A curated list of resources for learning about Trusted Execution Environments (TEEs) and their applications in the blockchain space.
Contributions are welcome! See CONTRIBUTING.md.
- Getting Started
- Articles
- Research Papers
- Hardware Platforms
- Cloud Solutions
- Blockchain Applications & Use Cases
- Code Repositories
- Major TEE Attacks
- Social Media & Community
- Additional Resources
Articles, talks and presentations to help you get started with TEEs.
- Articles
- Verifiable Off-chain Compute: Enabling an Instagram-like experience for Web3 - Florin Digital
- What is a Trusted Execution Environment (TEE)? - Halborn
- Trustless Execution Environments - David Atterman
- Why trusted execution environments will be integral to proof-of-stake blockchains
- Blockchain x TEE: Why Various Forefront Projects are Adopting TEE - TOKI
- 4 Ways to Compare Trusted Execution Environments and Zero-Knowledge Proofs
- Blockchains in Trusted Execution Environments (TEEs)
- Conference Talks
- How to Win Friends and TEE-fluence People - Ethan Buchman, Modular Summit 2024
- The TEE Stack - Andrew Miller, Modular Summit 2024
- Private Smart Contracts are Worth the Price of the SGX - Andrew Miller, ETHDenver 2023
- Protected Order Flow for Fair Transaction-Ordering in a Profit-Seeking World - Kushal Babel, MEV-SBC 2023
- Enabling Cross Chain Transfers Using SGX - Michael Kaplan, Avalanche Summit 2022
- Trusted Execution Environments Meet the Blockchain - Ittay Eyal, Simons Institute 2019
- Presentations
- DEVMOS 2024: Dylan Kawalec (Osmosis), 'Building Decentralized Frontends', Modular Summit 2024
- What apps are unlocked by the TEE stack - Xinyuan Sun, Modular Summit 2024
- Parallelized Confidential Computing - Yannik Schrade, Fil Dev Summit 2024
- TEE for Blockchain Applications - Ari Juels, a16z crypto 2023
- SGX Panel 2023: Andrew Miller, Jonathan Passerat Palmbach, Phil Daian, Justin Drake
- Workshops & Tutorials
- Phala Network: 'The Magic of TEEs' - Online Workshop on TEE Basics
- Blockchains + TEEs 2023: Day 1 - Kartik Nayan, Ittai Abraham, Aniket Kate
- Blockchains + TEEs 2023: Day 2 - Kartik Nayan, Ittai Abraham, Aniket Kate
- An intro to SGX & Enclave-based API with Kevin Yu | ETHDenver Privacy Workshop
- TEE-based Web2 User Data Attestations
- Advanced
- Block Building inside SGX - Flashbots Writings
- Running Geth within SGX: Our Experience, Learnings and Code - Flashbots Writings
- SGX-Based Backrunning and Covert Channels - Flashbots Writings
- MEV-SGX - A sealed bid MEV auction design - Eth Research
- Proprietary binary provisioning within TEEs - fnerdman
- We call this kernel saunters: How Apple rearranged its XNU core with exclaves - The Register
- Building Secure Ethereum Blocks on Minimal Intel TDX Confidential VMs - Flashbots Collective
- TDX Security For BOB Searchers, Flashbots
- Sirrah: Speedrunning a TEE Coprocessor - Flashbots Writings
- Nix + Bazel: Fully reproducible, incremental builds - Tweag
- Early Thoughts on Decentralized Root-of-Trust - Flashbots Collective
- Drawbacks In FHE Blockchain And How TEE Can Help It - Flashbots Collective
- How Secret Network Uses SGX - Secret Network
- Intel SGX and Blockchain: The iExec End-to-End Trusted Execution Solution - iExec
- Blockchains + TEEs Day 1 Summary - Decentralized Thoughts
- Blockchains + TEEs Day 2 Summary - Decentralized Thoughts
- Intel SGX Explained - V. Costan and S. Devada (MIT)
- Demystifying SGX — Part 1 - Obscuro Labs
- Security
- A Survey of Published Attacks on Intel SGX - Nilsson et al. (2020)
- Plundervolt: Software-based Fault Injection Attacks against Intel SGX - Murdock et al. (2020)
- Securing TEE Apps: A Developer's Guide - Bedlam Research
- TEE-based Smart Contracts and Sealing Pitfalls - IC3
- A few notes on AWS Nitro Enclaves: Attack surface - Trail of Bits Blog
Key research works covering different aspects of TEEs.
