diff --git a/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml b/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml
new file mode 100644
index 0000000000..f6114b9d7a
--- /dev/null
+++ b/.github/workflows/kbs-e2e-az-tdx-vtpm.yaml
@@ -0,0 +1,65 @@
+name: KBS e2e with az-tdx-vtpm TEE
+
+on:
+ push:
+ branches:
+ - main
+ # Note on repository checkout: pull_request_target sets `GITHUB_SHA` to the
+ # "last commit on the PR base branch", meaning that by default `actions/checkout`
+ # is going to checkout the repository main branch. In order to pick up the pull
+ # request code, this workflow uses the `github.event.pull_request.head.sha`
+ # property to get the last commit on the HEAD branch. One limitation of this approach
+ # is that, unlike the `pull_request` event, the checked pull request isn't necessarily
+ # rebased to main (so it is up to the workflow to ensure the pull request is rebased
+ # **before* the workflow is triggering)
+ pull_request_target:
+ types:
+ - opened
+ - synchronize
+ - reopened
+ # This workflow will be run if the pull request is labeled 'test_e2e'
+ - labeled
+ branches:
+ - 'main'
+
+jobs:
+ authorize:
+ runs-on: ubuntu-latest
+ if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test_e2e')
+ steps:
+ - run: "true"
+
+ checkout-and-rebase:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ # fetch main on push, otherwise the head of the PR
+ ref: ${{ github.event_name == 'push' && 'main' || github.event.pull_request.head.sha }}
+
+ - name: Rebase the source
+ if: github.event_name != 'push'
+ run: |
+ git config --global user.name "GH Actions Workflow"
+ git config --global user.email ""
+ ./kbs/hack/ci-helper.sh rebase-atop-of-the-latest-target-branch
+
+ - name: Archive source
+ run: git archive -o kbs.tar.gz HEAD
+
+ - uses: actions/upload-artifact@v4
+ with:
+ path: ./kbs.tar.gz
+
+ e2e-test:
+ needs:
+ - authorize
+ - checkout-and-rebase
+ uses: ./.github/workflows/kbs-e2e.yaml
+ with:
+ runs-on: '["self-hosted","azure-cvm-tdx"]'
+ tarball: kbs.tar.gz
+ secrets:
+ sgx-pccs-apikey: ${{ secrets.SGX_PCCS_APIKEY }}
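Review bot: The `checkout-and-rebase` job has no `needs: authorize`, so on every `pull_request_target` event from any fork it checks out `github.event.pull_request.head.sha` and executes the PR-controlled `./kbs/hack/ci-helper.sh` before the `test_e2e` label gate has been evaluated, while `pull_request_target` runs with the base repository's secrets and token. Add `needs: authorize` to `checkout-and-rebase` so the only job that runs PR code sits behind the same gate as `e2e-test`, and add a top-level `permissions:` block with `contents: read` so the GITHUB_TOKEN reaching that job is read-only regardless of the repository default. As far as I can tell the label persists across later `synchronize` pushes, which is the usual tradeoff of this pattern and is worth stating in the comment block above `pull_request_target` next to the rebase caveat.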
diff --git a/.github/workflows/kbs-e2e.yaml b/.github/workflows/kbs-e2e.yaml index 9ce3816601..609dc564d7 100644 --- a/.github/workflows/kbs-e2e.yaml +++ b/.github/workflows/kbs-e2e.yaml @@ -14,6 +14,9 @@ on: type: string description: Artifact containing checked out source from a prior job required: true + secrets: + sgx-pccs-apikey: + required: false # Self-hosted runners do not set -o pipefail otherwise defaults: @@ -23,6 +26,8 @@ defaults: jobs: e2e-test: runs-on: ${{ fromJSON(inputs.runs-on) }} + env: + SGX_PCCS_APIKEY: ${{ secrets.sgx-pccs-apikey }} steps: - uses: actions/download-artifact@v4 @@ -68,6 +73,11 @@ jobs: if: inputs.sample == true run: echo "AA_SAMPLE_ATTESTER_TEST=1" >> "$GITHUB_ENV" + - name: Install SGX certificate cache + if: env.SGX_PCCS_APIKEY != '' + working-directory: kbs/test + run: sudo make install-sgx-pccs + - name: Run e2e test working-directory: kbs/test run: sudo -E make e2e-test diff --git a/kbs/test/Makefile b/kbs/test/Makefile index feaec706f3..62f2dc3853 100644 --- a/kbs/test/Makefile +++ b/kbs/test/Makefile @@ -1,6 +1,9 @@ OS := $(shell lsb_release -si) RELEASE := $(shell lsb_release -sr) SGX_REPO_URL := https://download.01.org/intel-sgx/sgx_repo/ubuntu +SGX_QCNL_CONFIG := /etc/sgx_default_qcnl.conf +SGX_PCCS_PATH := /opt/intel/sgx-dcap-pccs +SGX_PCCS_CONFIG := $(SGX_PCCS_PATH)/config/default.json KBS_REPO_PATH := ./data/repository KBS_CONFIG_PATH := ./data/e2e MAKEFILE_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST)))) 
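Review bot: `run: sudo make install-sgx-pccs` in the new "Install SGX certificate cache" step most likely drops the job-level `SGX_PCCS_APIKEY` before make sees it, because plain `sudo` resets the environment unless the runner's sudoers disables env_reset; the Makefile target errors out on an empty `SGX_PCCS_APIKEY`, and the existing e2e step already uses `sudo -E` for the same reason. Change it to `run: sudo --preserve-env=SGX_PCCS_APIKEY make install-sgx-pccs` (or `sudo -E make install-sgx-pccs` to match the step below). The `jobs.e2e-test.env` entry in the earlier hunk is also inherited by every later step, including `sudo -E make e2e-test`; since the job-level placement is what makes the step `if:` check possible, a comment such as `# job-level so the step-level if: can test it; inherited by all later steps` would record that intent.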
@@ -16,6 +19,31 @@ else
 $(error "This Makefile requires Ubuntu")
 endif
 
+.PHONY: install-nodejs-lts
+install-nodejs-lts:
+ curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash - && \
+ sudo apt-get install -y nodejs
+
+.PHONY: install-sgx-pccs
+install-sgx-pccs: install-dependencies install-nodejs-lts
+ $(if $(SGX_PCCS_APIKEY),,$(error Must set SGX_PCCS_APIKEY))
+ sudo -E apt-get install -y \
+ cracklib-runtime \
+ jq \
+ moreutils \
+ python3 \
+ sgx-dcap-pccs && \
+ sudo npm install --prefix=$(SGX_PCCS_PATH) && \
+ openssl genrsa -out /tmp/pccs-key.pem 2048 && \
+ openssl req -new -key /tmp/pccs-key.pem -out /tmp/pccs-csr.pem -subj "/O=CNCF/OU=CoCo/CN=sgx-pccs-root" && \
+ openssl x509 -req -days 365 -in /tmp/pccs-csr.pem -signkey /tmp/pccs-key.pem -out /tmp/pccs.crt && \
+ sudo install -D -o pccs -g pccs --compare /tmp/pccs.crt $(SGX_PCCS_PATH)/ssl_key/file.crt && \
+ sudo install -D -o pccs -g pccs --compare /tmp/pccs-key.pem $(SGX_PCCS_PATH)/ssl_key/private.pem && \
+ sudo jq --arg apikey "$(SGX_PCCS_APIKEY)" '.ApiKey = $$apikey' $(SGX_PCCS_CONFIG) | sudo sponge $(SGX_PCCS_CONFIG) && \
+ sudo chown pccs:pccs $(SGX_PCCS_CONFIG) && \
+ sudo systemctl restart pccs && \
+ echo '{"pccs_url": "https://localhost:8081/sgx/certification/v4/", "use_secure_cert": false}' | sudo tee $(SGX_QCNL_CONFIG)
+
 .PHONY: install-dependencies
 install-dependencies:
 curl -L "$(SGX_REPO_URL)/intel-sgx-deb.key" | sudo apt-key add - && \
@@ -26,8 +54,11 @@ install-dependencies:
 build-essential \
 clang \
 libsgx-dcap-default-qpl \
+libsgx-dcap-quote-verify \
 libsgx-dcap-quote-verify-dev \
+libsgx-urts \
 libssl-dev \
+libtdx-attest \
 libtdx-attest-dev \
 libtss2-dev \
 openssl \
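Review bot: The `sudo install -D -o pccs -g pccs --compare /tmp/pccs-key.pem $(SGX_PCCS_PATH)/ssl_key/private.pem` line in `install-sgx-pccs` relies on install's default mode (rwxr-xr-x), so the PCCS TLS private key is installed world-readable on the runner; add `-m 0600` to that line (and `-m 0644` on the file.crt line), and remove the /tmp copies of the key and CSR once installed. The `sudo jq --arg apikey "$(SGX_PCCS_APIKEY)" ...` line expands the key into the recipe text, so make echoes it into the job log and it appears on the jq command line in the process list; GitHub's log masking is best-effort, so prefer reading it from the environment, e.g. `sudo --preserve-env=SGX_PCCS_APIKEY jq '.ApiKey = env.SGX_PCCS_APIKEY' $(SGX_PCCS_CONFIG)`, and prefix the recipe with `@`. `curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash -` in `install-nodejs-lts` runs an unpinned remote script as root on every invocation; pinning the Node.js package source or checking the script against a known digest would make that install reproducible and reviewable.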