TEE Security Without the Complexity

AI inference with sensitive data demands hardware-grade security. But confidential computing is fragmented across vendors with incompatible APIs, attestation formats, and trust models. Tenzro solves this with a unified abstraction layer that works across Intel TDX, AMD SEV-SNP, AWS Nitro, and NVIDIA GPU confidential computing.

The Problem: Security Through Obscurity

When you send sensitive data to an AI model provider, you're placing enormous trust in their infrastructure. Healthcare queries, financial data, proprietary business information — all of it flows through systems you don't control. Traditional cloud security relies on trusting the provider, the hypervisor, the operating system, and every layer of the stack.

Confidential computing changes this model by using Trusted Execution Environments (TEEs) — hardware-isolated enclaves that encrypt memory and restrict access even from privileged software. Code running inside a TEE can't be inspected or tampered with by the host OS, hypervisor, or cloud provider. Cryptographic attestations prove what code is running and in what environment.

The challenge? Every vendor implements this differently. Intel has TDX. AMD has SEV-SNP. AWS has Nitro Enclaves. NVIDIA has H100/B200 GPU confidential computing. Each uses different attestation formats, certificate chains, and trust models. Building cross-platform confidential AI infrastructure means integrating four separate ecosystems with four separate APIs.

The TEE Landscape: Four Vendors, Four Standards

Let's walk through what each platform provides and where they diverge.

Intel TDX: VM-Level Isolation

Intel Trust Domain Extensions (TDX) provides VM-level isolation on 4th-gen Xeon Scalable processors and newer. Each Trust Domain is an encrypted virtual machine with its own cryptographic identity. The CPU encrypts all memory using the Memory Encryption Engine and uses integrity checks to prevent rollback attacks.

Attestation works through TDCALL instructions. Your guest VM calls TDCALL[TDG.MR.REPORT] to generate a TD Report containing measurements of the VM's initial state, firmware, and kernel. This report goes to the Quoting Enclave, a separate SGX enclave that signs it with Intel's provisioned key and produces a quote. That quote can be verified against Intel's Provisioning Certification Service (PCS), which provides the certificate chain anchored to Intel's root of trust.

AMD SEV-SNP: Encrypted VMs with Versioned Attestation

AMD Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP) encrypts guest VM memory with per-VM keys and prevents the hypervisor from tampering with guest page tables. It's available on 3rd-gen EPYC processors (Milan) and newer.

Attestation happens through /dev/sev-guest. The guest kernel requests an attestation report containing platform measurements, the VM's launch digest, and chip-specific identifiers. This report is signed by the Versioned Chip Endorsement Key (VCEK), which chains up through the AMD Signing Key (ASK) to the AMD Root Key (ARK). You verify the report by downloading the VCEK certificate from AMD's Key Distribution Service (KDS) using the chip's reported security version number and checking the signature chain.

AWS Nitro Enclaves: Isolated Compute with COSE Attestation

AWS Nitro Enclaves run on the Nitro hypervisor, which offloads virtualization and I/O to dedicated hardware cards. Enclaves are isolated CPU and memory partitions with no persistent storage, no interactive access, and no external networking except a local vsock channel to the parent instance.

The Nitro Security Module (NSM) device provides attestation. You call nsm_get_attestation_doc, and the NSM returns a COSE-signed CBOR document containing PCR measurements (like TPM hashes, but for the enclave image), the enclave's public key, instance metadata, and a timestamp. The signature uses P-384 ECDSA. You verify it against AWS's public root certificate, checking the certificate chain and validating the PCR values against your expected enclave image hash.

NVIDIA GPU Confidential Computing: Accelerated Inference in Hardware Enclaves

NVIDIA's Hopper (H100/H200), Blackwell (B100/B200), and Ada Lovelace architectures support confidential computing with CPU-to-GPU encrypted channels and GPU memory encryption. This is critical for AI workloads — inference happens orders of magnitude faster on GPUs, but without confidential computing, model weights and input data sit in GPU memory unencrypted.

Attestation uses the NVIDIA Remote Attestation Service (NRAS). The GPU generates a hardware attestation report containing the GPU's identity, firmware measurements, and session keys. This goes to NRAS, which validates the GPU's certificate chain and returns a signed JSON Web Token. You verify the JWT signature using NVIDIA's public key and check that the claimed GPU matches the expected model and security version.

