Abstract: A key caching container provides for the secure storage of cryptographic keys and the secure operation of cryptographic functions for workload containers. A cryptographic call adapter in each workload container converts application cryptographic operation requests made by an application to workload container cryptographic operation requests that are sent to the key caching container. Secure provision of keys is enabled by a key broker service that acts as a proxy for a key management service. A secure enclave within the key caching container stores keys and instructions that perform cryptographic operations in an encrypted format. The key caching container provides a key handle associated with a cryptographic key to a requesting application, which the application uses in subsequent application cryptographic operation requests. The secure enclave is created and managed using security-related instructions in a security-enabled integrated circuit component that is part of a computing system's hardware platform.

Abstract: In function-as-a-service (FaaS) environments, a client makes use of a function executing within a trusted execution environment (TEE) on a FaaS server. Multiple tenants of the FaaS platform may provide functions to be executed by the FaaS platform via a gateway. Each tenant may provide code and data for any number of functions to be executed within any number of TEEs on the FaaS platform and accessed via the gateway. Additionally, each tenant may provide code and data for a single surrogate attester TEE. The client devices of the tenant use the surrogate attester TEE to attest each of the other TEEs of the tenant and establish trust with the functions in those TEEs. Once the functions have been attested, the client devices have confidence that the other TEEs of the tenant are running on the same platform as the gateway.