- 2025
- SoK: A cloudy view on trust relationships of CVMs -- How Confidential Virtual Machines are falling short in Public Cloud - J. Eisoldt, A. Galanou, A. Ruzhanskiy, N. Küchenmeister, Y. Baburkin, T. Dai, I. Gudymenko, S. Köpsell, and R. Kapitza, arXiv, 2025.
- NVIDIA GPU Confidential Computing Demystified - Z. Gu, E. Valdez, S. Ahmed, J. J. Stephen, M. Le, H. Jamjoom, S. Zhao, and Zhiqiang Lin, arXiv, 2025.
- Performance of Confidential Computing GPUs - A. M. Ibarra, J. J. Stephen, A. G. Vidal, K. R. Jayaram, and A. F. Gomez, arXiv, 2025.
- 2024
- Towards Validation of TLS 1.3 Formal Model and Vulnerabilities in Intel's RA‑TLS Protocol - M. U. Sardar, A. Niemi, H. Tschofenig, and T. Fossati, IEEE, 2024.
- TeeRollup: Efficient Rollup Design Using Heterogeneous TEE - X. Wen, Q. Feng, H. Lyu, J. Niu, Y. Zhang, and C. Feng, arXiv, 2025.
- Confidential Computing on nVIDIA H100 GPU: A Performance Benchmark Study - J. Zhu, H. Yin, P. Deng, and S. Zhou, arXiv, 2024.
- SecScale: A Scalable and Secure Trusted Execution Environment for Servers - A. Sunny, N. Shrivastava, S., and R. Sarangi, arXiv, 2024.
- Confidential Federated Computations - H. Eichner, D. Ramage, K. Bonawitz, D. Huba, et al., arXiv, 2024.
- Teamwork Makes TEE Work: Open and Resilient Remote Attestation on Decentralized Trust - X. Zhang, K. Qin, S. Qu, T. Wang, C. Zhang, and D. Gu, arXiv, 2024.
- 2023
- Intel TDX Demystified: A Top‑Down Approach - P. Chen, W. Ozga, E. Valdez, S. Ahmed, Z. Gu, H. Jamjoom, U. Franke, and J. Bottomley, arXiv, 2023.
- A Distributed Efficient Blockchain Oracle Scheme for Internet of Things - Y. Xian, L. Zhou, J. Jiang, B. Wang, H. Huo, and P. Liu, arXiv, 2023.
- Blockchain‑based Federated Learning with Secure Aggregation in Trusted Execution Environment for Internet‑of‑Things - A. P. Kalapaaking, I. Khalil, M. S. Rahman, M. Atiquzzaman, X. Yi, and M. Almashor, arXiv, 2023.
- 2022
- SoK: Hardware‑supported Trusted Execution Environments - M. Schneider, R. J. Masti, S. Shinde, S. Capkun, and R. Perez, arXiv, 2022.
- SoK: TEE‑assisted Confidential Smart Contract - R. Li, Q. Wang, Q. Wang, D. Galindo, and M. Ryan, arXiv, 2022.
- Red Team vs. Blue Team: A Real‑World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations - E. Puschner, T. Moos, S. Becker, C. Kison, A. Moradi, and C. Paar, Cryptology ePrint Archive, 2022.
- Lessons Learned from Blockchain Applications of Trusted Execution Environments and Implications for Future Research - R. Karanjai, L. Xu, L. Chen, F. Zhang, Z. Gao, and W. Shi, arXiv, 2022.
- 2021
- Extending On‑chain Trust to Off‑chain - Trustworthy Blockchain Data Collection using Trusted Execution Environment (TEE) - C. Liu, H. Guo, M. Xu, S. Wang, D. Yu, J. Yu, and X. Cheng, arXiv, 2021.
- CHEX‑MIX: Combining Homomorphic Encryption with Trusted Execution Environments for Two‑party Oblivious Inference in the Cloud - D. Natarajan, A. Loveless, W. Dai, and R. Dreslinski, Cryptology ePrint Archive, 2021.
- Pre‑2020
- When Blockchain Meets SGX: An Overview, Challenges, and Open Issues - Z. Bao, Q. Wang, W. Shi, L. Wang, H. Lei, and B. Chen, IEEE, 2020.
- Ekiden: A Platform for Confidentiality‑Preserving, Trustworthy, and Performant Smart Contracts - R. Cheng, F. Zhang, J. Kos, W. He, N. Hynes, N. Johnson, A. Juels, and A. Miller, IEEE, 2019.
- Giving State to the Stateless: Augmenting Trustworthy Computation with Ledgers - G. Kaptchuk, I. Miers, and M. Green, Cryptology ePrint Archive, 2017.
