This knowledge base is intended for an experienced audience in confidential computing.

TEEs, past, now, and future.

Intel SGX-Related

TPM?

The Trusted Platform Module is complementary to the TEE on platforms without such a hardware-assisted confidential environment. A TPM is able to perform measured boot and, like a TEE, can provide a root of trust and perform remote attestation. While a TPM looks like a TEE, it cannot provide a secure hardware-based computing environment the way a TEE can. The cryptographic operations must be performed by the software stack; the TPM can only manage the security keys.

In short, a TPM is a secure crypto processor: it creates, stores, and uses crypto keys.

TPM or TEE…?

In short, a TPM protects data in storage while a TEE protects data in use. See also

https://security.stackexchange.com/questions/122738/difference-between-tpm-tee-and-se

A TPM also serves as a root of trust, but a TEE is stronger than a TPM since a TEE can emulate a TPM and thereby provide another root of trust. The de-facto implementation of mobile TPMs today is a protected environment inside a hardware-based trusted execution environment (TEE) [23, 24, 32, 45, 46, 54], such as ARM TrustZone, which is available on virtually all mobile platforms today; there the TPM is implemented as a protected software application inside the TEE.

Remote Attestation

In Confidential Computing an attestation is the validation of a hardware-signed report (an “attestation report”) of the measurements (which you can think of as hashes) of the TCB. Attestation results may be used to support stateless communication, e.g., to show that this datagram or computational result was produced by a specific TEE instance.

RA establishes the trustedness of a remote entity but not its trustworthiness. A trusted component doesn’t mean it won’t behave maliciously (trustworthy). Knowing what code is executing on a platform does not necessarily translate into knowing whether that code can be trusted.

“Measurement”?

Confidential Computing technology like Intel TDX provides an isolated, encrypted runtime environment to protect data-in-use, based on a hardware Trusted Execution Environment (TEE). It requires a full-chain integrity measurement of the launch-time or runtime environment to guarantee that the environment “consistently behaves in the expected way” (the Trusted Computing definition of trust) for the tenant’s zero-trust use case.

In Trusted Computing Group (TCG) Trusted Platform Module (TPM) architecture specification, an integrity measurement is a value that represents a possible change in the trust state of the platform. The measured object may be anything of meaning but is often
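To make the "full chain" of integrity measurements concrete, here is an added example (not from the original note or from any TCG specification) of how a verifier replays a measured-boot event log into PCR values and compares them with a quote and a golden policy. The event log, the PCR layout and the golden values are constructed sample data; verifying the hardware signature on the quote is assumed to have happened before this step.

```python
import hashlib

# Constructed sample event log: (PCR index, description, measured data).
# Stands in for the TCG event-log entries a measured boot would record.
SAMPLE_EVENT_LOG = [
    (0, "firmware",   b"constructed firmware image bytes"),
    (4, "bootloader", b"constructed bootloader image bytes"),
    (4, "kernel",     b"constructed kernel image bytes"),
    (8, "cmdline",    b"console=ttyS0 root=/dev/vda1"),
]


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = H(old || digest). One-way and order-dependent,
    so a chain of measurements cannot be rewritten or reordered unnoticed."""
    return hashlib.sha256(pcr + digest).digest()


def replay_event_log(events, pcr_count=24):
    """Replay an event log from all-zero PCRs, as a verifier does to re-derive
    the PCR values it expects to see in a signed quote."""
    pcrs = {i: bytes(32) for i in range(pcr_count)}
    for index, _desc, data in events:
        pcrs[index] = extend(pcrs[index], hashlib.sha256(data).digest())
    return pcrs


def verify_quote(quoted_pcrs, events, policy):
    """Two checks per policy-relevant PCR: (1) the event log replays to the
    quoted value (log integrity), (2) the quoted value equals the golden
    value (expected software). Returns a list of findings; empty means pass."""
    replayed = replay_event_log(events)
    findings = []
    for index, expected in policy.items():
        if replayed[index] != quoted_pcrs.get(index):
            findings.append(f"PCR{index}: event log does not replay to quoted value")
        elif quoted_pcrs[index] != expected:
            findings.append(f"PCR{index}: quoted value differs from golden value")
    return findings


if __name__ == "__main__":
    golden = replay_event_log(SAMPLE_EVENT_LOG)
    policy = {0: golden[0], 4: golden[4]}   # constructed golden values
    print("known-good boot:", verify_quote(golden, SAMPLE_EVENT_LOG, policy))
```

Note that a passing result proves only what ran (trustedness, in the terms above), not that the measured software is free of defects.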