A trusted execution environment (TEE) is an enclave: attestation + encryption + memory isolation. The operator runs the server but cannot read the enclave's memory. The user verifies what code runs (attestation), then sends encrypted data that only the enclave can decrypt. The result: computation on private data without trusting the operator.
The three ingredients
A TEE combines three mechanisms. Attestation (Ch.11): the user verifies what code is running by checking a hardware-signed measurement (hash) of the enclave against the hash they expect. Encryption: data sent to the enclave is encrypted to a key whose private half exists only inside the enclave; the enclave's public key is itself carried in the attestation report, which is what stops the operator from substituting a key it controls. Memory isolation: the hardware prevents the OS, hypervisor, and operator from reading the enclave's memory, even with root access. Isolation blocks direct reads; it does not by itself rule out side channels, which is why they appear in the platform comparison below.
Scheme
; TEE = Attestation + Encryption + Isolation
(display "Ingredient 1: Attestation") (newline)
(display " User verifies the enclave runs the") (newline)
(display " expected code (hash matches).") (newline)
(display " -> Ch.11 Remote Attestation") (newline)
(newline)
(display "Ingredient 2: Encryption") (newline)
(display " Data is encrypted in transit with a key") (newline)
(display " that only the enclave can decrypt.") (newline)
(display " The operator sees ciphertext only.") (newline)
(newline)
(display "Ingredient 3: Memory isolation") (newline)
(display " Hardware enforces that no software outside") (newline)
(display " the enclave can read its memory pages.") (newline)
(display " Even the OS kernel is locked out.") (newline)
(newline)
(display "Together: the user knows what code runs,") (newline)
(display "sends data only that code can read, and") (newline)
(display "the operator cannot interfere.")
Real implementations
Platform           | Vendor | Isolation mechanism
Intel SGX          | Intel  | CPU-level enclaves inside a user process
ARM TrustZone      | ARM    | Secure world / normal world split
AMD SEV            | AMD    | Encrypted VM memory, per-VM keys
AWS Nitro Enclaves | AWS    | Isolated VM with no persistent storage and no external network
Scheme
; Comparison of TEE approaches
(display "Intel SGX:") (newline)
(display " + Fine-grained: enclave inside a process") (newline)
(display " + Small TCB (trusted computing base)") (newline)
(display " - Limited enclave memory (EPC)") (newline)
(display " - Side-channel attacks demonstrated") (newline)
(newline)
(display "ARM TrustZone:") (newline)
(display " + Widely deployed (mobile phones)") (newline)
(display " + Hardware-enforced world separation") (newline)
(display " - Single secure world: isolation between") (newline)
(display "   trusted apps is up to the TEE OS") (newline)
(newline)
(display "AMD SEV:") (newline)
(display " + Whole-VM granularity: no app changes") (newline)
(display " - Larger TCB: the whole guest OS is trusted") (newline)
(display " - Memory integrity only with SEV-SNP") (newline)
(newline)
(display "AWS Nitro Enclaves:") (newline)
(display " + No persistent storage, no SSH") (newline)
(display " + Attestation document signed by the") (newline)
(display "   Nitro Security Module (NSM)") (newline)
(display " + Dedicated vCPUs, not shared with the") (newline)
(display "   parent instance") (newline)
(display " - Requires AWS infrastructure")
Application: the honest auction
Consider an ad auction server. Advertisers submit bids, and the server runs a VCG auction; for a single item this is a second-price auction, where the highest bidder wins and pays the second-highest bid. Without a TEE, the operator could peek at bids, favor certain advertisers, or lie about the winning price.
With a TEE, the auction code runs in an enclave. Advertisers verify the code via attestation, check that the enclave's public key is the one bound in the attestation report, then send bids encrypted to that key. The enclave computes the winner and price. The operator never sees the bids or the auction logic's internal state; it sees only ciphertext going in and the winner and price coming out. What the enclave does not protect is availability: the operator can still refuse to run the auction or withhold ciphertexts from it.
Scheme
; Honest auction in an enclave
; The operator runs the server but cannot see bids.
(display "Without TEE:") (newline)
(display " Operator sees all bids in cleartext") (newline)
(display " Operator could change auction logic") (newline)
(display " Bidders must trust the operator") (newline)
(newline)
(display "With TEE:") (newline)
(display " 1. Operator deploys auction code to enclave") (newline)
(display " 2. Bidders verify attestation:") (newline)
(display "    hash(auction code) matches published hash,") (newline)
(display "    report carries the enclave's public key") (newline)
(display " 3. Bidders encrypt bids to that key") (newline)
(display " 4. Enclave decrypts, runs VCG auction") (newline)
(display " 5. Enclave outputs: winner + price") (newline)
(display " 6. Operator sees only the result") (newline)
(newline)
(display "The enclave proves the VCG result is honest") (newline)
(display "without the operator ever seeing a bid.")
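To make the three ingredients and the six auction steps concrete, here is a complete simulation in Go. It is an added example, not code from the original page or from any real TEE SDK, and its stand-ins are labelled in the code: an Ed25519 key plays the hardware attestation root that a real platform fuses into the CPU, SHA-256 over a constructed byte string plays the enclave measurement, and the enclave's X25519 public key rides in the report's ReportData field the way SGX's REPORTDATA or a Nitro attestation document's public_key field would. The bidder verifies the report and encrypts with X25519 plus AES-256-GCM; the enclave decrypts and applies the single-item VCG rule. Demo then tries the two moves an operator might make: swapping its own key into the report, and deploying modified auction code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Report is the hardware-signed statement "code with this Measurement asked me to attest
// this ReportData". Putting the enclave's public key in ReportData binds it to the code.
type Report struct {
	Measurement [32]byte // SHA-256 of the enclave code
	ReportData  []byte   // enclave's X25519 public key
	Sig         []byte   // signature by the (simulated) hardware attestation key
}

// NewEnclave generates the enclave's key and has the hardware attest code hash plus key.
// hwKey stands in for a fused CPU key; the private key never leaves the enclave.
func NewEnclave(hwKey ed25519.PrivateKey, code []byte) (*ecdh.PrivateKey, Report) {
	k, _ := ecdh.X25519().GenerateKey(rand.Reader)
	m, pub := sha256.Sum256(code), k.PublicKey().Bytes()
	return k, Report{m, pub, ed25519.Sign(hwKey, append(m[:], pub...))}
}

// VerifyReport is the bidder's check: genuine hardware signature, expected measurement.
func VerifyReport(vendorPub ed25519.PublicKey, r Report, expected [32]byte) error {
	if !ed25519.Verify(vendorPub, append(r.Measurement[:], r.ReportData...), r.Sig) {
		return fmt.Errorf("attestation signature invalid")
	}
	if r.Measurement != expected {
		return fmt.Errorf("measurement mismatch: not the published code")
	}
	return nil
}

// aeadFor derives an AES-256-GCM key from an X25519 shared secret.
func aeadFor(shared []byte) cipher.AEAD {
	k := sha256.Sum256(append([]byte("tee-bid-v1|"), shared...))
	block, _ := aes.NewCipher(k[:])
	aead, _ := cipher.NewGCM(block)
	return aead
}

// EncryptBid (bidder side): verify the report, then encrypt to the key it carries.
// Output is ephemeralPub(32) || nonce(12) || ciphertext: all the operator ever sees.
func EncryptBid(vendorPub ed25519.PublicKey, r Report, expected [32]byte, amount uint32) ([]byte, error) {
	if err := VerifyReport(vendorPub, r, expected); err != nil {
		return nil, err
	}
	enclavePub, _ := ecdh.X25519().NewPublicKey(r.ReportData) // covered by the verified signature
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, _ := eph.ECDH(enclavePub)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	out := append(eph.PublicKey().Bytes(), nonce...)
	return aeadFor(shared).Seal(out, nonce, binary.BigEndian.AppendUint32(nil, amount), nil), nil
}

// RunAuction (enclave side): decrypt every bid, then single-item VCG, i.e. the highest
// bidder wins and pays the second-highest bid. Only winner and price leave the enclave.
func RunAuction(key *ecdh.PrivateKey, sealed [][]byte) (winner int, price uint32, err error) {
	var best uint32
	for i, s := range sealed {
		if len(s) < 44 {
			return 0, 0, fmt.Errorf("bid %d: truncated", i)
		}
		ephPub, _ := ecdh.X25519().NewPublicKey(s[:32]) // any 32 bytes parse
		shared, _ := key.ECDH(ephPub)
		pt, err := aeadFor(shared).Open(nil, s[32:44], s[44:], nil)
		if err != nil || len(pt) != 4 {
			return 0, 0, fmt.Errorf("bid %d: tampered or not encrypted to this enclave", i)
		}
		if a := binary.BigEndian.Uint32(pt); a > best {
			best, price, winner = a, best, i
		} else if a > price {
			price = a
		}
	}
	return winner, price, nil
}

// Demo runs the honest auction on constructed bids, then tries two operator attacks.
func Demo() (winner int, price uint32, keySwapErr, wrongCodeErr error) {
	vendorPub, hwKey, _ := ed25519.GenerateKey(rand.Reader)
	code := []byte("vcg-auction-v1") // stands in for the audited enclave binary
	expected := sha256.Sum256(code)  // the hash bidders published and check against
	enclaveKey, report := NewEnclave(hwKey, code)
	var sealed [][]byte
	for _, amt := range []uint32{120, 300, 250} { // constructed bids from three advertisers
		c, _ := EncryptBid(vendorPub, report, expected, amt) // genuine report: no error
		sealed = append(sealed, c)
	}
	winner, price, _ = RunAuction(enclaveKey, sealed)
	// Attack 1: operator swaps its own key into the report; the hardware signature breaks.
	rogue, _ := ecdh.X25519().GenerateKey(rand.Reader)
	report.ReportData = rogue.PublicKey().Bytes()
	_, keySwapErr = EncryptBid(vendorPub, report, expected, 999)
	// Attack 2: operator deploys modified auction code; the measurement no longer matches.
	_, evilReport := NewEnclave(hwKey, []byte("vcg-auction-v1-operator-wins"))
	_, wrongCodeErr = EncryptBid(vendorPub, evilReport, expected, 999)
	return
}

func main() {
	fmt.Println(Demo()) // 1 250 attestation signature invalid measurement mismatch: not the published code
}
```

Memory isolation has no software analogue here: the enclave's private key is simply a value the operator-side code never receives. What the simulation does show is why the key must sit under the hardware signature. Once it does, a bidder who verifies the report cannot be induced to encrypt to anyone but the measured code, and a ciphertext that is altered or addressed to a different enclave fails AEAD authentication inside RunAuction rather than being silently miscounted. A real verifier additionally walks the vendor certificate chain and, on SGX, checks the TCB and security-version fields of the quote.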