TDXRay: Microarchitectural Side-Channel Analysis of Intel TDX for Real-World Workloads

Tristan Hornetz, Hosein Yavarzadeh, Albert Cheu, Adria Gascon, Lukas Gerlach, Daniel Moghimi, Phillipp Schoppmann, Michael Schwarz, Ruiyi Zhang
S&P San Francisco, USA, May 18-21, 2026

# Abstract

Confidential computing with VM-based trusted execution environments (TEEs) promises to protect code and data from a privileged cloud operator, enabling privacy-preserving workloads ranging from medical analytics to AI inference. However, most deployments exclude microarchitectural side channels from their threat model, shifting the burden to application developers who lack practical, general-purpose tools to assess (let alone mitigate) leakage. In particular, it remains unclear which host-observable signals persist under TDX’s strict isolation and whether these signals can reveal sensitive information about confidential workloads. In this paper, we systematically investigate the side-channel attack surface in Intel TDX. We identify four new side-channel primitives: SEPTrace, Load+Probe, TSX-Probe, and MWAIT-Probe. Together, they expose page-level and cache-level activity with varying temporal precision. By combining these primitives, we construct TDXRay, a host-side measurement framework that produces highly accurate, cache-line-granular memory access traces of unmodified confidential VMs. Using TDXRay, we build two case studies: (1) a classic AES T-table attack in which a malicious hypervisor recovers the secret key from access-pattern leakage, and (2) an attack against large language models in which the host infers user prompts by monitoring memory accesses during tokenization. Our evaluation demonstrates that TDXRay can reliably recover user prompts from a single memory access trace, thus posing a severe threat to private LLM inference. Finally, we investigate and discuss mitigation strategies at the system and application level. While effective countermeasures based on ORAM can be a short-term solution, our results highlight the need for long-term investment in hardening Intel TDX and similar architectures against this class of attacks.
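To make the application-level mitigation concrete, the following added example (not code from the paper or from TDXRay) compares a secret-indexed table lookup with a linear-scan oblivious lookup, using a simulated record of which cache lines were touched. The 64-byte line size, the table contents, and all function names are assumptions chosen for illustration; the linear scan stands in for oblivious access in its simplest form and is not the paper's ORAM construction.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ENTRIES  256                                /* T-table shape: 256 x 32-bit words */
#define PER_LINE (64 / sizeof(uint32_t))            /* assumed 64-byte cache lines */
#define LINES    (ENTRIES / PER_LINE)               /* 16 lines per table */

static uint32_t table[ENTRIES];                     /* constructed values, not AES constants */
typedef struct { uint8_t touched[LINES]; } trace_t; /* simulated host view: lines accessed */

void table_init(void) {
    for (uint32_t i = 0; i < ENTRIES; i++) table[i] = (i * 0x01010101u) ^ 0xA5A5A5A5u;
}
static uint32_t load(size_t i, trace_t *t) {        /* every table read is logged by line */
    t->touched[i / PER_LINE] = 1;
    return table[i];
}
/* Direct lookup: one line is touched, index / 16, exposing the top 4 bits of the index. */
uint32_t lookup_direct(uint8_t secret, trace_t *t) {
    memset(t, 0, sizeof *t);
    return load(secret, t);
}
/* Oblivious lookup: read all entries, keep the wanted one with a branch-free mask. */
uint32_t lookup_scan(uint8_t secret, trace_t *t) {
    uint32_t out = 0;
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < ENTRIES; i++) {
        uint32_t diff = (uint32_t)i ^ secret;       /* 0 only when i == secret */
        uint32_t mask = 0u - ((diff - 1u) >> 31);   /* all ones iff diff == 0 */
        out |= load(i, t) & mask;
    }
    return out;
}
int lines_touched(const trace_t *t) {
    int n = 0;
    for (size_t i = 0; i < LINES; i++) n += t->touched[i];
    return n;
}
int traces_equal(const trace_t *a, const trace_t *b) { return memcmp(a, b, sizeof *a) == 0; }

int main(void) {
    trace_t a, b;
    table_init();
    lookup_direct(0x03, &a); lookup_direct(0xF3, &b);
    printf("direct: traces equal = %d\n", traces_equal(&a, &b));
    lookup_scan(0x03, &a); lookup_scan(0xF3, &b);
    printf("scan:   traces equal = %d, lines = %d\n", traces_equal(&a, &b), lines_touched(&a));
    return 0;
}
```

The scan costs one full pass over the table per lookup, which is the price of making the line-level trace independent of the index.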