What confidential computing can and can't do

Confidential computing serves to protect workloads from potential threats originating within the underlying infrastructure. It can protect from all risks posed by malicious co-tenants, cloud administrators, and datacenter employees. This aspect is crucial for those considering migrating sensitive workloads to the cloud. Nevertheless, it's important to recognize that confidential computing doesn't assist in securing the "front door" of a system. For instance, if there is a vulnerability in the login form of an application, confidential computing does not offer protection in such cases. Attackers can still exploit the identified vulnerability.

Trusted Computing Base

If used correctly, confidential computing can remove large parts of the hardware and software infrastructure from the trusted computing base (TCB). The following diagram shows the remaining TCB for the two main confidential-computing approaches, namely secure enclaves and confidential VMs (CVMs). It also show the TCB for Nitro Enclaves in comparison.

Trusted computing base of confidential computing and related approaches

What confidential computing can and can't do

Trusted Computing Base​

Trusted Computing Base