SEED: A Minimal‑Footprint TEE Framework for Verifiable, Confidential Microservice Deployment
Authors: Omar Jarkas (The University of Queensland), Ryan K L Ko (The University of Queensland), Naipeng Dong (The University of Queensland), Redowan Mahmud (Curtin University)
Volume: 2026
Issue: 1
Pages: 411–425
DOI: https://doi.org/10.56553/popets-2026-0021
Abstract: We present SEED, a system that enables the deployment of distributed privacy-preserving micro-services in the cloud while maintaining the secrecy of user code and data and ensuring correct, complete results. Unlike prior approaches that minimize the TCB by pushing large parts of the software stack outside the enclave, SEED includes the entire container software stack—from the application layer up to the operating system—inside the TCB. This holistic design protects proprietary software, datasets, and optional ML models from exposure; prevents leakage of sensitive inputs or queries; and thwarts metadata-inference attacks that could reveal workload identity or versioning. Yet we achieve an optimized TCB (22 MB in total), over 30× smaller than the typical 690 MB TCB for confidential privacy-enhancing VMs. In practice, SEED runs on AMD SEV-SNP–capable machines and supports real container workloads (i.e., TensorFlow, OpenVINO inference, PyTorch training, Redis, NGINX, Apache httpd). We demonstrate that SEEDCore matches or outperforms mainstream runtime workload deployment, staying within 5% of native throughput and reaching up to 6× higher performance on CPU-bound jobs. Finally, we conduct a thorough privacy and security evaluation against 11 cloud attack vectors and show that SEED blocks or confines every exploit that remains possible even under the state-of-the-art Gramine-TDX model, thanks to late binding, per-container PCR chains, and continuous in-TEE attestation throughout the workload’s lifetime.
Keywords:
Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
