Confidential Computing: A Comprehensive Technical Analysis of Hardware-Based Trusted Execution Environments

Posted on by uplatzblog

The Paradigm Shift to Protecting Data-In-Use

The evolution of data security has traditionally focused on two primary states: data at rest and data in transit. Encryption for data at rest protects information stored on disks, in databases, or in object storage, while cryptographic protocols like Transport Layer Security (TLS) protect data in transit as it moves across networks.1 While essential, this two-pronged approach leaves a critical vulnerability: data must be decrypted in memory to be processed by an application. During this “data-in-use” phase, sensitive information is exposed in plaintext, creating a window of opportunity for sophisticated attacks such as memory dumps, root user compromises, or direct inspection by a malicious or compromised cloud provider hypervisor.5 Confidential computing is a technological paradigm designed explicitly to close this final security gap, thereby completing the data security triad and enabling end-to-end encryption throughout the entire data lifecycle.

This paradigm shift is not merely a technical advancement but a market-driven necessity, born from the success of the public cloud and its inherent trust deficit. The cloud’s shared responsibility model requires customers to place a significant degree of trust in the cloud service provider (CSP), its personnel, its software stack, and its legal jurisdiction.5 For organizations in highly regulated industries such as finance and healthcare, this level of required trust has been a formidable barrier to migrating their most sensitive core workloads to the cloud.5 Confidential computing directly addresses this fundamental trust problem by providing the technical means to remove the cloud provider from the Trusted Computing Base (TCB)—the collection of all hardware, firmware, and software components that are critical to a system’s security.5 It enables the creation of a “trustless” cloud environment, where the security of a workload is guaranteed by verifiable hardware, not by operational promises or contractual agreements from the CSP.

bundle-course—data-analysis-with-ms-excel–google-sheets By Uplatz

Completing the Data Security Triad: Beyond Rest and Transit

 

For years, the standard for comprehensive data protection has been the encryption of data at rest and in transit. Data at rest encryption safeguards archives, databases, and storage volumes from physical theft or unauthorized access to storage media. Data in transit encryption protects data from eavesdropping and modification as it traverses untrusted networks. However, the moment an application needs to perform a computation, this protection is necessarily removed. Data is loaded from storage into system memory (RAM) and decrypted for the CPU to process. It is in this decrypted, in-use state that data is at its most vulnerable.5

An attacker who gains privileged access to the host system—whether a cloud administrator, a malicious insider, or an external actor who has compromised the hypervisor or operating system—can potentially access the entire system memory. This allows them to read sensitive data, such as cryptographic keys, personally identifiable information (PII), or proprietary algorithms, directly from the memory of running applications.5 Confidential computing fundamentally eliminates this security gap by ensuring data can remain encrypted in memory and is only decrypted inside a protected, hardware-isolated environment within the CPU itself.4

 

Core Tenets: Confidentiality, Integrity, and Attestability

 

The term “Confidential Computing” was strategically defined and promoted by the Confidential Computing Consortium (CCC), an industry group formed under the Linux Foundation, to unify disparate hardware technologies from vendors like Intel, AMD, and ARM under a single, understandable value proposition.10 This effort transformed a collection of complex hardware features into a cohesive industry movement focused on protecting data-in-use. The CCC formally defines confidential computing as “the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment”.10 This protection is founded upon a minimum of three core properties:

  • Data Confidentiality: Unauthorized entities cannot view data while it is in use within the TEE. This ensures that even if an attacker has full control over the host system, the contents of the protected memory remain opaque.1
  • Data Integrity: Unauthorized entities cannot add, remove, or alter data while it is in use within the TEE. This prevents tampering with the results of a computation or corrupting the data being processed.1
  • Code Integrity: Unauthorized entities cannot add, remove, or alter the code executing within the TEE. This guarantees that the computation being performed is the one that was intended, without malicious modification.1

Together, these properties provide a powerful assurance: not only is the data kept secret, but the computations performed on that data are correct and can be trusted.3 This is a critical distinction from purely cryptographic privacy-enhancing technologies like Fully Homomorphic Encryption (FHE). While FHE allows computation on encrypted data, thereby preserving confidentiality, it does not, by itself, provide any guarantee that the correct computation was performed or that the code was not tampered with.3 Confidential computing, through its hardware-enforced code integrity, provides this missing piece of trust.

 

Defining the Trusted Execution Environment (TEE) as the Hardware Root of Trust

 

The mechanism that delivers the core tenets of confidential computing is the Trusted Execution Environment (TEE). A TEE is a secure and isolated area of a main processor that runs in parallel with the host operating system, often referred to as the “normal world” or Rich Execution Environment (REE).15 It leverages hardware-backed techniques, such as CPU-based memory encryption and strict access controls, to protect the code and data loaded inside it from all software running outside the TEE, regardless of privilege level.15

The foundation of a TEE’s security is its hardware root of trust. This means that the trust anchor for the entire system is embedded directly into the silicon of the CPU during manufacturing. This typically involves fusing cryptographic keys into the chip that are immutable and inaccessible to any software.10 These hardware-bound keys are the basis for all security operations, including memory encryption and the critical process of attestation.

By grounding security in the hardware, confidential computing dramatically reduces the system’s Trusted Computing Base (TCB). In a traditional computing model, the TCB includes the application, the operating system, the hypervisor, and various firmware components—a massive and complex attack surface. In a confidential computing model, the TCB is shrunk to just the application code running inside the TEE and the CPU hardware itself.3 The host OS, hypervisor, and cloud provider are explicitly moved outside the trust boundary, treated as untrusted or even potentially malicious. This minimization of the TCB is the central architectural principle that enables confidential computing to deliver on its security promises.

 

A Comparative Architectural Deep Dive into TEE Implementations

 

The confidential computing landscape is defined by several distinct hardware architectures, each with a unique approach to creating and managing Trusted Execution Environments. The three most prominent implementations are Intel’s Software Guard Extensions (SGX), AMD’s Secure Encrypted Virtualization (SEV), and ARM’s TrustZone. The fundamental differences in their design philosophies—from fine-grained application isolation to full virtual machine protection and system-wide partitioning—dictate their respective strengths, weaknesses, developer experience, and ideal use cases. This has led to a bifurcation in the ecosystem, with one branch focused on refactoring applications for maximum security and the other on seamlessly migrating existing workloads.