- Teechain: A Secure Payment Network with Asynchronous Blockchain Access - J. Lind, O. Naor, I. Eyal, F. Kelbert, P. Pietzuch, and E. Gun Sirer, arXiv, 2017.
The underlying silicon providing TEE capabilities.
- Intel
- Advanced Matrix Extensions (AMX) - Accelerator to improve the performance of deep-learning training and inference on the CPU.
- Trust Domain Extensions (TDX) - Latest Hardware-based TEE architecture from Intel.
- Software Guard Extensions (SGX) - Protects data actively being used in the processor and memory by creating a TEE.
- AMD
- Secure Encrypted Virtualization-Trusted I/O (SEV-TIO) - Improved I/O performance and security in AMD SEV-SNP guests.
- Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) - Expands on SEV, adds memory integrity protection to help prevent malicious hypervisor-based attacks.
- Secure Encrypted Virtualization (SEV) - Hardware-based memory encryption through the AMD Secure Processor.
- NVIDIA
- H100 TensorCore GPU - Hardware-based trusted execution environment with NVIDIA Hopper and NVIDIA Blackwell architecture support.
- Hopper Architecture - Accelerated computing platform for AI.
- Blackwell Architecture - Latest HW generation with accelerated computing and generative AI optimizations.
- RISC-V
- Keystone - Open Framework for architecting Trusted Execution Environments built on RISC-V.
- ARM
- Confidential Compute Architecture (CCA) - Under development. Key component of the Armv9-A architecture.
- TrustZone - Isolates critical security firmware, assets and private information for Armv8-M based devices.
- OP-TEE - Companion TEE for a non-secure Linux kernel running on ARM; Cortex-A cores using the TrustZone technology.
- OpenTitan
- OpenTitan - Open source project building a reference design and integration guidelines for silicon root of trust (RoT) chips.
- lowRISC/opentitan - Open source silicon root of trust.
Major cloud providers offering virtual machines or services utilizing TEE hardware.
- Google Cloud
- Confidential Accelerator for AI workloads - Supports Intel TDX with Intel AMX, and NVIDIA H100 GPUs.
- Confidential VMs - Supports AMD SEV, AMD SEV-SNP, and Intel TDX.
- Confidential Space - Supports trust model where the workload author, workload operator, and resource owners are separate, mutually distrusting parties.
- Confidential VM attestation - Attestation support for AMD SEV (vTPM), AMD SEV-SNP (vTPM and TSM), and Intel TDX (vTPM and TSM).
- Amazon AWS
- Microsoft Azure
- Oracle Cloud
- Alibaba Cloud
Examples of how TEEs are being used or proposed within the blockchain ecosystem.
- AI
- TEN Protocol - Website, ten-protocol GitHub
- Aizel Network - Website, AizelNetwork GitHub
- ELIZA in TEE - TEE plugin for ELIZA (using dstack from Phala)
- Block Building & MEV Mitigation
- Jito BAM - Website
- Unichain - Website, Whitepaper
- Identity
- Self Protocol - Website, selfxyz GitHub
- Bridging
- Avalanche Bridge - Website, ava-labs GitHub
- Oracles
- Quex - Website, quex-tech GitHub
- Asset Management & Wallets
- Turnkey - Website, tkhq GitHub
- Lit Protocol - Website, LIT-Protocol GitHub
- Fireblocks - Website, fireblocks GitHub
- Cycles Money - Website
- Solana Saga Seed Vault - Website, solana-mobile GitHub
- General Off-Chain Compute
- Sui Nautilus - Website, MystenLabs GitHub
- Marlin Protocol - Website, marlinprotocol GitHub
- Phala Network - Website, Phala-Network GitHub
- Automata Network - Website, automata-network GitHub
- Clique Network - Website
- Privacy & Confidentiality
- Oasis Protocol - Website, oasisprotocol GitHub
- Secret Network - Website, scrtlabs GitHub
- Enclave Markets - Website
- Rollups & Coprocessors
- Taiko - Website, taikoxyz GitHub
Software related to TEEs in the context of blockchain, libraries, and example implementations.
- MystenLabs/nautilus - Nautilus: Verifiable offchain computation on Sui.
- Dstack-TEE/dstack - Dstack is a developer friendly and security first SDK to simplify the deployment of arbitrary Docker-based apps into TEE.
- marlinprotocol/oyster-serverless - Oyster Serverless is a cutting-edge, high-performance serverless computing platform designed to securely execute JavaScript (JS) and WebAssembly (WASM) code in a highly controlled environment.
- Phala-Network/phala-blockchain - The Phala Network Blockchain, pRuntime and the bridge.
