Physics / mechanism
A Trusted Execution Environment is a hardware-isolated compute enclave running alongside the main OS, enforcing confidentiality and integrity of code and data even against a privileged attacker. Implemented via dedicated silicon — ARM TrustZone partitions the CPU into Normal/Secure worlds; Intel TDX and AMD SEV-SNP extend isolation to full VMs using memory encryption. Key parameters: memory encryption latency overhead (~5–15%), attestation round-trip (<100 ms for remote attestation via ECDSA/DCAP), and TCB surface area (smaller = better; measured in lines of verified firmware). Current SoA: CCA (Confidential Compute Architecture) on ARMv9 introduces Realm Management Extensions, enabling dynamic realm creation without OEM key dependency.
Competitive landscape
Competing approaches: homomorphic encryption (HE) handles computation on encrypted data without hardware trust anchors but carries 1,000–10,000× compute overhead — impractical for inference workloads today. Secure multi-party computation (SMPC) distributes trust across parties but requires coordination overhead. RISC-V enclaves (Keystone, Penglai) offer open-source TCB alternatives. The confidential computing stack is increasingly converging around CCA/TDX/SEV-SNP as the hyperscaler-validated trio.
| Approach | Perf overhead | Trust anchor | Maturity |
|---|---|---|---|
| TEE (TDX/SEV) | Low (5–15%) | Hardware | Production |
| HE | Extreme (>1000×) | Cryptographic | Research/niche |
| SMPC | Medium-high | Protocol | Limited deploy |
Companies using
Connected ideas
Sources
Frontier (open questions)
- To be added.