A collection of materials to help with understanding this fascinating technology.
Confidential computing protects your workload from unauthorised entities: the host or hypervisor, system administrators, service providers, other VMs, and other processes on the host.
A Trusted Execution Environment (TEE) is at the heart of a confidential computing solution. TEEs are secure, isolated environments provided by confidential computing (CC) enabled hardware that prevent unauthorised access to, or modification of, applications and data while they are in use.
The following diagram provides a logical view of a confidential computing solution. It can be used as a mental model for building a better understanding of the technology.
Source: Understanding a confidential computing solution
- Confidential Computing Overview and Use cases
- Process based and VM based TEEs
- Confidential Computing across Edge-to-Cloud for Machine Learning: A Survey Study
- Survey of research on confidential computing (IET 2024)
- Confidential Computing Consortium – White Papers & Reports
- IDC Research: Confidential Computing as Strategic Imperative (2025)
- AMD SEV
- ARM TrustZone
- ARM Confidential Compute Architecture (CCA)
- IBM Secure Execution
- IBM PEF
- Intel SGX
- Intel TDX
- NVIDIA H100/H200 Confidential Computing
- RISC-V CoVE (Confidential VM Extension)
- Linux support - SEV
- Linux support - SGX
- Linux support - TDX
- Linux support - PEF
- Linux support - ARM CCA
- CNCF Confidential Containers
- libkrun
- Apache Teaclave
- SCONE
- Gramine Library OS
- EGo
- Enarx
- Keystone Enclave (RISC-V)
- Microsoft Confidential Consortium Framework
- MarbleRun
- Occlum Library OS
- Open Enclave SDK
- Veracruz
- Remote ATtestation procedureS (RATS) Architecture – RFC 9334
- Trustee - Remote Attestation Services
- IETF CoRIM - Concise Reference Integrity Manifest
- ARM CCA Attestation Token Specification
- Intel CoRIM Profile for Remote Attestation
- Comparing Attestation Process across different silicon vendors
- Understanding Attestation Process
- Azure attestation service
- Intel Trust Authority
- Veraison - Open source attestation verification (CCC project)
- Keylime - TPM-based remote attestation (CNCF project)
- Tinfoil - Verifiable Secure Enclaves
- Private Mode AI
- NVIDIA Confidential Computing for Secure AI
- NVIDIA Secure AI Whitepaper (Blackwell & Hopper)
- Google Confidential Accelerators for AI Workloads
- Red Hat: AI Inference with Confidential Computing
- Red Hat: Confidential Containers with NVIDIA Accelerated Computing
- dstack
- TEE.Fail - DDR5 Memory Bus Attack on Intel SGX/TDX and AMD SEV-SNP (2025)
- BadRAM
- Heracles - Chosen Plaintext Attack on AMD SEV-SNP (2025)
- CounterSEVeillance - Performance Counter Attacks on AMD SEV-SNP
- A Survey of RISC-V Secure Enclaves and TEE Vulnerabilities (2025)
- TEE Security Analysis - Trust Issues in Execution Environments
- Azure Confidential Computing Offerings
- Google Confidential Computing Offerings
- IBM Cloud Confidential Computing Offerings
- AWS Confidential Computing Offerings
- Red Hat Confidential Containers
- ISV Offerings
- CCC / Linux Foundation Study on Confidential Computing Adoption
- IDC Spotlight: Confidential Computing Use Is Growing
- SCONE: Secure Linux Containers with Intel SGX (OSDI 2016)
- Keystone: An Open Framework for Architecting TEEs
- CoVE: Confidential Computing on RISC-V Platforms
- virtCCA: Virtualized ARM CCA with TrustZone
- PORTAL: Fast Device Access with ARM CCA (2025)
- GATOR-V: Production-Grade TEE for RISC-V
- NVIDIA GPU Confidential Computing Demystified
- Confidential Computing across Edge-to-Cloud for ML: A Survey
- Privacy-Preserving Decentralized AI with Confidential Computing
- Efficient Privacy-Preserving ML with Lightweight TEE (PETS 2024)