Tenzro's Unified Abstraction

Tenzro normalizes all of this into a single API surface. The tenzro-tee crate provides a TeeProvider trait with three methods: generate_attestation (produce an attestation report), verify_attestation (cryptographically verify a report), and get_capabilities (query hardware features). Four implementations — IntelTdxProvider, AmdSevSnpProvider, AwsNitroProvider, NvidiaGpuProvider — hide all vendor-specific details.

At runtime, detect_tee() probes the system and returns the appropriate provider. No conditional compilation, no feature flags required at the call site. The same inference server code runs on Intel, AMD, AWS, or NVIDIA without changes.

Behind the scenes, each provider handles its own certificate chain verification. Intel attestations are verified against PCS. AMD attestations download VCEK certificates from KDS. AWS attestations check the Nitro root CA. NVIDIA attestations validate NRAS JWTs. The application code just gets a boolean: verified or not.

Why This Matters for AI Inference

Consider a healthcare AI agent analyzing patient medical records. The agent needs to query a large language model, but the records contain protected health information (PHI). Traditional cloud inference would send this data in the clear to the model provider's servers, where it could be logged, cached, or accessed by administrators.

With TEE-based inference, the model provider loads their model into a confidential VM or GPU enclave, generates an attestation proving the environment's integrity, and publishes that attestation. The agent verifies the attestation before sending data — checking that the model code matches the expected hash, the TEE firmware is up to date, and no debug modes are enabled. Only after cryptographic verification does the agent send the query.

The inference runs inside the enclave. The model processes the data, generates a response, and optionally produces a second attestation covering the computation itself — proving the output came from the claimed model running in a verified TEE. The agent receives both the result and a proof that it was computed securely.

This model extends beyond healthcare. Financial institutions can run fraud detection queries without exposing transaction details. Enterprises can use proprietary data for model fine-tuning without uploading it to a third party's cloud. Law firms can leverage AI for document review while maintaining attorney-client privilege.

TEE-Weighted Consensus

Tenzro takes this further at the consensus layer. Validators in the network can run inside TEEs and submit attestations proving it. The HotStuff-2 consensus engine verifies these attestations at epoch boundaries. Validators with valid, fresh TEE attestations receive 2x weight in leader selection.

Why? Because a TEE-attested validator is demonstrably harder to compromise. You can't just SSH in and steal keys — the validator's signing keys are sealed to the enclave measurement, and extracting them requires either a hardware side-channel attack or compromising the CPU vendor's root of trust. By weighting TEE nodes more heavily, the network becomes more resistant to remote attacks and insider threats.

This creates an incentive gradient. Model providers and validators who invest in confidential computing hardware earn more — more inference requests, more validator selection, more TNZO rewards. The economic model aligns with security hardening.

Hybrid ZK-in-TEE

Tenzro combines TEEs with zero-knowledge proofs for defense in depth. A TEE attestation proves code ran in an isolated environment. A ZK proof proves the computation was performed correctly. Together, they cover both integrity (what ran) and correctness (what it computed).

For example, an inference request might include a ZK proof that the input satisfies certain constraints — a numerical range, a format requirement, a privacy policy. The TEE runs the model and produces an output along with a ZK proof that the output was derived correctly from the input. The requester verifies both the TEE attestation (hardware isolation) and the ZK proof (computational correctness).

Tenzro's tenzro-zk crate supports GPU-accelerated proving with batch proof generation. Since many TEE platforms now include GPUs (like NVIDIA H100 enclaves), a single machine can do confidential inference and generate ZK proofs without data ever leaving the enclave. The hybrid model ships today on Tenzro's testnet.

The Path Forward

Confidential computing is moving from niche applications to mainstream infrastructure. Google Cloud offers Confidential VMs on Intel TDX and AMD SEV. Azure supports SEV-SNP and Nitro-like enclaves. Every major cloud provider now has TEE offerings. But the fragmentation remains — different APIs, different attestation formats, different certificate chains.

Tenzro's abstraction layer solves this for AI workloads. One codebase. Four platforms. Attestation verification that just works. As new TEE platforms emerge — ARM CCA, RISC-V Keystone, future Intel and AMD generations — the abstraction extends to cover them. Applications keep running without code changes.

This is what confidential AI infrastructure should look like: hardware-grade security without vendor lock-in, cryptographic proofs without complexity, and economic incentives aligned with security hardening.