> no one, not even people operating the inference hardware
You need to be careful with these claims IMO. I am not involved directly in CoCo so my understanding lacks nuance but after https://tee.fail I came to understand that basically there's no HW that actually considers physical attacks in scope for their threat model?
The Ars Technica coverage of that publication has some pretty yikes contrasts between quotes from people making claims like yours, and the actual reality of the hardware features.
https://arstechnica.com/security/2025/10/new-physical-attack...
My current understanding of the guarantees here is:
- even if you completely pwn the inference operator, steal all root keys etc, you can't steal their customers' data as a remote attacker
- as a small cabal of arbitrarily privileged employees of the operator, you can't steal the customers' data without a very high risk of getting caught
- BUT, if the operator systematically conspires to steal the customers' data, they can. If the state wants the data and is willing to spend money on getting it, it's theirs.
I'm happy to be careful, you are right we are relying on TEEs and vTPMs as roots of trust here and TEEs have been compromised by attackers with physical access.
This is actually part of why we think it's so important to have the non-targetability part of the security stack as well, so that even if someone were to physically compromise some machines at a cloud provider, there would be no way for them to reliably route a target's requests to that machine.
Yeah, that's a good point. I don't call that confidential compute, though; it's a different use case.
CoCo = protecting consumer data from the industry. DRM = protecting industry bullshit from the consumer.
TBF my understanding is that in the DRM use cases they achieve actual security by squeezing the TCB into a single die. And I think if anyone tries, they generally still always get pwned by physical attackers even though it's supposedly in scope for the threat model.
I'm not aware of working jailbreaks for either Xbox Series or PS5. It's possible that's just a matter of time, but they've both been out for quite a while now; it seems like the console manufacturers have finally worked out how to secure them.
Older firmware versions of PS5 are in fact jailbroken (google ps5 jailbreak and you’ll find a bunch of info). I’m not aware of any for Xbox Series but I think that’s more due to lack of interest and the fact that you can run homebrew in development mode already.