How Is Confidential Computing Transforming Trusted Execution?


The concept of confidential computing has been increasingly visible in the last couple of years, but what does it actually entail? There are varied technology definitions, a newly founded consortium, and plenty of vendors touting such abilities. Michela Menting, Sr. Research Director of ABI Research seeks to demystify the concept and provide an overview of what currently qualifies as confidential computing and its impact on existing industry definitions.

The push for confidential computing is currently being led by the confidential computing consortium (CCC), a project community at the Linux Foundation, which intends to provide the leading definition of what that is: essentially trusted execution environment (TEE) technologies and standards. 

TEE is not a new concept; in fact, it has been around since the early 2000s. There is a TEE standard, developed by GlobalPlatform, and various specifications have been defined over the last decade by the group for the internal mechanisms, the user interface, secure external memories, microprocessor units (MPU) and microcontroller units (MCU), the system architecture, application programming interfaces (APIs), and trusted applications.

Essentially, GlobalPlatform defines the TEE as a secure area of the main processor in a smartphone (and today, in any connected device). It ensures that sensitive data are stored, processed, and protected in an isolated, trusted environment. The TEE’s ability to offer isolated safe execution of authorized security software, known as “trusted applications,” enables it to provide end-to-end security by enforcing protected execution of authenticated code, confidentiality, authenticity, privacy, system integrity, and data access rights. Compared to other security environments on the device, the TEE also offers high processing speeds and a large amount of accessible memory.

Today, there are many proprietary and open-source TEE implementations derived from the GlobalPlatform standard, including (but not limited to) the proprietary Arm TrustZone, Samsung TEEGRIS, Trustonic Kinibi, Alibaba Cloud Link TEE, Qualcomm QTEE, TrustKernel T6, Watchdata WatchTrust, and open-source alternatives, such as Open-TEE, OP-TEE, Trusty TEE, and RISC-V TEE implementations, which have generated proprietary versions from Hex Five, Penglai, SiFive, and ProvenRun.

These various implementations can be found in MCUs and MPUs from semiconductors, and feature in many different types of connected devices today.

TEE technology, to date, has been focused on end devices, which has been GlobalPlatform’s focus with its specifications that have become de facto standards. However, the CCC is looking to push that technology up the stack into cloud computing. The consortium published a “Technical Analysis of Confidential Computing”Opens a new window in November 2022, but oddly, it makes no mention of GlobalPlatform’s TEE standard, except in a reference at the end that has somehow been omitted from the body of the document.

See More: Are Your Connected Device Firmware and Application Updates Secure?

How TEE Technologies Work

It can be interesting to make a correlation here with other TEE-type technologies that do not adhere to GlobalPlatform’s specifications: Intel’s SGX and AMD SEV. These technologies were developed primarily for personal computers (PCs) and servers, around 2015-2016. They contrast with Arm’s TrustZone (introduced originally in 2004), which initially focused exclusively on smartphones and tablets, before moving down to smaller form factors targeting the Internet of Things (IoT).

In essence, SGX and SEV can also be said to fit the general idea of TEE, but are not based on the GlobalPlatform standard. While TrustZone was licensed to some Intel agencies (in 2007, Intel endorsed TrustZone as a trusted security solution to complement the features of its Authenticated Flash technology), Intel was not heavily inclined to actively promote Arm or TEE technology at the time. Instead, its focus remained fixed on the trusted platform module (TPM) through the promotion of trusted execution technology (TXT) and the UEFI standard at the time. However, since SGX, which was introduced with the sixth-generation Intel core MPUs, it has been converging slowly toward the TEE sphere of influence with it. While AMD SEV does not use the TPM specifically, it does leverage a dedicated co-processor, the Platform Security Processor. These two latter technologies have rarely been referred to as TEEs, but this appears to be changing with the CCC. 

Intel is a founding member of the CCC, alongside Microsoft, Google, and Red Hat. AMD is also a member and Arm joined a little while later, about the time it introduced its concept of Realms and the Arm Confidential Compute Architecture. It’s difficult to see what the primary difference with its TrustZone technology is, but it appears to be a more dynamic implementation of TrustZone (in the sense that it can be spun up and destroyed more easily). Arm appears to be moving away from its GlobalPlatform base—without dismissing it completely—to align itself with Intel, AMD, and the cloud service provider definition of confidential computing, even if this means redefining the concept of TEE outside of the strict GlobalPlatform specification. Under the new terminology defined by CCC, both Intel and AMD technologies can now be considered TEEs. 

It is unclear why there is little or no collaboration with GlobalPlatform to redefine a new TEE specification, but this could prove confusing for the market. Intel, for a time, referred to SGX as a secure execution environment but, clearly, there is something bigger at stake that warrants the CCC to take possession of the TEE nomenclature.

See More: Why and Where the PQC Market is Gaining Traction

The TEE Marketplace

Currently, from a market perspective, the TEE space, as defined by the CCC, is split between Intel and AMD, with vendors opting for one or the other (and in AWS’ case both) to provide their confidential computing solutions.

Some clarification from both the CCC and GlobalPlatform is clearly in order. But that is not the CCC’s only issue; other existing technologies are also clamoring to be labeled as such: homomorphic encryption, multi-party computation, hybrid post-quantum cryptography, tokenization, blockchain and distributed ledger technologies, etc. The CCC still has a lot of work to do if it wants to be a leader in the confidential computing space; it needs to collaborate more widely with other industry consortia and provide more clarity on the role that other technologies will play. 

How do you think confidential computing will change how existing technologies function? Share with us on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window . We’d love to hear from you!

Image Source: Shutterstock


About Expert Contributors: The Expert Contributor program is designed to help kickstart meaningful conversations around the priorities and challenges most critical to C-level executives. The insights and perspectives will help CIOs tackle what’s most important to them. We are always looking for industry thinkers who can help set the narrative for our enterprise audience. To know more about this program, and submit your ideas, reach out to the Spiceworks News & Insights Editorial team at [email protected]Opens a new window .