Security of Confidential Computing in Open Infrastructure

20 May 2022

Confidential computing enables isolation of sensitive data in a secure domain during processing. It protects data in use by running the computation in a Trusted Execution Environment created using a combination of firmware and hardware features. Next, we review the security considerations of Confidential Computing in Open Infrastructure projects.

Confidential Computing Platforms

Confidential Computing started off with process-based isolation, implemented in Intel SGX. Nowadays, vendors are introducing hardware and firmware support for virtualization-based confidential computing, and several Open Infrastructure projects have added support for it. The work goes on, motivated by strong interest from the user community. Since the Train release, OpenStack supports launching virtual machines with memory protection. The Kata Containers community has been integrating support for virtualization-based confidential computing since early 2021. Right now it focuses on IBM Protected Execution Facility (IBM PEF) and AMD Secure Encrypted Virtualization (AMD SEV). Another upcoming technology is Intel Trust Domain Extensions (Intel TDX); support for it is also in scope but lagging behind, since the hardware is not available yet. We hope to see other technologies – such as the ARM Confidential Computing Architecture (ARM CCA) – also supported by Kata Containers once hardware becomes available. While the range of supported confidential computing features is already extensive, the Kata backlog is full of exciting issues to work on.

Diverse Implementations

As often happens with paradigm-changing technologies, implementing support for confidential computing is a bumpy ride: the technology stack supporting confidential computing is eclectic; moreover, threat models, implementations and functionality vary across vendor platforms, resulting in diverging capabilities, trade-offs and security guarantees. This diversity is a good thing, since it allows addressing a more diverse set of use cases. However, making the right choices that enable new security features without compromising functionality is hard. To do this, it helps to understand the capabilities and limitations of each confidential computing technology. The table below reviews several aspects across four leading enterprise server architectures for confidential computing.

Feature support

  • Memory encryption is supported on most architectures, except for IBM PEF, which opted for memory isolation instead (at least in OpenPOWER 9).
  • Remote attestation is a defining feature of confidential computing. It helps to establish trust between the end user and the execution environment, by allowing end users to obtain a verifiable claim about the security properties of the trusted execution environment. Imagine the padlock in a web browser showing that an HTTPS connection is protected – except that this time it’s for workloads running in the cloud.
  • Secure Direct Memory Access into confidential computing environments is tricky. So far, only the ARM CCA specification includes support for it.
  • Migration of Confidential Computing VMs has patchy support across the board; it is supported by AMD SEV-SNP and Intel TDX (in its specifications), is undefined for ARM CCA and is not supported out of the box in IBM PEF (at least according to a recent academic paper).
  • Finally, an open implementation helps both wider community adoption and building trust in the solution. Out of the four leading enterprise server architectures, only the IBM PEF ultravisor is available as open source, while the ARM CCA specification is available to licensees. Neither the AMD SEV-SNP nor the Intel TDX implementation is openly available at this point.
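The remote attestation flow sketched in the list above, written out as an added example (it is not code from the original post, from Kata Containers, or from any of the named vendors): the relying party issues a fresh nonce, the platform returns a report over the workload measurement bound to that nonce and signed with its attestation key, and the verifier checks authenticity, freshness, policy and workload identity before trusting the environment. The report layout, the ed25519 key that stands in for a vendor certificate chain, the debug policy bit, the workload name and the image hash are all constructed assumptions for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a simplified stand-in for a vendor attestation report (SEV-SNP
// report, TDX quote). The layout is invented here; real reports carry far more.
type Report struct {
	Measurement [32]byte // hash of the guest's initial image / memory contents
	Nonce       [32]byte // relying party's challenge; binds the report to one session
	Debug       bool     // policy bit: a debug-enabled TEE exposes guest memory to the host
	Signature   []byte   // platform attestation key's signature over the fields above
}

// signedBytes serialises the signature-covered fields in a fixed order.
func signedBytes(r Report) []byte {
	b := append([]byte{}, r.Measurement[:]...)
	b = append(b, r.Nonce[:]...)
	if r.Debug {
		return append(b, 1)
	}
	return append(b, 0)
}

// Platform models the TEE side. In hardware the attestation key never leaves
// the chip and its public half chains to the vendor's root certificate.
type Platform struct {
	Key         ed25519.PrivateKey
	Measurement [32]byte
	Debug       bool
}

// Attest returns a report bound to the verifier's nonce.
func (p Platform) Attest(nonce [32]byte) Report {
	r := Report{Measurement: p.Measurement, Nonce: nonce, Debug: p.Debug}
	r.Signature = ed25519.Sign(p.Key, signedBytes(r))
	return r
}

// Verifier is the relying party: the end user, or a key broker acting for them.
type Verifier struct {
	TrustedKey ed25519.PublicKey   // stands in for the vendor certificate chain
	Allowed    map[[32]byte]string // measurements of workloads the verifier trusts
	issued     map[[32]byte]bool   // challenges handed out and not yet consumed
}

func NewVerifier(trusted ed25519.PublicKey, allowed map[[32]byte]string) *Verifier {
	return &Verifier{TrustedKey: trusted, Allowed: allowed, issued: map[[32]byte]bool{}}
}

// Challenge issues a fresh random nonce; a report is accepted at most once per nonce.
func (v *Verifier) Challenge() ([32]byte, error) {
	var n [32]byte
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	v.issued[n] = true
	return n, nil
}

// Verify checks authenticity, freshness, policy, then workload identity, and
// returns the trusted workload's name on success.
func (v *Verifier) Verify(r Report) (string, error) {
	if !ed25519.Verify(v.TrustedKey, signedBytes(r), r.Signature) {
		return "", errors.New("signature does not verify against the trusted platform key")
	}
	if !v.issued[r.Nonce] {
		return "", errors.New("nonce not outstanding: stale or replayed report")
	}
	delete(v.issued, r.Nonce) // consume the challenge so the report cannot be replayed
	if r.Debug {
		return "", errors.New("TEE is in debug mode; policy forbids releasing data to it")
	}
	name, ok := v.Allowed[r.Measurement]
	if !ok {
		return "", fmt.Errorf("unknown measurement %x...", r.Measurement[:4])
	}
	return name, nil
}

// Scenario runs one genuine exchange, then a tampered report and a replayed
// report. Keys and the image hash are constructed; nothing comes from real hardware.
func Scenario() (accepted string, tamperErr, replayErr, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", nil, nil, err
	}
	image := sha256.Sum256([]byte("constructed-guest-image-v1"))
	platform := Platform{Key: priv, Measurement: image}
	verifier := NewVerifier(pub, map[[32]byte]string{image: "analytics-worker"})
	nonce, err := verifier.Challenge()
	if err != nil {
		return "", nil, nil, err
	}
	report := platform.Attest(nonce)
	if accepted, err = verifier.Verify(report); err != nil {
		return "", nil, nil, err
	}
	tampered := report          // host flips a measurement byte after signing
	tampered.Measurement[0] ^= 0xff
	_, tamperErr = verifier.Verify(tampered)
	_, replayErr = verifier.Verify(report) // same valid report presented twice
	return accepted, tamperErr, replayErr, nil
}

func main() {
	accepted, tamperErr, replayErr, err := Scenario()
	fmt.Println("genuine:", accepted, err, "| tampered:", tamperErr, "| replayed:", replayErr)
}
```

The order of the checks matters: the signature is verified first so that nothing in an unauthenticated report (including its nonce) influences the verifier's state, and the nonce is consumed before the policy and measurement checks so that a report rejected for policy reasons cannot be resubmitted under the same challenge. In a real deployment the trusted key would be replaced by validation of the vendor's certificate chain and the allow-list by a measurement policy tied to the images the user actually built.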

[Comparison table: rows Memory Encryption, Remote Attestation, Secure DMA and VM Migration, compared across the four architectures discussed. The per-architecture cells did not survive extraction; only "✅ * ✅ *" from the VM Migration row remains, the asterisks presumably marking the "in its specifications" qualification given in the list above.]

Knowing in depth the capabilities, trade-offs and limitations of confidential computing technologies is crucial to making full use of the functionality of each platform – whether it is Intel SGX, AMD SEV-SNP, IBM PEF, or the upcoming Intel TDX and ARM CCA. Thoughtful selection of the confidential computing technology can help address customer requirements with the best security guarantees and broadest functionality.

CanaryBit uses this expertise to build its Confidential Cloud platform for secure data sharing. Confidential Cloud currently supports Intel SGX and AMD SEV-SNP, and we are working on adding IBM PEF, Intel TDX and ARM CCA functionality whenever hardware support becomes broadly available. In a follow-up blog post, we will review several use cases that can be addressed using confidential computing support in OpenStack and Kata containers. We already address some of them at CanaryBit through our confidential data collaboration SaaS.

(This post was first released on Medium for the Kata Containers Community)