- kata-containers/kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.
- taikoxyz/raiko - Multi-proofs for Taiko. SNARKS, STARKS and Trusted Execution Enclave.
- enarx/drawbridge - A Confidential Computing-Aware Workload Repository.
- enarx/steward - A Confidential Computing-Aware Certificate Authority.
- confidential-containers/guest-components - Confidential Containers Guest Tools and Components.
- kinvolk/azure-cvm-tooling - Libraries and tools for Confidential Computing on Azure.
- HyperEnclave/hyperenclave - An Open and Cross-platform Trusted Execution Environment.
- mobilecoinfoundation/mobilecoin - Private payments for mobile devices.
- integritee-network/worker - Integritee off-chain worker and sidechain validateer.
- capsule-corp-ternoa/ternoa-node - Ternoa's Node Implementation.
- automata-network/automata - Automata Network is a modular attestation layer that extends machine trust to Ethereum with TEE Coprocessors.
- apache/incubator-teaclave - Apache Teaclave (incubating) is an open source universal secure computing platform, making computation on privacy-sensitive data safe and simple.
- scrtlabs/incubator-teaclave-sgx-sdk - Rust SGX SDK provides the ability to write Intel SGX applications in Rust Programming Language. Fork of
apache/incubator-teaclave-sgx-sdk.
- google/go-tpm-tools - Go packages built on go-tpm providing a high-level API for using TPMs.
- google/go-sev-guest - Library to wrap the /dev/sev-guest device in Linux, as well as a library for attestation verification of fundamental components of an attestation report.
- google/go-tdx-guest - Library to wrap the /dev/tdx-guest device in Linux, as well as a library for attestation verification of fundamental components of an attestation quote.
- matter-labs/vault-auth-tee - Hashicorp Vault plugin for authenticating Trusted Execution Environments (TEE) like SGX enclaves.
- usbarmory/GoTEE - Go Trusted Execution Environment (TEE).
- iotexproject/w3bstream - An offchain computing layer for DePIN verifiable data computation, supporting a variety of validity proofs including Zero Knowledge (ZK), Trusted Execution Environments (TEE), and Multi-party Computation (MPC).
- oasisprotocol/oasis-core - Performant and Confidentiality-Preserving Smart Contracts + Blockchains.
- hyperledger/fabric-private-chaincode - FPC enables Confidential Chaincode Execution for Hyperledger Fabric using Intel SGX.
- Microsoft/confidential-container-demos - Demos for running containers in confidential environments on Azure.
- intel/linux-sgx - Intel SGX SDK and Platform Software (PSW) for Linux.
- NixOS/nix - Nix, the purely functional package manager.
- microsoft/azure-tee-attestation-samples - Trusted Execution Environment examples leveraging attestations on Azure.
- lsds/Teechain - Teechain: A Secure Payment Network with Asynchronous Blockchain Access.
- skalenetwork/sgxwallet - Opensource high-performance hardware secure crypto wallet that is based on Intel SGX technology. First opensource product on Intel SGX whitelist. Scales to 100,000+ transactions per second. Currently supports ETH and SKALE, and will support BTC in the future. Sgxwallet is under heavy development and use by SKALE network.
- hyperledger-labs/private-data-objects - The Private Data Objects lab provides technology for confidentiality-preserving, off-chain smart contracts.
- openenclave/openenclave - SDK for developing TEE applications (enclaves) across different hardware platforms (SGX, OP-TEE).
- gramineproject/gramine - A library OS for Linux multi-process applications, with Intel SGX support.
- iisec-suzaki/optee-ra - OP-TEE Remote Attestation.
- pietroborrello/CustomProcessingUnit - The first analysis framework for CPU microcode.
- deislabs/mystikos - Tools and runtime for launching unmodified container images in Trusted Execution Environments.
- mofanv/PPFL - Privacy-preserving Federated Learning with Trusted Execution Environments.
- inclavare-containers/inclavare-containers - A novel container runtime, aka confidential container, for cloud-native confidential computing and enclave runtime ecosystem.
- WASM
- enarx/enarx - Enarx: Confidential Computing with WebAssembly.
- Shell
- flashbots/yocto-manifests - Repo Manifests for the Yocto Project Build System for reproducible TEE builds
- Python
- ethernity-cloud/mvp-pox-node - Ethernity Cloud Node.
- TypeScript
- tkhq/sdk - Turnkey TypeScript SDK.
- Nix
- aws/uefi - EDK2 changes for reproducible UEFI binaries on Nitro.
