thryec.hl

1/ Side-channel attacks: when isolation isn't enough We've covered TrustZone, SGX, and SEV—all provide strong hardware isolation to protect secrets. But there's a catch: even when an attacker can't directly read your data, they can sometimes infer it by watching how the hardware behaves. Welcome to the world of side-channel attacks—the art of learning secrets without breaking the locks.

1/ Before jumping into vendor specifics, remember: a TEE isn't a strict blueprint—it's more like a set of guidelines. The Confidential Computing Consortium (CCC) lays out key security must-haves, without dictating the exact tech to get there. Any TEE solution needs to deliver these basics to earn the label.

Please. If you're building TEE protocols, DO NOT discount microarchitectural side-channel exploits. If your protocol grows to a point where it becomes viable to exploit, you HAVE to assume sophisticated attackers going after you. Do not ignore the bare-minimums. + No early returns + No trad string comparisons + No data-dependent cache access patterns + No conditional branching (on sensitive data) + No time-dependent code + No access patterns reveal (cache hit vs miss timings) + No non-constant time crypto Please, nail the fucking basics of writing enclave code before going live and risking the hard-earned money of your users. PS: Not directed towards any specific protocol. Just a general observation.