Azure Unblogged - Azure Confidential Computing

In answer to the comment whether hardware-based encryption of trusted execution environments bring performance penalty.

Let's take the case of Intel SGX enclaves, that provide hardware enforced confidentially and integrity guarantees for running computations. This is achieved mainly by encrypting all information as it leaves the CPU, effectively shielding data in the memory from external observers.

Yes, there is an overhead of running computations inside an enclave. You would expect some overhead due to the added encryption and decryption complexity. In addition, extra security measures such as integrity tests and memory usage limitations can also effect performance.

The performance overheads can result from two main aspects: first is the actual overhead of executing CPU instructions and accessing the encrypted memory in an enclave. The second is the overhead associated with entering and exiting an enclave.

It's hard to provide exact figures on performance impact. A lot depends on the data volume that is processed.

• When running on large inputs, code running inside enclaves can typically achieve very high throughput, on par with code running outside enclaves.
• For small inputs, there may be some overhead of invoking enclave calls. This is because enclaves are only invoked via a special interface called ECALL. The ECALLs are known to have a performance impact due to the CPU’s context switches.