Supported Platforms
Polaris treats the TEE hardware and the infrastructure it runs on as two independent axes. The same components run everywhere, cloud or on-premises; what changes underneath is which hardware produces the attestation evidence and which key-management service the Policy Manager controls.
Clouds and TEE hardware
| TEE hardware | Google Cloud | AWS | Microsoft Azure | Oracle Cloud |
|---|---|---|---|---|
| AMD SEV-SNP | Available | Available | Available | - |
| AMD SEV-SNP with SVSM | Available | - | - | - |
| AMD SEV (memory encryption) | - | - | - | Available |
| Intel TDX | Available | - | Available | - |
| NVIDIA H100 confidential computing | Available | - | Available | - |
TEE families
AMD SEV-SNP. Full confidential VM protection: memory encryption, integrity protection against the hypervisor, and hardware-signed attestation reports verifiable against AMD's published key hierarchy (a versioned endorsement key chained to AMD's signing key and root key). On selected platforms, Polaris additionally supports SVSM-based deployments, which add an isolated security module inside the VM running at VMPL0, the most privileged VM privilege level; the TLS private key lives there, and the guest OS, which runs at a lower VMPL, cannot read it.
AMD SEV. First-generation SEV, as offered on Oracle Cloud, encrypts guest memory but, unlike SEV-SNP, provides neither integrity protection against the hypervisor nor a guest-requestable, hardware-signed attestation report. Attestation on this platform is therefore anchored in the cloud provider's instance identity combined with Polaris's continuous runtime appraisal, which puts the provider inside the trust model for SEV deployments.
Intel TDX. Intel's confidential VM technology, with hardware-signed quotes verifiable against Intel's published root of trust. Supported both through cloud attestation services and through direct hardware verification.
NVIDIA confidential GPUs. On H100-class GPUs, confidential computing mode encrypts GPU memory and produces GPU attestation verified against NVIDIA's attestation service. Polaris binds CPU and GPU evidence together, so a deployment is only healthy when both sides of the machine attest.
On-premises
Everything above also applies to hardware you own. Because Polaris's strongest verification path checks attestation reports directly against AMD's, Intel's, and NVIDIA's published keys, it needs no cloud attestation service at all, which makes on-premises a natural deployment target, not a special case.
Polaris runs on customer-owned confidential-computing-capable hardware:
- AMD EPYC servers with SEV-SNP enabled; recent generations additionally support SVSM-based key isolation.
- Intel Xeon servers with TDX support.
- NVIDIA H100/H200-class GPUs in confidential-computing mode, attested through NVIDIA's attestation service.
The trust chain on-premises is the shortest Polaris offers: silicon to verifier, with no cloud identity service and no external attestation authority in the path. For the CPU TEEs, the verifier needs only the vendors' published certificate collateral (AMD's VCEK, ASK and ARK certificates; Intel's PCK certificates and TCB information), which can be fetched once and cached, so no third-party service is consulted at verification time. The one outbound dependency is NVIDIA's attestation service, used for GPU evidence when confidential GPUs are in play. That property matters for air-gapped, sovereign, and high-assurance environments where certification tracks favor a trust chain without intermediaries.
Two differences from cloud deployments to plan for: key management integrates with your own KMS or HSM (for example HashiCorp Vault or an enterprise HSM) rather than a cloud-native key service, and baselines for your OS images are established during deployment rather than shipped ready-made. On-premises deployments are delivered as engagements with our team; talk to us to scope one.
Verification paths
Depending on the platform, clients can verify attestation through two paths:
- Cloud-attested. The cloud provider's confidential computing service vouches for the VM, and the client verifies the provider's signed statement. Simple, and appropriate when the provider is already in your trust model for identity.
- Direct hardware attestation. The client verifies the raw hardware report against AMD's, Intel's, or NVIDIA's published keys. No cloud service, and no Fr0ntierX service, is in the verification path. This is the strongest available trust model and the recommended path where the platform supports it.
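The direct hardware attestation path, worked through for an SEV-SNP report, as an added example that is not Polaris's or Fr0ntierX's code. It uses the field offsets from AMD's published SEV-SNP ABI specification and Go's standard library only. A freshly generated P-384 key stands in for the chip's VCEK, and buildReport stands in for the PSP firmware; a real verifier obtains the VCEK certificate from AMD's key distribution service, chains it to the ASK and ARK, and also appraises the TCB version fields, none of which the example does. The nonce and baseline measurement are constructed, and the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Field offsets in the SEV-SNP ATTESTATION_REPORT (AMD SEV-SNP ABI spec).
const (
	reportLen     = 0x4A0   // whole structure
	signedLen     = 0x2A0   // bytes [0, 0x2A0) are what the firmware signs
	offPolicy     = 0x08    // u64 guest policy
	offReportData = 0x50    // 64 bytes chosen by the guest: the client's nonce
	offMeasure    = 0x90    // 48-byte launch measurement
	offSignature  = 0x2A0   // ECDSA P-384: r then s, each 72 bytes little-endian
	policyDebug   = 1 << 19 // DEBUG bit: a debuggable guest is not confidential
)

// VerifyReport is the direct hardware verification path: check the signature
// under the VCEK public key first, then appraise the now-authenticated fields.
func VerifyReport(rep []byte, vcek *ecdsa.PublicKey, nonce [64]byte, golden [48]byte) error {
	if len(rep) != reportLen {
		return fmt.Errorf("report length %d, want %d", len(rep), reportLen)
	}
	digest := sha512.Sum384(rep[:signedLen])
	r := new(big.Int).SetBytes(reversed(rep[offSignature : offSignature+72]))
	s := new(big.Int).SetBytes(reversed(rep[offSignature+72 : offSignature+144]))
	if !ecdsa.Verify(vcek, digest[:], r, s) {
		return errors.New("signature does not verify under the VCEK")
	}
	if binary.LittleEndian.Uint64(rep[offPolicy:])&policyDebug != 0 {
		return errors.New("guest policy permits debugging")
	}
	if !bytes.Equal(rep[offReportData:offReportData+64], nonce[:]) {
		return errors.New("report_data is not this session's nonce (replay?)")
	}
	if !bytes.Equal(rep[offMeasure:offMeasure+48], golden[:]) {
		return errors.New("launch measurement differs from the baseline")
	}
	return nil
}

// buildReport stands in for the PSP firmware, which fills and signs the report.
// Real reports come from the guest's /dev/sev-guest device, not from your code.
func buildReport(vcek *ecdsa.PrivateKey, nonce [64]byte, meas [48]byte, policy uint64) []byte {
	rep := make([]byte, reportLen)
	binary.LittleEndian.PutUint64(rep[offPolicy:], policy)
	copy(rep[offReportData:], nonce[:])
	copy(rep[offMeasure:], meas[:])
	digest := sha512.Sum384(rep[:signedLen])
	r, s, err := ecdsa.Sign(rand.Reader, vcek, digest[:])
	if err != nil {
		panic(err)
	}
	copy(rep[offSignature:], reversed(r.FillBytes(make([]byte, 72))))
	copy(rep[offSignature+72:], reversed(s.FillBytes(make([]byte, 72))))
	return rep
}

// reversed returns b in the opposite byte order: the firmware stores r and s
// little-endian, while math/big works big-endian.
func reversed(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[len(b)-1-i] = v
	}
	return out
}

func Demo() (good, replayed, tampered, debug error) {
	vcek, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // stand-in for the chip's VCEK
	if err != nil {
		panic(err)
	}
	var nonce, stale [64]byte
	copy(nonce[:], "session nonce chosen by the client")
	copy(stale[:], "nonce from a previous session")
	var golden [48]byte
	copy(golden[:], "constructed baseline launch measurement")
	const policy = 1 << 17 // reserved bit 17 must be set; DEBUG (bit 19) is clear
	pub := &vcek.PublicKey
	goodRep := buildReport(vcek, nonce, golden, policy)
	staleRep := buildReport(vcek, stale, golden, policy)             // valid signature, old nonce
	debugRep := buildReport(vcek, nonce, golden, policy|policyDebug) // valid signature, debuggable
	badRep := append([]byte(nil), goodRep...)
	badRep[offMeasure] ^= 0x01 // changed after signing, so the signature must fail
	return VerifyReport(goodRep, pub, nonce, golden), VerifyReport(staleRep, pub, nonce, golden),
		VerifyReport(badRep, pub, nonce, golden), VerifyReport(debugRep, pub, nonce, golden)
}

func main() { fmt.Println(Demo()) }
```

The order of checks is the point: nothing in the report is trusted until the signature verifies, the nonce in report_data is what makes a report fresh rather than replayed, and the measurement comparison is where a deployment-established baseline enters. The verdict VerifyReport returns is the kind of appraisal result a policy manager gates key release on.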
Key management
The Policy Manager enforces appraisal results through the key-management service native to each environment: Google Cloud KMS, AWS KMS, Azure Key Vault, and OCI Vault in the clouds, or your own HSM or vault on-premises. Keys remain in your account and your control; Polaris governs access to them based on the continuously verified health of the environment.
Deployment shape
A Polaris deployment consists of your workload container plus the Polaris components, provisioned through standard infrastructure-as-code tooling:
- A confidential VM running the Secure Proxy, your unmodified workload, and the Sentinel agent.
- A separate VM running the Policy Manager, deliberately outside the workload's trust domain.
- A KMS key whose access is gated on attestation.
Your application itself needs no changes: it listens on plain HTTP inside the boundary, and Polaris handles TLS, attestation, encryption, and enforcement around it.