SOFAEnclave Confidential Computing Stack: Occlum, HyperEnclave, and KubeTEE Overview

This article introduces the SOFAEnclave confidential computing solution, detailing its three components—Occlum, HyperEnclave, and KubeTEE—explaining how they address practical challenges of enclave development, integration with cloud‑native environments, and secure large‑scale Kubernetes deployments.

AntTech

In an era where data security and privacy are increasingly emphasized, confidential computing has become a frontier technology attracting attention from internet companies worldwide. Ant Group has built the SOFAEnclave confidential computing solution, and this article systematically explains its components and how they solve real‑world deployment challenges.

Cloud‑native concepts have become mainstream, yet many critical and sensitive applications still stay off the cloud because their owners do not trust the infrastructure. To address this, Ant Group proposes the notion of "trustworthy native": making the infrastructure itself demonstrably trustworthy rather than asking tenants to take it on faith.

Trustworthy native technology covers platform trust, secure storage, communication security, and the focus of this article, confidential computing. By running code inside a hardware‑provided Trusted Execution Environment (an Enclave), confidential computing keeps an application's code and data confidential and integrity‑protected even against a compromised operating system, hypervisor, or co‑tenant on the same machine. The hardware does not, however, protect an application from its own bugs: everything placed inside the Enclave becomes part of the trusted computing base (TCB), which is why keeping that TCB small is a recurring theme in the components below.

However, practical adoption of confidential computing faces several challenges: Enclaves are restrictive environments with unfamiliar programming interfaces and models; developers must learn multiple Enclave architectures; and mainstream cluster schedulers lack Enclave support, limiting large‑scale use.

To overcome these challenges, Ant Group developed the SOFAEnclave stack, divided into three parts as illustrated in the diagram.

1. Occlum: Making Confidential Computing Accessible to Everyone

Occlum is an open‑source library OS (LibOS) that exposes POSIX interfaces inside the Enclave, supports multiple languages (C/C++, Java, Python, Go, Rust), and provides an encrypted, integrity‑protected file system. Because it presents a Linux‑compatible Enclave runtime, existing applications can run inside SGX with little or no source change. Occlum has been widely adopted in industry and was presented at ASPLOS 2020.

Occlum is the default runtime for Alibaba's Inclavare Containers, collaborates with projects like Hyperledger Avalon, and has been donated to the Confidential Computing Consortium (CCC). Microsoft Azure also recommends Occlum for confidential computing on Azure.

Occlum repository: https://github.com/occlum/occlum
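To make the "minimal changes" claim concrete, here is the end‑to‑end workflow for putting an ordinary C program into an Occlum enclave. This is an added example written for this article, not a script from the Occlum repository; it assumes the Occlum SDK is installed (for instance inside the official occlum/occlum Docker image) so that `occlum-gcc` and `occlum` are on PATH, and it uses the `occlum new` / `occlum build` / `occlum run` commands from the project's README. The program itself calls only libc/POSIX functions, which is the whole point of a LibOS.

```shell
#!/bin/sh
# Added example, not taken from the Occlum project's own documentation.
# Assumption: the Occlum SDK is installed (e.g. the occlum/occlum Docker
# image) so that occlum-gcc and occlum are on PATH.
set -eu

# Scratch directory for the demo; override with OCCLUM_DEMO_DIR if desired.
DEMO_DIR="${OCCLUM_DEMO_DIR:-${TMPDIR:-/tmp}/occlum_hello_demo}"

# True when both the Occlum toolchain and the occlum CLI are available.
occlum_available() {
  command -v occlum >/dev/null 2>&1 && command -v occlum-gcc >/dev/null 2>&1
}

# Step 1: an ordinary C program. Nothing here is enclave-specific; it uses
# only POSIX/libc calls, so the same source would build with plain gcc.
write_hello_source() {
  mkdir -p "$DEMO_DIR"
  cat > "$DEMO_DIR/hello.c" <<'EOF'
#include <stdio.h>
#include <unistd.h>

int main(void) {
    /* Inside Occlum, getpid() is answered by the LibOS, not by the host kernel. */
    printf("hello from enclave, libos pid=%d\n", (int)getpid());
    return 0;
}
EOF
}

# Step 2: compile with the Occlum (musl-based) toolchain and package it.
#   occlum new    creates occlum_instance/ with Occlum.json and an image/ root FS
#   occlum build  packs image/ into the enclave's protected FS and measures the enclave
#   occlum run    launches the program inside the SGX enclave
# Runs in a subshell so the caller's working directory is untouched.
run_hello_in_enclave() {
  ( cd "$DEMO_DIR" \
    && occlum-gcc -O2 -o hello hello.c \
    && rm -rf occlum_instance \
    && occlum new occlum_instance \
    && cd occlum_instance \
    && cp ../hello image/bin/ \
    && occlum build \
    && occlum run /bin/hello )
}

# Stand-alone usage: only attempt the enclave build when the SDK is present.
if occlum_available; then
  write_hello_source
  run_hello_in_enclave
else
  echo "Occlum SDK not found on PATH; nothing built." >&2
fi
```

Two things are worth noticing when running this. Everything under `image/` is what the enclave sees as its root file system, so any library or config the program needs must be copied there before `occlum build`; and `occlum build` is the step that fixes the enclave's measurement, so rebuilding after changing `image/` or `Occlum.json` changes the value a remote verifier will see during attestation.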

Occlum is exploring new features such as an embedded mode, allowing applications to link Occlum as a library for a smaller TCB while retaining rich interfaces.

2. HyperEnclave: Providing a Unified Enclave Abstraction

HyperEnclave abstracts over different Enclave hardware platforms. It supports applications written against existing SDKs (e.g., the Intel SGX SDK) and can even provide virtualized Enclaves on machines without native Enclave extensions, using a "Type 1.5" hypervisor as the isolation boundary. Trusted boot and remote attestation are rooted in TPM/TXT, and where the hardware offers memory encryption (Intel MKTME/TDX or AMD SEV) HyperEnclave can use it to keep Enclave memory encrypted in DRAM.

The hypervisor's design principles are: a minimal TCB written in Rust and intended to be formally verifiable; TPM/TXT‑based trusted boot and remote attestation; compatibility with the existing Linux ecosystem (it is loaded from a running Linux like a Type 2 hypervisor, then runs beneath the OS like a Type 1 hypervisor, hence "Type 1.5"); and straightforward integration of hardware memory‑encryption capabilities.

3. KubeTEE: Enabling Confidential Computing at Scale on Kubernetes

Occlum and HyperEnclave address a single node, but modern internet services run on large Kubernetes clusters. KubeTEE brings Enclave support into Kubernetes: it exposes Enclave resources to containers so the scheduler can place workloads on nodes that actually have them, handles remote attestation, and manages the Enclave lifecycle at scale.

KubeTEE repository: https://github.com/SOFAEnclave/KubeTEE

KubeTEE also includes AECS, a component that uses remote attestation to distribute keys and configuration to Enclave services, so that secrets are released only to an Enclave whose measurement has been verified rather than baked into container images.
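The following manifest shows what "exposing Enclave resources to containers" looks like from a developer's side. It is an added illustration, not a manifest shipped by KubeTEE; it assumes a cluster running the Inclavare Containers `rune` runtime (for which Occlum is the default runtime, as noted above) together with its SGX device plugin. The `runtimeClassName`, the `alibabacloud.com/sgx_epc_MiB` extended resource and the `ENCLAVE_*` environment variables are taken from Inclavare's rune documentation as the author recalls it, and the image name and the Occlum PAL path are placeholders.

```yaml
# Added example: a Pod that asks Kubernetes for enclave page cache (EPC) and
# runs an Occlum instance via the Inclavare `rune` runtime. Not a KubeTEE manifest.
apiVersion: v1
kind: Pod
metadata:
  name: occlum-hello-in-enclave
spec:
  # RuntimeClass registered for the enclave-aware OCI runtime (assumed: rune).
  runtimeClassName: rune
  containers:
  - name: occlum-app
    # Placeholder image containing a pre-built occlum_instance directory.
    image: example.invalid/occlum-hello:dev
    command: ["/bin/hello"]
    env:
    # Tells rune which enclave technology and which PAL to load (assumed names).
    - name: ENCLAVE_TYPE
      value: intelSgx
    - name: ENCLAVE_RUNTIME_PATH
      value: /opt/occlum/build/lib/libocclum-pal.so   # placeholder path
    - name: ENCLAVE_RUNTIME_ARGS
      value: occlum_instance
    resources:
      limits:
        # Extended resource advertised by the SGX device plugin; the scheduler
        # only places this Pod on nodes that report free EPC (assumed name).
        alibabacloud.com/sgx_epc_MiB: 16
```

Without such a resource request the Pod would be schedulable on any node, including ones with no SGX support, and would fail only at start time; the extended resource is what turns "this node has an Enclave" into something the scheduler can reason about.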

In summary, the SOFAEnclave stack—comprising Occlum, HyperEnclave, and KubeTEE—addresses the major challenges of confidential computing, lowers its entry barrier, and promotes the evolution from cloud‑native to trustworthy‑native architectures. Occlum and KubeTEE are already open‑source, and HyperEnclave will be open‑source soon, inviting further industry collaboration.
