The Trusted Computing Base (TCB) is the set of all hardware, firmware, and software components whose correct functioning is essential to a system's security. If any element within the TCB fails or is compromised, the entire system's security policy becomes unenforceable. The primary design goal is to minimize TCB size—reducing the attack surface and making formal verification feasible. In confidential computing, the TCB typically includes the CPU package, the Trusted Execution Environment (TEE) firmware, and the application code running inside the enclave.
Glossary
Trusted Computing Base (TCB)

What is Trusted Computing Base (TCB)?
The Trusted Computing Base (TCB) is the totality of hardware, firmware, and software components in a computing system that are critical to enforcing its security policy—a single vulnerability in any TCB component can compromise the entire system's security guarantees.
Critically, the TCB explicitly excludes the host operating system, hypervisor, and cloud provider infrastructure in a properly architected confidential AI deployment. This exclusion is the foundational value proposition of technologies like Intel SGX and AMD SEV. The TCB boundary is verified through remote attestation, which provides a cryptographically signed measurement of all TCB components, allowing a remote party to establish trust in the execution environment before releasing secrets or sensitive data.
Core Characteristics of a TCB
The Trusted Computing Base (TCB) is the minimal set of hardware, firmware, and software components critical to enforcing a system's security policy. A vulnerability in any single TCB component can compromise the entire system.
Minimality
The security of a system is inversely proportional to the size and complexity of its TCB. A smaller TCB has a smaller attack surface, fewer lines of code to audit, and a lower probability of containing exploitable vulnerabilities.
- Goal: Reduce the TCB to the absolute minimum required to enforce the security policy.
- Exclusion: Components like device drivers, user applications, and the OS kernel (in a TEE model) are explicitly excluded from the TCB.
- Verification: Formal methods and mathematical proofs become feasible only with a sufficiently small TCB.
Non-Bypassability
Every access to a protected resource or object must be mediated by the TCB. There can be no backdoors, undocumented interfaces, or alternative paths that allow an untrusted entity to circumvent the TCB's security checks.
- Reference Monitor Concept: The TCB must function as a complete and always-invoked reference monitor.
- Hardware Enforcement: Modern TCBs use hardware features like nested paging and memory encryption to enforce non-bypassability at the silicon level.
- Example: In Intel SGX, the CPU hardware prevents even the OS or hypervisor from reading enclave memory.
Tamper-Proof Integrity
The TCB must be protected from unauthorized modification, both at rest and during execution. Its integrity must be verifiable at load time and continuously monitored at runtime.
- Secure Boot: A hardware root of trust cryptographically verifies the TCB's firmware and software signatures before execution.
- Measured Boot: Each component's hash is extended into a Platform Configuration Register (PCR) for remote attestation.
- Runtime Protection: Hardware isolates TCB memory regions, preventing DMA attacks or privilege escalation from corrupting TCB state.
Verifiability
A TCB must be evaluable. Its correctness and trustworthiness must be demonstrable to a remote party through rigorous analysis, formal verification, or cryptographic attestation.
- Remote Attestation: The TCB generates a signed report quoting its measurement, proving it is genuine and running unmodified code.
- Open Source: While not strictly required, open-source TCB components allow independent security audits and community scrutiny.
- Formal Verification: The highest assurance comes from mathematically proving the TCB's implementation matches its specification, a technique used in high-assurance separation kernels like seL4.
Correctness of Security Policy
The TCB must correctly enforce the intended security policy. A perfectly isolated and non-bypassable TCB that enforces a flawed policy is still insecure. The policy definition is itself part of the TCB.
- Policy vs. Mechanism: The TCB provides the mechanism (isolation, access control), but the configured policy defines what is allowed.
- Example: A TEE might perfectly isolate an enclave, but if the enclave code has a buffer overflow, the security policy is violated.
- Implication: All code executing within the TCB boundary must be trusted to enforce the correct policy, reinforcing the need for minimality.
Trusted Path
The TCB must provide a secure, unspoofable communication channel between itself and the user or a remote relying party. This prevents an untrusted intermediary from intercepting or manipulating sensitive interactions.
- Local Trusted Path: A secure attention key (e.g., Ctrl+Alt+Del) that guarantees the user is communicating directly with the TCB, not a spoofed login prompt.
- Remote Trusted Path: Enclave TLS terminates a network connection directly inside a TEE, ensuring data is decrypted only within the protected TCB boundary.
- Attestation Binding: The trusted path is established only after the remote party has cryptographically verified the TCB's identity via attestation.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clarifying the foundational security perimeter of a computing system, where a single flaw can undermine all guarantees.
The Trusted Computing Base (TCB) is the totality of hardware, firmware, and software components in a computing system that are critical to enforcing its security policy—a single vulnerability or misconfiguration in any of these components could compromise the entire system's security guarantees. The TCB defines the attack surface that must be trusted implicitly; if the TCB is breached, no higher-level security mechanism can be relied upon. In a confidential computing context, the TCB typically includes the CPU package, the Trusted Execution Environment (TEE) firmware, and the application code running inside the enclave, while explicitly excluding the operating system, hypervisor, and cloud provider infrastructure. The primary design goal is to minimize the TCB to the smallest possible set of components, reducing the potential for bugs and making formal verification feasible.
Related Terms
The Trusted Computing Base is the minimal set of components that must be implicitly trusted. These related concepts define the mechanisms that minimize, verify, and protect that critical boundary.
Sealing
A TEE-specific operation that encrypts data and cryptographically binds it to the unique identity of the enclave and platform that created it. Sealing ensures that sensitive data can only be decrypted by the exact same enclave on the exact same hardware. This protects data at rest outside the TCB. An attacker who steals a sealed blob cannot decrypt it on a different machine or inside a tampered enclave, enforcing a strict data-in-use protection policy.
Side-Channel Attack
A class of exploits that targets the physical implementation of the TCB rather than its logical flaws. Attackers observe timing variations, power consumption, or electromagnetic emanations to infer secret data like cryptographic keys. Defending against side-channel attacks is a primary driver for keeping the TCB as small and simple as possible. Modern TEEs incorporate countermeasures like constant-time algorithms and memory encryption to mitigate these physical-layer threats.
Chain of Trust
A hierarchical sequence of validation where each component in the system is authenticated by the preceding component, beginning with the immutable Hardware Root of Trust. The chain extends from the bootloader to the OS kernel and finally to the application enclave. A break at any link—such as a compromised bootloader—invalidates all subsequent trust. The TCB encompasses every component in this chain that lacks a higher authority to verify it.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us