Security-enhanced instance families provide trusted computing capabilities based on Trusted Cryptography Module (TCM) or Trusted Platform Module (TPM) chips. Some security-enhanced instance families, including g7t, c7t, and r7t, also provide SGX encrypted computing based on Intel® Software Guard Extensions (SGX), giving you a confidential computing environment with a higher degree of isolation than trusted computing alone.
Trusted computing
Security-enhanced instance families integrate a TPM or TCM chip into the hardware platform and use it as the Root of Trust (RoT). The Unified Extensible Firmware Interface (UEFI) firmware, a virtual TPM (vTPM) or virtual TCM (vTCM) exposed to the instance, and a remote attestation service together implement instance startup measurement and integrity verification: each component in the boot chain is measured into the vTPM or vTCM before it runs, and the recorded measurements are checked against known-good values so that a modified firmware, bootloader, or kernel is detected rather than silently trusted. An instance whose measurements pass this verification is treated as secure and trusted.
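To make the "startup measurement and integrity verification" step concrete, the following is an added example written for this page, not code from the platform or from any attestation service. It models the verifier side of remote attestation for a TPM 2.0-style SHA-256 PCR bank: the event log is replayed using the TPM extend rule (new PCR = SHA-256(old PCR || event digest), starting from 32 zero bytes) and compared both with the PCR values reported in the quote and with known-good values. The component names, digests, and PCR assignments are constructed for illustration; a real log carries the UEFI event digests, and the quote's signature would be checked against the attestation key before any of this runs.

```python
import hashlib

# Constructed known-good boot chain (illustrative only): (PCR index, component, content).
# PCR assignments follow the common UEFI convention (0 firmware, 4 boot loader/kernel,
# 8 boot command line) but are assumptions for this example, not platform facts.
KNOWN_GOOD_BOOT = [
    (0, "uefi-firmware", b"firmware-v1"),
    (4, "bootloader", b"shim-v2"),
    (4, "kernel", b"vmlinuz-5.10"),
    (8, "kernel-cmdline", b"root=/dev/vda1 ro"),
]

PCR_INITIAL = b"\x00" * 32  # SHA-256 PCRs start at all zeros after reset


def measure(content: bytes) -> bytes:
    """Digest of one boot component, as the firmware would record it in the event log."""
    return hashlib.sha256(content).digest()


def replay_pcrs(event_log):
    """Replay TPM PCR extension over an event log of (pcr_index, name, digest) entries."""
    pcrs = {}
    for idx, _name, digest in event_log:
        old = pcrs.get(idx, PCR_INITIAL)
        pcrs[idx] = hashlib.sha256(old + digest).digest()
    return pcrs


def good_event_log():
    return [(i, n, measure(c)) for i, n, c in KNOWN_GOOD_BOOT]


def tampered_event_log():
    """Same chain with a replaced kernel: the measurement of that component changes."""
    return [(i, n, measure(b"vmlinuz-backdoored" if n == "kernel" else c))
            for i, n, c in KNOWN_GOOD_BOOT]


def golden_pcrs():
    """Known-good PCR values the attestation service compares against."""
    return replay_pcrs(good_event_log())


def verify_attestation(quoted_pcrs, event_log, golden):
    """Verifier-side integrity check. Returns a list of findings; empty means trusted.

    Two independent checks: the event log must replay to the PCR values in the quote
    (otherwise the log was edited after the fact), and the quoted PCRs must match the
    known-good values (otherwise a boot component differs from the approved image).
    Signature verification of the quote itself is assumed to have happened already.
    """
    findings = []
    replayed = replay_pcrs(event_log)
    for idx in sorted(set(quoted_pcrs) | set(replayed)):
        if quoted_pcrs.get(idx) != replayed.get(idx):
            findings.append(f"PCR{idx}: event log does not replay to quoted value")
    for idx, value in sorted(golden.items()):
        if quoted_pcrs.get(idx) != value:
            findings.append(f"PCR{idx}: quoted value differs from known-good value")
    return findings


if __name__ == "__main__":
    golden = golden_pcrs()
    print("clean boot:", verify_attestation(golden, good_event_log(), golden))
    tampered_quote = replay_pcrs(tampered_event_log())
    print("modified kernel:", verify_attestation(tampered_quote, tampered_event_log(), golden))
    # An attacker who swaps the kernel but presents the original log is caught by the
    # replay check, because the log no longer reproduces the quoted PCR4.
    print("hidden tamper:", verify_attestation(tampered_quote, good_event_log(), golden))
```

The point of the two-check design is that neither the event log nor the PCR values are trustworthy on their own: the log is just a file the guest can edit, and the PCRs are opaque hashes. Only the combination, with the PCRs bound to the hardware RoT by the signed quote, lets the verifier say which boot component changed.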
SGX encrypted computing
SGX uses the Memory Encryption Engine (MEE) in the CPU to keep enclave memory encrypted while it resides in DRAM. Data is decrypted into plaintext only after it enters the CPU package, so software running outside the enclave, including the operating system, the virtualization stack, and the BIOS, cannot read enclave memory in the clear. Therefore, when you use a vSGX instance, your data remains protected even if those layers are compromised, and the trusted computing base shrinks to the CPU plus the code you place inside the enclave. SGX protects the confidentiality and integrity of enclave memory; it does not protect against bugs in your own enclave code or against side-channel attacks, which you must still address when designing the enclave. For information about how to use SGX, see Build an SGX encrypted computing environment.
Support of secure computing capabilities of instance families
Instance family | Trusted computing | SGX encrypted computing
---|---|---
g7t, c7t, r7t | Supported | Supported
Other security-enhanced instance families | Supported | Not supported