CCxTrust: Confidential Computing Platform Based on TEE and TPM Collaborative Trust
Ketong Shang, Jiangnan Lin, Yu Qin, Muyan Shen, Hongzhan Ma, Wei Feng, Dengguo Feng
TL;DR
CCxTrust introduces a collaborative root of trust framework that unites TEE and TPM to eliminate trust gaps in confidential cloud computing. By independently measuring RTMs for TEE and TPM, jointly producing an RTR, and managing storage trust via RTS in TPM, the platform enables user-controlled, cross-platform attestation and secure inter-node collaboration. The Confidential TPM (CTPM) and a composite attestation protocol extend secure TPM usage into confidential-Virtual Machines, achieving improved attestation efficiency and scalable security for large clusters. Prototype results on AMD SEV-SNP show feasible performance with modest overhead, validating the approach for secure data sharing and multi-party confidential computing across heterogeneous clouds.
Abstract
Confidential Computing has emerged to address data security challenges in cloud-centric deployments by protecting data in use through hardware-level isolation. However, reliance on a single hardware root of trust (RoT) limits user confidence in cloud platforms, especially for high-performance AI services, where end-to-end protection of sensitive models and data is critical. Furthermore, the lack of interoperability and a unified trust model in multi-cloud environments prevents the establishment of a cross-platform, cross-cloud chain of trust, creating a significant trust gap for users with high privacy requirements. To address the challenges mentioned above, this paper proposes CCxTrust (Confidential Computing with Trust), a confidential computing platform leveraging collaborative roots of trust from TEE and TPM. CCxTrust combines the black-box RoT embedded in the CPU-TEE with the flexible white-box RoT of TPM to establish a collaborative trust framework. The platform implements independent Roots of Trust for Measurement (RTM) for TEE and TPM, and a collaborative Root of Trust for Report (RTR) for composite attestation. The Root of Trust for Storage (RTS) is solely supported by TPM. We also present the design and implementation of a confidential TPM supporting multiple modes for secure use within confidential virtual machines. Additionally, we propose a composite attestation protocol integrating TEE and TPM to enhance security and attestation efficiency, which is proven secure under the PCL protocol security model. We implemented a prototype of CCxTrust on a confidential computing server with AMD SEV-SNP and TPM chips, requiring minimal modifications to the TPM and guest Linux kernel. The composite attestation efficiency improved by 24% without significant overhead, while Confidential TPM performance showed a 16.47% reduction compared to standard TPM.