 

Application-Level Isolation: Intel® Software Guard Extensions (SGX)

 

Intel SGX represents the most granular approach to confidential computing, providing a mechanism to isolate and protect small, specific portions of an application’s code and data within a secure container known as an “enclave”.18 This model forces a “confidentiality-by-design” development process, where developers must explicitly partition their application into trusted and untrusted components.19

 

The Enclave Model: Architecture and Lifecycle

 

The core architectural principle of SGX is the enclave, a protected region of memory within an application’s virtual address space.18 The application is split into two parts: an untrusted “host” application that handles general tasks like I/O and user interface management, and one or more trusted enclaves that contain only the most sensitive code and data.19 This design minimizes the attack surface to the greatest extent possible, as the TCB is reduced to only the specific functions inside the enclave and the CPU hardware itself.21

The lifecycle of an SGX enclave is meticulously managed by a set of new CPU instructions, ensuring that each step of its creation, execution, and destruction is securely controlled 23:

  1. Creation (ECREATE): A privileged instruction, typically called by the OS or a driver, that allocates a page in protected memory to serve as the Secure Enclave Control Structure (SECS). The SECS is the root of the enclave and defines its fundamental attributes, such as its size and whether it can be debugged.24
  2. Loading (EADD, EEXTEND): The host application uses the EADD instruction to copy pages of code and data into the protected memory region. As each page is added, the EEXTEND instruction updates a cryptographic measurement of the enclave’s contents. This measurement, known as MRENCLAVE, is a SHA-256 hash of the enclave’s code, data, and their placement, and serves as its unique identity.24
  3. Initialization (EINIT): Once all code and data have been loaded and measured, the EINIT instruction finalizes the enclave. It takes a signature from the software vendor (a SIGSTRUCT) and verifies that the enclave’s measurement (MRENCLAVE) matches the one signed by the vendor. Upon successful verification, the enclave is considered initialized and ready to be executed.24
  4. Execution (EENTER, EEXIT): An unprivileged instruction, EENTER, is used to transition CPU execution from the untrusted host application into the enclave at a predefined entry point. While inside, the code executes with full access to the enclave’s private memory. To call out to the untrusted host (e.g., for a system call), the enclave uses the EEXIT instruction. These controlled entry and exit points form the strict interface between the trusted and untrusted worlds.24
  5. Teardown (EREMOVE): A privileged instruction that deallocates the memory pages associated with an enclave, securely destroying its contents.24

This highly structured lifecycle provides strong security guarantees but imposes a significant burden on developers, who must carefully refactor their applications to fit this partitioned model. This complexity has been a major barrier to SGX adoption and has spurred the development of abstraction layers like Gramine and Occlum to ease the porting of existing applications.20

 

Memory Protection: The Enclave Page Cache (EPC) and Metadata (EPCM)

 

The hardware enforcement of SGX’s isolation guarantees relies on two key architectural components 21:

  • Enclave Page Cache (EPC): A reserved portion of physical DRAM that is set aside by the BIOS at boot time. All enclave code and data must reside within the EPC. The size of the EPC is physically limited, typically to a few hundred megabytes (e.g., 128 MB or 256 MB).26 Any data moving between the CPU and the EPC is automatically encrypted and integrity-protected by a hardware
    Memory Encryption Engine (MEE), making it opaque to physical memory snooping attacks.29
  • Enclave Page Cache Metadata (EPCM): A secure, on-chip data structure managed by the CPU. The EPCM contains an entry for every 4 KB page in the EPC, tracking its ownership, access permissions, and type. When the OS (which manages the virtual-to-physical page tables) attempts to map a memory page, the CPU consults the EPCM to ensure the mapping is valid and consistent with the enclave’s security policies. This prevents a malicious OS from illicitly mapping or remapping enclave memory.21

While powerful, the limited size of the EPC has been a persistent performance challenge. For applications with memory footprints larger than the available EPC, the system must engage in frequent and computationally expensive paging, where encrypted pages are swapped out to untrusted system memory and later swapped back in. This process, managed by the untrusted OS but secured by SGX’s cryptographic protections, can introduce significant overhead.28

 

Virtual Machine-Level Isolation: AMD Secure Encrypted Virtualization (SEV)

 

In contrast to SGX’s application-level focus, AMD’s SEV family of technologies is designed to protect entire virtual machines (VMs) at the infrastructure level.28 This “lift-and-shift” approach allows enterprises to migrate existing, unmodified applications and operating systems to a secure cloud environment, dramatically lowering the barrier to adoption.17

 

The Evolution of VM Protection: From SEV to SEV-ES and SEV-SNP

 

The development of SEV showcases a clear architectural evolution, with each generation responding to security challenges identified in its predecessor, often through academic research. This feedback loop between the security community and the hardware vendor has been instrumental in hardening the technology.

  • SEV (Secure Encrypted Virtualization): The first generation introduced the core capability of full VM memory encryption.31 An on-chip
    AMD Secure Processor (AMD-SP), which is an integrated ARM core, generates and manages a unique AES encryption key for each confidential VM. The hardware memory controllers automatically encrypt data as it is written to DRAM and decrypt it upon being read back into the CPU, making the VM’s memory completely opaque to the hypervisor.31 However, the initial SEV implementation focused solely on confidentiality and critically lacked memory integrity protection. This left it vulnerable to attacks where a malicious hypervisor could replay old encrypted memory pages or maliciously remap memory, corrupting the VM’s state.20
  • SEV-ES (Encrypted State): This second generation added protection for the CPU register state.31 When a VM exits (i.e., transitions control to the hypervisor), SEV-ES encrypts the contents of the CPU registers, preventing the hypervisor from snooping on data being actively processed by the CPU cores.34
  • SEV-SNP (Secure Nested Paging): This is the most significant architectural leap, directly addressing the integrity weaknesses of the original SEV. SEV-SNP introduces strong, hardware-enforced memory integrity protection.34 Its central security promise is that when a VM reads from a private memory location, it is guaranteed to either receive the exact data it last wrote or get a fault; it will never silently receive stale or corrupted data.34 This enhancement allows the threat model to be strengthened to treat the hypervisor as fully malicious, not just “benign but vulnerable”.34

 

Architectural Underpinnings: Memory Encryption and the Reverse Map Table (RMP)

 

The cornerstone of SEV-SNP’s integrity guarantee is the Reverse Map Table (RMP).34 The RMP is a large, hardware-managed data structure residing in system memory that maintains an entry for every 4 KB page of physical DRAM. Each RMP entry tracks the ownership of the corresponding physical page (e.g., whether it belongs to the hypervisor or a specific guest VM) and its validation state.34

When the hypervisor attempts to map a guest physical address to a system physical address in the page tables, the CPU’s memory management unit performs a hardware-level check against the RMP. This check enforces two critical rules 34:

  1. Ownership: A page assigned to a specific VM can only be modified by that VM. Any write attempt by the hypervisor or another VM to that page will be blocked by the hardware.
  2. Mapping Integrity: A physical page can only be mapped to one guest virtual address at a time. This prevents the hypervisor from carrying out memory aliasing or re-mapping attacks, where it might map the same physical page to two different locations in the guest’s address space to corrupt its state.

