An Experimental Evaluation of TEE technology Evolution: Benchmarking Transparent Approaches based on SGX, SEV, and TDX

Luigi Coppolino, Salvatore D'Antonio, Davide Iasio, Giovanni Mazzeo, Luigi Romano

TL;DR

This work provides a comprehensive, near-transparent performance comparison of process-based TEEs (SGX with Gramine-SGX and Occlum-SGX) and VM-based TEEs (AMD SEV and Intel TDX) across CPU-, memory-, and I/O-intensive legacy workloads. It is the first experimental evaluation of Intel TDX, carried out at a time when TDX hardware was not yet publicly available; results are normalized to account for CPU frequency differences between the test machines, and every measurement is repeated 10 times to bound its uncertainty. Key findings show that VM-based TEEs generally outperform process-based ones on memory- and I/O-intensive tasks, with TDX often more efficient than SEV, while for CPU-intensive workloads Gramine-SGX can outperform TDX depending on the workload. The study also analyzes cloud cost implications, finding SGX the most expensive option, SEV the cheapest, and TDX a middle ground, thereby guiding deployment and budgeting decisions for confidential computing.
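The summary above says the measurements are normalized for CPU frequency differences between hosts and repeated 10 times. The following Python is an added example, not code from the paper, showing one way a benchmark harness can do both: rescale a throughput metric to a reference clock, summarize the 10 repetitions as a mean with a 95% Student-t interval, and report a TEE configuration relative to native. The linear-in-frequency scaling and the confidence-interval method are assumptions (the paper's own normalization equation is not reproduced on this page), and the sample figures are constructed, not measured.

```python
"""Added example (not the paper's code): frequency-normalized throughput
comparison with a 95% confidence interval over 10 repetitions."""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, stdev

# Two-sided 95% Student-t critical values, keyed by degrees of freedom (n - 1).
T95 = {4: 2.776, 9: 2.262, 19: 2.093}


@dataclass
class Run:
    config: str      # e.g. "native", "gramine-sgx", "occlum-sgx", "sev", "tdx"
    cpu_ghz: float   # sustained clock of the host during this run
    samples: list    # one throughput figure (ops/s) per repetition


def normalize(samples, cpu_ghz, ref_ghz):
    """Rescale a throughput metric to a reference clock.

    ASSUMPTION: throughput is treated as linear in core frequency, so a run
    on a slower host is scaled up by ref_ghz / cpu_ghz. This is a stand-in
    for the paper's normalization, which this page does not reproduce.
    """
    if cpu_ghz <= 0 or ref_ghz <= 0:
        raise ValueError("clock frequencies must be positive")
    factor = ref_ghz / cpu_ghz
    return [s * factor for s in samples]


def summarize(samples):
    """Return (mean, 95% CI half-width) for a set of repeated measurements."""
    n = len(samples)
    if n - 1 not in T95:
        raise ValueError(f"no t critical value tabulated for {n} repetitions")
    return mean(samples), T95[n - 1] * stdev(samples) / sqrt(n)


def compare(tee: Run, native: Run, ref_ghz: float):
    """Overhead of a TEE configuration relative to native, with both runs
    normalized to ref_ghz. relative_throughput < 1 means the TEE is slower."""
    t_mean, t_ci = summarize(normalize(tee.samples, tee.cpu_ghz, ref_ghz))
    n_mean, n_ci = summarize(normalize(native.samples, native.cpu_ghz, ref_ghz))
    return {
        "config": tee.config,
        "tee_mean": t_mean, "tee_ci": t_ci,
        "native_mean": n_mean, "native_ci": n_ci,
        "relative_throughput": t_mean / n_mean,
        "slowdown": n_mean / t_mean,
    }


def example():
    """Constructed data (not measured): native on a 3.0 GHz host, a VM-based
    TEE on a 2.5 GHz host, 10 repetitions each."""
    native = Run("native", 3.0,
                 [990, 1010, 1000, 1005, 995, 1000, 1002, 998, 1000, 1000])
    tee = Run("tdx", 2.5,
              [740, 760, 750, 755, 745, 750, 752, 748, 750, 750])
    return compare(tee, native, ref_ghz=3.0)


if __name__ == "__main__":
    r = example()
    print(f"{r['config']}: {r['tee_mean']:.0f} ± {r['tee_ci']:.1f} ops/s vs "
          f"native {r['native_mean']:.0f} ± {r['native_ci']:.1f} ops/s "
          f"-> {100 * (1 - r['relative_throughput']):.1f}% slower")
```

Without the frequency step the constructed TEE run would look 25% slower than native; after rescaling both to 3.0 GHz the gap is 10%, which is the kind of distortion the normalization in the paper is meant to remove when SGX, SEV and TDX hosts run at different clocks. The interval half-widths make clear whether such a gap is larger than run-to-run noise.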

Abstract

Protection of data-in-use is a key priority, for which Trusted Execution Environment (TEE) technology has unarguably emerged as a promising, possibly the most promising, solution. Multiple server-side TEE offerings have been released over the years, exhibiting substantial differences with respect to several aspects. The first to arrive was Intel SGX, which featured process-based TEE protection, an efficient yet difficult-to-use approach. Some SGX limitations were (partially) overcome by runtimes, notably Gramine, Scone, and Occlum. A major paradigm shift was later brought by AMD SEV, with VM-based TEE protection, which enabled lift-and-shift deployment of legacy applications. This new paradigm has been implemented by Intel only recently, in TDX. While the threat model of the aforementioned TEE solutions has been widely discussed, a thorough performance comparison is still lacking in the literature. This paper provides a comparative evaluation of TDX, SEV, Gramine-SGX, and Occlum-SGX. We study computational overhead and resource usage under different operational scenarios, using a diverse suite of legacy applications. By doing so, we provide a reliable performance assessment under realistic conditions. We explicitly emphasize that, at the time of writing, TDX was not yet available to the public. Thus, the evaluation of TDX is a unique feature of this study.

Paper Structure (22 sections, 1 equation, 11 figures)

Figures (11)

  • Figure 1: Trust boundaries of current TEE offerings
  • Figure 2: Process-based vs VM-based TEE
  • Figure 3: Experimental Setup
  • Figure 4: Redis Performance -- Throughput vs Latency
  • Figure 5: Vault Performance -- Throughput vs Latency
  • ...and 6 more figures