Problem statement

Confidential computing technologies such as Intel TDX and AMD SNP rely on hardware-controlled Roots of Trust (RoT), inherently binding remote attestation to specific CPU vendors. While these solutions offer strong security guarantees, they also introduce challenges for enterprises seeking compliance, transparency, and independence in managing their Trusted Execution Environments (TEEs). This raises key questions:

Scenario

Consider a large enterprise deploying Intel TDX or AMD SNP servers, but with a requirement that the Root of Trust (RoT) be shared with a third-party authority—such as an internal certificate authority (CA) or an industry-wide trust anchor—to enable independent verification and operational flexibility. The goal is to retain the security benefits of TEEs while mitigating vendor lock-in.

Representative existing approaches

1. HyperEnclave

2. Azure vTPM

Our solution: Hybrid attestation with TPM and TEE integration

We propose a unified attestation framework that combines TEE-native reports (e.g., TDX/SNP attestation) with TPM-based quotes, enabling a shared RoT between hardware and third-party authorities.

Figure: unified attestation framework

This solution presents a hybrid root-of-trust attestation framework for confidential computing environments, integrating both hardware-based Trusted Execution Environments (TEEs) and Trusted Platform Modules (TPMs), while supporting flexible certificate authority (CA) management.

Workflow overview

1. Deployment (registration) phase

2. Runtime phase

3. Verification phase

4. Combined attestation approach

The architecture supports aggregation of TEE and TPM attestation evidence into a combined attestation report, providing trust guarantees for both hardware and software integrity. This hybrid approach lets enterprises manage root-of-trust anchors flexibly, improve transparency, and support independent verification by trusted third-party CAs. In addition, the solution offers significant cost advantages: the TPM hardware modules it requires are highly standardized, modular, and inexpensive, making the architecture both practical and economical for large-scale deployment.
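The following is an added example of the verification logic for such a combined report; it is not code from the original document or from the CoCo/trustee project. It assumes a binding scheme that the text above does not spell out: the guest places SHA-256(AK public key || verifier nonce) in the TEE report's ReportData, so the vendor-signed TEE evidence vouches for exactly one TPM attestation key and one attestation round. ECDSA P-256 keys stand in for the CPU vendor's signing key and the TPM AK, a plain CA signature over the AK public key stands in for an X.509 AK certificate, and all measurements and nonces are constructed values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// TEEReport is a simplified TDX/SNP-style report (constructed stand-in).
type TEEReport struct {
	Measurement [32]byte // launch measurement of the guest
	ReportData  [32]byte // caller-chosen data; here SHA-256(AK public key || nonce)
	Sig         []byte   // ASN.1 ECDSA signature by the vendor RoT key
}

// TPMQuote is a simplified TPM2_Quote (constructed stand-in).
type TPMQuote struct {
	PCRDigest [32]byte // digest over the selected PCRs
	Nonce     []byte   // verifier nonce carried as qualifying data
	Sig       []byte   // signature by the TPM attestation key (AK)
}

// CombinedReport aggregates both pieces of evidence plus the AK and its CA endorsement.
type CombinedReport struct {
	TEE   TEEReport
	TPM   TPMQuote
	AKPub []byte // PKIX DER of the AK public key
	AKEnd []byte // CA signature over AKPub (stands in for an X.509 AK certificate)
}

func teeDigest(r *TEEReport) []byte {
	h := sha256.New()
	h.Write(r.Measurement[:])
	h.Write(r.ReportData[:])
	return h.Sum(nil)
}

func quoteDigest(q *TPMQuote) []byte {
	h := sha256.New()
	h.Write(q.PCRDigest[:])
	h.Write(q.Nonce)
	return h.Sum(nil)
}

// bindingData is what the guest places in ReportData so the TEE evidence
// vouches for exactly this AK and this attestation round (assumed scheme).
func bindingData(akPub, nonce []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, akPub...), nonce...))
}

// Platform is the attesting machine: vendor RoT key (stand-in for the CPU's
// signing key), TPM AK, CA endorsement of the AK, and measured state.
type Platform struct {
	Vendor      *ecdsa.PrivateKey
	AK          *ecdsa.PrivateKey
	AKPub, AKEnd []byte
	Measurement [32]byte
	PCRDigest   [32]byte
}

// NewPlatform provisions a platform whose AK is endorsed by the third-party CA
// (the deployment/registration step).
func NewPlatform(ca *ecdsa.PrivateKey) (*Platform, error) {
	vendor, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	ak, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	akPub, err := x509.MarshalPKIXPublicKey(&ak.PublicKey)
	if err != nil { return nil, err }
	d := sha256.Sum256(akPub)
	end, err := ecdsa.SignASN1(rand.Reader, ca, d[:])
	if err != nil { return nil, err }
	return &Platform{Vendor: vendor, AK: ak, AKPub: akPub, AKEnd: end,
		Measurement: sha256.Sum256([]byte("constructed guest image v1")),
		PCRDigest:   sha256.Sum256([]byte("constructed PCR0..7 state"))}, nil
}

// Attest produces the combined report for a verifier-supplied nonce (runtime step).
func (p *Platform) Attest(nonce []byte) (*CombinedReport, error) {
	tee := TEEReport{Measurement: p.Measurement, ReportData: bindingData(p.AKPub, nonce)}
	sig, err := ecdsa.SignASN1(rand.Reader, p.Vendor, teeDigest(&tee))
	if err != nil { return nil, err }
	tee.Sig = sig
	q := TPMQuote{PCRDigest: p.PCRDigest, Nonce: nonce}
	if q.Sig, err = ecdsa.SignASN1(rand.Reader, p.AK, quoteDigest(&q)); err != nil { return nil, err }
	return &CombinedReport{TEE: tee, TPM: q, AKPub: p.AKPub, AKEnd: p.AKEnd}, nil
}

// Policy is the verifier's trust configuration: vendor RoT, enterprise CA, expected state.
type Policy struct {
	VendorPub, CAPub *ecdsa.PublicKey
	Measurement      [32]byte
	PCRDigest        [32]byte
}

// Verify checks both chains of trust and the binding between them (verification step).
func Verify(pol Policy, nonce []byte, r *CombinedReport) error {
	// 1. TEE evidence chains to the CPU vendor RoT and matches the expected image.
	if !ecdsa.VerifyASN1(pol.VendorPub, teeDigest(&r.TEE), r.TEE.Sig) {
		return errors.New("TEE report signature invalid")
	}
	if r.TEE.Measurement != pol.Measurement {
		return errors.New("TEE measurement does not match policy")
	}
	// 2. The AK is endorsed by the third-party CA, so the TPM chain is anchored outside the vendor.
	d := sha256.Sum256(r.AKPub)
	if !ecdsa.VerifyASN1(pol.CAPub, d[:], r.AKEnd) {
		return errors.New("AK not endorsed by trusted CA")
	}
	pk, err := x509.ParsePKIXPublicKey(r.AKPub)
	if err != nil { return err }
	akPub, ok := pk.(*ecdsa.PublicKey)
	if !ok { return errors.New("AK is not an ECDSA key") }
	// 3. The TPM quote is fresh, signed by that AK, and reports the expected PCR state.
	if !bytes.Equal(r.TPM.Nonce, nonce) {
		return errors.New("TPM quote nonce mismatch (possible replay)")
	}
	if !ecdsa.VerifyASN1(akPub, quoteDigest(&r.TPM), r.TPM.Sig) {
		return errors.New("TPM quote signature invalid")
	}
	if r.TPM.PCRDigest != pol.PCRDigest {
		return errors.New("PCR digest does not match policy")
	}
	// 4. Binding: without this check a valid quote from some other machine's TPM
	//    could be paired with this TEE report.
	if r.TEE.ReportData != bindingData(r.AKPub, nonce) {
		return errors.New("TEE report not bound to the TPM AK and nonce")
	}
	return nil
}

func main() {
	ca, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p, err := NewPlatform(ca)
	if err != nil { panic(err) }
	nonce := []byte("constructed-nonce-0001")
	rep, _ := p.Attest(nonce)
	pol := Policy{VendorPub: &p.Vendor.PublicKey, CAPub: &ca.PublicKey,
		Measurement: p.Measurement, PCRDigest: p.PCRDigest}
	fmt.Println("genuine report:", Verify(pol, nonce, rep))
	other, _ := NewPlatform(ca) // same CA, different TPM: binding check must fail
	mixed, _ := other.Attest(nonce)
	mixed.TEE = rep.TEE
	fmt.Println("swapped TPM   :", Verify(pol, nonce, mixed))
}
```

The verifier's Policy holds two independent anchors, the vendor public key and the enterprise CA public key, which is what makes the root of trust shared rather than vendor-only: the TEE report alone proves the CPU state, the TPM quote alone proves the platform state under a key the enterprise itself endorsed, and the ReportData binding is what turns the two into one statement about one machine.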

Implementation with Hygon CSV

The current solution has been developed and deployed in production on the Hygon CSV platform, where the first version already supports real-world applications. This implementation is based on the CoCo/trustee remote attestation framework, which provides the foundation for secure attestation and trust management. In addition, development is underway to extend support to AMD SNP and Intel TDX platforms, broadening the coverage of this hybrid attestation architecture.

Advantages of the combined approach