The RMP effectively acts as an authoritative, hardware-enforced audit of the hypervisor’s memory management activities, allowing the system to operate securely even under the assumption of a fully compromised virtualization stack.

 

System-Wide Partitioning: ARM® TrustZone®

 

ARM TrustZone takes a fundamentally different approach from both Intel and AMD. Instead of creating isolated enclaves or VMs, TrustZone provides a framework for partitioning the entire System-on-Chip (SoC) into two distinct execution environments, or “worlds”.39 This system-wide isolation model is deeply integrated into the hardware and extends beyond the CPU to the system bus, memory, and peripherals.42

 

The Two Worlds: Secure and Normal World Architecture

 

The TrustZone architecture divides all system resources into two domains 39:

  • The Normal World: This is the environment where a rich, complex operating system like Linux or Android and its applications run. It is considered the untrusted domain.
  • The Secure World: This is a separate, isolated environment designed to run a smaller, highly trusted operating system (a TEE OS) and a set of security-critical applications known as Trusted Applications (TAs).

This partitioning is enforced by a special security state in the processor. An additional signal on the system bus, often called the Non-Secure (NS) bit, tags every transaction (e.g., memory access) as originating from either the Secure or Normal World.39 Hardware components like memory controllers and peripheral access layers are designed to be “TrustZone-aware” and can enforce access control policies based on this NS bit. For example, a memory region can be configured to be accessible only by transactions from the Secure World, physically preventing any Normal World software from reading or writing to it.39

This architecture is exceptionally well-suited for embedded and mobile devices, where a single vendor often controls the entire hardware and software stack. It is widely used to protect sensitive operations like mobile payments, digital rights management (DRM), and biometric authentication.15 However, its model of a single, monolithic Secure World makes it less applicable to multi-tenant cloud environments, which require strong isolation

between different tenants’ secure workloads.20

 

The Secure Monitor: Mediating Cross-World Communication

 

The transition of the processor between the Normal and Secure Worlds is managed by a small, highly privileged piece of software called the Secure Monitor.39 The Secure Monitor runs at the highest hardware exception level (EL3 in ARMv8-A) and acts as the sole gatekeeper between the two worlds.

When a Normal World application needs to access a service in the Secure World, it executes a special Secure Monitor Call (SMC) instruction. This instruction triggers a trap to the Secure Monitor, which then performs a secure context switch: it saves the complete state of the Normal World (registers, etc.), restores the previously saved state of the Secure World, and resumes execution within the TEE OS.39 The reverse process occurs when the Secure World service completes and needs to return a result to the Normal World. The Secure Monitor is a highly critical component of the TrustZone TCB; any vulnerability within it could compromise the isolation guarantees of the entire system.

Feature Intel® SGX AMD SEV-SNP ARM® TrustZone
Isolation Granularity Application / Process / Function (Enclave) Virtual Machine (Confidential VM) System-wide (Secure/Normal World)
Primary Use Case Public Cloud Workloads, IP Protection Public Cloud (Lift-and-Shift), Multi-tenant Mobile, IoT, Embedded Systems, DRM
Developer Effort High (Requires application refactoring) Low (No code changes needed for app) High (Requires Secure World OS/apps)
TCB Size Smallest (CPU + Enclave code only) Medium (CPU + Guest OS + App) Large (CPU + Secure Monitor + Secure OS + TAs)
Memory Protection Encrypted EPC (Limited size) Full VM Memory Encryption + Integrity System-wide memory partitioning (NS-bit)
Key Hardware Mechanism MEE, EPC, EPCM AMD-SP, RMP Secure Monitor Call (SMC), NS-bit
Legacy Application Support Poor (Requires porting) Excellent (“Lift-and-Shift”) Poor (Requires porting to Secure World)

 

Establishing Trust in an Untrusted World: The Remote Attestation Process

 

The hardware-enforced isolation of a TEE provides a secure environment for computation, but it solves only half the problem. A critical question remains: how can a remote user or service be certain that the environment they are communicating with is a genuine TEE and is running the intended, unmodified software? Without a mechanism to verify this, a malicious host could simply simulate a TEE and steal any sensitive data sent to it.44

Remote attestation is the cryptographic process that solves this problem. It is the cornerstone that allows trust to be established in an otherwise untrusted environment, transforming the abstract security promises of a TEE into a concrete, verifiable proof of integrity and authenticity.1

 

The Foundational Protocol: Attester, Verifier, and Relying Party

 

The remote attestation process, as defined by standards bodies like the IETF in its RATS (Remote ATtestation ProcedureS) architecture, involves three primary roles 46:

  1. The Attester: This is the TEE itself, the entity that produces evidence about its own state. In a cloud context, this could be an SGX enclave or an SEV-SNP confidential VM.47
  2. The Verifier: This is a trusted entity that evaluates the evidence provided by the Attester. The Verifier checks the evidence against a set of policies and known-good reference values to determine if the Attester is trustworthy. The Verifier is often a service run by the hardware manufacturer (e.g., Intel Attestation Service) or the cloud provider (e.g., Microsoft Azure Attestation, Google Cloud Attestation).46
  3. The Relying Party: This is the end-user or service that needs to make a trust decision about the Attester before interacting with it. For example, a key management service is a relying party that will only release a secret key to an application after it has successfully verified its attestation.46

The general workflow involves the Attester generating a piece of cryptographic evidence, which is then assessed by the Verifier. The Verifier issues a signed attestation result (often called a “quote” or “token”), which the Attester can then present to the Relying Party as proof of its trustworthiness.46 This process creates a new and complex supply chain of trust. For a relying party to trust a TEE, it must trust the attestation report. To trust the report, it must trust the signature from the hardware-bound attestation key. To trust that key, it must trust the certificate chain leading back to the hardware vendor’s root of trust. Finally, to trust the software running inside, it must trust that the cryptographic measurement in the report matches a known-good value published by the application developer. A failure at any point in this chain—a compromised vendor key, a flawed attestation service, or a developer publishing a malicious measurement—can break the entire security model.

