A wave of low-cost physical attacks has undermined memory-protection TEEs used by Nvidia Confidential Compute, AMD SEV-SNP, and Intel SGX/TDX.
The latest technique, dubbed TEE.fail, places a small piece of hardware between a memory chip and its motherboard and requires kernel-level access. The attack takes about three minutes to execute and can break the confidentiality and integrity guarantees of all three vendors’ TEEs, even with the latest DDR5 memory.
Historically, manufacturers have excluded physical attacks from TEE threat models, or have limited their assurances to data secrecy and execution integrity against a compromised OS kernel. The new findings emphasize that the threat landscape extends beyond software into the hardware supply chain, and that the typical threat model may be incomplete.
These attacks exploit a common weakness—deterministic encryption—across Nvidia, AMD, and Intel TEEs. They can enable forged attestations or “borrowed” reports, allowing attackers to impersonate trusted hardware and exfiltrate or tamper with data even when a server appears legitimately protected on the network.
Real-world implications include demonstrations against services that rely on TEEs for confidentiality, such as cloud or edge deployments. Researchers cited examples involving blockchain networks and AI workloads, where compromised attestations could undermine trust in enclave-based protections. In response, industry players are discussing mitigations like increasing ciphertext entropy and adding location verification to attestations, while stressing that no solution is perfect and physical access remains a hard problem to solve.
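To make the deterministic-encryption weakness and the "more ciphertext entropy" mitigation concrete, here is an added toy model (not code from the researchers or any vendor): a Feistel network built from SHA-256 stands in for the memory encryption engine, the tweak is the line's address, and the versioned mode additionally mixes in a freshness counter held on-chip. Assumed and constructed: 32-byte lines, the key, the addresses and the sample values.

```python
import hashlib, os
HALF, ROUNDS = 16, 4  # 32-byte "cache line"; 4-round Feistel stands in for the real memory cipher (constructed toy)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, addr: int, version: int, i: int, half: bytes) -> bytes:
    # Keyed round function; address and version act as the tweak and are mixed into every round.
    tweak = addr.to_bytes(8, "little") + version.to_bytes(8, "little")
    return hashlib.sha256(key + tweak + bytes([i]) + half).digest()[:HALF]

def _feistel(key: bytes, addr: int, version: int, block: bytes, decrypt: bool = False) -> bytes:
    l, r = block[:HALF], block[HALF:]
    if not decrypt:
        for i in range(ROUNDS):
            l, r = r, _xor(l, _round(key, addr, version, i, r))
    else:
        for i in reversed(range(ROUNDS)):
            l, r = _xor(r, _round(key, addr, version, i, l)), l
    return l + r

class MemoryController:  # deterministic: tweak = address only; versioned: a fresh on-chip counter per write
    def __init__(self, key: bytes, versioned: bool):
        self.key, self.versioned = key, versioned
        self.dram = {}      # bytes that cross the memory bus: visible, and replaceable, from an interposer
        self.versions = {}  # freshness counters kept inside the SoC, never placed on the bus
    def write(self, addr: int, plaintext: bytes) -> None:
        v = self.versions.get(addr, 0) + 1 if self.versioned else 0
        self.versions[addr] = v
        self.dram[addr] = _feistel(self.key, addr, v, plaintext)
    def read(self, addr: int) -> bytes:
        return _feistel(self.key, addr, self.versions.get(addr, 0), self.dram[addr], decrypt=True)

def ciphertexts_repeat(versioned: bool) -> bool:
    # Confidentiality: does writing the same value to the same address twice put identical bytes on the bus?
    mc = MemoryController(os.urandom(32), versioned)
    mc.write(0x1000, b"secret".ljust(32, b"\0"))
    first = mc.dram[0x1000]
    mc.write(0x1000, b"secret".ljust(32, b"\0"))
    return mc.dram[0x1000] == first

def stale_line_accepted(versioned: bool) -> bytes:
    # Integrity: what the CPU reads after an older ciphertext reappears in DRAM over a newer write.
    mc = MemoryController(os.urandom(32), versioned)
    mc.write(0x1000, b"balance=100".ljust(32, b"\0"))
    stale = mc.dram[0x1000]
    mc.write(0x1000, b"balance=0".ljust(32, b"\0"))
    mc.dram[0x1000] = stale  # the older line is put back without the controller's knowledge
    return mc.read(0x1000).rstrip(b"\0")
```

In the deterministic mode the bus carries repeating ciphertext and silently accepts the stale line; in the versioned mode the ciphertext changes on every write and the stale line no longer decrypts to the old value. Production engines additionally authenticate each line (a MAC or integrity tree), so a stale line is rejected outright rather than decrypted to garbage as in the toy.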