This matrix provides an overview of key terms related to Confidential Computing, their definitions, and references for further exploration. It aims to clarify terminology and reduce confusion across different technology stacks.
| Term | Definition (Summarized) | Linked Resources | Underspecified? |
|---|---|---|---|
| Confidential Computing | The protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment. | CCC | No |
| Confidential Payload | A set of code and data specifically designed to be executed within Trusted Execution Environments (TEEs) while maintaining strict confidentiality and integrity. | No | |
| Workload Identity | Unique identity assigned to software workloads for authentication and access management across services and resources. | Microsoft Learn, | Yes, different usages across cloud providers (Microsoft, AWS, Google Cloud). |
| Remote Attestation | A process whereby a system produces information about itself (typically cryptographically-backed) and another party verifies that information, allowing decisions to be made about what types of trust relationships are appropriate to the first system. | IETF RFC 9334, CCC Blog | No |
| Enclave | CCC does not currently support this definition as it's not industry wide. | No | |
| TEE (Trusted Execution Environment) | An environment that provides a level of assurance of data confidentiality, integrity, and code integrity by preventing unauthorized entities from viewing, altering, or tampering with data and code in use within the TEE. | CCC | No |
| TCB (Trusted Computing Base) | A set of components that can be known and defined, evaluated and verified by a trusting party or its agents, expected to continue in the same state, and used as the foundation for other services or systems. This represents the critical security components including hardware, firmware, and software. | Wikipedia, Bursell, Mike (2021) Trust in Computer Systems and the Cloud, NIST, Microsoft Azure | Yes, broad in tech, with variations in trust relationships and confidential computing contexts. |
| Memory Isolation | Security feature preventing unauthorized access to data in memory. | Microsoft Azure | Yes, common in computing |
| Measurements | Process of assessing the state of a system or components to ensure integrity. | NIST | Yes, varies in context. Assistance needed in good definition for this. |
| Root of Trust | A static component in a system whereby an endorsing authority allows trustors to assume trust in the system in which the anchor is contained. Trust in the root of trust is assumed, based on the endorsing authority, rather than derived. | Wikipedia on Trust Anchor, Bursell, Mike (2021) Trust in Computer Systems and the Cloud | No, but distinct from a trust anchor. |
| Attestation Verification Service | Services that verify the integrity and authenticity of attestations in secure computing environments, playing a critical role in establishing trust. | Azure Attestation, Red Hat on Confidential Computing, Veraison Project on GitHub | Yes, application varies across technology stacks (e.g., Azure Confidential Computing, TPM-based systems, and broader confidential computing scenarios). |
The terminology matrix aims to clarify and standardize terms within the realm of Confidential Computing. It acknowledges the diverse application of these terms across different technologies and seeks to reduce confusion by providing clear definitions and resources for further exploration.
We actively welcome contributions to this matrix to keep it current and comprehensive. If you have suggestions or additional terms to include, please submit a pull request for or open an issue.