 

Implementation in Practice: Intel SGX vs. AMD SEV-SNP Attestation

 

While the conceptual roles are similar, the specific implementations of remote attestation differ significantly between Intel SGX and AMD SEV-SNP, reflecting their distinct architectural philosophies.

 

Intel SGX Attestation

 

The SGX attestation process is intricate, involving multiple specialized enclaves and a privacy-preserving cryptographic scheme 48:

  1. Report Generation: The application enclave first generates a local REPORT. This data structure contains critical information about the enclave, including its security properties and its unique cryptographic measurement (MRENCLAVE). The REPORT is MAC-tagged by the CPU using a key that is only available to other enclaves on the same platform, making it verifiable locally but not remotely.49
  2. Quoting: The application passes this REPORT to a special, Intel-provided Quoting Enclave (QE). The QE is a standardized, signed enclave that runs on every SGX-enabled system.48 The QE’s role is to verify the local
    REPORT and then convert it into a remotely verifiable QUOTE. It does this by signing the REPORT with a special, platform-unique attestation key.48
  3. Attestation Key Provisioning: The attestation key is not permanently fused into the chip. Instead, it is provisioned to the platform by Intel’s online Provisioning Service. This process involves another specialized enclave, the Provisioning Enclave (PvE), which proves the platform’s authenticity to Intel and receives the attestation key.49
  4. EPID Group Signatures: The attestation key is an Enhanced Privacy ID (EPID) key. EPID is a group signature scheme where many processors share a single group public key. When a QE signs a QUOTE, the signature proves that it came from a genuine SGX processor belonging to that group, but it does not reveal which specific processor. This provides a strong degree of privacy, preventing remote services from tracking users based on their CPU’s identity.48
  5. Verification: The final QUOTE is sent to the relying party, which typically forwards it to the Intel Attestation Service (IAS) for verification. IAS validates the EPID signature and checks the TCB status of the platform against a revocation list, returning a final verdict to the relying party.49

The complexity of this model, particularly the reliance on EPID, balances strong security with user privacy. However, the discovery that a single compromised EPID private key could potentially be used to forge attestations for a large group of CPUs has highlighted the critical importance of protecting the Quoting Enclave.50

 

AMD SEV-SNP Attestation

 

The attestation model for SEV-SNP is more direct and ties trust explicitly to the identity and patch level of the specific hardware platform 34:

  1. Report Request: A guest VM running in SEV-SNP mode can directly request an attestation report from the on-chip AMD Secure Processor (AMD-SP) at any point during its execution.34 The guest can include custom data (such as a nonce from the relying party) in the request to ensure the report’s freshness.
  2. Report Generation: The AMD-SP generates a report containing cryptographic measurements of the initial VM memory contents, the guest owner’s security policy, and the platform’s TCB version (including firmware and microcode patch levels).34
  3. VCEK Signing: The report is digitally signed by the AMD-SP using a Versioned Chip Endorsement Key (VCEK). The VCEK is a unique cryptographic key derived from a combination of the chip’s unique fused secret and the current version numbers of all TCB components.34 This means that if the platform’s firmware is updated, the VCEK changes.
  4. Certificate Chain Verification: To verify the report, the relying party must validate the signature made by the VCEK. It does this by fetching the VCEK’s public key certificate from the AMD Key Distribution Service (KDS). The KDS also provides the certificate chain, including the AMD SEV Key (ASK) and the AMD Root Key (ARK), allowing the relying party to build a complete chain of trust from the attestation report all the way back to AMD’s hardware root of trust.51

This model trades the privacy of SGX’s EPID for more granular and explicit verifiability. The VCEK allows a relying party to enforce very specific policies, such as “I will only provision secrets to VMs running on a specific server with the latest security patches,” which is a powerful capability for maintaining a strong security posture in the cloud.

 

The Role of Attestation in Securely Provisioning Secrets and Establishing Secure Channels

 

The ultimate purpose of remote attestation is not merely to prove a TEE’s state but to enable a secure workflow for handling sensitive information. The canonical pattern for confidential computing applications is a two-step “attest then provision” process.45

Once the relying party has successfully verified the attestation report, it has established a high degree of trust in the identity and integrity of the remote TEE. The attestation report typically includes a public key that belongs to the code running inside the TEE.44 The relying party can now use this public key to negotiate a secure, end-to-end encrypted communication channel (e.g., using TLS) directly with the TEE.45

Through this trusted and encrypted channel, the relying party can safely provision the secrets that the TEE needs to perform its function. These secrets could be database credentials, API keys, private keys for a digital wallet, or a master key for decrypting a large dataset.49 This entire process ensures that these critical secrets are never exposed in plaintext to any of the untrusted components of the system, including the host operating system, the hypervisor, the network infrastructure, or the cloud provider’s administrators. Attestation is the foundational step that makes this secure provisioning possible.

 

The Security Frontier: Threat Models, Vulnerabilities, and Countermeasures

 

While confidential computing offers a powerful new security paradigm, it is not a panacea. The hardware and software that constitute a TEE are complex systems and, like all complex systems, they have vulnerabilities. The security of confidential computing is best understood as a continuous arms race between hardware vendors implementing protections and security researchers discovering new attack vectors. A critical examination of the technology’s threat model, the types of attacks that have been successfully demonstrated, and the ongoing mitigation efforts is essential for any organization looking to adopt it.

 

The Confidential Computing Threat Model: Who is the Adversary?

