undefined | Better HN

0 pointsbjackman4mo ago0 comments

> no one, not even people operating the inference hardware

You need to be careful with these claims IMO. I am not involved directly in CoCo so my understanding lacks nuance but after https://tee.fail I came to understand that basically there's no HW that actually considers physical attacks in scope for their threat model?

The Ars Technica coverage of that publication has some pretty yikes contrasts between quotes from people making claims like yours, and the actual reality of the hardware features.

https://arstechnica.com/security/2025/10/new-physical-attack...

My current understanding of the guarantees here is:

- even if you completely pwn the inference operator, steal all root keys etc, you can't steal their customers' data as a remote attacker

- as a small cabal of arbitrarily privileged employees of the operator, you can't steal the customers' data without a very high risk of getting caught

- BUT, if the operator systematically conspires to steal the customers' data, they can. If the state wants the data and is willing to spend money on getting it, it's theirs.

0 comments

macrael4mo ago

I'm happy to be careful, you are right we are relying on TEEs and vTPMs as roots of trust here and TEEs have been compromised by attackers with physical access.

This is actually part of why we think it's so important to have the non-targetability part of the security stack as well, so that even if someone where to physically compromise some machines at a cloud provider, there would be no way for them to reliably route a target's requests to that machine.

michaelt4mo ago

> I came to understand that basically there's no HW that actually considers physical attacks in scope for their threat model?

xbox, playstation, and some smartphone activation locks.

Of course, you may note those products have certain things in common...

bjackmanOP4mo ago

Yeah that's a good point, I don't call that confidential compute though it's a different use case.

CoCo = protecting consumer data from the industry. DRM = protecting industry bullshit from the consumer.

TBF my understanding is that in the DRM usecases they achieve actual security by squeezing the TCB into a single die. And I think if anyone tries, they generally still always get pwned by physical attackers even though it's supposedly in scope for the threat model.

bragr4mo ago

All things that were compromised with physical attacks? What are mod chips if not physical attack as a service?

jon-wood4mo ago

I'm not aware of working jailbreaks for either Xbox Series or PS5. Its possible that's just a matter of time, but they've both been out for quite a while now it seems like the console manufacturers have finally worked out how to secure them.

1 more reply

zeusk4mo ago

Nvidia has been investing in confidential compute for inference workloads in cloud - that covers physical ownership/attacks in their thread model.

https://www.nvidia.com/en-us/data-center/solutions/confident...

https://developer.nvidia.com/blog/protecting-sensitive-data-...

bjackmanOP4mo ago

It's likely I'm mistaken about details here but I _think_ tee.fail bypassed this technology and the AT article covers exactly that.

j / k navigate · click thread line to collapse

0 pointsbjackman4mo ago0 comments

> no one, not even people operating the inference hardware

The Ars Technica coverage of that publication has some pretty yikes contrasts between quotes from people making claims like yours, and the actual reality of the hardware features.

https://arstechnica.com/security/2025/10/new-physical-attack...

My current understanding of the guarantees here is:

- even if you completely pwn the inference operator, steal all root keys etc, you can't steal their customers' data as a remote attacker

- as a small cabal of arbitrarily privileged employees of the operator, you can't steal the customers' data without a very high risk of getting caught

- BUT, if the operator systematically conspires to steal the customers' data, they can. If the state wants the data and is willing to spend money on getting it, it's theirs.

0 comments

macrael4mo ago

I'm happy to be careful, you are right we are relying on TEEs and vTPMs as roots of trust here and TEEs have been compromised by attackers with physical access.

michaelt4mo ago

> I came to understand that basically there's no HW that actually considers physical attacks in scope for their threat model?

xbox, playstation, and some smartphone activation locks.

Of course, you may note those products have certain things in common...

bjackmanOP4mo ago

Yeah that's a good point, I don't call that confidential compute though it's a different use case.

CoCo = protecting consumer data from the industry. DRM = protecting industry bullshit from the consumer.

bragr4mo ago

All things that were compromised with physical attacks? What are mod chips if not physical attack as a service?

jon-wood4mo ago

1 more reply

zeusk4mo ago

Nvidia has been investing in confidential compute for inference workloads in cloud - that covers physical ownership/attacks in their thread model.

https://www.nvidia.com/en-us/data-center/solutions/confident...

https://developer.nvidia.com/blog/protecting-sensitive-data-...

bjackmanOP4mo ago

It's likely I'm mistaken about details here but I _think_ tee.fail bypassed this technology and the AT article covers exactly that.

j / k navigate · click thread line to collapse