]> China Mobile

No.32 Xuanwumen West Street Beijing China yangpenglin@chinamobile.com

China Mobile

No.32 Xuanwumen West Street Beijing China chenmeiling@chinamobile.com

China Mobile

No.32 Xuanwumen West Street Beijing China suli@chinamobile.com

Huawei Technology Co.,Ltd.

127 Jinye Road, Yanta District Xi'an China pangting@huawei.com

Security TEEP confidential computing Confidential computing is the protection of data in use by performing computation in a hardware-based Trusted Execution Environment. Confidential computing could provide integrity and confidentiality for users who want to run applications and process data in that environment. When confidential computing is used in scenarios which need network to provision user data and applications in the TEE environment, TEEP architecture and protocol could be used. This document focuses on using TEEP to provision Network User data and applications in confidential computing. This document is a use case and extension of TEEP and could provide guidance for cloud computing, and other scenarios to use confidential computing in network.

Introduction The Confidential Computing Consortium defined the concept of confidential computing as the protection of data in use by performing computation in a hardware-based Trusted Execution Environment . In detail, computing unit with confidential computing feature could generate an isolated hardware-protected area, in which data and applications will be protected from illegal access or tampering. When using network to provision confidential computing environment, users need to attest and deploy their data and applications in the TEE environment inside confidential computing device by network. This network could be a cloud, MEC or other network that provide confidential computing resource to users. The TEEP WG defined the standardization of an architecture and protocol for managing the lifecycle of trusted applications running inside a TEE. In confidential computing, the TEE can also be provisioned and managed by TEEP architecture and protocol. This document illustrates how a network user uses the TEEP protocol to provision its private data and applications in confidential computing device. The intended audiences for this use case are network users and operators who are interested in using confidential computing in network.

Terminology ## Terms

• Network Management/Orchestration Center(Network M/OC): MO/C exists in the management and orchestration layer of network. Network User uses the M/OC to request for computing resource. The TAM is inside the M/OC to provide management function to TEEP Agent via TEEP broker.
• Network User: Network User possesses personalization data and applications that need to be deployed on confidential computing device. For example in MEC, the autonomous vehicles could deploy private applications and data on confidential computing device to calculate on-vehicle and destination road information without knowing by MEC platform.
• Confidential Computing Device: Confidential Computing Device is connected by the network and can provide confidential computing service to Network User.
• Package: Package is a unit that is owned by Network User and could be deployed on TEE/REE or treated as application data. TA (Trusted Application) in confidential computing could be an application, or packaged with other components like library, TEE shim or even Guest OS. The specific package of confidential computing could refers to the white paper of by CCC.
• Personalization Data(PD): Data that holds by Network User and needs to be protected by TEE during processing. Other terms like TAM, TEE, REE, TA will reuse the term definition defined in .

Requirement Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

Architecture Figure 1 is the architecture of confidential computing in network. Two new components Network User and Network M/OC are introduced in this document. The connection between Network User and M/OC depends on the implementation of specific network. The connection between network user and UA (Untrusted Application) or TA depends on the implementation of application. The connection between TAM, TEEP Broker and TEEP Agent refers to the TEEP protocol. Interactions of all components in this scenario are described in the Usecase section.

Notional Architecture of Confidential Computing in Network Broker <-----------> | | | | | TEEP | | | | | | | | TAM | | | | | Agent |<----+ | | | | | | | | | +--------+ | | <--+ | | +---^---+ | | | | +--------+ | | +-----|------+ | | +--------+ | | | | | | | TA | | +-------+ | | | | | | |<--------> |<--+ | | | | +--------+ | | UA | | +-----V------+ | +-------------+ | |<--------->Network User| | +-------+ | | (Package) | +--------------------------------------+ +------------+ ]]>

Use Cases The basic process of how a Network User utilizes confidential computing is shown below. In confidential computing, the bundle of an UA, TA, and PD refers to case 1,2,3,4 of TEEP architecture section 4.4. Case 5 and 6 are new cases that possible in implementation. At present, the main instances types exist in industry of confidential computing are confidential process, confidential container and confidential VM.

UA, TA and PD are bundled as a package This use case refers to the case 1 of TEEP architecture. If the Network User provides this package, the process of TEEP is as follow. 1. Network User requests for confidential computing resource to the network M/OC. 2. M/OC orchestrates confidential computing device to undertake the request. 3. TAM requests remote attestation to the TEEP Agent, TEEP Agent then sends the evidence to TAM. The TAM works as Verifier in . 4. After verification, Network User works as Relying Party to receive the attestation result. If positive, Network User establishes secure channel with TEEP Agent, and transfers this package to TEEP Agent. 5. TEEP Agent deploys TA and personalization data in TEE, then deploy UA in REE. As for informing Network Users to develop their applications and data, the mapping of UA, TA and implementations are shown in figure 2. This document gathers the main hardware architectures that support confidential computing, which include , , , and . The brace means the operation steps to deploy packages. The arrow means deploy package to a destination. The "att" means attestation challenge for the target.