 

The threat model for confidential computing is exceptionally strong compared to traditional systems. It is designed to protect workloads even when the host infrastructure is fully compromised. The primary adversary is assumed to be any entity with privileged software or physical access to the machine.3

In-Scope Threats:

  • Malicious or Compromised Host Software: This includes the host operating system, the hypervisor, BIOS/UEFI firmware, and any other privileged software on the system. The model assumes these components can actively try to inspect or tamper with the TEE’s memory and execution.1
  • Malicious Insiders and Administrators: This includes cloud provider system administrators, data center employees, or any user with root/administrator privileges on the host machine.1
  • Other Tenants: In a multi-tenant cloud environment, the threat model protects a TEE from attacks originating from other customers’ workloads running on the same physical server.1
  • Physical Access Attacks: The model aims to protect against certain physical attacks, primarily memory snooping (e.g., an attacker probing the DRAM bus), which is mitigated by hardware memory encryption.1

Out-of-Scope Threats:

  • Denial-of-Service (DoS) Attacks: The untrusted host OS and hypervisor are responsible for scheduling the TEE and allocating resources. As such, they can always refuse to run the TEE or starve it of resources, making DoS attacks fundamentally out of scope for the TEE’s protection guarantees.3
  • Vulnerabilities within the TEE Application: Confidential computing protects the container (the TEE), not necessarily the content (the application code). If the application code loaded into the TEE has its own vulnerabilities, such as a buffer overflow or a logic flaw, those can still be exploited, typically by providing malicious input to the application.18 The TEE threat model can, in fact, amplify the severity of such bugs. For instance, in a traditional system, a null-pointer dereference in an application typically results in a benign crash handled by the trusted OS. In the SGX model, where the OS is the adversary, the OS can map the null page to attacker-controlled memory. Now, the same bug can be transformed from a simple crash into a critical vulnerability that allows the attacker to read from or write to arbitrary memory locations within the enclave.54
  • Side-Channel Attacks: While vendors are continuously adding mitigations, sophisticated side-channel attacks that exploit information leakage from the hardware’s physical implementation often represent the bleeding edge of the threat landscape and are sometimes considered partially or fully out of scope.1

 

A Taxonomy of Attacks: Side-Channels, Memory Corruption, and Physical Threats

 

Security research has uncovered a wide range of attacks against TEEs. These can be broadly categorized as follows:

 

Side-Channel Attacks

 

These are the most prominent and researched class of attacks against TEEs. They do not break the cryptographic or logical protections of the TEE directly but instead infer secrets by observing physical side effects of the computation.56

  • Cache-Timing Attacks: An adversary sharing a CPU core with a TEE can use techniques like Prime+Probe to determine which cache lines the TEE is accessing. By repeatedly filling the cache with their own data (prime) and then measuring the time it takes to access it again after the TEE has executed (probe), the attacker can identify which cache lines were evicted by the TEE’s memory accesses, thereby leaking information about its data access patterns.18
  • Speculative Execution Attacks: Vulnerabilities like Spectre and Meltdown exploit the speculative execution features of modern CPUs. An attacker can trick the CPU into speculatively executing code within the TEE that accesses a secret, and then leaking that secret through a microarchitectural side channel like the cache. Foreshadow (L1TF) was a particularly damaging variant for SGX, as it allowed an attacker to read almost any data within the L1 cache, including data from SGX enclaves.18
  • Fault Injection Attacks: Attacks like Plundervolt demonstrated that an attacker with privileged access to control CPU voltage and frequency could induce precise faults in the computation occurring inside an SGX enclave. These faults could cause incorrect operations that lead to the leakage of secret keys from cryptographic algorithms.18
  • Ciphertext Side-Channels: Specific to TEEs that use deterministic memory encryption (like AMD SEV), these attacks exploit the hypervisor’s ability to read the encrypted memory (ciphertext). If an application repeatedly writes the same plaintext value to the same memory address, it will generate the same ciphertext each time. A malicious hypervisor can observe these repeating ciphertext patterns to infer information about the internal state of the VM, such as whether a conditional branch was taken or what values are being processed.60

 

Memory Corruption Attacks

 

While a TEE’s memory is protected from external tampering, the code running inside the TEE is often written in memory-unsafe languages like C/C++. This means it is still susceptible to classic memory corruption vulnerabilities.53 The interface between the untrusted host application and the TEE (e.g., ECALLs and OCALLs in SGX) is a particularly critical attack surface. A malicious host can pass carefully crafted, malformed inputs to the TEE’s interface functions to trigger vulnerabilities like buffer overflows or use-after-free bugs within the trusted code, potentially leading to arbitrary code execution inside the TEE itself.54

 

Case Studies in Vulnerability: Analyzing Heracles, CrossLine, and TeeRex

 

Several high-profile academic attacks have demonstrated the practical exploitability of these vulnerabilities:

  • Heracles (AMD SEV-SNP): This is a powerful chosen-plaintext attack that exploits the hypervisor’s legitimate memory management capabilities. A malicious hypervisor can take an encrypted memory page from a victim VM and move it to a new physical address. This forces the hardware to re-encrypt the page’s content using a new, address-dependent cryptographic tweak. By repeatedly moving victim pages and attacker-controlled pages with known plaintext, and comparing the resulting ciphertexts, the hypervisor can construct a cryptographic oracle. This oracle allows the attacker to guess the contents of the victim’s memory one byte at a time, enabling the leakage of sensitive data like user passwords and cryptographic keys.62
  • CrossLine (AMD SEV): This attack targeted early versions of AMD SEV that lacked strong integrity protection. It exploited a design flaw where the assignment of a VM’s Address Space Identifier (ASID), which is used to tag its memory, was controlled by the hypervisor without authentication. An attacker could create their own VM and instruct the hypervisor to run it using the victim VM’s ASID. This would cause the attacker’s VM to crash, but not before the CPU’s page table walker would speculatively fetch and decrypt memory pages belonging to the victim, leaking their contents through side channels.64
  • TeeRex (Intel SGX): This was not a single attack but a research project that developed a framework for systematically finding and exploiting memory corruption vulnerabilities in real-world SGX enclaves. The research uncovered critical vulnerabilities in enclaves developed by major vendors, including Intel and Baidu. It demonstrated how unsafe interfaces, such as passing pointers from the untrusted host into the enclave without proper validation, could lead to complete compromise of the enclave. TeeRex highlighted that even enclaves written in memory-safe languages like Rust could be vulnerable if the boundary between the unsafe host and the trusted enclave was not managed with extreme care.53

 

The Arms Race: An Analysis of Software and Hardware-Based Mitigation Strategies

 

The discovery of these vulnerabilities has prompted an ongoing arms race, with a wide range of mitigation techniques being developed across the hardware and software stack:

