🤖 AI Summary
Researchers published TEE.fail, a low-cost, low-complexity physical attack that breaks the modern trusted execution environments (TEEs) from all three major chip vendors—Nvidia Confidential Compute, AMD SEV‑SNP, and Intel SGX/TDX/SDX. The exploit requires two things: a compromised OS kernel and a tiny hardware “shim” inserted between a single physical memory chip and its motherboard slot. In roughly three minutes the attacker can view or tamper with enclave memory. Crucially, unlike recent Battering RAM and Wiretap techniques that only worked on DDR4, TEE.fail works against DDR5, bringing the newest TEEs into scope.
The practical impact is broad: TEEs underpin cloud services, AI workloads, blockchain, finance and defense use cases, and many operators assume they defend against remote attackers even if the kernel is compromised. But all three vendors explicitly exclude physical attacks from their threat models—a limitation that’s often downplayed or misunderstood by users. TEE.fail highlights the need to re-evaluate assumptions, tighten physical security for remote/edge servers, and push vendors for clearer guarantees or hardware changes (e.g., stronger memory integrity, tamper detection, or redesigned memory interfaces). For the AI/ML community, the takeaway is simple and urgent: don’t treat current TEEs as a panacea against attackers with physical access, and update threat models, deployment practices, and attestation expectations accordingly.