Everything in
A Trusted Execution Environment (TEE) flips the trust model on its head. Instead of the
OS protecting apps from each other, hardware protects a small piece of an app from the OS
itself — from the kernel, the hypervisor, even someone with a probe on the memory bus. The
Intel's SGX (Software Guard Extensions) carves out an enclave: a region of a process's address space that even the kernel and hypervisor cannot read. The CPU's memory-encryption engine encrypts enclave pages in DRAM with a key that never leaves the silicon, so a bus probe or a cold memory dump yields only ciphertext. Code outside the enclave — including ring-0 code — that tries to read enclave memory gets aborts or garbage. The threat model is startling: the enclave trusts only the CPU.
Two mechanisms make an enclave useful rather than merely private:
And yet SGX has been side-channel-plagued. It deliberately does not defend
against microarchitectural leakage, and a parade of attacks — Foreshadow (L1TF), Plundervolt (undervolting
to induce faults), SGAxe, ÆPIC — have repeatedly extracted enclave secrets or forged attestations. The
enclave's memory is encrypted, but its access patterns, timing, and speculative behaviour leak
through the same
ARM took a coarser, whole-system approach with TrustZone. The processor is split into two
worlds: a Normal World that runs your ordinary OS (Android, Linux) and a
Secure World that runs a tiny trusted OS (OP-TEE, Qualcomm's QSEE, Trusty). A single
hardware bit — the
This is why your phone's fingerprint template, DRM keys, and mobile-payment secrets survive even a fully rooted Android: they live in the Secure World, and the compromised Normal-World kernel simply has no path to them. TrustZone protects a whole subsystem (a trusted OS plus its apps), where SGX protects a single enclave inside one process — different granularities of the same trust inversion.
Enclaves ask you to rewrite your app to split out a tiny trusted core — painful. The cloud wanted something coarser: run an entire, unmodified virtual machine such that the hypervisor cannot read it. That is confidential computing, and AMD's SEV (Secure Encrypted Virtualization), Intel's TDX, and ARM's CCA all deliver it: the VM's memory is transparently encrypted with a per-guest key managed by a dedicated security processor, so the host hypervisor sees only ciphertext. SEV-SNP adds integrity protection against a malicious hypervisor remapping or replaying the guest's pages, and the whole VM can be attested as a unit.
The trade-off is the size of the trusted base. An SGX enclave trusts only the CPU and a few thousand lines of your code — tiny, but you must re-architect. A confidential VM trusts the entire guest OS and your unmodified app — huge, but you change nothing. The industry has largely voted for the latter: lifting a whole VM out of the host's reach fits how clouds already work, even if the TCB is a whole Linux.
Attestation and enclaves all rest on one hard question: if the OS can lie, and the firmware can lie, whom
do you believe first? The answer is a hardware root of trust — a small piece of
immutable code (a mask-ROM burned into the chip) and fused keys the attacker physically cannot alter. From
that anchor, secure boot builds a chain: each stage verifies the signature of the
next stage before executing it. The root ROM checks the firmware; UEFI Secure Boot
checks the bootloader (the
There are two distinct flavours, and they are often confused. Secure Boot is enforcing: it refuses to run anything whose signature does not verify — a gate. Measured Boot is recording: each stage computes a hash of the next and extends it into a TPM (Trusted Platform Module) register called a PCR — it does not block anything, but it leaves an unforgeable record of exactly what ran, which a remote verifier can later demand (remote attestation). One stops bad boots; the other proves what booted.
A PCR is never written, only extended:
Because each new value folds in the old one, the final PCR is a hash of the entire ordered sequence of everything that ran. You cannot forge it: to hit a target PCR you would have to have loaded exactly the right components in exactly the right order — and malware that loads after a stage can never retroactively change what that earlier stage already extended. This one-way, append-only accumulation is what makes "prove to me what you booted" possible. Run the extend chain and watch a single tampered stage cascade into a completely different final measurement.
This is the question that makes confidential computing actually mean something. The trick is that the attestation is signed by a key fused into the CPU at manufacture, whose private half never leaves the chip and is certified by the vendor (Intel, AMD, ARM) — not by the cloud provider. When your enclave attests, the signature chains up to Intel's or AMD's certificate authority, and you verify it against the vendor's root, which the cloud operator does not control. So a malicious provider can run whatever they like, but they cannot produce a vendor-signed quote saying "your exact code is running in a genuine enclave" unless it genuinely is — the private key to forge it lives in silicon they don't own. Of course, this merely moves the trust: now you must trust the CPU vendor and their key-management, and the Foreshadow attacks showed that even those hardware keys can leak. Trust is never eliminated in security — only relocated to a smaller, more scrutable place. That relocation, from "trust the whole datacentre" to "trust the CPU vendor's root key," is the entire value proposition of a TEE.
The most dangerous misconception about TEEs is to treat "runs in an enclave" as a synonym for "secure." An enclave guarantees confidentiality and integrity of memory against a privileged outsider — and nothing else. If your enclave code has a buffer overflow, the attacker exploits it just the same, now with the bonus that your defenders can't inspect the encrypted memory to catch them. If your enclave's access patterns depend on a secret (a branch or a table index keyed on a private bit), the microarchitectural side channels of Spectre/Meltdown leak it straight through the encryption — which is exactly how Foreshadow, SGAxe and friends broke SGX. And a TEE does nothing about a compromised input: garbage attested is still garbage. "Confidential" is a property of the memory bus, not of your logic. Build a TEE app as if it were ordinary security-critical code — constant-time, bounds-checked, minimal — because the encryption defends only one specific flank.