  • Hardware Mitigations: In response to discovered attacks, hardware vendors regularly release microcode updates that patch the CPU’s behavior to close vulnerabilities like Spectre, Meltdown, and Plundervolt.18 Furthermore, next-generation CPU architectures often include new, built-in defenses. For example, AMD’s 5th generation EPYC processors introduced an optional “ciphertext hiding” feature to directly counter ciphertext side-channel attacks by limiting the hypervisor’s ability to view guest memory.60
  • System-Level Software Mitigations: Researchers have proposed system-level changes to mitigate certain classes of attacks. For instance, the Varys system proposes mitigating cache-timing attacks by strictly dedicating physical CPU cores to running enclaves, preventing an attacker from sharing the L1/L2 cache with the victim.58
  • Compiler-Based Mitigations: To combat ciphertext side-channels, automated tools like CipherGuard and CipherFix have been developed. These tools, often implemented as compiler extensions, automatically instrument an application’s binary code. They identify instructions that write sensitive data to memory and insert additional code to “mask” or “blind” the data with a random value before it is written. This breaks the deterministic relationship between the plaintext and the ciphertext, preventing an attacker from learning anything by observing ciphertext patterns.61
  • Developer Best Practices: Ultimately, a significant portion of the responsibility falls on the application developer. Writing constant-time cryptographic code that avoids secret-dependent branches or memory accesses can mitigate timing attacks. Rigorously validating all data and pointers passed across the TEE boundary is essential to prevent memory corruption attacks. Adopting memory-safe programming languages can help, but as TeeRex showed, it does not eliminate the need for careful design at the trust boundary.54

This multi-layered approach demonstrates that securing confidential computing is a shared responsibility. Robust security is not achieved by a single hardware feature but through a defense-in-depth strategy that combines stronger hardware, smarter system software, automated hardening tools, and disciplined, security-aware application development.

 

The Ecosystem in Action: Cloud Services and Industry Use Cases

 

The theoretical promise of confidential computing is being translated into practical reality through a growing ecosystem of cloud services, open-source projects, and industry-specific applications. Major cloud providers are no longer just offering TEEs as a raw infrastructure primitive but are integrating them into higher-level managed services. This is driving adoption across sectors like finance, healthcare, and artificial intelligence, where the technology is enabling new forms of secure collaboration that were previously impossible.

 

The Role of the Confidential Computing Consortium (CCC) and Open Source Initiatives

 

The Confidential Computing Consortium (CCC), operating under the umbrella of the Linux Foundation, serves as the central hub for industry collaboration.10 Its primary mission is to accelerate the adoption of TEE technologies by bringing together competing hardware vendors (Intel, AMD, ARM), cloud providers (Microsoft, Google), and software developers in a pre-competitive environment.13

The CCC’s most significant contribution is preventing market fragmentation. It establishes common terminology, defines the core properties of confidential computing, and provides a neutral home for critical open-source projects.13 Key initiatives under the CCC’s stewardship include 13:

  • Open Enclave SDK: An open-source SDK that provides a hardware-agnostic abstraction layer for developing enclave applications, allowing code to be written once and potentially run on different TEE architectures.
  • Gramine: A library OS that enables unmodified Linux applications to run inside Intel SGX enclaves, significantly simplifying the process of porting legacy applications to SGX.
  • Occlum: Another library OS with a focus on multithreading, file systems, and networking for SGX, aiming to make enclave programming more efficient and developer-friendly.

By fostering these open-source tools and promoting common standards, the CCC makes confidential computing more accessible, portable, and easier for developers to adopt, which is crucial for building a healthy and interoperable ecosystem.

 

Confidential Computing in the Public Cloud: A Review of AWS, Azure, and Google Cloud Offerings

 

The major cloud providers have embraced confidential computing, each with a distinct strategy and portfolio of services. They are increasingly moving beyond basic Infrastructure-as-a-Service (IaaS) offerings to build higher-level Platform-as-a-Service (PaaS) solutions that leverage confidential computing as an enabling technology, hiding the complexity from the end-user.

 

AWS Nitro Enclaves

 

Amazon Web Services (AWS) has taken a unique approach with AWS Nitro Enclaves. Instead of directly exposing Intel SGX or AMD SEV as the primary user-facing product, AWS built a custom solution on top of its Nitro System hypervisor.71

  • Architecture: Nitro Enclaves allows a user to carve out a portion of an existing EC2 instance’s CPU and memory to create a separate, isolated virtual machine—the enclave.71 This enclave has its own minimal kernel, no persistent storage, no external network access, and no interactive shell access (SSH).72 Communication between the parent instance and the enclave is restricted to a secure, local virtual socket (
    vsock) channel.71
  • Features: Nitro Enclaves provides a cryptographic attestation mechanism that allows the enclave to prove its identity and the integrity of its code to other services. This is tightly integrated with AWS Key Management Service (KMS), enabling policies that, for example, only allow a specific, verified enclave to decrypt a certain piece of data.72
  • Strategic Position: This model is ideal for use cases where an organization wants to process highly sensitive data (e.g., tokenizing credit card numbers, managing private keys) by offloading just that specific function to a highly constrained and verifiable environment, while the rest of the application runs on the standard parent instance.72

 

Microsoft Azure Confidential Computing

 

Microsoft has pursued a comprehensive “big tent” strategy, offering the broadest portfolio of confidential computing services based on multiple underlying hardware technologies.75

  • Infrastructure Offerings: Azure provides two main infrastructure models.
  1. Confidential VMs: Based on AMD SEV-SNP and Intel Trust Domain Extensions (TDX), these allow customers to run entire virtual machines in a protected environment with full memory encryption and integrity. This “lift-and-shift” model requires no changes to existing applications.75
  2. Application Enclaves: Based on Intel SGX, these provide more granular, process-level isolation for customers who need to build highly secure applications with a minimal TCB.17
  • Managed Services: Building on this foundation, Azure offers a suite of “confidentially-aware” PaaS solutions, including:
  • Confidential Containers on Azure Kubernetes Service (AKS): Allows containerized applications to run on nodes that are themselves confidential VMs, protecting container workloads.75
  • Azure SQL Always Encrypted with secure enclaves: Enables rich computations (e.g., pattern matching, range queries) on encrypted data within a SQL database by executing the query engine inside a secure SGX enclave.75
  • Azure Confidential Ledger: A tamper-proof ledger service for storing sensitive data, where the ledger itself runs within a TEE.75
  • Attestation: Azure provides its own centralized Microsoft Azure Attestation service to verify the integrity of all its TEE offerings.75

 

Google Cloud Confidential Computing

 

Google Cloud’s strategy focuses on making confidential computing simple, performant, and seamlessly integrated into its data and analytics ecosystem.

