Toward Process-Level TEEs with OS Compatibility and Minimal TCB

概要

This paper introduces a new trusted execution environment (TEE) abstraction called a Confidential Process, which aims to combine the strong compatibility of confidential virtual machines (CVMs) with the minimal trusted computing base (TCB) of enclave-based TEEs. By confining only a single user-level process within the TEE and securely delegating system calls to an untrusted host OS, Confidential Processes allow unmodified applications to run securely without including the OS kernel in the TCB. The prototype, implemented on AMD SEV-SNP, demonstrates the practicality of this approach while identifying data copying overhead as the main performance bottleneck to be optimized in future work.

参照

Guojun Wu, Keisuke Iida, Satoru Takekoshi, and Takahiro Shinagawa. Toward Process-Level TEEs with OS Compatibility and Minimal TCB. In 30th ACM Symposium on Operating Systems Principles, Oct, 2025. .