1 TB). This is full-channel population, so the XL v5 is TDX-ready out of the box and already running full DDR5-6400 bandwidth. SGX (128 GB EPC) is enabled by default. Enable TDX in firmware, no memory change needed.
v4 servers
Medium v4 (default 256 GB). Dual Xeon Silver 4510, typically 4 x 32 GB per CPU. This populates only half of the 8 channels per socket, so it is not TDX-eligible as shipped. To enable TDX and meet the 1 TB spec, upgrade to 8 x 64 GB per CPU (512 GB per CPU, 1 TB total). This replaces the existing memory and is a scheduled physical change. SGX is available now, no change required.
Large v4 (default 512 GB). Dual Xeon Gold 6526Y, typically 4 x 64 GB per CPU, again filling only half the channels, so not TDX-eligible by default. To enable TDX, upgrade to 8 x 64 GB per CPU (1 TB total), adding four 64 GB DIMMs per socket. SGX is available now.
XL v4 (default 1 TB). Dual Xeon Gold 6530, shipped with 8 x 64 GB per CPU (512 GB per socket, 1 TB total). All channels are populated, so the XL v4 is TDX-ready out of the box. Enable TDX in firmware, no memory change needed.
XXL v4 (default 2 TB). Dual Xeon Gold 6530, with all channels populated to reach 2 TB (either 16 x 64 GB per CPU at two DIMMs per channel, or 8 x 128 GB per CPU). The 8-DIMM-per-socket requirement is met by default, so the XXL v4 is TDX-ready out of the box.
Provisioning Changes, Upgrades, and Timeline
Enabling TDX on a server that was not initially configured for it requires a memory provisioning change. SGX needs none of this; it is already on.
- TDX-ready today (no change): XL v4, XXL v4, and XL v5. Enable TDX in firmware.
- TDX after a memory upgrade: Medium v4, Large v4, Medium v5, and Large v5. Each reaches a symmetric 1 TB by filling all channels (on v5, this also brings the node to full bandwidth).
- Coordinate with OpenMetal Support to add or swap DIMMs, or to move to a model that ships TDX-ready. Support can advise whether your existing server can be reconfigured in place or whether a migration is the better path.
- Downtime and migration: changing memory means powering the server down to add or replace DIMMs, so plan a maintenance window. Moving to a different model also means migrating your workloads.
- Timeframe: a memory reconfiguration or a new-server provision can take a couple of days, up to about a week, since OpenMetal may need to source the modules and schedule a technician. If you know you need TDX, communicate early. The BIOS TDX setting stays unavailable until the memory population meets the requirement, so the hardware has to be right first.
A note on OpenStack and the Hosted Private Cloud: TDX is bare-metal-only. OpenMetal does not pre-configure TDX within OpenStack Nova, so it is not offered as a guest feature on the standard Hosted Private Cloud (upstream Nova TDX support is a proposal targeting the 2026.2 release, not yet in mainline). SGX is available on the Hosted Private Cloud. For VM-level Trust Domain isolation, deploy a bare-metal TDX server, and pair it with a Hosted Private Cloud cluster for general workloads if needed. A managed-OpenStack TDX path may be possible via a custom engagement for sufficiently large deployments.
Cost Comparison: TDX-Ready OpenMetal Servers
The cost of “enabling confidential computing” depends on which feature you need. SGX adds nothing; it is already enabled at the shipped configuration. The monthly figures below are OpenMetal’s committed (long-term-use) rate from the live products catalog as of 2026-06-11; confirm current pricing and availability with OpenMetal before relying on it.
v5 Bare Metal
| Server Tier | Default Memory | Monthly | TDX Status |
|---|---|---|---|
| Medium v5 | 256 GB (4 of 8 ch/CPU) | $1,123.20 | Needs 1 TB upgrade |
| Large v5 | 512 GB (4 of 8 ch/CPU) | $2,008.80 | Needs 1 TB upgrade |
| XL v5 | 1 TB (8x64G/CPU, 1DPC) | $3,859.20 | Ready out of the box |
v4 Bare Metal
| Server Tier | Default Memory | Monthly | TDX Status |
|---|---|---|---|
| Medium v4 | 256 GB (4x32G/CPU) | $928.80 | Needs 1 TB upgrade |
| Large v4 | 512 GB (4x64G/CPU) | $1,591.20 | Needs 1 TB upgrade |
| XL v4 | 1 TB (8x64G/CPU) | $2,044.80 | Ready out of the box |
| XXL v4 | 2 TB (>=8x128G/CPU) | $4,593.60 | Ready out of the box |
For the tiers that need a memory upgrade, the 1 TB configuration is reached by populating all channels with 64 GB DDR5 modules, listed at about $50.40 per module per month in the add-on catalog. Because the upgrade is a physical DIMM change that also removes the smaller modules in the base configuration, confirm the exact upgrade price with OpenMetal Support rather than estimating from the module count. The XL v4, XXL v4, and XL v5 need no memory change and carry no upgrade cost. The Large v5 is worth a second look here: it ships with the 512 GB SGX EPC at its base monthly price, so large SGX-enclave workloads do not pay for the TDX memory upgrade at all.
Summary
Intel SGX and TDX have different hardware requirements on OpenMetal, and treating them as one is the most common mistake:
- Intel SGX is enabled by default on every v4 and v5 server, at the shipped memory configuration. No full-channel population, no 1 TB upgrade. EPC ranges from 64 GB to 512 GB per CPU, with the Large v5 (512 GB) being the tier for large enclaves.
- Intel TDX requires full-channel memory population (8 identical DIMMs per socket, symmetric) and OpenMetal’s 1 TB production spec. XL v4, XXL v4, and XL v5 ship TDX-ready; Medium and Large (v4 and v5) reach it with a 1 TB memory upgrade, which on v5 also unlocks full DDR5-6400 bandwidth. TDX is bare-metal-only.
If you need SGX, you can start today on any tier. If you need TDX, choose a tier that ships ready (XL v4, XXL v4, XL v5) or plan the 1 TB upgrade, and allow a few days to a week for the provisioning change. Contact OpenMetal Sales or Support to review your configuration and begin provisioning.