  • Core Offerings: The portfolio is centered on Confidential VMs (powered by AMD SEV, SEV-SNP, and now Intel TDX) and Confidential GKE Nodes.2 The emphasis is on ease of use, often enabling the feature with a single checkbox during deployment.82
  • Confidential Space: This is Google’s flagship innovation in the area. It is a purpose-built solution designed to solve the multi-party data collaboration problem.2 Confidential Space allows multiple organizations to contribute their sensitive data to a common workload running in a TEE. The architecture provides strong trust guarantees that no party—not the other data contributors, not the workload operator, and not even Google Cloud—can view the combined dataset. It achieves this through a hardened OS, workload identity federation, and reliance on the attestation service to mediate access to data.80
  • Integration: Google has integrated confidential computing capabilities into its major data platforms, including Confidential Dataproc and Confidential Dataflow, allowing customers to run large-scale data processing and analytics jobs on protected data.2

 

Industry Applications

 

The availability of these robust cloud services is driving adoption across several key industries.

 

Finance: Secure Multi-Party Analytics and Fraud Detection

 

The financial sector faces a classic dilemma: individual institutions possess valuable transaction data, but the most effective models for detecting large-scale fraud and money laundering require a view across multiple institutions.1 Confidential computing provides the trusted technological “meeting ground” to solve this. Competing banks can pool their encrypted data into a shared TEE to collaboratively train a more powerful AI model for fraud detection. The TEE ensures that no bank can see another’s raw data, yet all benefit from the insights of the combined model.1 This same pattern applies to multi-party risk analysis, credit scoring, and anti-money laundering (AML) investigations, enabling a new form of “co-opetition” where fierce rivals can collaborate on systemic threats without compromising their competitive data assets.8

 

Healthcare: Privacy-Preserving Data Aggregation and Research

 

Healthcare is another prime use case, as patient data is both extremely sensitive and enormously valuable when aggregated. Regulations like HIPAA and GDPR create significant barriers to data sharing, siloing data within individual hospitals and research centers, which slows medical progress.9 Confidential computing allows multiple institutions to contribute de-identified or pseudonymized patient records to a secure TEE for large-scale analysis.1 This can dramatically accelerate clinical trials, enable the training of more accurate diagnostic AI models on more diverse datasets, and support epidemiological research, all while providing strong, verifiable guarantees that patient privacy is preserved.9

 

Artificial Intelligence: Protecting Model IP and Training Data

 

As AI models become increasingly complex and valuable, they represent significant intellectual property (IP) for the organizations that build them. Confidential computing provides a two-fold protection for AI workloads 88:

  1. Protecting Training Data: When training a model on sensitive data (e.g., medical images, financial records), the entire training process can be run within a TEE, protecting the data from the cloud provider.
  2. Protecting the Model IP: Once a model is trained, it can be deployed for inference inside a TEE. This allows a company to offer its proprietary model as a service (“Model-as-a-Service”) without risking the theft or reverse-engineering of the model’s weights and architecture.88

The recent development of Confidential GPUs, such as the NVIDIA H100, is a critical enabler for this use case. These GPUs extend the TEE’s trust boundary from the CPU to the accelerator, ensuring data remains encrypted and protected throughout the entire high-performance AI pipeline.17 This demand for secure AI is now a primary driver shaping the architecture of next-generation hardware accelerators.

 

Digital Assets: Securing Blockchain Nodes and Custody Wallets

 

In the world of blockchain and digital assets, the security of private keys is paramount. Confidential computing offers a hardware-based solution to the fundamental trust problem in this space.93 Use cases include:

  • Secure Key Management: Private key generation, storage, and transaction signing can be performed inside a TEE. This provides strong protection against key theft even if the server hosting the wallet or custody solution is completely compromised.94
  • Non-Custodial Services: It enables the creation of non-custodial services where, by design, the service provider is technically incapable of accessing or misusing user funds, as the keys are locked within a TEE that only the user can authorize.95
  • Blockchain Integrity: Running blockchain validator nodes within a TEE can provide hardware-enforced protection against certain attacks, such as double-signing in proof-of-stake networks, by programming the TEE to enforce the protocol rules immutably.95

 

Developer Experience, Performance Implications, and Future Outlook

 

Despite its powerful security guarantees, the practical adoption of confidential computing hinges on addressing significant challenges related to developer experience and performance overhead. The industry is actively working to abstract complexity and improve efficiency, with a clear trajectory toward making confidential computing a ubiquitous, seamless feature of modern computing. The market appears to be converging on the “lift-and-shift” confidential VM model as the primary vehicle for mainstream adoption, while the more granular enclave model is being positioned for specialized, high-assurance use cases.

 

The Developer’s Dilemma: Application Refactoring vs. “Lift-and-Shift” Deployment

 

The confidential computing ecosystem presents developers with a fundamental choice between two distinct adoption models, each with profound implications for effort, cost, and the final security posture 96:

  1. Application Refactoring (The SGX Model): This model requires developers to meticulously partition their application into trusted and untrusted components. Sensitive code and data must be isolated within an enclave, and a strict, well-defined interface (using ECALLs and OCALLs) must be created to mediate all communication with the untrusted host.20 This approach is intellectually demanding, time-consuming, and highly susceptible to implementation errors that can undermine the security guarantees.96 However, its primary advantage is that it produces a minimal TCB, offering theoretically the highest level of security by only trusting the essential, security-critical code.35
  2. “Lift-and-Shift” (The SEV/TDX Model): This model allows developers to take entire existing applications, along with their guest operating systems, and deploy them inside a Confidential VM without any code modification.17 This “lift-and-shift” capability dramatically lowers the barrier to entry and enables organizations to quickly secure legacy workloads.97 The developer experience is nearly frictionless. The trade-off, however, is a significantly larger TCB. The entire guest OS (millions of lines of code), along with all its libraries and the application itself, is now part of the trusted base. A vulnerability anywhere within this large software stack could potentially be exploited to compromise the workload from within.35

This dichotomy represents the central tension in the confidential computing space: the trade-off between security purity and practical usability. While frameworks like Google’s Asylo and the Open Enclave SDK aim to provide a hardware-agnostic API to bridge this gap, the underlying architectural differences are so fundamental that this remains a significant challenge.98 The market’s direction is becoming clear: Intel, the original champion of the enclave model, has now developed its own confidential VM technology, Intel Trust Domain Extensions (TDX), signaling an industry-wide acknowledgment that the ease-of-use of the VM model is the most viable path to broad enterprise adoption.17

 

A Quantitative Look at Performance Overhead Across Workloads

 

Performance overhead is a critical consideration for any security technology, and in confidential computing, it is highly dependent on both the TEE architecture and the specific workload characteristics. There is no single “performance tax”; the impact must be evaluated on a case-by-case basis.