Documented attacks or attack vectors on TEEs. List is WIP.
Classes: TE – transient/speculative; MDS – microarchitectural data sampling; FI – fault injection; AL – architectural leakage; PR – protocol/design.
| Year | Name | Class | Affected TEEs | CVE(s) | Summary | Key Mitigations |
|---|---|---|---|---|---|---|
| 2018 | Foreshadow / L1TF | TE | Intel SGX, VMs, OS kernels | CVE‑2018‑3615, CVE‑2018‑3620, CVE‑2018‑3646 | Read enclave/VM/kernel secrets via L1D leaks | Microcode updates, L1D flush on enclave transitions, OS patches, SGX TCB recovery |
| 2018 | SEVered | PR / VM isolation | AMD SEV (pre‑SNP) | 1812.01129 | Malicious hypervisor remaps guest pages to exfiltrate plaintext | Move to SEV‑SNP (integrity protection), stronger guest validation |
| 2019 | MDS family (RIDL, Fallout, ZombieLoad) | MDS / TE | Intel SGX, VMs | CVE‑2018‑12126, CVE‑2018‑12127, CVE‑2018‑12130, CVE‑2019‑11091 | Leakage from CPU buffers into enclaves/VMs | Microcode buffer clearing, stronger serialization, sometimes disable HT |
| 2019 | Plundervolt | FI | Intel SGX | CVE‑2019‑11157 | Software‑controlled undervolting corrupts enclave computation & leaks secrets | Lock MSR undervolt interface (uCode), disable voltage control, protocol‑level FI checks |
| 2019 | TSX Asynchronous Abort (TAA) | TE / MDS | Intel SGX, VMs | CVE‑2019‑11135 | Additional transient leaks tied to TSX | Microcode, disable TSX, serialize on transitions |
| 2019 | SGX-Step | SC / Tooling | Intel SGX | 1611.06952 | Fine‑grained interrupting boosts side‑channel resolution | Rate‑limit interrupts, constant‑time/data‑oblivious coding |
| 2020 | Load Value Injection (LVI) | TE | Intel SGX | CVE‑2020‑0551 | Inject values into victim’s transient path | Compiler‑inserted LFENCEs/serialization; Intel LVI toolchain |
| 2020 | CacheOut | MDS / TE | Intel SGX | CVE‑2020‑0549 | Extract data from L1D despite prior mitigations | Stronger L1D flush/serialization; enclave transition hardening |
| 2020 | CrossTalk | MDS | Intel SGX | CVE‑2020‑0543 | Cross‑core leakage via shared buffers | Microcode fixes; synchronization/isolation |
| 2022 | ÆPIC Leak | AL | Intel SGX | CVE‑2022‑21233 | Architectural leak of stale data via APIC MMIO (no speculation) | Microcode/firmware updates, sanitize APIC reads, kernel patches |
| 2023 | Downfall / Gather Data Sampling (GDS) | TE | Intel SGX, VMs | CVE‑2022‑40982 | GATHER instruction leaks vector register data | Microcode; serialization barriers; toolchain guidance |
| 2023 | Inception / Phantom Speculation (AMD) | TE | AMD SEV/SNP (indirectly affects CC VMs) | CVE‑2023‑20569 | Speculation attack on Zen CPUs | Microcode/firmware updates; speculation barriers |
TEEs on social media.
- Tweet threads
- @P3b7_, Donjon Ledger analysis of Trezor Safe 3
- @CP2426_, focEliza Verifiable Terminal Release
- @_markel___, Extraction of Intel SGX Fuse Key0
- @PratyushRT, Breakdown of the Intel SGX (TEE) breach
- @buchmanster, TEE, ZK, FHE and MPC
- @buchmanster, How you win friends and TEE-fluence people - Chapter 2
- @DistributedMarz, Flashwares Live Session
- Podcasts
- AI Confidential - Podcast and newsletter.
- Community
- Flashbots Collective Forum - Discussions often touch on TEE usage for MEV mitigation and block building.
- Confidential Containers Community - Open-source project enabling cloud-native confidential computing by shielding containerized workloads.
- Confidential Computing Consortium - Linux Foundation project advancing confidential computing.
- sbellem/qtee - Exploring the physical limits of trusted hardware in the classical and quantum settings to achieve security through physics.
- bpradipt/awesome-confidential-computing - Collection of resources on Confidential Computing.
- erayack/awesome-sgx-blockchain - Awesome SGX and TEE on Blockchain Resources.
- orbstack/orbstack - Fast, light, simple Docker containers & Linux machines.
- TEE Bible - Your First Stop for TEE in Crypto.