Current cloud-sensitive workload protection relies on multi-layered nested isolation (e.g., confidential VMs, enclaves, sandboxes), leading to trusted computing base (TCB) bloat, complex end-to-end attestation, and cross-platform fragmentation. This work proposes Tyche, a unified isolation model introducing the first recursively nestable trust domain (TD) abstraction, managed by a lightweight security monitor that unifies resource isolation and remote attestation. Tyche operates atop commodity x86_64 and RISC-V hardware—requiring no specialized security extensions—and enables composable, verifiable, fine-grained isolation for confidential VMs, enclaves, and sandboxes. Its low-overhead, unified abstraction provides an SDK compatible with unmodified workloads, supporting demanding scenarios such as confidential inference at near-native Linux performance. We empirically validate Tyche’s cross-architecture portability and multi-tenant security guarantees.

Securing sensitive cloud workloads requires composing confidential virtual machines (CVMs) with nested enclaves or sandboxes. Unfortunately, each new isolation boundary adds ad-hoc access control mechanisms, hardware extensions, and trusted software. This escalating complexity bloats the TCB, complicates end-to-end attestation, and leads to fragmentation across platforms and cloud service providers (CSPs). We introduce a unified isolation model that delegates enforceable, composable, and attestable isolation to a single trusted security monitor: Tyche. Tyche provides an API for partitioning, sharing, attesting, and reclaiming resources through its core abstraction, trust domains (TDs). To provide fine-grain isolation, TDs can recursively create and manage sub-TDs. Tyche captures these relationships in attestations, allowing cloud tenants to reason about end-to-end security. TDs serve as the building blocks for constructing composable enclaves, sandboxes, and CVMs. Tyche runs on commodity x86_64 without hardware security extensions and can maintain backward compatibility with existing software. We provide an SDK to run and compose unmodified workloads as sandboxes, enclaves, and CVMs with minimal overhead compared to native Linux execution. Tyche supports complex cloud scenarios, such as confidential inference with mutually distrustful users, model owners, and CSPs. An additional RISC-V prototype demonstrates Tyche's portability across platforms.