What is Confidential Computing?

Confidential computing is the process of protecting data in use by performing computations inside a secure enclave (also known as a Trusted Execution Environment, or TEE). This provides a level of security and verifiability that is impossible to achieve with traditional cloud computing approaches where data is unencrypted and fully accessible to the hardware operator. Unlike encryption at rest (for stored data) or encryption in transit (for data being transferred over the network), confidential computing focuses on protecting data while it’s actively being processed on the host. This is achieved by using isolated regions of memory and CPU+GPU resources which form a secure “enclave” where even the host (such as the cloud provider) cannot see the internals of the computation or the data being processed. Secure enclaves prevent access from all privileged software, including the operating system and hypervisor, while allowing remote verification of the environment’s security through a remote attestation mechanism with a hardware root of trust. You can see how Tinfoil performs this verification automatically by learning more about our verification process. This hardware-backed security model enables sensitive workloads to run in untrusted environments while maintaining data privacy and integrity, even if the host is untrusted or compromised by an attacker.
Terminology: We use “secure enclave” as the default term to describe the isolated environment where computations are processed. When referring to hardware standards, attestation artifacts, or vendor technologies, we use the more formal term Trusted Execution Environment (TEE).

Supported hardware

There are several options for instantiating secure enclaves on modern processors. Enclaves were traditionally restricted to CPU-only workloads, but the latest NVIDIA GPUs can now take part in them by enabling a special “confidential compute mode.”
| Vendor | Platform | Feature | Type |
|--------|----------|---------|------|
| AMD | EPYC 3rd–5th Gen (7003, 8004, 9004, 9005 series) | SEV-SNP | CPU |
| Intel | Xeon Scalable 5th Gen, Xeon 6 | TDX | CPU |
| NVIDIA | H100, H200, B200 | Confidential Computing Mode | GPU |

Understanding Remote Attestation

Enclave verifiability is a critical security feature that allows users to confirm that code is running in genuine hardware with hardware security features enabled. Tinfoil’s integrity features ensure that all code and data remain unchanged and verifiable through cryptographic remote attestation.

The attestation process

The attestation process establishes a chain of trust from the hardware level up to the application level. Each step builds on the security guarantees of the previous one, connecting the hardware to the application code it runs.
  1. Hardware Authentication: The process begins by verifying the authenticity of the physical hardware components. This step ensures the enclave is running on genuine chips with proper security features enabled, not on simulated or misconfigured CPUs or GPUs.
  2. Configuration Verification: Once hardware authenticity is confirmed, the system validates that all security-critical settings are properly configured. This ensures the enclave environment is set up with the correct parameters and isolation boundaries.
  3. Code Measurement: The hardware creates cryptographic measurements of all code and configuration loaded into the enclave at launch. Clients can later verify these measurements to confirm the enclave is running the expected code.

Chain of trust

The attestation chain is established through a series of cryptographic validations:
  1. Hardware Root of Trust: Hardware manufacturers (Intel, AMD, NVIDIA) embed cryptographic keys in their processors at manufacture time
  2. Firmware Validation: Hardware validates firmware integrity during boot
  3. Initialization: Firmware initializes the enclave with verified security parameters
  4. Measurement: The hardware measures the loaded code and records cryptographic evidence
  5. Attestation Report: A hardware-rooted component signs the measurements using keys chained to the manufacturer’s certificate authority
  6. Verification: Clients verify signatures and measurements against known-good values
On AMD SEV-SNP, the CPU’s secure processor (PSP) signs with the VCEK, a per-chip key chained to AMD’s root key. On Intel TDX, a Quoting Enclave signs with an attestation key chained to Intel’s PCK certificate.
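To make the three attestation steps and the six-link chain above concrete, here is an added Go model that is not Tinfoil's verifier and not a real SEV-SNP or TDX report format: a vendor root key endorses a per-chip key (the VCEK's role), the chip signs a launch measurement together with a client nonce, and the client checks the endorsement, the report signature, freshness and the known-good measurement in that order. The key helpers, report layout and error strings are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Report is a constructed, simplified attestation report, not the real SEV-SNP or TDX layout.
type Report struct {
	Measurement, Nonce [32]byte // launch measurement and client-chosen nonce
	Sig                []byte   // chip-key ECDSA signature over both fields
}

// NewKey stands in for a key the vendor embeds at manufacture time (root or per-chip).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// pubHash fixes the bytes of a P-256 public key that an endorsement signs over.
func pubHash(pub *ecdsa.PublicKey) []byte {
	h := sha256.Sum256(append(pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))...))
	return h[:]
}

// Endorse models step 1: the vendor root key signs a per-chip public key (the VCEK's role).
func Endorse(root *ecdsa.PrivateKey, chip *ecdsa.PublicKey) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, root, pubHash(chip))
}
// Attest models step 5: the hardware signs the measurement with the client's nonce bound in.
func Attest(chip *ecdsa.PrivateKey, measurement, nonce [32]byte) (Report, error) {
	h := sha256.Sum256(append(measurement[:], nonce[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, chip, h[:])
	return Report{Measurement: measurement, Nonce: nonce, Sig: sig}, err
}

// Verify models step 6: chain to the root, report signature, freshness (no replay), known-good measurement.
func Verify(root, chip *ecdsa.PublicKey, endorsement []byte, r Report, nonce, expected [32]byte) error {
	h := sha256.Sum256(append(r.Measurement[:], r.Nonce[:]...))
	switch {
	case !ecdsa.VerifyASN1(root, pubHash(chip), endorsement):
		return errors.New("chip key is not endorsed by the manufacturer root")
	case !ecdsa.VerifyASN1(chip, h[:], r.Sig):
		return errors.New("report signature invalid")
	case r.Nonce != nonce:
		return errors.New("nonce mismatch: report is not fresh")
	case r.Measurement != expected:
		return errors.New("measurement does not match known-good value")
	}
	return nil
}
```

A report from a key the root never endorsed, a stale nonce, or a measurement that differs from the known-good value each fails at a distinct check, which is the property a real verifier needs so that a failure can be diagnosed.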

Understanding confidentiality

Secure enclaves provide an isolated execution environment directly at the hardware level. You can think of it as a “computer within a computer,” with its own dedicated memory regions and processing capabilities that remain completely isolated from the rest of the system and from the hardware operator (e.g., Tinfoil). When code runs within a secure enclave, it is executed in a protected region where even privileged system software such as the operating system and hypervisor, and the system administrators who control them, cannot access or modify the data being processed. In modern processors with Intel TDX or AMD SEV-SNP, all enclave memory is automatically encrypted using keys that never leave the processor. Because memory is always encrypted, data outside the processor boundary is inaccessible to attackers:
  • Memory dumps cannot reveal sensitive information.
  • Cold boot attacks are ineffective since memory contents remain encrypted.
  • Direct Memory Access (DMA) attacks are blocked.
  • Physical memory probing yields only encrypted data.
Secure key management:
  • Encryption keys are generated within the processor and never leave the processor.
  • Keys are automatically destroyed when the enclave terminates.

Limitations of enclaves in practice

While secure enclaves provide strong guarantees, they are not a silver bullet.
  • Physical attacks: An attacker with physical access to the hardware can potentially compromise the enclave. For Intel TDX, attestation forgery has been demonstrated; for AMD SEV-SNP, researchers achieved confidentiality breaches through key extraction (tee.fail). These attacks require significant resources and physical proximity to the machine.
  • Side-channel attacks: Enclaves can be vulnerable to timing attacks, power analysis, and electromagnetic emissions that leak information about the data being processed.
  • I/O pattern leakage: The host can observe data access patterns and I/O behavior, which may reveal sensitive metadata even though the data itself remains encrypted.
  • Denial of service: The cloud provider controls resource allocation and can restrict or terminate access to the enclave at any time.