Skip to main content

Practical CoCo

A practical, opinionated handbook on confidential computing and Trusted Execution Environments (TEEs).

What this is

Most TEE documentation is either academic or vendor-specific marketing. Engineers evaluating or building on TEEs need practical guidance: what to verify, what you're trusting, where verification stops, and what tools exist. This handbook fills that gap.

The central idea

Attestation generates hardware-rooted proof that specific code ran on genuine TEE hardware. Verification is what makes that proof meaningful. Without pinning expected measurements and checking them, you're collecting signed claims no one validates — and anyone can generate those.

The question isn't "are we using TDX?" It's "what exactly can we verify, and what are we silently trusting?" Every deployment sits somewhere on a spectrum from compile everything from source, down to firmware to trust the cloud provider for the infrastructure layer and verify the application. This handbook calls that the trust cursor. Every section helps you understand where you are on it, and how to move deliberately.

Who this is for

  • Security engineers evaluating TEEs for their infrastructure
  • Developers building applications on TEE platforms
  • Technical decision-makers assessing trust assumptions before committing to a TEE strategy

How to read this

Start with Foundations — it establishes the mental model you need before picking any platform or tool. No vendor specifics, just the concepts that matter.

Then dive into platform-specific sections as they become available.

Principles

  • Practical over theoretical — real verification steps, real tools, real bugs encountered
  • Honest about limitations — every section surfaces what you can't verify and must trust
  • Progressive disclosure — foundations first, then platform specifics, then patterns