Explainer
What is confidential computing?
Confidential computing is a hardware feature that encrypts a virtual machine's memory while it's running. The cloud provider — the hypervisor, the host kernel, the physical machine — cannot read the VM's memory. The encryption is performed by the CPU itself; the keys never leave the silicon.
Without confidential computing, your cloud provider can always read your data in memory. With it, they see only ciphertext.
| Technology | Vendor | What it does | Availability |
|---|---|---|---|
| AMD SEV-SNP | AMD | Encrypts VM memory; attests the launch was untampered | Azure DCasv5, GCP N2D |
| Intel TDX | Intel | Trust Domain Extensions; encrypts VM memory and isolates it from the host | GCP C3, Azure DCesv5 |
| Arm CCA | Arm | Realm management; memory encryption + attestation | Maturing (future) |
Why agents
Why this matters for AI agents
An autonomous agent is a special case in the threat model:
- It runs untrusted code — generated from a prompt, a tool call, or adversarial input.
- It touches sensitive data — credentials, PII, proprietary data, all in memory.
- It runs on infrastructure you don't fully control — the cloud provider's hypervisor can read the VM's memory.
[Figure: without confidential computing]
Attestation
The two-layer binding
Layer 1 — hardware anchoring
The AMD VCEK-signed SNP report → VCEK chain validated to the genuine AMD Milan ARK → SHA256(var_data) == REPORT_DATA[..32] → binds the vTPM AK into the hardware-signed report.
Layer 2 — freshness + nonce binding
A tpm2_quote under the AK → signature covers a TPM2B_ATTEST embedding SHA256(canonical_report_data) → binds the per-workspace context to a fresh, unreplayable quote. Only the live, hardware-anchored AK could sign it.
Both layers must hold for the control plane to release the DEK.
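The two checks above, written out as an added example (not OpenShell's code and not from this page). It assumes the signature checks (VCEK chain up to the AMD ARK, AK signature over the quote) were already verified, uses the documented REPORT_DATA offset in the SNP report and the leading TPMS_ATTEST fields, and constructs its own canonical_report_data layout and sample inputs.

```python
"""Added example, not OpenShell's code: the two binding checks a control plane
can run before releasing the DEK. Signature checks (VCEK chain up to the AMD
ARK, the AK signature over the TPM2B_ATTEST) are assumed already verified."""
import hashlib
import struct

SNP_REPORT_DATA_OFF = 0x50        # REPORT_DATA offset in the SNP ATTESTATION_REPORT (64 bytes)
TPM_GENERATED_VALUE = 0xFF544347  # TPMS_ATTEST.magic
TPM_ST_ATTEST_QUOTE = 0x8018      # TPMS_ATTEST.type produced by tpm2_quote

def layer1_binds_ak(snp_report: bytes, var_data: bytes) -> bool:
    """Layer 1: SHA256(var_data) == REPORT_DATA[..32]; var_data carries the vTPM AK."""
    report_data = snp_report[SNP_REPORT_DATA_OFF:SNP_REPORT_DATA_OFF + 64]
    return len(report_data) == 64 and hashlib.sha256(var_data).digest() == report_data[:32]

def canonical_report_data(workspace_id: bytes, nonce: bytes) -> bytes:
    """Constructed layout (assumption): per-workspace context plus the control plane's nonce."""
    return b"ws:" + workspace_id + b"|nonce:" + nonce

def parse_tpms_attest(attest: bytes) -> dict:
    """Read the leading TPMS_ATTEST fields: magic, type, qualifiedSigner (TPM2B_NAME), extraData."""
    magic, st = struct.unpack_from(">IH", attest, 0)
    pos = 6
    (n,) = struct.unpack_from(">H", attest, pos)
    signer, pos = attest[pos + 2:pos + 2 + n], pos + 2 + n
    (n,) = struct.unpack_from(">H", attest, pos)
    return {"magic": magic, "type": st, "signer": signer, "extra": attest[pos + 2:pos + 2 + n]}

def layer2_fresh_quote(attest: bytes, workspace_id: bytes, nonce: bytes, issued: set) -> bool:
    """Layer 2: a genuine quote whose extraData is SHA256(canonical_report_data) for a nonce issued once."""
    a = parse_tpms_attest(attest)
    if a["magic"] != TPM_GENERATED_VALUE or a["type"] != TPM_ST_ATTEST_QUOTE:
        return False
    if nonce not in issued:  # unknown or already-consumed nonce: treat as replay
        return False
    if a["extra"] != hashlib.sha256(canonical_report_data(workspace_id, nonce)).digest():
        return False
    issued.discard(nonce)    # consume: the same quote cannot be presented twice
    return True

def may_release_dek(snp_report, var_data, attest, workspace_id, nonce, issued) -> bool:
    """Both layers must hold for the DEK to be released."""
    return layer1_binds_ak(snp_report, var_data) and layer2_fresh_quote(attest, workspace_id, nonce, issued)

def make_attest(extra: bytes, signer: bytes = b"\x00\x0b" + b"\x11" * 32) -> bytes:
    """Constructed TPMS_ATTEST prefix for offline testing (a real quote continues with clockInfo etc.)."""
    head = struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_QUOTE)
    return head + struct.pack(">H", len(signer)) + signer + struct.pack(">H", len(extra)) + extra
```

A real verifier feeds in the parsed quote only after checking the AK signature over the full TPM2B_ATTEST, and the AK only after the SNP report's VCEK chain has validated.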
Single-CVM-direct
Why not nesting?
AMD SEV-SNP strips the hardware virtualization extensions from the leaf guest. A confidential VM cannot also be a hypervisor. Verified on silicon: /dev/kvm is absent on a DCasv5; the svm CPU flag is zero.
So the confidential tier runs the workspace directly inside the CVM — no nested microVM. The CVM is the boundary. OpenShell provides in-process governance. One CVM per sensitive workspace.