Sharing is caring: Attestable and Trusted Workflows out of Distrustful Components

TL;DR

Mica is a confidential computing architecture that enhances security in TEEs by enabling explicit, attestable control over communication paths between components, addressing trust issues in modern cloud workloads.

Contribution

Mica introduces a novel architecture with a policy language for attesting and controlling component communication in TEEs, requiring minimal changes to existing trusted computing bases.

Findings

Supports realistic cloud pipelines with minimal trusted base increase

Provides strong, attestable confidentiality guarantees

Enables explicit control over communication paths

Abstract

Confidential computing protects data in use within Trusted Execution Environments (TEEs), but current TEEs provide little support for secure communication between components. As a result, pipelines of independently developed and deployed TEEs must trust one another to avoid the leakage of sensitive information they exchange -- a fragile assumption that is unrealistic for modern cloud workloads. We present Mica, a confidential computing architecture that decouples confidentiality from trust. Mica provides tenants with explicit mechanisms to define, restrict, and attest all communication paths between components, ensuring that sensitive data cannot leak through shared resources or interactions. We implement Mica on Arm CCA using existing primitives, requiring only modest changes to the trusted computing base. Our extension adds a policy language to control and attest communication paths among Realms and with the untrusted world via shared protected and unprotected memory and control transfers. Our evaluation shows that Mica supports realistic cloud pipelines with only a small increase to the trusted computing base while providing strong, attestable confidentiality guarantees.