  • Intel SGX Performance: The overhead for SGX is primarily driven by two factors: the high cost of enclave transitions (EENTER/EEXIT) and the limited size of the Enclave Page Cache (EPC).30
  • CPU-bound workloads that can fit entirely within the EPC and have infrequent communication with the outside world can run with minimal overhead.
  • I/O-bound or highly interactive workloads that require frequent ECALLs and OCALLs suffer significant performance degradation due to the high latency of these context switches.27
  • Memory-intensive workloads that exceed the EPC size are subject to constant, costly page swapping, which can result in extreme slowdowns, with research reporting overheads ranging from 1.2x to as high as 126x for certain HPC applications.30
  • AMD SEV Performance: The overhead for SEV-based confidential VMs is dominated by the latency of the hardware memory encryption engine.30
  • For most general-purpose and memory-sequential workloads, the overhead is often negligible, typically in the single-digit percentage range, as the memory encryption is pipelined and highly optimized in the hardware.100
  • However, workloads with highly irregular, random memory access patterns, such as graph analytics, can be more sensitive to the added latency and may experience more noticeable degradation.30
  • NUMA-aware configuration is critical. On large, multi-socket servers, default configurations may allocate all encrypted memory to a single NUMA node, leading to severe performance bottlenecks for multi-threaded applications. Proper configuration to interleave memory across all NUMA nodes can mitigate most of this overhead, reducing slowdowns from as high as 3.4x down to a more manageable 1.15x in some HPC benchmarks.30

The general consensus from performance studies is that for migrating large, unmodified legacy applications, the VM-based approach of AMD SEV (and Intel TDX) is significantly more performant and practical than the enclave-based model of Intel SGX.20

 

The Future Trajectory: The Rise of Confidential GPUs, Standardization, and the Path to Mainstream Adoption

 

The confidential computing ecosystem is evolving rapidly, moving from niche hardware features to a foundational pillar of modern cloud infrastructure. Several key trends are shaping its future:

  • Expansion to Accelerators: The most significant trend is the extension of TEE protections beyond the CPU to specialized accelerators. The introduction of Confidential GPUs like the NVIDIA H100 and Confidential AI accelerators is a direct response to the massive growth of AI/ML workloads. These devices create a secure channel between the CPU TEE and the GPU TEE, ensuring that sensitive models and data remain encrypted and protected throughout the entire high-performance computing pipeline.17 This indicates that confidential computing is becoming a core architectural requirement for next-generation hardware.
  • Standardization and Abstraction: To combat complexity and promote interoperability, industry groups like the CCC and the major cloud providers are driving towards greater standardization, particularly in the complex domain of remote attestation.13 Concurrently, the rise of higher-level abstractions like
    Confidential Containers and managed PaaS offerings (e.g., confidential databases) hides the underlying hardware intricacies from developers, making the technology far easier to consume.75
  • A Focus on Transparency: As the technology matures, there is a growing understanding that cryptographic attestation of a “black box” is not sufficient to build true user trust. Users need transparency into what is actually running inside the TEE. This is driving a push towards a complete ecosystem of trust based on open-source software, verifiable and reproducible builds, and third-party auditing and endorsement. This allows users to not only verify that a TEE is genuine but also to have confidence in what software it is running.101

As these trends continue, the focus of security research and attacks will likely shift. As the core hardware isolation becomes more robust, attackers will increasingly target the weaker links in the chain: the software supply chain that produces the code running in the TEE, the attestation verification logic in the relying party, and classic application-level vulnerabilities that can be triggered through the TEE’s interfaces. The security challenge is moving up the stack from the hardware to the complex ecosystem of trust built around it.

 

Conclusion

 

Confidential computing represents a fundamental and necessary evolution in data security, directly addressing the long-standing vulnerability of data-in-use. By leveraging hardware-based Trusted Execution Environments, it establishes a new paradigm where data and applications can be protected even from the privileged infrastructure on which they run, including the cloud service provider. This capability is not merely an incremental improvement but a transformative technology that resolves the core trust deficit of the public cloud, unlocking new possibilities for secure collaboration, data analytics, and the migration of highly sensitive workloads.

The architectural landscape is currently defined by a key trade-off between the granular, high-assurance isolation of application-level enclaves like Intel SGX and the seamless, “lift-and-shift” usability of virtual machine-level protection offered by AMD SEV-SNP and Intel TDX. While the enclave model provides the smallest possible attack surface, its significant developer complexity has hindered broad adoption. Consequently, the industry is clearly converging on the confidential VM model as the primary path to making this technology mainstream, supported by a rich ecosystem of managed services from major cloud providers like AWS, Azure, and Google Cloud.

However, the technology is not without its challenges. The security of TEEs is the subject of an intense and ongoing arms race between hardware vendors and a sophisticated security research community that continues to uncover novel side-channel, fault-injection, and software-based attacks. Achieving robust security requires a defense-in-depth approach that spans the entire stack, from silicon-level mitigations to secure coding practices. Furthermore, performance overhead remains a critical consideration that must be carefully evaluated for specific workloads.

Looking forward, the trajectory of confidential computing is toward becoming an invisible and ubiquitous feature of the computing landscape. Its expansion into GPUs and other accelerators signals its importance for the future of AI and high-performance computing. The continued efforts toward standardization, higher-level abstractions, and greater software transparency will be crucial in simplifying its adoption. As confidential computing matures, it will move from being a specialized security feature to a foundational expectation for any environment handling sensitive data, ultimately fulfilling the vision of a truly confidential cloud.