How Confidential Containers Secure AI Workloads with Zero‑Trust TEE on Alibaba Cloud
This article explains the architecture and practical steps for deploying confidential containers using Intel TDX and Alibaba Cloud ACK, detailing threat models, security features, remote attestation, and AI workload protection while maintaining performance and cost efficiency.
Enterprises increasingly demand data privacy, prompting the extension of trusted infrastructure from storage and networking to a closed‑loop trusted computing layer. Confidential computing, especially using Trusted Execution Environments (TEE) like Intel TDX, enables applications to run securely without risk from other tenants, platform operators, or internal ops teams.
Alibaba Cloud, DAMO Academy OS Lab, Intel, and the Dragonfly community jointly released a reference architecture for Confidential Containers (CoCo) on the cloud. By using ACK TDX confidential sandbox container node pools, enterprises can achieve end‑to‑end zero‑trust protection for applications, data, and models.
Container Runtime Threats
The article identifies five primary runtime threats that can expose sensitive data in tenant containers:
Unauthorized deployment
Misconfiguration
Malicious images
Vulnerability exploitation
Privilege escalation and memory‑based attacks
Mitigation strategies include OPA policy governance for unauthorized deployment, configuration inspection for misconfiguration, image scanning and BinaryAuth admission control for malicious images, CVE remediation for vulnerability exploitation, and confidential VMs or sandbox containers for the fifth threat, privilege escalation and memory‑based attacks, which the other controls cannot address because they do not protect memory from the host.
Zero‑Trust Security Measures
Key cloud security services—RAM, KMS, BYOK storage encryption, VPC, security groups, identity and access management—address storage and network trust, but compute trust remains a challenge. The solution adopts a "never trust, always verify" mindset, minimizing permissions and enforcing zero‑trust across all components.
Confidential Container Deployment Steps
Select Intel‑based ECS 8th‑gen physical or virtual machines to build TEE sandbox container or confidential VM node pools.
Deploy the remote attestation and proxy services from the ACK Marketplace (for example, helm install coco-kbs).
Install the coco-operator, which registers the new runtimes (kata-dragonball-tdx, kata-qemu-tdx, and an enhanced runc) as RuntimeClasses (helm install coco-operator).
Remote Attestation Architecture
ACK offers a multi‑tenant remote attestation framework that establishes full‑stack trust from hardware to software. An Attestation Agent runs inside the TEE, collects evidence, and sends it to a Key Broker Service (KBS). The KBS forwards evidence to an Attestation Service for verification, then returns proof and secret resources to the TEE, ensuring the integrity of code, configuration, and inputs.
The system is modular and plugin‑based, supporting multiple TEE platforms. KBS exposes RESTful APIs and integrates storage plugins and an OPA‑based policy engine for customizable attestation policies.
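The exchange described above, simulated end to end as an added example that is not part of the original article or of the CoCo project code: an Attestation Agent asks the KBS for a nonce, binds that nonce into a quote over the TD measurements, the KBS hands the quote to the Attestation Service, which checks the signature, the nonce binding and a reference-value policy, and only an attested session may fetch a resource. The TDX quote signature is stood in for by an HMAC with a key only the "hardware" holds, the register names, reference values and resource names are constructed, and the real KBS REST endpoints and OPA policy language are not modelled.

```python
"""Simplified simulation of the Agent -> KBS -> Attestation Service flow.

All keys, measurements and resource names below are constructed for the
example; the HMAC stands in for the TDX quote signature and a dict stands
in for the OPA reference-value policy.
"""
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the TDX quoting key held only by the hardware.
HARDWARE_KEY = b"constructed-tdx-quoting-key"

# Constructed reference measurements the Attestation Service trusts.
REFERENCE_VALUES = {"mrtd": "a" * 64, "rtmr0": "b" * 64}


def generate_quote(measurements, report_data):
    """'Hardware' side: bind the TD measurements to caller-supplied report data."""
    body = json.dumps({"measurements": measurements,
                       "report_data": report_data.hex()}, sort_keys=True).encode()
    return {"body": body.decode(),
            "signature": hmac.new(HARDWARE_KEY, body, hashlib.sha256).hexdigest()}


class AttestationService:
    """Verifies a quote and evaluates the reference-value policy."""

    def verify(self, quote, expected_report_data):
        body = quote["body"].encode()
        expected = hmac.new(HARDWARE_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, quote["signature"]):
            return {"allow": False, "reason": "quote signature invalid"}
        claims = json.loads(body)
        if claims["report_data"] != expected_report_data.hex():
            return {"allow": False, "reason": "report_data does not match nonce"}
        return self.policy(claims["measurements"])

    @staticmethod
    def policy(measurements):
        # Stands in for the OPA policy: every reference register must match.
        for reg, ref in REFERENCE_VALUES.items():
            if measurements.get(reg) != ref:
                return {"allow": False, "reason": f"{reg} does not match reference"}
        return {"allow": True, "reason": "ok"}


class KeyBrokerService:
    """Issues nonces, relays evidence to the AS, releases resources to attested TEEs."""

    def __init__(self, attestation_service):
        self.attestation_service = attestation_service
        self.sessions = {}
        self.resources = {"model-key": "constructed-model-decryption-key"}

    def auth(self, session_id):
        nonce = secrets.token_bytes(32)  # fresh per session, defeats replay
        self.sessions[session_id] = {"nonce": nonce, "attested": False}
        return nonce

    def attest(self, session_id, quote):
        sess = self.sessions[session_id]
        expected_report_data = hashlib.sha256(sess["nonce"]).digest()
        result = self.attestation_service.verify(quote, expected_report_data)
        sess["attested"] = result["allow"]
        return result

    def get_resource(self, session_id, name):
        sess = self.sessions.get(session_id)
        if not sess or not sess["attested"]:
            raise PermissionError("resource released only to attested sessions")
        return self.resources[name]


def agent_fetch_secret(kbs, measurements, session_id):
    """Attestation Agent inside the TEE: nonce -> quote -> attest -> resource."""
    nonce = kbs.auth(session_id)
    quote = generate_quote(measurements, hashlib.sha256(nonce).digest())
    result = kbs.attest(session_id, quote)
    if not result["allow"]:
        return None, result["reason"]
    return kbs.get_resource(session_id, "model-key"), result["reason"]


def demo():
    """Three scenarios: matching TD, drifted measurement, quote tampered after signing."""
    kbs = KeyBrokerService(AttestationService())
    ok_secret, _ = agent_fetch_secret(kbs, dict(REFERENCE_VALUES), "td-ok")
    drifted = dict(REFERENCE_VALUES, rtmr0="c" * 64)
    bad_secret, bad_reason = agent_fetch_secret(kbs, drifted, "td-drift")
    nonce = kbs.auth("td-tamper")
    quote = generate_quote(drifted, hashlib.sha256(nonce).digest())
    quote["body"] = quote["body"].replace("c" * 64, "b" * 64)  # edit after signing
    tampered = kbs.attest("td-tamper", quote)
    return {"ok_secret": ok_secret, "bad_secret": bad_secret,
            "bad_reason": bad_reason, "tampered_reason": tampered["reason"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the simulation makes is that the secret never leaves the KBS on the word of the guest: the signature check ties the claims to the hardware, the nonce ties them to this session, and the policy ties them to the reference values the operator chose.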
RunD Secure Container Support
RunD, an open‑source secure container solution from the Dragonfly community, includes the Rust Kata runtime and Dragonball VMM. It has been upstreamed to Kata Containers 3.0.0 and now supports TDX hardware, providing end‑to‑end confidential container capabilities.
AI Workload Protection
Leveraging Intel® TDX and Alibaba Cloud's fourth‑generation Xeon® with AMX acceleration, ACK confidential containers enable secure, high‑performance AI inference and fine‑tuning. Features include encrypted model storage, encrypted private application images, and less than 3% performance overhead.
BigDL LLM can be deployed on ACK confidential containers for secure large‑language‑model inference and fine‑tuning, with end‑to‑end encryption of data and models via KMS, BYOK OSS, and sealed secrets.
Additional Security Practices
Use dm-verity together with remote attestation to verify guest rootfs integrity, so the root hash the kernel enforces is itself part of the attested measurements.
Define OPA policies that measure container metadata (environment variables, mount points, OCI API requests) before the runtime honours them.
Employ image signing (Cosign/Sigstore, GPG) and image encryption so that only a verified image can be pulled and only the TEE can decrypt it.
Store sensitive configuration in sealed secrets that are decrypted only inside the TEE after attestation succeeds.
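To make the first practice concrete, here is a simplified dm-verity style hash tree, written for this summary as an added example rather than taken from the kernel or from the CoCo project. A rootfs image is split into fixed-size blocks, each leaf is sha256(salt || block), internal nodes hash their two children, and the root hash is the single value attestation has to vouch for; any block can then be checked through its authentication path without trusting the rest of the image. The block size, salt and image contents are constructed, and real dm-verity packs hashes into hash blocks and verifies on read rather than in Python.

```python
"""Simplified dm-verity style hash tree (added example, constructed data)."""
import hashlib

BLOCK_SIZE = 64               # constructed; dm-verity typically uses 4096
SALT = b"constructed-salt"    # constructed; dm-verity salts every hash


def _h(data):
    return hashlib.sha256(data).digest()


def split_blocks(image):
    """Cut the image into BLOCK_SIZE blocks, zero-padding the last one."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    if not blocks:
        blocks = [b""]
    blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks


def build_tree(image):
    """Return the tree as a list of levels, leaves first; levels[-1][0] is the root."""
    level = [_h(SALT + b) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]          # duplicate an odd trailing node
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(image):
    """The value that goes into the attested measurements / verity superblock."""
    return build_tree(image)[-1][0].hex()


def verify_block(block, index, levels, expected_root):
    """Check one data block against the trusted root via its sibling path."""
    node = _h(SALT + block)
    for level in levels[:-1]:
        sib_index = index ^ 1
        sib = level[sib_index] if sib_index < len(level) else level[index]
        node = _h(node + sib) if index % 2 == 0 else _h(sib + node)
        index //= 2
    return node.hex() == expected_root


def demo():
    """Constructed 5-block image: all blocks verify, one flipped byte is caught."""
    image = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5))
    levels = build_tree(image)
    root = root_hash(image)
    blocks = split_blocks(image)
    clean = all(verify_block(b, i, levels, root) for i, b in enumerate(blocks))
    tampered = bytearray(blocks[3])
    tampered[10] ^= 0x01                           # single-bit change in block 3
    detected = not verify_block(bytes(tampered), 3, levels, root)
    return {"root": root, "clean": clean, "tamper_detected": detected}


if __name__ == "__main__":
    print(demo())
```

The hash tree itself can live on untrusted storage next to the image: if an attacker rewrites both a data block and the tree nodes above it, the recomputed root no longer equals the one carried in the attested measurements, which is why the root hash, and not the tree, is what the remote attestation policy has to pin.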
Overall, the confidential container solution integrates compute, storage, and network trust, delivering a zero‑trust platform for AI, finance, healthcare, and other sensitive workloads.
Alibaba Cloud Native
We publish cloud-native tech news, curate in-depth content, host regular events and live streams, and share Alibaba product and user case studies. Join us to explore and share the cloud-native insights you need.