
Confidential Computing Infrastructure

A design that does not assume the cloud trust model. All adversaries are explicitly defined.

This design does not assume the traditional cloud trust model. It explicitly defines untrusted entities and eliminates them from the trust boundary.

Defined Adversaries

All of the above are assumed to be fully compromised. This system does not rely on software-based access control. Runtime memory is encrypted by hardware, and decryption keys never leave the CPU boundary.

1. Physical Layer: AMD SEV-SNP

Each VM is assigned an independent memory encryption key generated in hardware. All memory access is transparently encrypted at all times. The hypervisor has no access to decryption keys, so a memory dump taken from the host contains only ciphertext and no meaningful information.

As a result, the following are not possible from the host side: tampering with guest memory, replaying stale page contents, and substituting one guest page for another.

2. Root of Trust: vTPM

The vTPM is not a key store. It is an anchor that binds cryptographic material to system integrity. Measurements taken during the boot process are recorded in the TPM. Unless these measurements match expected values, keys cannot be retrieved.

3. Attestation: External Verification

At boot, a hardware-signed attestation report is generated. This report lets an external verifier confirm that the workload is running on genuine hardware, that the firmware is in a trusted state, and that the system was initialized without tampering. Until that verification has completed, no keys are released to the system.

4. Clone Resistance

VM snapshots and disk copies are ineffective. TPM secrets are not transferable, measurements do not match, and attestation fails. A copied VM may boot, but it cannot operate.
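The release gate described in sections 2 through 4, as an added example that is not part of the original note: a boot chain is measured with TPM-style PCR extends, the hardware side signs the measurement together with a verifier-supplied nonce, and the verifier hands over a sealed secret only when signature, freshness and measurement all check out. The signing key, secret, component names and HMAC signature are constructed stand-ins; a real SEV-SNP report is signed with a per-chip asymmetric key and verified against the vendor's certificate chain.

```python
import hashlib
import hmac
import os

# Constructed stand-ins: the "hardware" signing key and the secret that is
# only released to a machine in the expected state.
HW_SIGNING_KEY = b"constructed-hardware-key"
SEALED_SECRET = b"constructed-disk-encryption-key"

def extend(pcr: bytes, component: bytes) -> bytes:
    # TPM 2.0 PCR extend: PCR' = H(PCR || H(component)); order matters.
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    # Every boot stage is folded into one PCR that starts at all zeros.
    pcr = bytes(32)
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def make_report(components, nonce: bytes, key: bytes = HW_SIGNING_KEY) -> dict:
    # Hardware side: binds the measurement to the verifier's nonce so an
    # old report cannot be replayed. HMAC stands in for the chip signature.
    pcr = measure_boot(components)
    sig = hmac.new(key, nonce + pcr, hashlib.sha256).digest()
    return {"nonce": nonce, "pcr": pcr, "sig": sig}

def verify_and_release(report: dict, nonce: bytes, expected_pcr: bytes):
    # External verifier: signature, then freshness, then measurement.
    # Any failure means no key; the VM may boot but cannot operate.
    msg = report["nonce"] + report["pcr"]
    expected_sig = hmac.new(HW_SIGNING_KEY, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(report["sig"], expected_sig):
        return None  # not signed by the genuine hardware (e.g. a cloned vTPM)
    if not hmac.compare_digest(report["nonce"], nonce):
        return None  # stale or replayed report
    if not hmac.compare_digest(report["pcr"], expected_pcr):
        return None  # firmware, kernel or config differs from the golden image
    return SEALED_SECRET

GOLDEN_BOOT = [b"firmware-v1", b"kernel-v5.15", b"initrd-abc"]  # constructed
GOLDEN_PCR = measure_boot(GOLDEN_BOOT)

def demo():
    # Returns (trusted boot, patched kernel, replayed report, cloned identity).
    n = os.urandom(16)
    good = verify_and_release(make_report(GOLDEN_BOOT, n), n, GOLDEN_PCR)
    patched = [b"firmware-v1", b"kernel-patched", b"initrd-abc"]
    bad = verify_and_release(make_report(patched, n), n, GOLDEN_PCR)
    old = verify_and_release(make_report(GOLDEN_BOOT, os.urandom(16)), n, GOLDEN_PCR)
    clone = verify_and_release(make_report(GOLDEN_BOOT, n, key=b"clone"), n, GOLDEN_PCR)
    return good, bad, old, clone
```

Only the first case in demo() yields the secret; swapping the order of two components also changes the PCR, which is why measurement order is part of the policy.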

5. Software Layer

The binary is not designed to be readable. It is designed to increase the cost of analysis. Symbols are removed. Strings are not stored in plaintext. Control flow is non-trivial to follow. Attaching a debugger triggers immediate termination.

However, this is not the primary defense. The primary defense resides in hardware.

Conclusion

Under this architecture: root privileges provide no access to data, the hypervisor is rendered ineffective, snapshots have no value, cloned environments cannot operate.

In other words, the cloud does not need to be trusted. This is the core property.