TEEP Implementation of Case 1 TEE, | TA->Trsuted | TA->Trsuted VM | | Sequence | PD->TA, | Container, | PD->TA, | | | UA->REE} | PD->TA, | UA->Untrusted | | | | UA->REE} | VM} | +-------------+----------------+----------------+----------------+ ]]>

PD is a separate package, TA and UA are separate or integrated This usecase refers to the case 2 and case 3 of TEEP architecture. The PD is a separate package, the UA and TA could be separated or integrated as a package. If the Network User provides packages like this, the process of TEEP is as follow. 1. Network User requests for confidential computing resource to the network M/OC. 2. M/OC orchestrates confidential computing device to undertake the request. 3. Network User transfers UA and TA to confidential computing device via TAM. TAM then deploys these two applications in REE and TEE respectively. (In SGX, UA must be deployed first, then let the UA to load TA in SGX.) 4. TAM requests remote attestation to the TEEP Agent, TEEP Agent then sends the evidence to TAM. The TAM works as Verifier in RATs architecture. 5. After verification, Network User works as Relying Party to receive the attestation result. If positive, Network User establishes secure channel with TA, and deploys personalization data to the TA. The mapping of UA, TA and implementations are shown in figure 3.

TEEP Implementation of Case 2/3 TEE, | {UA->REE, |{UA->untrusted | | | att TEEP Agent,| TA->trusted | VM, | | Load | PD->TA, | Container, | TA->trusted VM,| | Sequence | UA->REE} | att TEEP Agent,| att TEEP Agent,| | | | PD->TA} | PD->TA} | +-------------+----------------+----------------+----------------+ ]]>

TA and PD are bundled as a package, and UA is a separate package In this case, the process of TEEP is as follow. 1. Network User requests for confidential computing resource to the network M/OC. 2. TAM in M/OC orchestrates confidential computing device to undertake the request. 3. Network User deploys UA in REE. 4. TAM requests remote attestation to the TEEP Agent, TEEP Agent then sends the evidence to TAM. The TAM works as Verifier in RATs architecture. 5. After verification, Network User works as Relying Party to receive the attestation result. If positive, the Network User establishes secure channel with TEEP Agent and transfers the TA and PD package to TEEP Agent. 6. TEEP Agent deploys TA and PD.

TEEP Implementation of Case 4 REE, | {UA->REE, | {UA->untrusted | | Load | att TEEP Agent,| att TEEP Agent,| VM, | | Sequence | TA&PD->TEE} | TA&PD->trusted | att TEEP Agent,| | | | Container} | TA->trusted VM}| +-------------+----------------+----------------+----------------+ ]]>

TA and PD as a package, no UA In this case, Network User provides TA and PD as a package with no UA attached. The process of TEEP in this case is as follow. 1. Network User requests for confidential computing resource to the network M/OC. 2. TAM in M/OC orchestrates confidential computing device to undertake the request. 3. TAM requests remote attestation to the TEEP Agent, TEEP Agent then sends the evidence to TAM. The TAM works as Verifier in RATs architecture. 4. After verification,Network User works as Relying Party to receive the attestation result. If positive, the Network User establishes secure channel with TEEP Agent and transfers TA and PD to TEEP Agent. 5. TEEP Agent deploys TA and PD.

TEEP Implementation of Case 5 TEE} | TA&PD->trusted | TA->trusted VM}| | | | Container} | | +-------------+----------------+----------------+----------------+ ]]>

## TA and PD are separate packages, no UA In this case, Network User provides TA and PD as separate packages with no UA attached. The process of TEEP in this case is as follow. 1. Network User requests for confidential computing resource to the network M/OC. 2. TAM in M/OC orchestrates confidential computing device to undertake the request. 3. Network User transfers TA to TAM, then TAM transfers TA to TEEP Agent. 4. TAM requests remote attestation to the TEEP Agent, TEEP Agent then sends the evidence to TAM. The TAM works as Verifier in RATs architecture. 5. After verification, Network User works as Relying Party to receive the attestation result. If positive, the Network User establishes secure channel with TA and transfers PD to it.

TEEP Implementation of Case 6 TEE, | {TA->trusted |{TA->trusted VM,| | Sequence | att TEEP Agent,| Container, | att TEEP Agent,| | | PD->TA} | att TEEP Agent,| PD->TA} | | | | PD->TA} | | +-------------+----------------+----------------+----------------+ ]]>

IANA Considerations This document does not require actions by IANA.

Security Considerations Besides the security considerations in TEEP architecture, there is no more security and privacy issues in this document.

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols. Broadcom Arm Limited Microsoft Amazon A Trusted Execution Environment (TEE) is an environment that enforces that any code within that environment cannot be tampered with, and that any data used by such code cannot be read or tampered with by any code outside that environment. This architecture document motivates the design and standardization of a protocol for managing the lifecycle of trusted applications running inside such a TEE. Broadcom Amazon Microsoft This document specifies a protocol that installs, updates, and deletes Trusted Components in a device with a Trusted Execution Environment (TEE). This specification defines an interoperable protocol for managing the lifecycle of Trusted Components. Informative References

Appendix 1 Submodules in TEEP Agent The original design of TEEP only includes TEEP Agent and TA inside TEE. While in confidential computing implementation, other submodules may also be involved in the TEE. In TEEP, these submodules could be covered by TEEP Agent. In SGX based confidential computing, submodule could provide convenient environment or API in which TA does not have to modify its source code to fit into SGX instructions. Submodules like Gramine and Occlum .etc are examples that could be included in TEEP Agent. If there is no submodule in TEEP Agent, the TA and UA need to be customized applications which fit into the SGX architecture. In SEV and other architectures that support whole guest VM as a TEE, TEEP Agent doesn't have to use extra submodule to work as a middleware or API. However with some submodules like Enarx which works as a runtime JIT compiler, TA could be deployed in a hardware independent way. In this scenario, TA could be deployed in different hardware architecture without re-compiling.