Confidential Computing has emerged to address data security challenges in cloud-centric deployments by protecting data in use through hardware-level isolation. However, reliance on a single hardware root of trust (RoT) limits user confidence in cloud platforms, especially for high-performance AI services, where end-to-end protection of sensitive models and data is critical. Furthermore, the lack of interoperability and a unified trust model in multi-cloud environments prevents the establishment of a cross-platform, cross-cloud chain of trust, creating a significant trust gap for users with high privacy requirements. To address the challenges mentioned above, this paper proposes CCxTrust (Confidential Computing with Trust), a confidential computing platform leveraging collaborative roots of trust from TEE and TPM. CCxTrust combines the black-box RoT embedded in the CPU-TEE with the flexible white-box RoT of TPM to establish a collaborative trust framework. The platform implements independent Roots of Trust for Measurement (RTM) for TEE and TPM, and a collaborative Root of Trust for Report (RTR) for composite attestation. The Root of Trust for Storage (RTS) is solely supported by TPM. We also present the design and implementation of a confidential TPM supporting multiple modes for secure use within confidential virtual machines. Additionally, we propose a composite attestation protocol integrating TEE and TPM to enhance security and attestation efficiency, which is proven secure under the PCL protocol security model. We implemented a prototype of CCxTrust on a confidential computing server with AMD SEV-SNP and TPM chips, requiring minimal modifications to the TPM and guest Linux kernel. The composite attestation efficiency improved by 24% without significant overhead, while Confidential TPM performance showed a 16.47% reduction compared to standard TPM.
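The composite attestation the abstract describes pairs a report from the CPU-TEE root of trust with a quote from the TPM root of trust, and a verifier must check that both are fresh and refer to the same confidential VM. The following Python simulation is an added example, not code from the CCxTrust paper or prototype; its binding construction (the TEE report's user data commits to the verifier nonce and the TPM attestation key identity) and its HMAC stand-ins for the hardware signing keys are assumptions made for illustration, and the sample nonce, measurement and PCR values are constructed. It also exercises three cases a composite verifier has to reject: a replayed quote, a quote from a different TPM paired with the report, and PCR values edited after signing.

```python
import hashlib
import hmac
import json

# Constructed stand-in keys. Real hardware uses asymmetric signing keys with
# certificate chains (the CPU vendor's report-signing key, the TPM's
# attestation key); HMAC is used here only so the example runs offline.
TEE_ROOT_KEY = b"constructed-tee-root-of-trust-key"
TPM_AK_KEYS = {  # ak_id -> key, standing in for AK certs chained to a trusted TPM vendor
    hashlib.sha256(b"constructed-tpm-A-ak-public").hexdigest(): b"constructed-tpm-A-ak-key",
    hashlib.sha256(b"constructed-tpm-B-ak-public").hexdigest(): b"constructed-tpm-B-ak-key",
}
TPM_A, TPM_B = sorted(TPM_AK_KEYS)

# Constructed sample values so the block runs stand-alone
SAMPLE_NONCE = "00112233445566778899aabbccddeeff"
SAMPLE_MEASUREMENT = hashlib.sha256(b"constructed-guest-firmware-and-kernel").hexdigest()
SAMPLE_PCRS = {"0": hashlib.sha256(b"constructed-pcr0").hexdigest(),
               "7": hashlib.sha256(b"constructed-pcr7").hexdigest()}


def _canon(obj) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, body: dict) -> str:
    return hmac.new(key, _canon(body), hashlib.sha256).hexdigest()


def _verify_sig(key: bytes, body: dict, sig: str) -> bool:
    return hmac.compare_digest(_sign(key, body), sig)


def binding_digest(nonce_hex: str, ak_id: str) -> str:
    """Assumed binding: the TEE report's user data commits to nonce || TPM AK id."""
    return hashlib.sha256(bytes.fromhex(nonce_hex) + bytes.fromhex(ak_id)).hexdigest()


def tee_report(nonce_hex: str, launch_measurement: str, ak_id: str) -> dict:
    """TEE RoT: signed launch measurement plus user data binding nonce and TPM AK."""
    body = {"measurement": launch_measurement,
            "report_data": binding_digest(nonce_hex, ak_id)}
    return {"body": body, "sig": _sign(TEE_ROOT_KEY, body)}


def pcr_digest(pcrs: dict) -> str:
    """Digest over the selected PCR values, in a fixed order."""
    h = hashlib.sha256()
    for idx in sorted(pcrs):
        h.update(bytes.fromhex(pcrs[idx]))
    return h.hexdigest()


def tpm_quote(ak_id: str, nonce_hex: str, pcrs: dict) -> dict:
    """TPM RoT: quote over selected PCRs with the nonce as qualifying data."""
    body = {"ak_id": ak_id, "nonce": nonce_hex,
            "pcr_digest": pcr_digest(pcrs), "pcrs": dict(pcrs)}
    return {"body": body, "sig": _sign(TPM_AK_KEYS[ak_id], body)}


def verify_composite(nonce_hex, report, quote, expected_measurement, expected_pcrs):
    """Verifier: accept only if both RoTs attest freshly and are bound to each other."""
    r, q = report["body"], quote["body"]
    if not _verify_sig(TEE_ROOT_KEY, r, report["sig"]):
        return False, "tee report signature invalid"
    ak_key = TPM_AK_KEYS.get(q["ak_id"])
    if ak_key is None:
        return False, "tpm attestation key not trusted"
    if not _verify_sig(ak_key, q, quote["sig"]):
        return False, "tpm quote signature invalid"
    if q["nonce"] != nonce_hex:
        return False, "tpm quote not fresh (nonce mismatch)"
    if r["report_data"] != binding_digest(nonce_hex, q["ak_id"]):
        return False, "tpm quote not bound to this tee report"
    if r["measurement"] != expected_measurement:
        return False, "unexpected tee launch measurement"
    if q["pcr_digest"] != pcr_digest(q["pcrs"]):
        return False, "pcr digest does not match pcr values"
    if q["pcrs"] != expected_pcrs:
        return False, "unexpected pcr values"
    return True, "ok"


def demo() -> dict:
    """Honest run plus three failure modes the composite check must reject."""
    report = tee_report(SAMPLE_NONCE, SAMPLE_MEASUREMENT, TPM_A)
    honest = tpm_quote(TPM_A, SAMPLE_NONCE, SAMPLE_PCRS)
    # Replay: a quote the same TPM produced for an earlier challenge
    stale = tpm_quote(TPM_A, "ff" * 16, SAMPLE_PCRS)
    # Substitution: a fresh, validly signed quote from a different trusted TPM
    other = tpm_quote(TPM_B, SAMPLE_NONCE, SAMPLE_PCRS)
    # Tampering: PCR value edited after the quote was signed
    tampered = tpm_quote(TPM_A, SAMPLE_NONCE, SAMPLE_PCRS)
    tampered["body"]["pcrs"]["7"] = "00" * 32
    args = (SAMPLE_MEASUREMENT, SAMPLE_PCRS)
    return {
        "honest": verify_composite(SAMPLE_NONCE, report, honest, *args),
        "replayed_quote": verify_composite(SAMPLE_NONCE, report, stale, *args),
        "substituted_tpm": verify_composite(SAMPLE_NONCE, report, other, *args),
        "tampered_pcr": verify_composite(SAMPLE_NONCE, report, tampered, *args),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:16s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The order of checks matters: signatures are verified first so that every later comparison is over authenticated fields, freshness is checked before binding so a replayed quote is rejected on its own, and the binding check is what stops a validly signed quote from another trusted TPM being combined with this VM's TEE report. In a real deployment the HMAC stand-ins become signature verification against the CPU vendor's and TPM vendor's certificate chains, and the expected measurement and PCR values come from the verifier's reference policy.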