Confidential Virtual Machines (CVMs)

Next to secure enclaves, confidential virtual machines (CVMs) are the second existing form of confidential-computing environment (CCE). In simplified terms, the concept of CVMs can be summarized as: “Take the three defining CCE properties and apply them to entire virtual machines.” Thus, unlike secure enclaves, CVMs can run essentially any workload without requiring modifications. Ease of use is the key advantage of CVMs. On the other hand, at least when compared to SGX, CVMs have a larger attack surface, because they run an entire operating system and directly interact with a potentially complex set of hardware. Still, unlike Nitro Enclaves, CVMs are explicitly designed to shield workloads from the infrastructure, including the cloud operator.

CVMs were pioneered by AMD with its Secure Encrypted Virtualization (SEV) feature. Since then, Intel brought its Trust Domain Extensions (TDX) to market and Arm has announced its Confidential Computing Architecture (CCA). All three approaches are similar. Given the support from the three major processor vendors and designers, it seems fair to predict that the CVM concept will dominate the confidential computing landscape going forward.