Glossary
SGX
Intel's earliest mainstream trusted execution environment, the predecessor to TDX, with smaller enclave sizes and a history of side-channel vulnerabilities that limited its deployment for AI.
Intel’s first-generation TEE, introduced in 2015. SGX enclaves are isolated regions of memory the host OS cannot read, with hardware-rooted attestation that a known measurement of code is running inside. SGX served as the practical reference TEE for over a decade.
Its limitations are why it has been largely superseded for AI workloads. Enclave size is capped at modest gigabytes, which fits embeddings or small classifiers but not large-language-model weights. The threat model assumes the host is hostile but trusts the CPU; a parade of side-channel attacks (Foreshadow, Plundervolt, SGAxe) has required microcode updates and complicates the trust story.
For AI confidential-computing work in 2026, Intel TDX (per-VM isolation, much larger memory, similar attestation primitives) is the spiritual successor and the more common deployment target. SGX still appears in legacy workloads and in specialized scenarios where small isolated enclaves suffice.