Understanding Threat Models and Their Role in Confidential Computing

Andreas Walbrodt

Background

In existing virtualization deployments, such as cloud hosting, a virtual machine needs to fully trust the hosting environment and system administrators for the security of any data stored by the machine. While a virtual machine could encrypt data at rest, there is little it can do to fully protect the runtime state (data in use). The hosting environment has the privilege to inspect and modify memory and CPU contexts, which can expose secret information during operation.

Confidential Computing (CC) significantly reduces the attack surface for data and applications in modern IT environments. It uses hardware-based techniques to isolate sensitive workloads. By encrypting data in all three states, at rest, in transit, and in use, it closes the gap that runtime state has traditionally left open. This lowers exposure to threats, but organizations must still consider residual risks and evaluate how they fit into enterprise risk management. Understanding threat models is key: they outline what remains vulnerable and guide the mitigation strategies you should adopt. This blog analyzes threat models, explains insights from AMD SEV-SNP and Intel TDX, compares their approaches, and shows why Confidential Computing adds value.

The Need for Trust Models in Virtualized Environments

Virtualized environments add layers of abstraction. They let cloud providers host many workloads on shared physical infrastructure. This raises security challenges because tenants rely on the provider’s software stack for protection. A compromised hypervisor or a malicious co-tenant can breach data, making legacy security models insufficient.

Hardware-based trust models, such as AMD SEV-SNP and Intel TDX, mitigate these risks. They let virtual machines operate securely even in untrusted environments. Cloud providers once focused on perimeter-based defenses, but attacks have become more sophisticated. Isolation at the workload level is now crucial. CC achieves this by creating execution environments that remain secure from privileged access. It restricts unauthorized code from viewing or modifying data in use. This approach also cuts down on attacks from malicious insiders and vulnerabilities in shared infrastructure.

AMD SEV-SNP Threat Model Analysis

AMD Secure Encrypted Virtualization–Secure Nested Paging (SEV-SNP) enhances VM security by adding memory encryption and integrity checks. The SEV-SNP threat model assumes only the AMD Secure Processor (AMD-SP) and the VM are trusted. Host system components, such as the BIOS, hypervisor, and management software, are not trusted. Other CPU software components and PCI devices are also untrusted (See Figure 1 below).

SEV-SNP protects VM memory using unique AES-256 keys per VM. This design blocks hypervisor access to plaintext memory. Integrity is safeguarded by the Reverse Map Table (RMP), which validates memory page ownership. This prevents unauthorized remapping, replay attacks, and memory corruption.
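The RMP ownership check described above, as an added toy model that is not AMD's code nor part of the original post: each system-physical page records its owning ASID, the guest-physical address it was assigned at, and a validated bit, and the checks show which accesses fault, namely a hypervisor write to a guest-owned page, a page presented at a different guest address (remapping), and a page the hypervisor re-assigned without the guest re-validating it (swap or replay). ASID 0 standing for the hypervisor and the entry layout are constructed assumptions, not the real RMP format.

```python
from dataclasses import dataclass
from typing import Optional

HYPERVISOR_ASID = 0  # constructed convention: ASID 0 stands for the hypervisor

class RmpViolation(Exception):
    """Raised where real SEV-SNP hardware would deliver an RMP fault."""

@dataclass
class RmpEntry:
    owner_asid: int = HYPERVISOR_ASID  # VM that owns this system-physical page
    gpa: Optional[int] = None          # guest-physical address it is assigned at
    validated: bool = False            # guest has accepted the page (PVALIDATE)

class RmpModel:
    def __init__(self, num_pages: int) -> None:
        self.entries = {n: RmpEntry() for n in range(num_pages)}  # one per page

    def assign(self, spa: int, asid: int, gpa: int) -> None:
        """Hypervisor assigns `spa` to guest `asid` at `gpa` (like RMPUPDATE); any
        such change clears `validated`, so a swapped or replayed page is noticed."""
        self.entries[spa] = RmpEntry(owner_asid=asid, gpa=gpa, validated=False)

    def validate(self, spa: int, asid: int) -> None:
        """Guest accepts a page assigned to it (like PVALIDATE)."""
        if self.entries[spa].owner_asid != asid:
            raise RmpViolation(f"ASID {asid} does not own page {spa}")
        self.entries[spa].validated = True

    def check_write(self, spa: int, asid: int, gpa: Optional[int] = None) -> bool:
        """Return True if `asid` may write `spa` at `gpa`, else raise RmpViolation."""
        entry = self.entries[spa]
        if asid == HYPERVISOR_ASID:
            if entry.owner_asid != HYPERVISOR_ASID:
                raise RmpViolation(f"hypervisor write to guest-owned page {spa}")
            return True
        if entry.owner_asid != asid:
            raise RmpViolation(f"page {spa} belongs to ASID {entry.owner_asid}")
        if not entry.validated:
            raise RmpViolation(f"page {spa} not validated: possible swap or replay")
        if gpa is not None and entry.gpa != gpa:
            raise RmpViolation(f"page {spa} assigned at GPA {entry.gpa:#x}, not {gpa:#x}")
        return True

def faults(op, *args, **kwargs) -> bool:  # True if the access would take an RMP fault
    try:
        op(*args, **kwargs)
        return False
    except RmpViolation:
        return True
```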

To strengthen protection, SEV-SNP offers:

  • Guest Owner Policy Enforcement (GOPE): Only the VM’s owner can modify its memory.
  • Nested Paging Protection: Restricts memory access from untrusted components.

Despite these features, not all threats are neutralized. Physical attacks, such as direct memory access (DMA) attacks, remain possible. Side-channel attacks (such as timing or power analysis) also remain a risk. In addition, a hypervisor can still cause denial-of-service (DoS) by not scheduling CPU cycles or allocating insufficient resources.

Intel TDX Threat Model Analysis

Intel Trust Domain Extensions (TDX) introduce Trust Domains (TDs) to isolate VMs from the host using hardware enforcement. The TDX threat model assumes that only the Intel TDX Module, Secure Arbitration Mode (SEAM) Loader, and CPU hardware are trusted. The BIOS, System Management Mode (SMM), and Virtual Machine Monitor (VMM) are untrusted.

TDX protects VM data with Total Memory Encryption – Multi-Key (TME-MK). Each TD has a separate encryption key, which blocks hypervisor or host OS access to plaintext data. Intel TDX also includes attestation, letting users confirm the runtime environment’s integrity before deploying sensitive workloads.

Further TDX protections include:

  • Virtual Machine Control Structure (VMCS) shadowing: Guards TD execution state from unauthorized changes.
  • Secure Event Reporting: Provides logging of security events within the TD.

TDX faces residual risks. The complexity of its initialization exposes potential attack vectors if the SEAM loader is compromised. Speculative execution vulnerabilities, including Spectre and Meltdown, remain a concern and demand additional mitigations.
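The attestation step described in this section, as an added illustration that is neither Intel's code nor part of the original post: a relying party recomputes RTMR0 from the event log it expects (SHA-384 extend, as TDX runtime measurement registers use) and refuses to release secrets to a TD whose measurements, DEBUG attribute, or nonce do not match. The quote layout, the DEBUG bit position, the MRTD stand-in, and the event log are constructed assumptions; a real verifier first checks the quote's signature chain back to Intel, which is omitted here.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Set

DEBUG_ATTR = 1 << 0  # assumed bit position of the TD DEBUG attribute in this toy quote

def measure(image: bytes) -> bytes:
    """Stand-in for MRTD: a SHA-384 over the TD's initial image (constructed)."""
    return hashlib.sha384(image).digest()

def extend(rtmr: bytes, digest: bytes) -> bytes:
    """Extend a runtime measurement register: new = SHA-384(old || digest)."""
    return hashlib.sha384(rtmr + digest).digest()

def replay_event_log(events: List[bytes]) -> bytes:
    """Recompute an RTMR from its event log, starting from the all-zero register."""
    rtmr = bytes(48)
    for event in events:
        rtmr = extend(rtmr, hashlib.sha384(event).digest())
    return rtmr

@dataclass
class TdQuote:  # constructed, simplified stand-in for a TDX quote body
    mrtd: bytes         # measurement of the TD's initial contents
    rtmr0: bytes        # runtime measurement register 0 (boot-time events)
    attributes: int     # TD attribute bits
    report_data: bytes  # caller-chosen data, used to carry the verifier's nonce

@dataclass
class Policy:
    allowed_mrtd: Set[bytes]            # approved TD builds
    expected_rtmr0_events: List[bytes]  # event log the verifier expects
    nonce: bytes                        # fresh value sent when the quote was requested

def verify(quote: TdQuote, policy: Policy) -> List[str]:
    """Return the policy failures; an empty list means the TD may receive secrets."""
    failures = []
    if quote.mrtd not in policy.allowed_mrtd:
        failures.append("unknown MRTD: TD image is not an approved build")
    if quote.rtmr0 != replay_event_log(policy.expected_rtmr0_events):
        failures.append("RTMR0 mismatch: boot-time event log differs from expected")
    if quote.attributes & DEBUG_ATTR:
        failures.append("DEBUG attribute set: host could inspect TD memory")
    if quote.report_data[:len(policy.nonce)] != policy.nonce:
        failures.append("nonce mismatch: quote is stale or replayed")
    return failures
```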

Comparing AMD SEV-SNP and Intel TDX

Both SEV-SNP and TDX aim to achieve the same goal—secure workload isolation—but their approaches differ in key areas. SEV-SNP relies on AES-256 encryption and the Reverse Map Table for memory protection, while TDX utilizes TME-MK and memory poisoning detection to prevent unauthorized access and tampering.

SEV-SNP integrates directly with the AMD Secure Processor to manage encryption keys and enforce memory protection policies, whereas Intel TDX uses the SEAM Loader to establish a secure execution environment. Additionally, while SEV-SNP focuses on memory encryption and validation, TDX places greater emphasis on attestation, allowing for more robust verification of the environment's integrity. The detailed comparison can be seen in the table below.

Despite these differences, both technologies share common principles, such as minimizing trust in the hypervisor and using hardware-backed isolation to protect runtime data. However, their effectiveness against emerging threats such as side-channel attacks and firmware exploits continues to be a challenge.

Table 1: AMD SEV-SNP and Intel TDX Comparison

Why Confidential Computing Matters

Confidential Computing significantly reduces the attack surface for data and applications by providing strong isolation from the host environment. Traditional security measures focus on protecting data at rest and in transit, but they often leave data exposed during processing. CC ensures that data remains encrypted and inaccessible even when actively processed, limiting the exposure to potential attackers within the cloud environment.

Confidential Computing is a key technology for modern IT environments, supported by major hardware providers such as Intel and AMD. These companies have integrated CC features into their processors through technologies like Intel TDX and AMD SEV-SNP, allowing businesses to benefit from hardware-enforced security guarantees.

One of the primary benefits of Confidential Computing is the reduction of trust assumptions. As seen in the explanation above, cloud customers no longer need to fully trust their cloud service providers, administrators, or co-tenants, as the underlying hardware-based protections ensure the confidentiality and integrity of their workloads. This enables businesses to move sensitive workloads to the cloud with greater confidence.

However, while CC offers substantial security improvements, it does not eliminate all risks. Enterprises need to remain aware of residual threats, including:

  • Side-Channel Attacks: Techniques such as cache timing attacks and speculative execution vulnerabilities, which can still be exploited to infer sensitive information.
  • Physical Attacks: Attackers with physical access to hardware could attempt to bypass security measures, though this is a more complex threat scenario.
  • Software Vulnerabilities: Even with encrypted memory, vulnerabilities in guest applications or operating systems can still be exploited by attackers to gain unauthorized access.
  • Denial-of-Service (DoS): Confidential Computing does not protect against availability attacks where a compromised hypervisor or malicious co-tenant might disrupt VM operations.

Organizations adopting Confidential Computing should implement complementary measures such as continuous monitoring, secure software development practices, and layered defense strategies to mitigate these remaining risks.

Conclusion

AMD SEV-SNP and Intel TDX each provide solid methods for isolating workloads in shared environments. They cut down on attack paths and boost cloud security. Yet neither solution stops all threats. Confidential Computing significantly reduces the attack surface but requires ongoing efforts to address side-channel risks, physical attacks, software flaws, and denial-of-service scenarios.

By understanding these threat models and their strengths and gaps, organizations can make informed decisions when adopting Confidential Computing. They will know which mitigations to add and how to align CC technologies with their broader security strategies.
