Confidential Computing 101
Technology Overview

Last Update: July 2023
A hardware-based secure enclave establishes an isolated environment for a specific application, effectively segregating it from the rest of the software stack.

An enclave provides sophisticated hardware-based security features and encryption capabilities. By running application-specific code and data within an enclave, we gain an additional layer of security, privacy, and trust in the execution environment. As a result, deploying applications within containers becomes an excellent choice, particularly in potentially untrusted cloud environments.

Hardware secure enclave technologies include Intel SGX, Intel TDX, AMD SEV, ARM CCA, and RISC-V AP-TEE. GPU-based technologies include NVIDIA CC.

Intel SGX

Intel SGX provides a secure execution environment called an enclave to protect sensitive code and data. It allows applications to isolate portions of their code and data in enclaves, ensuring confidentiality and integrity. SGX enables secure computations even on compromised systems, preventing access to the enclave's contents.

Intel TDX

Intel TDX safeguards confidential guest virtual machines (VMs) from both host and physical attacks by isolating the register state of the guest and encrypting its memory. TDX employs a specialized module operating in a dedicated mode that acts as an intermediary between the host and guest, ensuring effective separation between them.

AMD SEV

AMD SEV is designed to protect virtual machines (VMs) in cloud environments. SEV encrypts the VM's memory, isolating it from the hypervisor and other VMs. This technology provides a secure execution environment for VMs, protecting them from unauthorized access and tampering.

ARM CCA

ARM CCA is a hardware-based security technology that enables confidential computing on ARM-based processors. CCA provides mechanisms for isolating and protecting sensitive code and data within secure enclaves. It allows applications to execute securely and protects against unauthorized access or tampering.

RISC-V AP-TEE

RISC-V AP-TEE is a trusted execution environment designed for the RISC-V (pronounced "risk-five") architecture, an open standard instruction set architecture (ISA) based on established reduced instruction set computer (RISC) principles. AP-TEE provides a secure execution environment for applications, protecting sensitive code and data from unauthorized access. Unlike most other ISA designs, RISC-V AP-TEE is provided under royalty-free open-source licenses.
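As an added example (not code from the original page), the following Python check maps the Linux-visible indicators of the technologies listed above to their names, so an operator can see which of them a machine or VM actually exposes. The CPU flag and device-node names are those used by the Linux SGX, TDX-guest and SEV drivers; the configfs-tsm report path is treated as a vendor-neutral sign that some guest TEE is active (TDX, SEV-SNP and ARM CCA guests all use it), and RISC-V AP-TEE and NVIDIA CC get no dedicated indicator. An indicator only shows the feature is exposed; the workload attestation described elsewhere on this site is what proves it.

```python
"""Added example: report which confidential-computing technologies a Linux system exposes."""
import os
import re
from pathlib import Path

# Indicator table. CPU flags come from /proc/cpuinfo; device nodes are created by
# the Linux SGX, TDX-guest and SEV/SEV-SNP drivers. The configfs-tsm report path is
# vendor-neutral (TDX, SEV-SNP and ARM CCA guests), so it only says that *some*
# guest TEE is present. ARM CCA, RISC-V AP-TEE and NVIDIA CC have no dedicated row.
INDICATORS = {
    "Intel SGX": {"flags": {"sgx"}, "devices": {"/dev/sgx_enclave": "enclave host"}},
    "Intel TDX": {"flags": {"tdx_guest"}, "devices": {"/dev/tdx_guest": "TD guest"}},
    "AMD SEV": {"flags": {"sev", "sev_es", "sev_snp"},
                "devices": {"/dev/sev": "host (PSP)", "/dev/sev-guest": "SNP guest"}},
    "Guest TEE (vendor-neutral)": {"flags": set(),
                "devices": {"/sys/kernel/config/tsm/report": "configfs-tsm"}},
}

def parse_cpu_flags(cpuinfo_text):
    """Return the feature flags from the first 'flags' (x86) or 'Features' (arm64) line."""
    for line in cpuinfo_text.splitlines():
        m = re.match(r"^(flags|Features)\s*:\s*(.*)$", line)
        if m:
            return set(m.group(2).split())
    return set()

def detect(cpu_flags, present_paths):
    """Map each technology to the evidence found; technologies with none are omitted."""
    found = {}
    for name, ind in INDICATORS.items():
        evidence = [f"cpu flag {f}" for f in sorted(ind["flags"] & cpu_flags)]
        evidence += [f"{p} ({role})" for p, role in ind["devices"].items() if p in present_paths]
        if evidence:
            found[name] = evidence
    return found

def detect_local():
    """Run detection against the live system (read-only: /proc/cpuinfo and path checks)."""
    cpuinfo = Path("/proc/cpuinfo").read_text() if os.path.exists("/proc/cpuinfo") else ""
    candidates = {p for ind in INDICATORS.values() for p in ind["devices"]}
    return detect(parse_cpu_flags(cpuinfo), {p for p in candidates if os.path.exists(p)})

# Constructed sample of what an AMD SEV-SNP guest typically shows (not captured from a real VM).
SAMPLE_CPUINFO = "processor\t: 0\nvendor_id\t: AuthenticAMD\nflags\t\t: fpu sse2 sev sev_es sev_snp\n"

if __name__ == "__main__":
    for name, ev in (detect_local() or {"none": ["no indicator found"]}).items():
        print(f"{name}: {', '.join(ev)}")
    print("Note: an indicator shows the feature is exposed, not that it is trustworthy;"
          " remote attestation is the proof.")
```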
