My experience is that neither has a good UX for what I usually try to do with coding agents. The main problem I see is setup/teardown of the boxes and managing tools inside them.
Exactly, attestation is what matters. Excluding the inference provider from the prompt is the USP here. Privatemode can do that via an attestation chain (source code -> reproducible build -> TEE attestation report) + code/stack that ensures isolation (Kata/CoCo, runtime policy).
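The attestation chain described above, as an added example that is not Privatemode's or Edgeless Systems' code: a Go sketch of the client-side checks, with a constructed report format, Ed25519 standing in for the vendor-certified platform key, and an allowlist holding the measurement a reproducible build would publish. The report binds a fresh nonce and the public key generated inside the TEE, so that only a verified enclave can be sent the prompt.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// Report is a constructed stand-in for a TEE attestation report; real SEV-SNP/TDX reports carry more.
type Report struct {
	Measurement [32]byte // launch measurement of the workload image
	ReportData  [32]byte // caller-chosen bytes the hardware binds into the report
	Sig         []byte   // platform-key signature over Measurement||ReportData
}

// bind ties a report to this session's nonce and the workload's in-TEE public key (replay fails).
func bind(nonce, workloadPub []byte) [32]byte {
	return sha256.Sum256(append(append([]byte{}, nonce...), workloadPub...))
}

func signed(r Report) []byte { return append(r.Measurement[:], r.ReportData[:]...) }
// Issue plays the hardware's signing role (constructed, not vendor firmware).
func Issue(platform ed25519.PrivateKey, meas [32]byte, nonce, workloadPub []byte) Report {
	r := Report{Measurement: meas, ReportData: bind(nonce, workloadPub)}
	r.Sig = ed25519.Sign(platform, signed(r))
	return r
}

// Verify is the client side: platform signature, nonce/key binding, then the reproducible-build allowlist.
func Verify(platformPub ed25519.PublicKey, allowed map[[32]byte]bool, r Report, nonce, workloadPub []byte) error {
	if !ed25519.Verify(platformPub, signed(r), r.Sig) {
		return errors.New("platform signature invalid")
	}
	if r.ReportData != bind(nonce, workloadPub) {
		return errors.New("report not bound to this nonce and workload key")
	}
	if !allowed[r.Measurement] {
		return errors.New("measurement not in the reproducible-build allowlist")
	}
	return nil // only now should the client encrypt a prompt to workloadPub
}

func main() {
	platformPub, platform, _ := ed25519.GenerateKey(rand.Reader)   // stands in for the vendor-rooted key
	expected := sha256.Sum256([]byte("constructed image bytes")) // what the reproducible build publishes
	nonce, pub := []byte("fresh-nonce"), []byte("constructed workload pubkey")
	r := Issue(platform, expected, nonce, pub)
	fmt.Println("verify:", Verify(platformPub, map[[32]byte]bool{expected: true}, r, nonce, pub))
}
```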
Edgeless Systems | Software Engineer - Confidential Computing and AI | REMOTE (EU) - Office in Berlin & Bochum (GER) | Full-time
We are a team of ~20 people, building open source software to make confidential computing more usable. To achieve this we have built multiple products, most of which you can find on our GitHub page (https://github.com/edgelesssys/). You won't find our AI product there; the best way to learn about it is the docs (https://docs.privatemode.ai/).
Our products span unusually far across the tech stack, starting at measured boot, through Kubernetes operators, finishing somewhere in our JavaScript frontend. We don't expect you to do all of it - these are just possibilities.
Website: https://www.edgeless.systems/
Contact: Apply via the posting on our careers page and please mention that you come from HN. Also feel free to email me via ob [at] edgeless.systems in case of any questions.
There are startups building solutions like PCC. They all leverage confidential computing to do so. Decentriq, Opaque, Anjuna, Edgeless Systems (multiple OSS projects) come to mind.
Apple's secure enclave docs also mention memory encryption. The PCC blog post mentions that the server hardware is built on secure enclaves. And since they are claiming that even Apple can't access it, I am currently assuming that there will be memory encryption happening on the servers. At which point you have the main ingredients of CC: memory encryption & remote attestation.
EDIT: and they mention SGX and Nitro. Other CC technologies :)
> Apple's secure enclave docs also mention memory encryption.
Yes, but that's only within the enclave. All Mac hardware since the T2 has had that, and we don't consider them strong enough to meet the CC bar.
As an example of the difference, CC is designed so that a compromised hypervisor cannot inspect your guest workload. Whereas in Apple's design, they attempt to prove that the hypervisor isn't compromised. Now imagine there's a bug ...
(Not that SGX hasn't had exploitable hardware flaws, but there is a difference here.)
Constellation (a Kubernetes distro) [1] on Azure would give you this attestation feature. You could then run something like HashiCorp's Vault in that cluster. You will know that all nodes of that cluster are in the state that you expect them to be through the attestation statement.