Confidential Computing & TEEs
Confidential Computing is the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment (TEE).
What is a TEE?
A Trusted Execution Environment (TEE), or Enclave, is a secure area of a main processor. It guarantees that code and data loaded inside are protected with respect to confidentiality and integrity.
Key properties include: - Data-in-use encryption: Memory used by the enclave is encrypted. - Isolation: The OS, Hypervisor, and other processes cannot peek inside the TEE. - Attestation: The hardware provides a cryptographic proof that a specific piece of code is running on genuine hardware.
Why TEEs Matter for AI
Traditional AI deployments have a trust problem:
| Scenario | Without TEE | With TEE |
|---|---|---|
| Data privacy | You must trust the operator won't log your data | Hardware guarantees data isolation |
| Model integrity | You must trust the model hasn't been modified | Cryptographic hash proves exact code running |
| Guardrail enforcement | You must trust safety checks are enabled | Attestation proves auditors are active |
| Geographic compliance | You must trust data stays in-region | Hardware proves execution location |
With TEEs, you don't need to trust — you can verify.
Supported Hardware
Lucid supports the following TEE technologies:
| Technology | Vendor | Cloud Availability |
|---|---|---|
| Intel TDX | Intel | Azure, GCP |
| AMD SEV-SNP | AMD | Azure, AWS, GCP |
| AWS Nitro Enclaves | AWS | AWS |
| Intel SGX | Intel | Azure (legacy) |
All provide similar security guarantees but differ in implementation details. Lucid abstracts these differences, allowing you to deploy to any supported platform.
Attestation in Lucid
Lucid leverages remote attestation to provide users with an AI Passport. This passport contains:
- Hardware Quote: Proof it's a real TEE (e.g., Intel TDX, AMD SEV-SNP, AWS Nitro).
- Software Measurement (MRENCLAVE): A hash of the exact code running.
- Public Key: Used to verify subsequent results signed by the enclave.
Attestation Flow
sequenceDiagram
participant User
participant Lucid Verifier
participant TEE Enclave
participant Hardware Root of Trust
User->>Lucid Verifier: Request AI Passport
Lucid Verifier->>TEE Enclave: Request attestation report
TEE Enclave->>Hardware Root of Trust: Generate signed quote
Hardware Root of Trust-->>TEE Enclave: Signed attestation
TEE Enclave-->>Lucid Verifier: Attestation report + measurements
Lucid Verifier->>Hardware Root of Trust: Verify signature chain
Hardware Root of Trust-->>Lucid Verifier: Verification result
Lucid Verifier-->>User: AI Passport (if valid)What Gets Attested?
| Component | Measurement | What It Proves |
|---|---|---|
| Model | Hash of model weights | Model hasn't been tampered with |
| Auditors | Hash of auditor code | Exact safety checks running |
| Runtime | Hash of execution environment | No malicious code injection |
| Configuration | Hash of policy config | Correct settings applied |
Verifying Attestation
You can verify TEE attestation using the CLI:
# Verify a specific environment
lucid verify environment env-abc123
# Check attestation details
lucid passport show pass-001 --attestation
Or programmatically:
import requests
# Fetch AI Passport
response = requests.get("https://verifier.lucid.sh/v1/passports/pass-001")
passport = response.json()
# Check attestation status
if passport["hardware_attested"]:
print(f"TEE Type: {passport['tee_type']}")
print(f"Measurement: {passport['mrenclave']}")
else:
print("Warning: Not hardware attested")
Serverless Mode
In serverless mode, Lucid manages shared TEE resource pools. The same hardware-backed security guarantees apply — TEE memory encryption and attestation verification ensure equivalent isolation to dedicated deployments. See the Deployment Modes guide for details on getting started with serverless.
Mock Mode
Since TEE hardware is specialized and not available on most development machines, Lucid provides a Mock Mode for local development. It simulates the attestation handshake using software-based keys, allowing you to build and test your logic before deploying to cloud infrastructure.
Enabling Mock Mode
Mock mode is enabled via the TEE_PROVIDER=MOCK environment variable on the operator:
# Create a local Kind cluster for development
kind create cluster --name lucid-dev
# Deploy your environment (mock TEE is auto-detected for local clusters)
lucid apply -f environment.yaml -y
Mock vs Production
| Aspect | Mock Mode | Production |
|---|---|---|
| Attestation | Software-simulated | Hardware-backed |
| Security | Development only | Full security guarantees |
| AI Passport | hardware_attested: false |
hardware_attested: true |
| Use case | Local testing | Production deployments |
Never use Mock Mode in production
Mock mode provides no security guarantees. It exists solely for development and testing workflows.
Security Guarantees
What TEEs Protect Against
- Malicious cloud operators: Even the cloud provider cannot read enclave memory
- Compromised hypervisors: The hypervisor cannot access TEE data
- Memory attacks: Enclave memory is encrypted in hardware
- Tampering: Any code modification is detected via measurements
What TEEs Don't Protect Against
- Side-channel attacks: Some timing/power analysis attacks may be possible (mitigated in newer hardware)
- Bugs in enclave code: TEEs protect the environment, not the application logic
- Denial of service: An attacker can prevent the enclave from running (but not read its data)
Further Reading
- Architecture Overview — How TEEs fit into the Lucid platform
- Glossary — Definitions of TEE-related terms
- RATS RFC 9334 — Remote ATtestation procedureS standard