Narrowing the Gap between TEEs Threat Model and Deployment Strategies
Filip Rezabek, Jonathan Passerat-Palmbach, Moe Mahhouk, Frieder Erdmann, Andrew Miller

TL;DR
This paper examines the gap between TEE threat models and deployment strategies for Confidential Virtual Machines, emphasizing the need for end-to-end security assurances and proposing extensions to improve attestation and trust.
Contribution
It identifies the misalignment in TEE threat models and proposes extensions to attestation mechanisms to better bind CVMs with their hosting infrastructure.
Findings
Current TEE attestation reports do not identify the operator hosting the CVM
Variability in TEE implementations complicates attestation
Proposed extensions can improve security and trustworthiness
Abstract
Confidential Virtual Machines (CVMs) provide isolation guarantees for data in use, but their threat model excludes physical attacks and side-channel attacks. Therefore, current deployments rely on trusted cloud providers to host the CVMs' underlying infrastructure. However, TEE attestations do not provide information about the operator hosting a CVM. Without knowing whether a Trusted Execution Environment (TEE) runs within a provider's infrastructure, a user cannot accurately assess the risks of physical attacks. We observe a misalignment in the threat model: workloads are protected against other tenants, but they do not offer end-to-end security assurances to external users without relying on cloud providers. The attestation should be extended to bind the CVM to the provider. A possible solution can rely on the Protected Platform Identifier (PPID), a unique CPU…
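The following is an added illustration of the verification gap the abstract describes; it is not code from the paper. It assumes a simplified attestation report with a measurement and a per-platform identifier (the field name `platform_id` and the report layout are constructed assumptions), a policy holding the expected measurement, and a provider-published set of platform identifiers that the chosen operator actually runs. The vendor's signature over the report and the provider's signature over its platform list are assumed to have been checked already and are not modelled. The baseline check is what a relying party can do today: it accepts any genuine TEE running the expected workload regardless of who hosts it. The extended check additionally requires the platform to belong to the chosen provider.

```python
"""Verifier-side illustration of binding a CVM attestation to its hosting provider.

Added example, not the paper's code. The report fields, the policy and the
provider's platform list are constructed assumptions. In a real verifier the
vendor signature on the report and the provider's signature on the platform
list would be checked first; both steps are omitted here.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class AttestationReport:
    measurement: str            # hash of the launched CVM image (hex), assumed field
    platform_id: Optional[str]  # per-platform identifier such as a PPID (hex), assumed field
    vendor_sig_ok: bool         # stand-in for "vendor attestation signature verified"


@dataclass(frozen=True)
class Policy:
    expected_measurement: str   # the only workload the relying party accepts


def verify_baseline(report: AttestationReport, policy: Policy) -> bool:
    """What current attestation answers: genuine TEE running the expected image.

    Note that nothing here says anything about who operates the hardware.
    """
    return report.vendor_sig_ok and report.measurement == policy.expected_measurement


def verify_with_host_binding(
    report: AttestationReport,
    policy: Policy,
    provider_platform_ids: FrozenSet[str],
) -> bool:
    """Extended check: baseline plus the platform must be one the provider operates.

    A report with no platform identifier cannot be bound and is rejected; an
    identifier outside the provider's list means the CVM may run on hardware
    the relying party has no physical-security assurance about.
    """
    if not verify_baseline(report, policy):
        return False
    if report.platform_id is None:
        return False
    return report.platform_id in provider_platform_ids


# Constructed sample data (not real measurements or identifiers)
POLICY = Policy(expected_measurement="4f" * 32)

# Platform identifiers the provider publishes for the machines it operates (constructed)
PROVIDER_PLATFORMS: FrozenSet[str] = frozenset({"aa" * 16, "bb" * 16})

# Same workload, hosted on one of the provider's platforms
REPORT_ON_PROVIDER = AttestationReport(
    measurement="4f" * 32, platform_id="aa" * 16, vendor_sig_ok=True
)
# Same workload, genuine TEE, but on hardware the provider does not list
REPORT_UNKNOWN_HOST = AttestationReport(
    measurement="4f" * 32, platform_id="cc" * 16, vendor_sig_ok=True
)
# Report that omits the identifier entirely
REPORT_NO_PLATFORM_ID = AttestationReport(
    measurement="4f" * 32, platform_id=None, vendor_sig_ok=True
)
# Wrong workload on a provider platform
REPORT_BAD_MEASUREMENT = AttestationReport(
    measurement="00" * 32, platform_id="aa" * 16, vendor_sig_ok=True
)


if __name__ == "__main__":
    for name, rep in [
        ("on provider", REPORT_ON_PROVIDER),
        ("unknown host", REPORT_UNKNOWN_HOST),
        ("no platform id", REPORT_NO_PLATFORM_ID),
        ("bad measurement", REPORT_BAD_MEASUREMENT),
    ]:
        print(
            f"{name:16s} baseline={verify_baseline(rep, POLICY)!s:5s} "
            f"host-bound={verify_with_host_binding(rep, POLICY, PROVIDER_PLATFORMS)}"
        )
```

The point the example makes is that the baseline check accepts both the report from the provider's platform and the report from the unknown host, because the measurement and the vendor signature are identical in both cases; only the host-binding check separates them. Whatever identifier is used for the binding, the verifier also needs an authenticated and fresh copy of the provider's platform list, otherwise an attacker who controls the hardware can simply publish their own.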
Taxonomy
Topics: Information Technology Governance and Strategy
